Web Single Sign-On (SSO)

Basic concepts on Board Web Single Sign-On (SSO)

The Board Web SSO allows a user which has already authenticated on a web application, to link into Board web application without having to retype his username and password.

For example let's consider a web site (or portal) which contains the company's web mail and CRM systems, clearly access to these applications will require the user to authenticate. Suppose there is also a Board web application also requiring the user to authenticate before access is granted to the Board analyses. Thanks to the Board Web SSO, users which have already authenticated on the CRM or Web mail systems, can access the Board Web pages without having to authenticate again. The authentication task can therefore be delegated to a single centralized system, making the Board Web application fully integrated with the other existing Web services and applications.

Note that in case the user attempts to directly access the Board Web application without going through the main login page, then Board Web Server will detect the un-authenticated user and prompt the username and password.

If your users are logged-in in a Windows domain and your Board Web Server is in the same Windows domain (or a trusted domain) then it is possible to enable "Windows Authentication" on the Board Web Server, which will automatically recognise the user's network login ID see also Windows Authentication for Board Web Server.

How does Web Single Sing-On works

The Board Web SSO mechanism is based on the use cookies.

How to set up Board Web Single Sing-On

To implement SSO, the main Web application which carries out authentication needs to call a webservice of Board Web Server.

The following code same shows how to make this webservice call using ASP.NET



protected void login_Click(object sender, EventArgs e)


        // (in Visual Studio the call can be made using the function "Add ServiceReference")

        WebClient w = new WebClient();


        // 1. prepares the request

        w.Headers.Add("Content-Type", "text/xml");

        w.Headers.Add("SOAPAction", "http://schemas.board.com/IBoardAuthenticationService/GetAuthenticationCookie");

        string xmlRequest = "<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'>"

                      + "<s:Body><GetAuthenticationCookie xmlns='http://schemas.board.com/'>"

                      + "<username>" + HttpUtility.UrlEncode(username.Text) + "</username>"

                      + "<password>" + HttpUtility.UrlEncode(pwd.Text) + "</password>"

                      + "</GetAuthenticationCookie></s:Body></s:Envelope>";

        // 2. sends the authentication request to webservice Board

        string xmlResult = w.UploadString("http://www.mydomain.com:84/authentication","POST", xmlRequest);

        // 3. reads the response (xml)

        XmlDocument xdoc = new XmlDocument();

        xdoc.InnerXml = xmlResult;

        string authenticationCookie = xdoc.ChildNodes[0].ChildNodes[0].ChildNodes[0].ChildNodes[0].InnerText;

        if (string.IsNullOrEmpty(authenticationCookie) || authenticationCookie.StartsWith("ERROR"))


            // 4a. authentication failed.

            Result.InnerText = authenticationCookie;




            // authentication was successful.

            string[] buff = authenticationCookie.Split(new char[] { '=' });

            string cookieName = buff[0];

            string cookieValue = buff[1];

            // 4b. the cokie is ready to be sent to the user's browser

            Response.Cookies.Add(new HttpCookie(cookieName, cookieValue));




To close the Board session (i.e. perform a log-out), it is sufficient to delete the cookie from the browser. This is generally done by setting a past expiry date.


HttpCookie expiredCookie = new HttpCookie("EncCredentials");

expiredCookie.Expires = DateTime.Now.AddDays(-1d);


Board Web Server Load Balancing

Usually the authentication cookie is encrypted with a randomly generated key. However, in case the Board Web Server is used in a cluster of server with other Board Web Servers for load balancing, then all instances of Board Web Server must share the encryption key. In this case (and only in this case), it is necessary to specify the key in the Board Web Server configuration program, as shown in the following picture.