I have a legacy Web Forms application that is multi-tenant. One of the tenants wants us to implement SSO, and we're looking at using Okta's middleware to accomplish that. We've started using this guide as a starting point. This works for the most part, but there are a couple of sticking points that are causing some grief.
With forms authentication as the main authentication method for the rest of our users, we want to keep that as the primary user management. We've added a new page to our application for the SSO logic that gets the OWIN context and challenges the authentication. What ends up happening there is that the app starts to run into 'Decryption key specified has invalid hex characters.' errors after calling Authentication.Challenge. Admittedly, these errors do go away if I take out the machineKey entry in the web.config file. That will, however, break our production environment, as the web servers need to have the same machine key so that load can be distributed, so removing the entry isn't a viable option.
Is it possible to have our web.config match the validation type (e.g. AES) that is being used by the Challenge method and have it get past this error?
Otherwise is there a different approach where we can still use your middleware to handle the verification of the token and set our own forms authentication cookie for the rest of the application? I would like to avoid writing our own methods for validating the tokens if possible.
Any help would be much appreciated.
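The error named in the post is raised when the `decryptionKey` (or `validationKey`) attribute of `<machineKey>` holds something other than an even run of hex digits, and on the System.Web host the OWIN middleware's data protection falls back to that same `machineKey`, so a bad entry surfaces as soon as `Challenge` protects its state. The script below is an added example, not code from the poster or from Okta: it inspects a web.config fragment for the conditions that trigger that error, and it emits a replacement element with CSPRNG-generated keys that can be copied to every server in the farm. The length rules it enforces are my assumptions about ASP.NET's limits (AES decryption keys of 16/24/32 bytes, validation keys of 20 to 64 bytes); the config fragments are constructed samples.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Assumed length rules (ASP.NET machineKey conventions as I understand them;
# confirm against the machineKey documentation for your framework version):
#   decryptionKey for AES: 16, 24 or 32 bytes (32, 48 or 64 hex characters)
#   validationKey:         20 to 64 bytes   (40 to 128 hex characters)
AES_KEY_BYTES = (16, 24, 32)
VALIDATION_KEY_BYTES = range(20, 65)
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def check_machine_key(config_xml):
    """Inspect the first <machineKey> element in an XML fragment and return a
    list of problems; an empty list means the element satisfies the hex and
    length rules assumed above."""
    root = ET.fromstring(config_xml)
    mk = next(root.iter("machineKey"), None)  # iter() includes the root itself
    if mk is None:
        return ["no <machineKey> element found"]

    problems = []
    for attr, allowed_bytes in (("decryptionKey", AES_KEY_BYTES),
                                ("validationKey", VALIDATION_KEY_BYTES)):
        value = mk.get(attr, "")
        if not value:
            problems.append(f"{attr}: attribute missing")
        elif value.startswith("AutoGenerate"):
            # Each web server generates its own key, so cookies and OWIN state
            # protected on one node cannot be read on another.
            problems.append(f"{attr}: AutoGenerate is per-server, not usable in a web farm")
        elif not HEX_RE.fullmatch(value):
            # This is the condition behind 'invalid hex characters' errors.
            problems.append(f"{attr}: contains non-hex characters ({value!r})")
        elif len(value) % 2 or len(value) // 2 not in allowed_bytes:
            problems.append(f"{attr}: {len(value)} hex characters is not an allowed length")
    return problems


def generate_machine_key():
    """Build a <machineKey> element with fresh keys from a CSPRNG: 32 bytes
    (64 hex) for AES-256 decryption and 64 bytes (128 hex) for HMACSHA256
    validation. The same element goes into web.config on every server."""
    return (
        '<machineKey decryption="AES" validation="HMACSHA256" '
        f'decryptionKey="{secrets.token_hex(32).upper()}" '
        f'validationKey="{secrets.token_hex(64).upper()}" />'
    )


# Constructed sample fragments (not taken from any real deployment).
BAD_CONFIG = """
<configuration>
  <system.web>
    <machineKey decryption="AES" validation="SHA1"
                decryptionKey="AutoGenerate,IsolateApps"
                validationKey="REPLACE-WITH-A-REAL-KEY" />
  </system.web>
</configuration>
"""

GOOD_CONFIG = """
<configuration>
  <system.web>
    <machineKey decryption="AES" validation="SHA1"
                decryptionKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
                validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, check_machine_key(cfg) or "OK")
    print(generate_machine_key())
```

Run it against the real web.config of each web server; if any node reports a problem or the keys differ between nodes, that mismatch, not the Okta middleware, is what breaks the challenge and the shared forms cookie.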