Backend SSO for Windows users
Hi guys,
We've been reading through the various security documents and it's not clear to me how to configure security on azure.
For internal users (those on our network) we want them to access the backend area using their domain accounts (through ADFS or something; we have federation in the cloud already). When you set up Sitefinity it's username/password based, yet when I go into the User Authentication section in settings, Claims based authentication is already selected.
It's not clear to me how to set up SSO for users visiting the site from our network when it's running in Azure. Is this even supported? All of the SSO/security documentation I see talks about an STS site, but these are websites, not cloud services. We have the site up and running on Azure but I'm not seeing how to change the authentication to SSO for domain users.
Thanks
Hi Bil,
The steps should be the same. Please refer to the following documentation for more details:
http://docs.sitefinity.com/administration-set-up-sso-with-windows-authentication
Best Regards,
Junior Dominguez
Telerik
Junior,
Please explain to me how an Azure cloud service (and the associated Sitefinity app) will recognize users. It can't. This document only works for on-prem installs in your own domain. You can't use Windows Authentication with an Azure site; it has to use ADFS (or something similar) in order to recognize users, kick off the appropriate token exchange, etc. to identify a user. So these documents are fine for on-prem but useless for Azure deployments, unless I'm reading them wrong.
Thanks
Hi Bil,
We do support ADFS with Sitefinity's STS application. It could be on Azure, Amazon or another place, since this is not something specific to the cloud. ADFS is a standardized type of authentication.
3 components are necessary:
1. Sitefinity
2. ADFS server that issues tokens
3. Sitefinity STS
Sitefinity is not able to read ADFS directly and vice versa, because we have our own tokens (even registering them in ADFS, they are not translated correctly back inside Sitefinity). This is why they need to use the STS application as a bridge that reads the tokens from ADFS and then passes them to Sitefinity.
Best,
Junior Dominguez
Telerik
Thanks for the info. I'll look at the STS application. I'm still not sure, based on the existing documentation, how this works in Azure with ADFS, as the docs seem to be focused on Windows Authentication and have examples for Facebook and Google+, but I'm not sure how this will work with ADFS and Azure.
I am looking for some documentation for ADFS Integration. Can you direct me to the location of this?
Hello,
Here are the configuration steps that are needed for the general setup using the standard ADFS for Windows.
ADFS
1. STS url has to be registered in ADFS
SitefinityWebApp
1. Inside AppSettings add the <relyingParties> security key that you can get from SecurityConfig.config
<appSettings>
  <add key="https://sitefinitysite/" value="52ACD69BD85C96F08C74762ED247A4AAFD2174E6B3E7F700630C2DAC5E169D21" />
</appSettings>
2. Modify <microsoft.identityModel> section
<microsoft.identityModel>
  <service>
    <claimsAuthenticationManager type="Telerik.Sitefinity.Security.Claims.SFClaimsAuthenticationManager, Telerik.Sitefinity" />
    <securityTokenHandlers>
      <add type="Telerik.Sitefinity.Security.Claims.SWT.SWTSecurityTokenHandler, Telerik.Sitefinity" />
    </securityTokenHandlers>
    <audienceUris mode="Never">
    </audienceUris>
    <federatedAuthentication>
      <!-- realm must match the relying party key registered in appSettings exactly -->
      <wsFederation passiveRedirectEnabled="true" issuer="https://stsapplication/mysts.ashx" realm="https://sitefinitysite/" requireHttps="false" />
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>
    <issuerNameRegistry type="Telerik.Sitefinity.Security.Claims.CustomIssuerNameRegistry, Telerik.Sitefinity">
      <trustedIssuers>
      </trustedIssuers>
    </issuerNameRegistry>
    <issuerTokenResolver type="Telerik.Sitefinity.Security.Claims.SWT.WrapIssuerTokenResolver, Telerik.Sitefinity" />
  </service>
</microsoft.identityModel>
3. Change request limits based on this article
http://docs.sitefinity.com/administration-set-up-sso-with-windows-authentication
STS application configuration
1. Add the <relyingParties> security key (the same key/value pair as in the Sitefinity site's appSettings)
<appSettings>
  <add key="https://sitefinitysite/" value="52ACD69BD85C96F08C74762ED247A4AAFD2174E6B3E7F700630C2DAC5E169D21" />
  <!-- ADFS related keys -->
  <add key="ida:FederationMetadataLocation" value="https://fs.youradfs.com/FederationMetadata/2007-06/FederationMetadata.xml" />
  <add key="ida:Issuer" value="https://fs.youradfs.com/adfs/ls/" />
  <add key="ida:ProviderSelection" value="productionSTS" />
</appSettings>
2. Add FederationMetadata location
<location path="FederationMetadata">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
3. Add the following configurations in the web.config
<system.identityModel>
  <identityConfiguration>
    <!-- Set website and STS hosts -->
    <audienceUris>
      <add value="https://sitefinitywebapp/" />
    </audienceUris>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="http://fs.youradfs.com/adfs/services/trust">
        <keys>
          <!-- thumbprint of the ADFS token-signing certificate; no whitespace -->
          <add thumbprint="6A9494A7D1C15ADB3868A34F9386F322243B15BA" />
        </keys>
        <validIssuers>
          <add name="http://fs.youradfs.com/adfs/services/trust" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
    <!-- certificateValidationMode set to "None" by the Identity and Access Tool for Visual Studio. For development purposes only. -->
    <certificateValidation certificateValidationMode="None" />
  </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="false" />
    <!-- set realm to the STS host -->
    <wsFederation passiveRedirectEnabled="true" issuer="https://fs.youradfs.com/adfs/ls/" realm="https://sitefinitywebapp" requireHttps="false" />
  </federationConfiguration>
</system.identityModel.services>
4. Add FederationMetadata.xml under
https://yoursts/FederationMetadata/2007-06/FederationMetadata.xml
5. From STS/SimpleWebTokenHandler.cs comment out the following lines (the Windows-authentication check, which does not apply when the STS is fronted by ADFS)
var winPrincipal = context.User as WindowsPrincipal;
if (winPrincipal == null || !winPrincipal.Identity.IsAuthenticated)
    throw new ConfigurationException("This web site is not correctly configured for Windows authentication.");
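The two setups above share one symmetric secret: the <relyingParties> key that appears in both the Sitefinity site's and the STS application's appSettings. It is the key the STS uses to sign the Simple Web Token (SWT) it hands to Sitefinity after ADFS has authenticated the user, and the key SWTSecurityTokenHandler uses to verify that signature, which is why the key and the realm/audience URL must match byte for byte on both sides. The following is an added example, not Sitefinity's or Telerik's code, written in Python rather than C# so it runs stand-alone. It follows the public SWT format (form-encoded claims with a trailing HMACSHA256 parameter); that Sitefinity decodes the hex key to raw bytes for the HMAC is an assumption, and the key, issuer and realm values are constructed placeholders, not the values from this thread.

```python
"""Issue and validate an SWT the way an STS -> relying-party bridge does.

Added example for this thread; not Sitefinity's implementation. The hex key ->
raw HMAC key derivation is an assumption. Validation checks the signature first
and only then inspects claims, so unauthenticated data is never acted upon.
"""
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, quote, unquote, urlencode

SIG_PARAM = "HMACSHA256"

# Constructed placeholder values (not the ones posted in the thread).
SAMPLE_KEY_HEX = "a3" * 32            # 64 hex chars = 32-byte relying-party key
STS_ISSUER = "https://stsapplication/mysts.ashx"
SITE_REALM = "https://sitefinitysite/"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"


def _mac(unsigned: str, key_hex: str) -> bytes:
    """HMAC-SHA256 over the unsigned token body with the shared relying-party key."""
    return hmac.new(bytes.fromhex(key_hex), unsigned.encode("utf-8"), hashlib.sha256).digest()


def sign_swt(claims: Dict[str, str], key_hex: str) -> str:
    """Serialise claims as form-encoded pairs and append the URL-encoded base64 HMAC."""
    unsigned = urlencode(claims)  # '&' and '=' inside values are percent-encoded
    sig = quote(base64.b64encode(_mac(unsigned, key_hex)).decode("ascii"), safe="")
    return f"{unsigned}&{SIG_PARAM}={sig}"


def validate_swt(token: str, key_hex: str, expected_audience: str,
                 trusted_issuer: str, now: Optional[int] = None) -> Tuple[bool, str, Dict[str, str]]:
    """Return (accepted, reason, claims); claims are empty unless the token is accepted."""
    now = int(time.time()) if now is None else now
    marker = f"&{SIG_PARAM}="
    idx = token.rfind(marker)
    if idx < 0:
        return False, "missing signature", {}
    unsigned, sig_enc = token[:idx], token[idx + len(marker):]
    try:
        presented = base64.b64decode(unquote(sig_enc), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "malformed signature", {}
    # Constant-time comparison: never short-circuit on the first differing byte.
    if not hmac.compare_digest(presented, _mac(unsigned, key_hex)):
        return False, "signature mismatch", {}
    claims = dict(parse_qsl(unsigned, keep_blank_values=True))
    if claims.get("Issuer") != trusted_issuer:
        return False, "untrusted issuer", {}
    if claims.get("Audience") != expected_audience:
        return False, "audience mismatch", {}
    try:
        expires_on = int(claims.get("ExpiresOn", ""))
    except ValueError:
        return False, "missing or invalid ExpiresOn", {}
    if now >= expires_on:  # ExpiresOn is seconds since the Unix epoch
        return False, "token expired", {}
    return True, "ok", claims


if __name__ == "__main__":
    now = int(time.time())
    token = sign_swt({"Issuer": STS_ISSUER, "Audience": SITE_REALM,
                      "ExpiresOn": str(now + 600), NAME_CLAIM: "alice"}, SAMPLE_KEY_HEX)
    print(validate_swt(token, SAMPLE_KEY_HEX, SITE_REALM, STS_ISSUER))
    # A token issued for a differently spelled realm, or signed with a key that
    # differs from the site's copy, is rejected: the two configs must agree exactly.
    print(validate_swt(token, SAMPLE_KEY_HEX, "https://sitefinitysite", STS_ISSUER))
    print(validate_swt(token, "5c" * 32, SITE_REALM, STS_ISSUER))
```

The order of checks matters: the signature is verified before any claim is parsed, the comparison is constant-time, and audience and expiry are enforced after that. A realm without its trailing slash, a key with a stray whitespace character or a clock far out of sync will each show up as a rejected token at this point, which is the first place to look when the redirect from the STS back to Sitefinity loops.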