Active Directory for Front End Only
Hello,
I have a site where I want to only use active directory for the front end. For the backend, I want to continue to use the default provider. I went through the process of setting up active directory STS and it works. If I leave the federation URL pointed to localhost, you do get the SF login box where you select Default or LDAP. However, I would like it to log you in automatically if you visit a front-end page that requires a specific LDAP group.
Is this possible? The main reason is that many of my active directory users will be backend users but only use it rarely. They will visit the website every day and if they are automatically logged in, we will quickly exceed the 5 concurrent user login limit even though they aren't using the backend tools. My plan would be that they would have a different login for the backend.
I wanted to post what I've done in the interim to see if there is a long-term issue associated with it.
I set up active directory as a Sitefinity provider but I left the URL in the federation tag of the web.config as localhost. I then created a front-end login page that detects if the person is logged in. If the person is not logged in, I redirect them to my STS AD site and they get returned correctly logged in. There is a log out button on the front end and if the person navigates to /Sitefinity, they can log in with their Sitefinity default provider login to update content.
Hello Jonathan,
In order to use Active Directory only on the frontend you can just set up your LDAP settings and then tell your frontend Login widget to only use the LDAP provider (by default it's named "LdapUsers") from its Advanced section - see image for reference.
If you have configured the STS, you might need to disable it, since it is used mostly when you would like to achieve Windows authentication (Single Sign On) by using the user's Windows credentials when he accesses any part of the backend (~/Sitefinity/someurl). You can disable this if you do not want your users to automatically authenticate in the backend. The authentication on the frontend will still work with the AD users since it works separately from the backend one.
This way you can achieve AD authentication on the frontend, while using the Default Sitefinity provider for the backend login.
Regards,
Nikola Zagorchev
Telerik
Nikola, isn't your method forcing the administrator to have their users log in manually? I think what Jonathan is asking is exactly what we are trying to implement. We would like to utilize Windows SSO on the front end without having to associate roles with specific CNs in our Active Directory. Is this possible?
Hi
By default, the users from the LDAP will be frontend users only, since they will not have any roles mapped or ability to access the backend of Sitefinity. If you have the provider in place and the STS configured, you should be able to log in with the Windows identity.
Regards,
Nikola Zagorchev
Telerik
Greetings,
I am new to Sitefinity. In my company all of our users are in AD, and our IT policy is to implement SSO with Windows Authentication for all the implemented systems.
Therefore I need to implement SSO with Windows authentication. I have followed the documentation and I managed to make it work for the backend with SSO.
However, I need to implement it for the frontend as well, but when I added the Login widget and set its provider to LdapUsers, it authenticates the users but they have to supply their credentials; SSO doesn't work like it does for the backend login. We need the website to recognize the users automatically (SSO) without them pressing anything or providing their credentials.
So, any help on how to do that?
Thanks in advance.