Single Sign-On

Posted by Community Admin on 03-Aug-2018 16:41

All Replies

Posted by Community Admin on 08-Jan-2011 00:00

Hello,

We are currently working on an implementation of Sitefinity (purchased current version but working with the 4.0 version). One of our requirements is that we be able to restrict the viewing of some of the content to faculty and staff at our University. I understand how to do that with the built-in security, however we need to implement an external single sign-on system.

The way our external sign-on system works is that the user is directed to an external login site. Once they authenticate, they are redirected back to our site with a secure token and an HTTP module does the work to decrypt the token and get the identity of the person.

I'm trying to determine the best way to implement this within Sitefinity. It's not clear that we can simply build a custom membership module as the documentation explains since we don't have access to anything like a list of users or anything. All we get is the identity of the person as a trusted employee since they authenticated.

I was considering the possibility of using the built-in security and when I get the identity of the person, simply checking if they have a user account and if not, create one via the API.

On to the questions:

Is there a way to override the default login screen and have the users directed to the external login page instead when it detects that the user needs to login? I found some reference to single sign-on for version 3.x in the forums, but not for 4.0. The way our HTTP module works is that a "login processing" page within the application would be marked as requiring authentication by our external HTTP module. When the page is accessed, the module intercepts the call and redirects them to the external site. After logging in, they are returned to the "same page" with the token and then that page would process their login to the Sitefinity application.

Any recommendation or resources on how to accomplish this?

How many users can the default "out of the box" security handle?  I suspect that over time we will have tens of thousands of users, which I'm assuming will scale just fine.

Thanks,
Chris

Posted by Community Admin on 19-Jan-2011 00:00

Hi Christopher,

You can change the login url via configuration: /SecurityConfig/Permissions["Backend"]/LoginUrl and /SecurityConfig/Permissions["Backend"]/AjaxLoginUrl

The AjaxLoginUrl should automatically close (e.g. window.close() in JavaScript) when login is successful.

Your plan is feasible - when you get enough information to judge that a user can login, create a Sitefinity user and log him/her in. To "login" a user, you will need something like

User sitefinityUser;
string providerName = null; // using default provider
bool rememberMe = true;
UserLoggingReason result = SecurityManager.AuthenticateUser(providerName, "user name", "password", rememberMe, out sitefinityUser);
bool authenticated = result == UserLoggingReason.Success;

To "logout" a user, you will need

SecurityManager.Logout("provider name or null for default", "user name");

While not directly applicable to Sitefinity, you might find this blog about OpenID integration with ASP.NET helpful.

As far as max users go, we are limited by OpenAccess. In certain cases, it builds "Contains" statements using recursion (e.g. 'is user part of that role'), which is limited by stack size (usually 1MB). A few thousand should work, but we haven't determined an exact limit. I have personally tested with 2 thousand users and the system worked without any slow-down or a problem when developing part of the UI for managing users/roles, but things might have changed since. If you encounter any problems due to max limit reached, please tell us so that we might think of a work-around.

Greetings,
Dido
the Telerik team
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug is fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
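
Added example, not part of the reply above and not Telerik code: a sketch of the "create the account on first visit, then log in" plan when the login call demands a password, as SecurityManager.AuthenticateUser does. ILocalAccounts, MemoryAccounts and SsoBridge are hypothetical names; Authenticate stands in for the AuthenticateUser call, and deriving the password with an HMAC under a server-side key is an assumption of this example, chosen so that no account gets a constant or guessable password.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Hypothetical abstraction over the CMS user store; not a Sitefinity type.
interface ILocalAccounts
{
    bool Exists(string userName);
    void Create(string userName, string password);
    bool Authenticate(string userName, string password);
}
// In-memory stand-in so the example runs without the CMS (a real store hashes passwords).
class MemoryAccounts : ILocalAccounts
{
    private readonly Dictionary<string, string> users = new Dictionary<string, string>();
    public bool Exists(string u) { return users.ContainsKey(u); }
    public void Create(string u, string p) { users.Add(u, p); }
    public bool Authenticate(string u, string p) { string s; return users.TryGetValue(u, out s) && s == p; }
}

static class SsoBridge
{
    // Per-user password = HMAC-SHA256(server key, user name): never typed by
    // anyone, and not derivable from the user name without the key.
    static string DerivePassword(byte[] key, string userName)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(userName)));
    }

    // identity: the value the external HTTP module produced after decrypting the token.
    internal static bool SignIn(ILocalAccounts accounts, byte[] key, string identity)
    {
        if (string.IsNullOrWhiteSpace(identity)) return false; // no identity, no session
        string userName = identity.Trim().ToLowerInvariant();  // one account per person
        string password = DerivePassword(key, userName);
        if (!accounts.Exists(userName)) accounts.Create(userName, password);
        return accounts.Authenticate(userName, password);
    }
    static void Main()
    {
        var key = new byte[32]; // demo key; a deployment loads one fixed secret from protected config
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        var store = new MemoryAccounts();
        Console.WriteLine(SignIn(store, key, "CSmith@example.edu")); // constructed identity, first visit
        Console.WriteLine(SignIn(store, key, "csmith@example.edu")); // same account, different casing
        Console.WriteLine(SignIn(store, key, "  "));                 // empty identity is rejected
    }
}
```

The key has to stay the same across restarts and servers, otherwise existing accounts can no longer be logged in; anyone who obtains it can compute every derived password, so it belongs with the other application secrets.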

Posted by Community Admin on 20-Jan-2011 00:00

Thanks for this information, I'll dig in and see how it goes.  With regards to the maximum number of users, I am thinking that we will eventually have about 10,000 (we have 30,000 employees and perhaps 1/3 will visit the site).  I can do some testing to see how it goes, but I was wondering how this plays out with the Telerik site.  I believe the Telerik site is driven by Sitefinity and I would imagine that you have many more than 2,000 users.  Does the Telerik site use the standard Sitefinity security or perhaps a custom security provider was built?

Just curious as I think about how to proceed....

Thanks,
Chris

Posted by Community Admin on 20-Jan-2011 00:00

Hello,

The backend of Telerik.com uses Sitefinity, the clients section is a custom implementation.

Kind regards,
Ivan Dimitrov
the Telerik team


This thread is closed