Single Sign On and the Sitefinity STS project

Posted by Community Admin on 04-Aug-2018 18:22


Posted by Community Admin on 03-Feb-2014 00:00

Hi

I have a site that has two sets of users, the client's employees, and external users who are invited to use this new system. The requirement is to use Windows Authentication for the employees, and a login form taking credentials for the external users to log them into the Sitefinity system, so using the default Membership provider.

I have got the Windows authentication going quite well via the Sitefinity STS project and setting up a single sign on solution, and using the LDAP membership provider. Debugging through the STS project, it appears to me that the crucial piece of information is the user's name.

When I alter the code to try and send down a username for a user that exists in the default membership provider, nothing works. I get 403 Forbidden on every page on the site, including ones that are available to everyone, such as the login page. It almost seems like the user doesn't exist at all.

My plan (for background) is to set up the Windows Auth STS to redirect if the user is not authenticated like this:

    if (winPrincipal != null && !winPrincipal.Identity.IsAuthenticated)
    {
        context.Response.Redirect("/agencyloginapplication/login.aspx?" + context.Request.QueryString);
        // throw new ConfigurationException("This web site is not correctly configured for Windows authentication."); // this is the original line
    }

This will redirect them to a different application which will be a modification of the STS code except it will check the username and password against a custom webservice which will internally call VerifyUser() on the UserManager class. If that succeeds (which is an area of uncertainty with me at the moment), the application will generate a token to pass back. The idea being that a user comes to the home page of the site, and will be signed in automatically if they are an employee on the network, and a login page if they are not on the network.

So, after writing this, I have two questions. The first: why can't I pass back a username from the STS project which exists in the default membership provider to access the site? The second: now with the site using an external source of authentication, will I be able to use UserManager.VerifyUser() to check the credentials against the Sitefinity database?

Any help or suggestions gratefully received.

Cheers,

David Bigg

Posted by Community Admin on 04-Feb-2014 00:00

Hi

In answer to my question about the UserManager, and for future reference, the GetManager() method takes a string parameter providerName. So it looks like I can get a UserManager for the default provider and verify the user against that.

Cheers,
David

Posted by Community Admin on 06-Feb-2014 00:00

Hi

I think I have figured out why there was apparently no user whatsoever after sending down a username that was in the default membership provider. At least I think this is the problem. When setting up the SecurityTokenIssuer, you specify the MembershipProvider. Obviously when I was feeding the name back, it couldn't find it in the specified membership provider.

Recording this for posterity.
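The finding above, that the token issuer resolves the username against one configured membership provider and a name from any other provider looks like no user at all, modelled as an added example that is not code from the thread or from Sitefinity. Provider names, user sets and the signing key are constructed stand-ins; the real STS uses WIF tokens rather than this HMAC scheme.

```python
import hashlib
import hmac
import json

# Constructed sample stores standing in for the two providers in the thread:
# the LDAP provider for employees and the default provider for external users.
# Only usernames matter here; credential checks are left out on purpose.
PROVIDERS = {
    "LdapUsers": {"jsmith"},
    "Default": {"external.user"},
}
STS_KEY = b"constructed-shared-secret"  # assumed shared by the STS and the site


def find_user(provider_name, username):
    """Resolve a username against ONE named provider, as the issuer does."""
    return username if username in PROVIDERS.get(provider_name, set()) else None


def issue_token(issuer_provider, username):
    """STS side: issue a signed token only if the user exists in the issuer's provider.

    Returns None when the name is unknown to that provider, which is the
    situation the site later reports as 403 on every page.
    """
    if find_user(issuer_provider, username) is None:
        return None
    # The provider name travels in the token so the relying party knows where
    # to resolve the user, instead of assuming a single provider.
    claims = {"name": username, "provider": issuer_provider}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(STS_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig


def resolve_principal(token):
    """Relying-party side: check the signature, then look the user up in the
    provider named by the token. Returns None for a tampered token or an
    unknown user, so the caller can deny access."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    return find_user(claims["provider"], claims["name"])
```

An issuer bound to the LDAP provider refuses a default-provider name, while an issuer bound to the provider that actually holds the user produces a token the site can resolve.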

Posted by Community Admin on 06-Feb-2014 00:00

Hello,

I am glad to hear that you managed to resolve the problem. Thank you for sharing this information with the community.

Regards,
Stefani Tacheva
Telerik
