Sitefinity 5.x Claims Code Authentication (NOT User Interactive Authentication).
Hello community,
This is the story: we used to authenticate users automatically using 4.x previous API authentication (Forms) Telerik.Sitefinity.Security.SecurityManager.AuthenticateUser ( someUser, SomePass );
Now I've gone through this really good sample:
http://blog.falafel.com/Blogs/noel-rice/2012/03/28/using-sitefinity-5-claims-authentication
At the end I have a token, but I cannot get further requests authenticated.
Where do I need to persist the Token so Sitefinity recognizes all later requests as authenticated?
How can I sign the request? I tried adding a Global.asax file with this method but no luck:
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    if (!Request.IsAuthenticated)
        if (!string.IsNullOrEmpty(_authenticationToken))
            Request.Headers.Add("WRAP access_token", _authenticationToken);
}
There is also a Telerik.Sitefinity.Security.SecurityManager.AuthenticateRequest() method, but I'm not sure if this is intended to work with Claims Authentication.
Thanks for your help.
Hello,
You should put the whole response of the STS as a query string to your next request. Sitefinity will persist authentication cookies with redirect to the same URL without the query string. After that every request is authenticated.
I recommend using SitefinityClaimsAuthenticationModule.GetIssuer() to get the STS URL.
Thanks for your explanation:
"You should put the whole response of the STS as a query string to your next request. Sitefinity will persist authentication"
This was the missing information I couldn't find.
Thanks again.
Hi
Now I have problems with Claims SignOut.
I'm doing this:
var signoutmsg = SitefinityClaimsAuthenticationModule.Current.CreateSignOutRequest();
HttpWebRequest signoutRequest = (HttpWebRequest)HttpWebRequest.Create(signoutmsg.RequestUrl);
HttpWebResponse issuerResponse = (HttpWebResponse)signoutRequest.GetResponse();
if (issuerResponse.StatusCode != HttpStatusCode.OK)
    throw new System.ApplicationException("Claims Logout failed.");
Hi,
SitefinityClaimsAuthenticationModule.Current.CreateSignOutRequest() creates a request for signing out from the issuer. That is, if the user has checked "remember me", the issuer will forget the user after this request. Sitefinity's session is independent of this.
To logout from Sitefinity go to ~/Sitefinity/SignOut?sts_signout=true&return_url= ...
sts_signout=true tells Sitefinity to make this SignOutRequest to make the STS forget the user. If it is set to false, then on the next login redirect a new security token might be seamlessly issued without asking for credentials.
This is the same URL that is currently on the "Logout" link in the backend.
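A way to build the sign-out URL described in the reply above, written as an added example and not code from the thread or from Telerik. SignOutHelper and its members are hypothetical names, and it assumes return_url accepts a site-relative path; the return target is limited to local paths because it is often taken from request input.

```csharp
using System;
using System.Web;

// Added example: SignOutHelper, IsLocalUrl, BuildSignOutUrl and SignOut are hypothetical names.
public static class SignOutHelper
{
    // Path and parameter names as quoted in the reply above.
    private const string SignOutPath = "~/Sitefinity/SignOut";

    // Accept only site-relative targets such as "/account/goodbye".
    // Absolute URLs, scheme-relative ("//host") and backslash ("/\host") forms are rejected.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        foreach (char c in url)
            if (char.IsControl(c)) return false;
        return true;
    }

    public static string BuildSignOutUrl(string returnUrl, bool stsSignOut)
    {
        // Assumption: fall back to the site root when the target is not local.
        if (!IsLocalUrl(returnUrl))
            returnUrl = VirtualPathUtility.ToAbsolute("~/");

        return VirtualPathUtility.ToAbsolute(SignOutPath)
            + "?sts_signout=" + (stsSignOut ? "true" : "false")
            + "&return_url=" + HttpUtility.UrlEncode(returnUrl);
    }

    public static void SignOut(HttpContext context, string returnUrl)
    {
        // sts_signout=true asks Sitefinity to also make the STS forget
        // a "remember me" login, as the reply explains.
        context.Response.Redirect(BuildSignOutUrl(returnUrl, true), false);
        context.ApplicationInstance.CompleteRequest();
    }
}
```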
Trying to do something similar, and I have a deprecated attribute on the .Current of SitefinityClaimsAuthenticationModule in the 5.2 release.
I tried:
var sor = (new SitefinityClaimsAuthenticationModule()).CreateSignOutRequest(HttpContext.Current.Request.ApplicationPath);
and I get an exception "System.InvalidOperationException: ID1047" with no additional detail or inner exception.
What is the correct way to get the current claims module instance? The obsolete message just says that it is "no longer needed" with no indication of what replaces it.
Hi all,
With the latest implementation we have in 5.2, SecurityManager.AuthenticateUser and SecurityManager.Logout should provide the necessary functionality for logging users in/out programmatically, without the need for making requests to the STS manually - this logic has already been handled internally.
Please do not hesitate to let us know if you observe a particular use case scenario where this does not work as expected, so we can inspect it in further detail.
All the best,
Boyan Barnev
the Telerik team
As before, this seems to only work if the user did not select the "remember me on this computer" option. It deletes everything except the .ASPXAUTH cookie that gets created when that is checked.
How do we get them logged all the way off without the service request?
Also, the session does not seem to get cleared/reset. Is that expected behavior?
UPDATE:
Also, when I log in in code my HttpContext.Current.User.Identity goes from being a:
Microsoft.IdentityModel.Claims.ClaimsIdentity
to a:
Telerik.Sitefinity.Security.UserIdentity
which I can cast to:
Telerik.Sitefinity.Security.SitefinityIdentity
and still find the claims, but that seems like it shouldn't be that way either. I am using this version of authenticate user:
public static UserLoggingReason AuthenticateUser(string membershipProviderName, string userName, bool persistent, out User user)
I still haven't found a way around this - anybody?
Hello Bill,
Can you please outline in detail the exact steps you're taking so we can try to reproduce the problem locally?
Please note that when clicking the Remember me, indeed a Forms authentication cookie will be persisted, but when using SecurityManager.Logout() a separate call to the STS is done explicitly for removing this cookie as well.
The only case when this cookie does not get deleted is if you have setup SSO, for which we need the cookie present all the time.
All the best,
Boyan Barnev
the Telerik team
You come from the non-Sitefinity part of the site and we used to just translate your formsauth, but now we sign you in like this:
public override void Authenticate(string userName, bool persist)
{
    User u = new User();
    var x = SecurityManager.AuthenticateUser("EIM", userName, persist, out u);
}
When you leave we log you out like this:
if (context == null)
    context = HttpContext.Current;
if (context == null)
    throw new Exception("Unable to get context for logout");
// Drop the server-side session and blank the session cookie
context.Session.Clear();
context.Session.Abandon();
var cookiename = ((SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState")).CookieName;
context.Response.Cookies.Add(new HttpCookie(cookiename, ""));
var temp = GetCurrentIdentity();
if (string.IsNullOrWhiteSpace(temp.UserName) || string.IsNullOrWhiteSpace(temp.ProviderName))
{
    // (body of this branch is not shown in the original post)
}
else
    SecurityManager.Logout(temp.ProviderName, temp.UserName);
ClaimsManager.Logout();
// Ask the issuer (STS) to sign the user out, then redirect there
var so = SitefinityClaimsAuthenticationModule.Current.CreateSignOutRequest(redirectUrl);
context.Response.Redirect(so.RequestUrl, false);