[Solved] Problem with Custom SSO

Posted by C Kiraly on 23-Mar-2020 16:57

Greetings All - 

Let me go through the prelims...
Sitefinity 12.0 / Custom SSO (Non-OAuth & Non-OpenID)

Created a custom C# control and placed on a new page (/login-landing-page) that has the following code in page_load:

    protected void Page_Load(object sender, EventArgs e)
    {
        if (ClaimsManager.GetCurrentIdentity().IsAuthenticated)
        {
            SitefinityIdentity identity = ClaimsManager.GetCurrentIdentity();
            //Response.Redirect(ConfigurationManager.AppSettings["SSOAuthRedirect"]);
        }
        else
        {
            string token = Request.QueryString["isgtoken"];

            if (string.IsNullOrEmpty(token))
            {
                //Response.Redirect(ConfigurationManager.AppSettings["SSONoToken"]);
            }
            else
            {
                if (!Page.IsPostBack)
                {
                    ProcessToken(token);
                }
            }
        }
    }

In basic - the landing page runs ClaimsManager.GetCurrentIdentity().IsAuthenticated to check if the user is authenticated - if so, it would redirect to the SSO User Account page (portal subdomain), if not, it would check the url for a specific query string, process said information, and then authenticate the user based on the processed information... I know it's not a ton of info - but the point on that is that THAT ALL WORKS.

The problem I'm having is if I go to the SSO User Account page, and then come back to the Sitefinity site, it doesn't see the user logged in.  If I manually go to the login-landing-page, with no query string in the url, it tries the ClaimsManager.GetCurrentIdentity().IsAuthenticated and comes back false.  If I enter the query string (copy and pasted) [isgToken is the parameter - so the url looks like site.org/login-landing-page?isgToken=value], even with a non-valid token, when the landing page loads and processes ClaimsManager.GetCurrentIdentity().IsAuthenticated it comes back as true and would then 'redirect' to the wanted page, showing the user as logged in...

So long as I stay on the Sitefinity site, it sees the user just fine.  When I go to any of the sso pages (portal.site.org/whatever) and then come back to sitefinity pages, it stops seeing the user authenticated unless I go to the landing page again...

I'm not sure if it's a cookie issue, or what, or if I've missed a setting from Dev to Live that I'm having an issue with, or if this is a Sitefinity setting or something on the SSO side... I've been looking at this for days, and just need another opinion on what some possible solutions could be...

Thanks in advance for any help!

All Replies

Posted by jread on 23-Mar-2020 21:38

Instead of a full custom widget you may consider using a custom authentication provider as outlined here: www.progress.com/.../customize-authentication

Also, it looks like the code you are executing is using WebForms; since you are using v12.x, you may also consider using MVC widgets rather than Web Forms.

Posted by C Kiraly on 02-Apr-2020 14:47

Firstly, the SSO isn't doing anything that can be done through the customize-authentication, so the control was the best solution in a pinch.

Second, this issue specifically had to do with www.  If the user went to webpage.com, signed in to the sso, and was then coming back to www.webpage.com, Sitefinity wouldn't see 2 different sessions.  

Just modified the web.config to force all non-www pages to redirect to www. pages.

This thread is closed
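
The fix described in the last reply, sketched as an IIS URL Rewrite rule. This is an added example, not the poster's actual web.config. It assumes the IIS URL Rewrite module is installed and that the site is served over HTTPS; `webpage.com` is the placeholder host used in the post.

```xml
<!-- Merge the <rewrite> section into the existing web.config; do not replace the file. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Send every request for the bare host to the www host, so the
             login landing page and all later page views share one origin
             and therefore one set of authentication cookies. -->
        <rule name="Canonical host: non-www to www" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <!-- Match only the exact bare host. Other subdomains, such as
                 the SSO portal, are left alone. -->
            <add input="{HTTP_HOST}" pattern="^webpage\.com$" />
          </conditions>
          <!-- The target host is a literal, not rebuilt from {HTTP_HOST},
               so a forged Host header cannot choose the redirect target.
               appendQueryString keeps the isgtoken parameter intact when
               the SSO sends the user back to the bare host. -->
          <action type="Redirect"
                  url="https://www.webpage.com/{R:1}"
                  redirectType="Permanent"
                  appendQueryString="true" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

To check it, request a page on the bare host and confirm the response is a 301 whose Location header points at the same path and query string on the www host.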