08 Jul 2015
04 Dec 2015
We are trying to create a new Sitefinity site (Kaplan Social) that will integrate with our Single Sign-On (SSO) system. This uses Microsoft’s Windows Identity Foundation. The process is:
Unauthenticated user visits a site and tries to access a protected page
User is redirected to our SSO
User validates, usually through username/password
If validation is successful, claims are created with details of pertinent attributes of the user, such as ID, email, etc.
Claims are signed and encrypted to form a SAML token (XML format)
User is redirected to the original site along with the token
Site recognises the token, extracts the claims and creates an authenticated user based on the claims
If more information about user is needed we can use an identity service
We want to use this service with Sitefinity and also need a way to authorise users: various groups of users will have access to different parts of the site, and within these sections they will need different permissions.
Sitefinity cannot directly use SAML tokens from an external STS (is this true?), so for these sites we convert the SAML to name-value pairs added to the query string, and we also add a hash of the name-value pairs. It's a standard SWT implementation.
Our first question is that this looks insecure: what prevents a spoof attack by a user who has created their own name-value pairs and hashed them?
Also, if a user's request is intercepted their details will be visible; TLS (such as SSL) won't prevent this, as it's the URL carrying the data.
Is multiple authentication mode supported in v8.x?
Secondly, how do we deal with the authorisation problem? Is there a preferred way to do this?
Do we need custom authorization for forum access?
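The following is an added illustration of the SWT mechanism the post describes; it is not code from the original post, from Kaplan, or from Sitefinity. In a Simple Web Token the trailing HMACSHA256 field is not a plain hash of the name-value pairs but an HMAC keyed with a secret that only the STS and the relying party hold, so a user who builds their own pairs and hashes them cannot produce a value the site will accept. The example issues a token, verifies it (signature, audience, expiry), shows a forged token with an unkeyed hash being rejected, and shows that the claims in the query string remain readable by anyone who sees the URL. The shared key, issuer, audience and claim names are constructed for the demo.

```python
"""Simple Web Token (SWT) issue/verify demo.

Assumptions (not taken from the post): the STS and the relying party share
a 256-bit symmetric key out of band; claim names, issuer and audience are
illustrative.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed demo key. Without this secret nobody can compute a valid
# HMACSHA256 value, which is what stops a user from "signing" their own claims.
SHARED_KEY = bytes.fromhex("0f" * 32)


def _std_pairs(claims, issuer, audience, expires_on):
    """Claims followed by the standard SWT fields, in the order they are signed."""
    return list(claims.items()) + [
        ("Issuer", issuer),
        ("Audience", audience),
        ("ExpiresOn", str(expires_on)),
    ]


def issue_swt(claims, issuer, audience, key, lifetime=300, now=None):
    """Form-encode the pairs, then append HMACSHA256 = base64(HMAC-SHA256(key, pairs))."""
    now = int(time.time()) if now is None else now
    unsigned = urlencode(_std_pairs(claims, issuer, audience, now + lifetime))
    mac = hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()
    return unsigned + "&" + urlencode({"HMACSHA256": base64.b64encode(mac).decode("ascii")})


def verify_swt(token, audience, key, now=None):
    """Return the claims if the token is authentic, unexpired and meant for this
    relying party; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    idx = token.rfind("&HMACSHA256=")
    if idx < 0:
        raise ValueError("token carries no HMACSHA256")
    unsigned, sig_field = token[:idx], token[idx + 1:]
    presented = dict(parse_qsl(sig_field, keep_blank_values=True)).get("HMACSHA256", "")
    expected = base64.b64encode(
        hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()
    ).decode("ascii")
    # Constant-time comparison: do not leak how many leading bytes matched.
    if not hmac.compare_digest(presented, expected):
        raise ValueError("HMACSHA256 does not match: forged or tampered token")
    claims = dict(parse_qsl(unsigned, keep_blank_values=True))
    if claims.get("Audience") != audience:
        raise ValueError("token was issued for another relying party")
    if int(claims.get("ExpiresOn", "0")) <= now:
        raise ValueError("token has expired")
    return claims


def is_valid(token, audience, key, now=None):
    """Boolean wrapper around verify_swt for quick checks."""
    try:
        verify_swt(token, audience, key, now=now)
        return True
    except ValueError:
        return False


def forge_swt_unkeyed(claims, issuer, audience, now):
    """What a user acting as their own STS can do: the same name=value pairs
    with a plain SHA-256 of the string where the keyed MAC should be."""
    unsigned = urlencode(_std_pairs(claims, issuer, audience, now + 300))
    digest = base64.b64encode(hashlib.sha256(unsigned.encode("utf-8")).digest()).decode("ascii")
    return unsigned + "&" + urlencode({"HMACSHA256": digest})


def claims_visible_without_key(token):
    """A SWT is signed, not encrypted: anyone who sees the URL (proxy logs,
    Referer headers, browser history) can read every claim."""
    return {k: v for k, v in parse_qsl(token, keep_blank_values=True) if k != "HMACSHA256"}


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the run is reproducible
    issuer, audience = "https://sso.example.test/", "https://social.example.test/"
    token = issue_swt({"UserId": "12345", "Email": "jane@example.com"}, issuer, audience, SHARED_KEY, now=now)
    print("issued:", token)
    print("valid:", is_valid(token, audience, SHARED_KEY, now=now))
    forged = forge_swt_unkeyed({"UserId": "1", "Role": "Admin"}, issuer, audience, now)
    print("forged accepted:", is_valid(forged, audience, SHARED_KEY, now=now))
    print("readable by anyone:", claims_visible_without_key(token))
```

The check that matters is the keyed MAC plus the Audience and ExpiresOn fields: the audience check stops a token minted for one site being replayed against another, and the expiry bounds how long a captured URL stays useful. Nothing here hides the claims themselves; if their visibility in the URL is a concern, the token needs to be carried somewhere other than the query string or the claims need to be encrypted before signing.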