
Sitefinity 5.x Claims Code Authentication (NOT User Interactive Authentication).

12 posts, 1 answered
  1. Ronnie
    31 posts
    Registered: 20 Jul 2011
    30 Jul 2012

    Hello community,

    This is the story: we used to authenticate users automatically using the previous 4.x API authentication (Forms): Telerik.Sitefinity.Security.SecurityManager.AuthenticateUser(someUser, SomePass);

    Now I've gone through this really good sample:
    http://blog.falafel.com/Blogs/noel-rice/2012/03/28/using-sitefinity-5-claims-authentication
    At the end I have a token, but I cannot get further requests authenticated.

    Where do I need to persist the Token so Sitefinity recognizes all later requests as authenticated?

    How can I sign the request?  I tried adding a Global.asax file with this method but no luck:

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated)
        {
            if (!string.IsNullOrEmpty(_authenticationToken))
            {
                Request.Headers.Add("WRAP access_token", _authenticationToken);
            }
        }
    }

    There is also a Telerik.Sitefinity.Security.SecurityManager.AuthenticateRequest() method, but I'm not sure if this is intended to work with Claims Authentication.

    Thanks for your help.

  2. Boyko Karadzhov
    51 posts
    Registered: 24 Sep 2012
    02 Aug 2012
    Hello,

    You should put the whole response of the STS as a query string to your next request. Sitefinity will persist authentication cookies with a redirect to the same URL without the query string. After that every request is authenticated.

    I recommend using SitefinityClaimsAuthenticationModule.GetIssuer() to get the STS URL.

    Regards,
    Boyko Karadzhov
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
    Answered
  3. Ronnie
    31 posts
    Registered: 20 Jul 2011
    03 Aug 2012
    Thanks for your explanation:
    "You should put the whole response of the STS as a query string to your next request. Sitefinity will persist authentication"
    This was the missing information I couldn't find.
    Thanks again.
  4. Ronnie
    31 posts
    Registered: 20 Jul 2011
    09 Aug 2012
    Hi
    Now I have problems with Claims SignOut.
    I'm doing this:

    var signoutmsg = SitefinityClaimsAuthenticationModule.Current.CreateSignOutRequest();
    HttpWebRequest signoutRequest = (HttpWebRequest)HttpWebRequest.Create(signoutmsg.RequestUrl);
    HttpWebResponse issuerResponse = (HttpWebResponse)signoutRequest.GetResponse();
    if (issuerResponse.StatusCode != HttpStatusCode.OK)
    {
        throw new System.ApplicationException("Claims Logout failed.");
    }

    It returns OK but ..
    I have a set of secure pages that explicitly deny access to anonymous users.
    After the signout I can still navigate to secure pages as if my session/token were still valid.

    What is the proper way of logging out programmatically?
    Thanks for your help.

  5. Boyko Karadzhov
    51 posts
    Registered: 24 Sep 2012
    13 Aug 2012
    Hi,

    SitefinityClaimsAuthenticationModule.Current.CreateSignOutRequest() creates a request for signing out from the issuer. That is, if the user has checked "remember me", the issuer will forget the user after this request. Sitefinity's session is independent of this.

    To logout from Sitefinity go to ~/Sitefinity/SignOut?sts_signout=true&return_url= ...
    sts_signout=true tells Sitefinity to make this SignOutRequest to make the STS forget the user. If it is set to false, then on the next login redirect a new security token might be seamlessly issued without asking for credentials.

    This is the same URL that is currently on the "Logout" link in the backend.

    Greetings,
    Boyko Karadzhov
    the Telerik team
  6. Ronnie
    31 posts
    Registered: 20 Jul 2011
    13 Aug 2012

    Hi,

    I was doing a HTTP GET to this address: "http://localhost/MyClaimsApp3/Sitefinity/Authenticate/SWT?sign_out=true&realm=http%3a%2f%2flocalhost%2fMyClaimsApp3%2f&redirect_uri="

    Then I switched to your recommended URL: "~/Sitefinity/SignOut?sts_signout=true&return_url="

    But still no luck....  I was able to navigate back to my secure pages.

    In the end, the Sitefinity Support Team told me to add a call to:
    ClaimsManager.Logout();
    And that did the trick.
    Doing both things really signs out the user.

    Thanks again for your help...

  7. Bill
    26 posts
    Registered: 18 Jul 2012
    01 Nov 2012
    Trying to do something similar, and I have a deprecated attribute on the .Current of SitefinityClaimsAuthenticationModule in the 5.2 release.

    I tried:

    var sor = (new SitefinityClaimsAuthenticationModule()).CreateSignOutRequest(HttpContext.Current.Request.ApplicationPath);

    and I get an exception "System.InvalidOperationException: ID1047" with no additional detail or inner exception.

    What is the correct way to get the current claims module instance?  The obsolete message just says that it is "no longer needed" with no indication of what replaces it.
  8. Boyan Barnev
    1413 posts
    Registered: 24 Sep 2012
    05 Nov 2012
    Hi all,

    With the latest implementation we have in 5.2, SecurityManager.AuthenticateUser and SecurityManager.Logout should provide the necessary functionality for logging users in and out programmatically, without the need for making requests to the STS manually - this logic has already been handled internally.

    Please do not hesitate to let us know if you observe a particular use case scenario where this does not work as expected, so we can inspect it in further detail.

    All the best,
    Boyan Barnev
    the Telerik team
  9. Bill
    26 posts
    Registered: 18 Jul 2012
    05 Nov 2012 in reply to Boyan Barnev
    As before, this seems to only work if the user did not select the "remember me on this computer" option.  It deletes everything except the .ASPXAUTH cookie that gets created when that is checked.

    How do we get them logged all the way off without the service request?

    Also, the session does not seem to get cleared/reset.  Is that expected behavior?

    UPDATE:
    Also, when I log in in code, my HttpContext.Current.User.Identity goes from being a:
    Microsoft.IdentityModel.Claims.ClaimsIdentity

    to a :
    Telerik.Sitefinity.Security.UserIdentity

    which I can cast to:
    Telerik.Sitefinity.Security.SitefinityIdentity

    and still find the claims, but that seems like it shouldn't be that way either.  I am using this version of authenticate user:

    public static UserLoggingReason AuthenticateUser(string membershipProviderName, string userName, bool persistent, out User user)
  10. Bill
    26 posts
    Registered: 18 Jul 2012
    26 Nov 2012 in reply to Bill
    I still haven't found a way around this - anybody?
  11. Boyan Barnev
    1413 posts
    Registered: 24 Sep 2012
    30 Nov 2012
    Hello Bill,

    Can you please outline in detail the exact steps you're taking so we can try to reproduce the problem locally?

    Please note that when clicking Remember me, a Forms authentication cookie will indeed be persisted, but when using SecurityManager.Logout() a separate call to the STS is made explicitly to remove this cookie as well.

    The only case when this cookie does not get deleted is if you have set up SSO, for which we need the cookie present all the time.

    All the best,
    Boyan Barnev
    the Telerik team
  12. Bill
    26 posts
    Registered: 18 Jul 2012
    30 Nov 2012 in reply to Boyan Barnev
    You come from the non-Sitefinity part of the site, and we used to just translate your formsauth, but now we sign you in like this:

            public override void Authenticate(string userName, bool persist)
            {
                User u = new User();
                var x = SecurityManager.AuthenticateUser("EIM", userName, persist, out u);
            }



    When you leave, we log you out like this:

                if (context == null)
                    context = HttpContext.Current;

                if (context == null)
                    throw new Exception("Unable to get context for logout");

                context.Session.Clear();
                context.Session.Abandon();
                var cookiename = ((SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState")).CookieName;
                context.Response.Cookies.Add(new HttpCookie(cookiename, ""));

                var temp = GetCurrentIdentity();
                if (string.IsNullOrWhiteSpace(temp.UserName) || string.IsNullOrWhiteSpace(temp.ProviderName))
                {
                }
                else
                {
                    SecurityManager.Logout(temp.ProviderName, temp.UserName);
                    ClaimsManager.Logout();
                }

                var so = SitefinityClaimsAuthenticationModule.Current.CreateSignOutRequest(redirectUrl);
                context.Response.Redirect(so.RequestUrl, false);
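
An added example, not code from any poster or from Sitefinity: a C# check for the symptom described in this thread, where sign-out leaves the .ASPXAUTH cookie behind after a "remember me" login. It compares the cookies held before sign-out with the Set-Cookie headers the sign-out responses returned; the cookie list, the header values and the name ExampleClaimsCookie are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;

static class SignOutCookieCheck
{
    // True when a Set-Cookie value strips the cookie: empty value, Max-Age <= 0, or a past Expires.
    static bool Clears(string setCookie, DateTime nowUtc, out string name)
    {
        var parts = setCookie.Split(';').Select(p => p.Trim()).ToArray();
        int eq = parts[0].IndexOf('=');
        name = eq < 0 ? parts[0] : parts[0].Substring(0, eq);
        string value = eq < 0 ? "" : parts[0].Substring(eq + 1);
        bool cleared = value.Length == 0;
        foreach (var attr in parts.Skip(1))
        {
            int i = attr.IndexOf('=');
            if (i < 0) continue; // flag attributes such as HttpOnly or Secure
            string key = attr.Substring(0, i).Trim(), val = attr.Substring(i + 1).Trim();
            if (key.Equals("max-age", StringComparison.OrdinalIgnoreCase)
                && int.TryParse(val, out int age) && age <= 0) cleared = true;
            if (key.Equals("expires", StringComparison.OrdinalIgnoreCase)
                && DateTime.TryParse(val, CultureInfo.InvariantCulture,
                       DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal, out DateTime exp)
                && exp <= nowUtc) cleared = true;
        }
        return cleared;
    }
    // Cookies the browser held before sign-out that no sign-out response cleared.
    public static List<string> Survivors(IEnumerable<string> before,
                                         IEnumerable<string> setCookieHeaders, DateTime nowUtc)
    {
        var cleared = new HashSet<string>(StringComparer.Ordinal);
        foreach (var h in setCookieHeaders)
            if (Clears(h, nowUtc, out string n)) cleared.Add(n);
        return before.Where(c => !cleared.Contains(c)).ToList();
    }
    static void Main()
    {
        // Constructed sample: cookie names held after a "remember me" login.
        var before = new[] { ".ASPXAUTH", "ASP.NET_SessionId", "ExampleClaimsCookie" };
        // Constructed sample: Set-Cookie headers collected from the sign-out responses.
        var headers = new[] {
            "ASP.NET_SessionId=; path=/; HttpOnly",
            "ExampleClaimsCookie=; expires=Tue, 12 Oct 1999 00:00:00 GMT; path=/; HttpOnly",
        };
        var left = Survivors(before, headers, DateTime.UtcNow);
        Console.WriteLine("still set after sign-out: " + string.Join(", ", left));
    }
}
```

Any authentication cookie it reports is one the browser will keep sending, so a request to a protected page made with that cookie jar should then be checked for a redirect to login rather than a 200.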