Backend SSO for Windows users

7 posts, 0 answered
  1. Bil
    51 posts
    Registered: 27 Aug 2012
    07 May 2015

    Hi guys,

    We've been reading through the various security documents and it's not clear to me how to configure security on Azure.

    For internal users (those on our network) we want them to access the backend area using their domain accounts (through ADFS or something, we have federation in the cloud already). When you set up Sitefinity it's username/password based, yet it looks like when I go into the User Authentication section in settings it has already selected Claims based authentication.

    It's not clear to me how to set up SSO for users visiting the site from our network when it's running in Azure. Is this even supported? All of the SSO/security documentation I see talks about an STS site but these are websites, not cloud services. We have the site up and running on Azure but I'm not seeing how to change the authentication to SSO for domain users.

    Thanks

  2. Junior Dominguez
    115 posts
    Registered: 23 Sep 2016
    12 May 2015

    Hi Bil,

    The steps should be the same. Please refer to the following documentation for more details:

    http://docs.sitefinity.com/administration-set-up-sso-with-windows-authentication

    Best Regards,
    Junior Dominguez
    Telerik
     
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Sitefinity CMS Ideas&Feedback Portal and vote to affect the priority of the items
     
  3. Bil
    51 posts
    Registered: 27 Aug 2012
    13 May 2015 in reply to Junior Dominguez

    Junior,

    Please explain to me how an Azure cloud service (and the associated Sitefinity app) will recognize users. It can't. This document only works for on-prem installs in your own domain. You can't use Windows Authentication with an Azure site; it has to use ADFS (or something similar) in order to recognize users, kick off the appropriate token exchange, etc. to identify a user. So these documents are fine for on-prem but useless for Azure deployments, unless I'm reading them wrong.

    Thanks

  4. Junior Dominguez
    115 posts
    Registered: 23 Sep 2016
    15 May 2015

    Hi Bil,

    We do support ADFS with Sitefinity’s STS application. It could be on Azure, Amazon or another place since this is not something specific to the cloud. ADFS is a standardized type of authentication.

    3 components are necessary:

    1. Sitefinity
    2. ADFS server that issues tokens
    3. Sitefinity STS

    Sitefinity is not able to read ADFS directly and vice versa, because we have our own tokens (even registering them in ADFS, they are not translated correctly back inside Sitefinity). This is why they need to use the STS application as a bridge that reads the tokens from ADFS and then passes them to Sitefinity.

    Best,
    Junior Dominguez
    Telerik
     
     
  5. Bil
    51 posts
    Registered: 27 Aug 2012
    15 May 2015 in reply to Junior Dominguez

    Thanks for the info. I'll look at the STS application. Still not sure based on the existing documentation how this works in Azure with ADFS, as the docs seem to be focused on Windows Authentication and have documentation examples for Facebook and Google+, but not sure how this will work with ADFS and Azure.
  6. Jared
    122 posts
    Registered: 04 Apr 2013
    03 Jun 2015 in reply to Junior Dominguez

    I am looking for some documentation for ADFS Integration. Can you direct me to the location of this?
  7. Atanas Valchev
    414 posts
    Registered: 04 Jan 2016
    08 Jun 2015

    Hello,

    Here are the configuration steps that are needed for the general setup using the standard ADFS for Windows.

        

    ADFS

    1. The STS URL has to be registered in ADFS.

    SitefinityWebApp

    1. Inside AppSettings, add the <relyingParties> security key that you can get from SecurityConfig.config:

        <appSettings>
          <add key="https://sitefinitysite/" value="52ACD69BD85C96F08C74762ED247A4AAFD2174E6B3E7F700630C2DAC5E169D21" />
        </appSettings>

    2. Modify the <microsoft.identityModel> section:

        <microsoft.identityModel>
          <service>
            <claimsAuthenticationManager type="Telerik.Sitefinity.Security.Claims.SFClaimsAuthenticationManager, Telerik.Sitefinity" />
            <securityTokenHandlers>
              <add type="Telerik.Sitefinity.Security.Claims.SWT.SWTSecurityTokenHandler, Telerik.Sitefinity" />
            </securityTokenHandlers>
            <audienceUris mode="Never">
            </audienceUris>
            <federatedAuthentication>
              <wsFederation passiveRedirectEnabled="true" issuer="https://stsapplication/mysts.ashx" realm="https://sitefinitysite" requireHttps="false" />
              <cookieHandler requireSsl="false" />
            </federatedAuthentication>
            <issuerNameRegistry type="Telerik.Sitefinity.Security.Claims.CustomIssuerNameRegistry, Telerik.Sitefinity">
              <trustedIssuers>
              </trustedIssuers>
            </issuerNameRegistry>
            <issuerTokenResolver type="Telerik.Sitefinity.Security.Claims.SWT.WrapIssuerTokenResolver, Telerik.Sitefinity" />
          </service>
        </microsoft.identityModel>

     

    3. Change request limits based on this article:

    http://docs.sitefinity.com/administration-set-up-sso-with-windows-authentication

     

     

    STS application configuration

    1. Add the <relyingParties> security key:

        <appSettings>
          <add key="https://sitefinitywebsite/" value="52ACD69BD85C96F08C74762ED247A4AAFD2174E6B3E7F700630C2DAC5E169D21" />

          <!-- ADFS related keys -->
          <add key="ida:FederationMetadataLocation" value="https://fs.youradfs.com/FederationMetadata/2007-06/FederationMetadata.xml" />
          <add key="ida:Issuer" value="https://fs.youradfs.com/adfs/ls/" />
          <add key="ida:ProviderSelection" value="productionSTS" />
        </appSettings>

     

     

    2. Add the FederationMetadata location:

        <location path="FederationMetadata">
          <system.web>
            <authorization>
              <allow users="*" />
            </authorization>
          </system.web>
        </location>

     

     

    3. Add the following configurations in the web.config:

        <system.identityModel>
          <identityConfiguration>
            <!--Set website and sts hosts-->
            <audienceUris>
              <add value="https://sitefintiywebapp/" />
            </audienceUris>
            <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
              <authority name="http://fs.youradfs.com/adfs/services/trust">
                <keys>
                  <add thumbprint="6A9494A7D1C15ADB3868A34F9386F322243B15BA" />
                </keys>
                <validIssuers>
                  <add name="http://fs.youradfs.com/adfs/services/trust" />
                </validIssuers>
              </authority>
            </issuerNameRegistry>
            <!--certificateValidationMode set to "None" by the Identity and Access Tool for Visual Studio. For development purposes.-->
            <certificateValidation certificateValidationMode="None" />
          </identityConfiguration>
        </system.identityModel>
        <system.identityModel.services>
          <federationConfiguration>
            <cookieHandler requireSsl="false" />
            <!--set realm to sts host-->
            <wsFederation passiveRedirectEnabled="true" issuer="https://fs.youradfs.com/adfs/ls/" realm="https://sitefintiywebapp" requireHttps="false" />
          </federationConfiguration>
        </system.identityModel.services>

     

    4. Add FederationMetadata.xml under:

    https://yoursts/FederationMetadata/2007-06/FederationMetadata.xml

     

    5. In STS/SimpleWebTokenHandler.cs, comment out the following lines:

        var winPrincipal = context.User as WindowsPrincipal;
        if (winPrincipal == null || !winPrincipal.Identity.IsAuthenticated)
            throw new ConfigurationException("This web site is not correctly configured for Windows authentication.");




    Regards,
    Author nickname
    Telerik
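
Added example, not part of the original post and not Sitefinity or Telerik code: a small audit that reads a web.config and reports the transport and certificate settings that the configuration above leaves at development values (`requireHttps`, `requireSsl`, `certificateValidationMode`), plus URL values damaged by stray whitespace. The function name, the sample fragments and the hardened values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# element -> (attribute, weak value, consequence); names are those used in the post
WEAK = {
    "wsFederation": ("requireHttps", "false", "redirect to a non-HTTPS STS URL is allowed"),
    "cookieHandler": ("requireSsl", "false", "session cookie lacks the Secure flag"),
    "certificateValidation": ("certificateValidationMode", "none",
                              "certificates on incoming tokens are not validated"),
}
URL_ATTRS = ("issuer", "realm", "value", "name")  # attributes holding URLs in the post

def audit_federation_config(xml_text):
    """Return (element, attribute, problem) tuples in document order."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        rule = WEAK.get(elem.tag)
        if rule and elem.get(rule[0], "").strip().lower() == rule[1]:
            findings.append((elem.tag, rule[0], rule[2]))
        for attr in URL_ATTRS:
            val = elem.get(attr, "")
            if val.lstrip().lower().startswith("http") and any(c.isspace() for c in val):
                findings.append((elem.tag, attr, "URL contains whitespace"))
    return findings

# Constructed sample: weak values mirror the post; the whitespace in realm is a
# constructed copy-paste error of the kind the second check is meant to catch.
AS_POSTED = """<configuration>
  <microsoft.identityModel><service><federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="https://stsapplication/mysts.ashx"
                  realm="https:// sitefinitysite " requireHttps="false" />
    <cookieHandler requireSsl="false" />
  </federatedAuthentication></service></microsoft.identityModel>
  <system.identityModel><identityConfiguration>
    <certificateValidation certificateValidationMode="None" />
  </identityConfiguration></system.identityModel>
</configuration>"""

# Constructed sample: production values chosen here as an assumption, not from the post.
HARDENED = (AS_POSTED.replace('requireHttps="false"', 'requireHttps="true"')
            .replace('requireSsl="false"', 'requireSsl="true"')
            .replace('"None"', '"ChainTrust"')
            .replace('"https:// sitefinitysite "', '"https://sitefinitysite"'))

if __name__ == "__main__":
    for tag, attr, problem in audit_federation_config(AS_POSTED):
        print(f"{tag}/@{attr}: {problem}")
```

Run it against both the Sitefinity web.config and the STS web.config, since the post sets `requireSsl` and `requireHttps` in each.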
     
     
