Is it possible to do a custom single sign on implementation?

4 posts, 0 answered
  1. Jamie
    25 posts
    Registered:
    07 Aug 2012
    04 Sep 2013
    I've spent a few days trying to get Sitefinity to work in an SSO environment (Azure ACS or Thinktecture) with little success. In frustration I tried to use brute force to implement SSO in the same manner as our custom ASP.NET MVC applications. I upgraded the project to .NET 4.5, added system.identityModel sections to web.config, created a custom ClaimsAuthenticationManager, and commented out the corresponding Telerik modules.

    And it works, sort of. I get redirected to my STS, log in, and it sends a SAML token back to Sitefinity. But at that point I get a 403. In the ClaimsAuthenticationManager I am trying to find the right combination of claims. This is what I have now:

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal != null && incomingPrincipal.Identity.IsAuthenticated)
        {
            var claimsIdentity = (ClaimsIdentity)incomingPrincipal.Identity;
            claimsIdentity.AddClaim(new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "jide"));
            claimsIdentity.AddClaim(new Claim("http://schemas.sitefinity.com/ws/2011/06/identity/claims/domain", "Default"));
            claimsIdentity.AddClaim(new Claim("http://schemas.sitefinity.com/ws/2011/06/identity/claims/role", "Administrators"));
        }
        return base.Authenticate(resourceName, incomingPrincipal);
    }

    Is this even possible? If so, what's the magic combination of claims?
  2. Stefani Tacheva
    718 posts
    Registered:
    06 Dec 2016
    05 Sep 2013
    Hi,

    In the future there will be an integration with the most popular public authentication providers. Please see the feature request in PITS on the following URL. Under the feature request there is a solution from a client. However, this scenario is not tested and supported by Sitefinity.

    Furthermore, you could review these articles:

    http://www.sitefinity.com/blogs/svetla-yankovas-blog/2013/05/28/single-sign-on-between-sitefinity-and-3rd-party-applications-part-1---the-basics

    http://www.sitefinity.com/blogs/svetlayankova/posts/svetla-yankovas-blog/2013/07/02/single-sign-on-between-sitefinity-and-3rd-party-applications-part-2-using-wif


    You could find a working sample at the following URL:

    https://github.com/Sitefinity/Sitefinity-External-STS-Integration


    Regards,
    Stefani Tacheva
    Telerik
  3. Patrick
    18 posts
    Registered:
    31 Mar 2015
    28 Apr 2015 in reply to Stefani Tacheva

    Hi Stefani.

    I have my Sitefinity app working with an external STS and I am now trying to see if I can add claims as shown in the Svetla blog you referred to. The blog says:

    Sitefinity actually has schemas for a couple of other claims we use internally and just for your information here you can see all their types:
    public const string TokenId = "http://schemas.sitefinity.com/ws/2011/06/identity/claims/tokenid";
    public const string UserId = "http://schemas.sitefinity.com/ws/2011/06/identity/claims/userid";

    ...

    public const string Role = "http://schemas.sitefinity.com/ws/2011/06/identity/claims/role";

    However, besides Name and Domain, which I already have in the token, and which allow me to log into the SF site, what other claims can I add that will show in SF? When I tried adding a Role, I got the error "FormatException: Guid should contain 32 digits with 4 dashes", which makes me wonder if it is possible at all to pass claims from my external IdP on to the SF app and be able to make use of them there.
  4. Stefani Tacheva
    718 posts
    Registered:
    06 Dec 2016
    30 Apr 2015
    Hi,

    Here is what the GetRoleInfo method looks like:

    protected virtual RoleInfo GetRoleInfo(string value)
    {
        var props = value.Split(';');
        return new RoleInfo()
        {
            Id = Guid.Parse(props[0]),
            Name = props[1],
            Provider = props[2]
        };
    }

    Most probably the error is coming at the last line Provider = props[2] as it expects that there will be a value for the provider in the string. Please add one when you are constructing the claim.

    Here is how Sitefinity builds the role claims out of the box for reference:

    public virtual Claim CreateRoleClaim(RoleInfo roleInfo)
    {
        var value = String.Concat(roleInfo.Id, ";", roleInfo.Name, ";", roleInfo.Provider);
        var issuer = this.GetClaimsIssuer();
        return new Claim(SitefinityClaimTypes.Role, value, ClaimValueTypes.String, issuer, issuer);
    }

    Next it adds this newly created Claim to the ClaimsCollection.

    Regards,
    Stefani Tacheva
    Telerik
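
Added example, not part of the original posts and not Sitefinity's own code: a ClaimsAuthenticationManager that builds role claims in the `Id;Name;Provider` layout shown in GetRoleInfo and CreateRoleClaim above, and only for roles that a trusted issuer asserted and that appear in an explicit allow-list, instead of adding a fixed role to every authenticated principal. The issuer URL, the `cms-editors` to `Editors` mapping, the `Default` provider name and the GUID are placeholders, and whether Sitefinity also checks the issuer of the role claim is not stated in the thread.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public class MappedRoleAuthenticationManager : ClaimsAuthenticationManager
{
    // Role claim type quoted in the thread.
    private const string SitefinityRole = "http://schemas.sitefinity.com/ws/2011/06/identity/claims/role";
    // Assumption: issuer name of the trusted STS (placeholder value).
    private const string TrustedIssuer = "https://sts.example.test/";
    // Assumption: allow-list from IdP role name to Sitefinity role (Id, Name, Provider).
    // The GUID is a placeholder; use the Id of the role as it exists in your own site.
    private static readonly Dictionary<string, Tuple<Guid, string, string>> RoleMap =
        new Dictionary<string, Tuple<Guid, string, string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "cms-editors", Tuple.Create(Guid.Parse("00000000-0000-0000-0000-000000000001"), "Editors", "Default") }
        };

    // Serializes a role as "Id;Name;Provider", the layout GetRoleInfo splits on ';'.
    public static string FormatRoleValue(Guid id, string name, string provider)
    {
        if (id == Guid.Empty) throw new ArgumentException("Role id is required.", "id");
        foreach (var part in new[] { name, provider })
            if (string.IsNullOrWhiteSpace(part) || part.Contains(";"))
                throw new ArgumentException("Name and provider must be non-empty and contain no ';'.");
        return string.Concat(id, ";", name, ";", provider); // Guid prints as 32 digits with 4 dashes
    }

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal != null && incomingPrincipal.Identity.IsAuthenticated)
        {
            var identity = (ClaimsIdentity)incomingPrincipal.Identity;
            // Map only role claims issued by the trusted STS that are present in the allow-list.
            var incoming = identity.FindAll(ClaimTypes.Role)
                .Where(c => c.Issuer == TrustedIssuer && RoleMap.ContainsKey(c.Value))
                .ToList(); // snapshot before adding claims to the same identity
            foreach (var claim in incoming)
            {
                var role = RoleMap[claim.Value];
                identity.AddClaim(new Claim(SitefinityRole,
                    FormatRoleValue(role.Item1, role.Item2, role.Item3),
                    ClaimValueTypes.String, claim.Issuer, claim.Issuer));
            }
        }
        return base.Authenticate(resourceName, incomingPrincipal);
    }
}
```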
     