I was wondering if anyone on the Telerik team or the community had any experience using Sitefinity in a site that is secured using claims-based authentication in Windows Identity Foundation. My experience with Sitefinity other than this forum post is extremely limited so I'm hoping that I'm giving enough detail here. Here's some high-technical details about how the site, its physical folder structure and our WIF considerations:
All pages and Sitefinity dynamic content in this directory should be unsecured allowing for anonymous access.
is a sub-folder off the parent application that we want to completely secure.
is a sub-folder off the parent application that we want to secure, but allow the dynamic Sitefinity content to be unsecured...
Windows Identity Foundation allows for some very specific configuration to allow access to particular folders using tags such as the following:
<allow users="*" />
This works very well for static content in your ASP.NET application, however the dynamic Sitefinity content is unable to be configured this way... Those resources simply assume the same type of security access that is assigned to the folder in which it's served from. In other words, all of the dynamic content in our developer folder is secured and we would prefer only the static .aspx files be secured.
Is there some other configuration that might work? We've tried multiple configurations for this... We've place the <microsoft.identityModel> (WIF) configuration at the site root level and then removed it to try and secure each of the folders with their own config file with <microsoft.identityModel> sections. I'm hoping that someone on the Telerik team can provide some best practice approaches for this type of thing since federated security and WIF are technologies that are quickly gaining momentum...
Thanks in advance for your help.