Any new information on this? I see that this post has been last updated on 1/25/2013:
Securing a Sitefinity Backend with SSL
...and I was initially comforted to finally see an official set of instructions on this from Telerik, but alas, it didn't work. :-(
First, the instructions weren't clear on whether you should leave "https://localhost/etc." or change to "https://www.mysite.com/etc." (in steps 1 and 2). After I changed those from localhost to www.mysite.com it started looking more promising. I got the login page. However, after authenticating succesfully, I receive the error:
Missing configuration for the requesting relying party "http://www.mysite.com".
Upon closer inspection, the URL in the address bar is:
Changing that manually to
...seems to work, and I'm able to get past the login screen. I tried editing a page. It switches back to http, but upon publishing, goes back to https when displaying the backend. I suppose that's OK.
The main concern for me is to protect the login page (even if the rest of backend goes over HTTP). It seems weird that we should be having to beg and plead Telerik to allow us to log in our site editors SECURELY. I've been with Sitefinity since version 3.2, and this STILL hasn't been addressed. At least back then, I could insert my own code into Login.aspx and enforce ssl. Now, that's a lot more complicated.
So... Long story short... Is it still preferred to do IP white-listing or should we follow the instructions outlined by Telerik at the link above? If latter, then how should those settings be changed so that they work correctly?