
Questions on authentication and authorisation using single sign-on

2 posts, 0 answered
  1. Joe
    1 posts
    08 Jul 2015
    04 Dec 2015
    We are trying to create a new Sitefinity site (Kaplan Social) that will integrate with our Single Sign-On (SSO) system. This uses Microsoft's Windows Identity Foundation. The process is:
    - An unauthenticated user visits a site and tries to access a protected page
    - The user is redirected to our SSO
    - The user validates, usually through username/password
    - If validation is successful, claims are created with details of pertinent attributes of the user, such as ID, email etc.
    - Claims are signed and encrypted to form a SAML token (XML format)
    - The user is redirected to the original site along with the token
    - The site recognises the token, extracts the claims and creates an authenticated user based on the claims
    - If more information about the user is needed we can use an identity service
    We want to use this service with Sitefinity and also need a way to authorise users, various groups of users will have access to different parts of the site and within these sections they will need different permissions.
    Our Problems
    Sitefinity cannot directly use SAML tokens from an external STS (is this true?), so for these sites we convert the SAML to name/value pairs to add to the query string, and we also add a hash of the name/value pairs. It's a standard SWT implementation.
    Our first question is that this looks insecure: what prevents a spoof attack by a user who has created their own name/value pairs and hashed them?
    Also, if a user's request is intercepted their details will be visible; TLS (such as SSL) won't prevent this, as it's the URL carrying the data.

    Is multiple authentication mode supported in v8.x?

    Secondly, how do we deal with the authorisation problem? Is there a preferred way to do this?
    Do we need custom authorisation for forum access?
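    The spoofing concern in the post above comes down to what the "hash of the name value pairs" is keyed with. The following is an added example (not code from the original thread, from Sitefinity, or from Joe's SSO) that puts the two designs side by side: an unkeyed SHA-256 over the pairs, which any party can recompute and therefore proves nothing about who issued the token, and an SWT-style token whose final field is an HMAC-SHA256 computed with a secret shared only by the STS and the site, checked in constant time together with an Audience claim and an ExpiresOn claim. The claim names, the audience value, and `SHARED_SECRET` are constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Constructed placeholder only; a real deployment stores a random secret outside source control.
SHARED_SECRET = b"constructed-placeholder-secret-shared-by-sts-and-site"


def _canonical(pairs: dict) -> str:
    """Serialise name/value pairs in a fixed order so signer and verifier agree byte for byte."""
    return urlencode(sorted(pairs.items()))


def naive_token(claims: dict) -> str:
    """The scheme the question describes: pairs plus an UNKEYED SHA-256 over them.
    Nothing here is secret, so any party can produce a token that naive_verify accepts."""
    digest = hashlib.sha256(_canonical(claims).encode()).hexdigest()
    return _canonical(claims) + "&Hash=" + digest


def naive_verify(token: str) -> Optional[dict]:
    """Accepts any token whose hash matches: this checks the string was not garbled,
    not that the STS produced it."""
    pairs = dict(parse_qsl(token, keep_blank_values=True))
    presented = pairs.pop("Hash", None)
    if presented is None:
        return None
    expected = hashlib.sha256(_canonical(pairs).encode()).hexdigest()
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return None
    return pairs


def sign_swt(claims: dict, secret: bytes, lifetime_seconds: int = 300,
             now: Optional[int] = None) -> str:
    """Issue an SWT-style token: sorted pairs, an ExpiresOn claim, and an HMACSHA256 over them."""
    now = int(time.time()) if now is None else now
    body = dict(claims)
    body["ExpiresOn"] = str(now + lifetime_seconds)
    canonical = _canonical(body)
    mac = hmac.new(secret, canonical.encode(), hashlib.sha256).digest()
    return canonical + "&HMACSHA256=" + base64.urlsafe_b64encode(mac).decode()


def verify_swt(token: str, secret: bytes, audience: str,
               now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the HMAC, audience and expiry all check out; otherwise None."""
    now = int(time.time()) if now is None else now
    pairs = dict(parse_qsl(token, keep_blank_values=True))
    presented = pairs.pop("HMACSHA256", None)
    if presented is None:
        return None
    try:
        presented_mac = base64.urlsafe_b64decode(presented)
    except (ValueError, binascii.Error):
        return None
    # Recompute over the remaining pairs with the shared secret and compare in constant time.
    expected_mac = hmac.new(secret, _canonical(pairs).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, presented_mac):
        return None
    # A valid MAC proves the STS issued these pairs; still reject tokens minted for another
    # site and tokens past their expiry, which bounds the replay window of a leaked URL.
    if pairs.get("Audience") != audience:
        return None
    try:
        expires_on = int(pairs["ExpiresOn"])
    except (KeyError, ValueError):
        return None
    if expires_on <= now:
        return None
    return pairs


if __name__ == "__main__":
    # Constructed sample claims, the kind the post says the SSO would carry.
    claims = {"Issuer": "sso.example.test", "Audience": "kaplansocial.example.test",
              "UserId": "42", "Email": "joe@example.test"}
    token = sign_swt(claims, SHARED_SECRET)
    print("keyed token accepted:", verify_swt(token, SHARED_SECRET, "kaplansocial.example.test") is not None)
    print("keyed token with altered UserId accepted:",
          verify_swt(token.replace("UserId=42", "UserId=1"), SHARED_SECRET, "kaplansocial.example.test") is not None)
    print("unkeyed token built without any secret accepted:", naive_verify(naive_token({"UserId": "1"})) is not None)
```

    The unkeyed variant is what makes the "create own name value pairs and hash them" attack trivial; with the keyed variant, a changed claim, a stripped MAC, a token issued for another audience, or an expired token all fail verification. On the second concern in the post: TLS does encrypt the query string in transit, so the exposure is not interception on the wire but the places a URL is recorded afterwards (browser history, web server and proxy logs, Referer headers), which is why a short ExpiresOn and a flow that delivers the token by POST rather than in the address bar both reduce the risk.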

  2. Arnob Makhlaqur
    41 posts
    06 Sep 2017
    10 Dec 2015
    Hello Joe,

    An SWT or SAML token, or any other custom format, can be used by integrating a Sitefinity External STS and using it as a translator.

    Please read this article and see if this can help you for your use case:

    The following documentation might also be helpful:

    Arnob Makhlaqur