I am trying to get Sitefinity to work with MVC and JQuery Mobile and am having many issues....
The current issue is that I need to have users authenticate to access parts of the application. This authentication needs to be with an external service, the users logging into the front end will not be in the Sitefinity user base. I also need to have users who can log into the back-end to update the content, these users will be managed by Sitefinity.
To secure pages in MVC I add a authorize attribute on the controller. This needs to confirm the users on the front end have been authenticated by the external service, but still allow users logged into the back end to be able to updated content.
This is not working, when I hit the page with the authorize attribute on the front-end it is trying to take me to the sitefinity login. Has anyone found a way to make this work?
Well, I have a way to do it now, but I'm not all that excited with it...
I heard back from Sitefinity support and was given a few different ways to do this.
1) Create my own custom AuthorizeUser attribute, save the values when I authenticate to the session of a cookie, check for that value on the attribute...basically rewrite all the Authenticate functionality myself. - I'd really like to keep the Authenticate functionality as much as possible so I don't think I will do this.
2) Create a Custom Membership Provider, add this to the Sitefinity backend as a valid membership provider. This would be a good solution if I was wanting to store my users in a database and validate/update them. But, I am only validating against a service.
3) Create a dummy user in the Sitefinity backend with no access and definitely no backend access or admin access. After authenticating to my service if all is good then log into this user from the code. After this the [Authenticate] attribute finds that this user is logged in so all is good. As I do not need to check roles or claims in my app, just that user is logged in, this may work. It seems pretty ugly to me but I am assured that as long as the user does not have backend access or admin access it will not count to co-current users and many many users can be logged in as the same user.
I will go forward with option 3 and see how it goes and if I can get it past the architecture team.
here is the link where I found option 3 with some more info...
http://www.sitefinity.com/developer-network/forums/sitefinity-sdk/custom-authentication
James!
Not sure but I think your 3rd party service should use the Sitefintiy Single Sign On.
Maybe the following help topic on how to setup Sitefinity single sign on will be helpful:
http://www.sitefinity.com/documentation/documentationarticles/authentication-models-overview
Related
I'm looking for guidance as to how I should introduce authentication and authorization into my Rails application. I apologize if this gets long, but I'm trying to provide the context necessary to help me understand what roads I should go down to achieve this.
First off, my technologies:
Rails API BE
React FE
Business Requirements:
Invite only (Invite from root admin user)
Multiple types of users
Root Admin (invite users and assign types)
Users
Attorney, Paralegal, Client (each has different roles / capabilities)
Walkthrough
Root Admin User creates accounts for attorneys and paralegals. These accounts go out via an invitation to join.
Paralegals can create clients. When created, an invite goes out to the client to join the application. Paralegal assigns attorneys to be responsible for the clients.
Different Roles
Clients manage their own data
Paralegals can 'validate' client data
Attorneys can 'Approve' Paralegal changes
Bottom line:
We need each type of user to log into the application
Each user gets a role specific to their capabilities
These capabilities will involve different UI capabilities in React
React will need to know that
The user is authenticated
The user is authorized only for certain actions
These capabilities will involve REST calls to Rails
Rails will need to validate that
The user is authenticated
The user is authorized only for certain actions
I've done this in the past using Devise but am looking to move authentication and authorization to the cloud to allow for future app development ideas. That's where I'm not sure what to do. I've been reading a lot of different possibilities and at this point I'm just not sure which path I should choose. So I'm looking for advice how to pull authn/authz out of Rails and into the cloud.
After all this, I think my question is just -- could someone point me down which road I should go? AWS Cognito? Auth0? Stick with Devise? How does Rails work with cloud auth providers?
Really, just anything helps.
Any advice would be appreciated.
We have ASP.NET MVC applications. We have our own IdP for SSO, The IdP issues authentication ticket using OpenID Connect Protocol. Users can access all our applications by singing once.
We want to use JIRA ticketing system for users to create ticket.
We can create account for every user and provide link on UI to JIRA to create ticket. However that is not convenient if we have large number of users, and keep growing.
We can also create a form in our applications and then submit the form to JIRA using their API. However I am trying to avoid this option because then I have create form in every application and maintain it.
Ideal optional would be, when user clicks on the create ticket link, it should get redirected to JIRA ticketing system, MUST get authenticated implicitly (maybe using access token) and be able to create ticket using JIRA's ticketing system.
Is this possible? Can someone please provide guidelines
You should consider using JIRA's built-in IssueCollector.
This is super simple to set up, and you can find more info here
Unless you need to do something really custom, then this should work out of the box.
Cause i'm new to the whole angular (specific angular2) thing i wonder about something.
I want to build an "api" backend with rails 5 as they released the api mode and my frontend with angular2. Because i'm used to rails i wanted to implement a devise user authentication and because i'm new to angular2 i searched for a way to authenticate the user against my rails/devise backend.
But all i find are tutorials about angular2 and auth0, which i never heared before.
So my question is, is it "normal" to user angular2 with auth0 authentication?
And when i use auth0 my user data are not in my database right? So how do i create relationships with my rails models?
Would be great if someone can explain that to me or link me some article if they exists.
Auth0 is one of the many choices available to you. If you'd like to use Auth0 but store credentials in your own database, there is a tutorial for setting that up with Auth0.
So it can be normal to use Auth0, and you can also have your user data available in your own database-- do keep in mind you'll need to secure user credentials thoroughly when storing them yourself though!
I've also faced the same problem and considered Devise (going so far as setting up a Rails+Devise landing page that redirected users to the Angular app after successful login). After much pain I have come to the same recommendation as Kassandra, that using JWT authentication is the way to go.
However, if you plan to use Auth0 note that after 7000 users have signed up you will need to upgrade. This may not be a problem for you but since I plan to deploy something substantial it's a decision I had to think about.
The "dream" is to use WindowsAuthentication for an intranet site. However, we need to hit a 3rd party service to determine if the user has "permission" to use the site, thus "Roles". I have seen many examples that show how to add roles to the identity but they are all on "per request" basis. I don't want to do that. I would like for the user to hit the site once, I determine if the user has the permission, and add the role to the identity. The identity (with the role) sticks around for the session. I also don't want to have to cache users and their permissions. Is this doable or am I missing something?
Thanks.
The solution is to write your own Authentication and put caching in the middle. It is really easy to do as I have two methods of doing it.
Pre ASP.NET MVC 5
http://tech.pro/tutorial/1216/implementing-custom-authentication-for-aspnet
ASP.NET MVC 5+ OWIN
http://www.khalidabuhakmeh.com/asp-net-mvc-5-authentication-breakdown-part-deux
My posts describe the basics of writing your own authentication, but it is pretty easy to integrate a third party service once you understand the basics. Hope that helps :)
I'm working on an MVC4 site using SimpleMembership to handle user accounts and role based authentication. We have another site and we'd like to implement a single sign on system allowing users from the existing site to log in to the one I am building. What would be the best way to achieve this and hopefully leverage to the existing roles based authorization I'm using on the MVC4 site. Is it possible to have multiple membership providers (i.e. use the built in one and if the user is not found, attempt to authenticate via a custom provider that I'll write (once I work out how!). Or would it be better to abandon the built in membership/roles and roll my own?
I also thought of letting WebSecurity check the local database and if the user is not found, query the 2nd database and if the users credentials are valid, create a local account for them. One issue with this approach is if a user called Fred registers on the MVC site, and then a user from the other site called Fred logs in, we couldn't create them a local account with the same username. We could prefix/suffix the username with some text to indicate that they are from the other site but then we lose the single sign on feature.
We will also want to integrate AD authentication for staff in the future.
So essentially I'm looking for the best way to authenticate users from multiple databases and keep using roles based authentication?
I've also done a little digging was wondering if ADFS might be useful for this.
Any help or advice would be greatly appreciated!
I recommend the use of an Identity server to handle all your login request and switching to a claim based authentication instead of a role based authentication if you can.
I personally went with Thinktecture IdentityServer
pluralsight.com have a good course on it.
Thinktecture IdentityServer is build on top of simple Membership and it supports multiple protocol such as
WS-Federation
WS-Trust
OpenID Connect
OAuth2
ADFS Integration
Simple HTTP
I recommend checking it
Good Luck