Automatically logging into Umbraco using Windows Authentication - umbraco

I am working away at an Umbraco project, with the goal being that the user is automatically logged into Umbraco based on their domain username. These are the steps I have so far:
I am hosting a test Umbraco site on IIS 7
The site settings have Windows Authentication, meaning that you have to be logged into the domain to access the site
I have created a macro that identifies the current user as soon as someone accesses the page. If the user does not have a matching Umbraco Member Account, then one is automatically created, based on their domain user.
As it stands now, if someone on the domain accesses the Umbraco site, then they will have a Member with a matching username automatically created in Umbraco if it doesn't exist. This is done passively.
The last stage, however, is that I require that user to become the registered, logged-in Member. I know who the Umbraco Member is, I just need to have that member automatically logged into Umbraco.
Does anyone know how I can do this?
I'm coding in C#, but any form of documentation would be appreciated.
Many thanks.

The Umbraco members section uses the asp.net membership system, so you can just call the FormsAuthentication.SetAuthCookie() method to set the logged in user details. I think you also need to tell Umbraco to cache the member. This post on our.umbraco.org has some details.
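The step the answer describes, as an added example that is not code from the original post or from Umbraco: take the identity IIS attached after Windows Authentication, confirm that an ASP.NET Membership user with that name exists (the question's macro creates it), and only then call FormsAuthentication.SetAuthCookie(). It assumes anonymous authentication is disabled for the site and that the default membership provider is the Umbraco members provider; Umbraco's own member-cache call that the answer mentions is not shown.

```csharp
// Added example (not from the original post): log the Windows-authenticated visitor in as the
// matching ASP.NET Membership user, which is what Umbraco's members section sits on.
// Assumptions: IIS Windows Authentication only (anonymous disabled), and a member whose
// username equals the domain login (e.g. "DOMAIN\\jdoe") already exists.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class WindowsToMemberLogin
{
    // Returns the username that is now logged in, or null when no login was performed.
    public static string LoginCurrentWindowsUser(HttpContext context)
    {
        // Trust only the identity IIS attached after Windows Authentication; never a
        // username taken from the query string, a form field or a custom header.
        var identity = context.User != null ? context.User.Identity as WindowsIdentity : null;
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
            return null;

        string username = identity.Name; // "DOMAIN\\user"

        // Already carrying a valid forms ticket for this same member? Nothing to do.
        if (HasTicketFor(context, username))
            return username;

        // Only issue a ticket for a member that actually exists and is usable, so a stale or
        // mistyped mapping cannot mint a ticket for a non-member.
        MembershipUser member = Membership.GetUser(username, false);
        if (member == null || !member.IsApproved || member.IsLockedOut)
            return null;

        // Session cookie (no persistence): the login lasts only as long as the browser session.
        FormsAuthentication.SetAuthCookie(username, false);
        return username;
    }

    private static bool HasTicketFor(HttpContext context, string username)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
            return false;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return ticket != null && !ticket.Expired &&
                   string.Equals(ticket.Name, username, StringComparison.OrdinalIgnoreCase);
        }
        catch (ArgumentException)
        {
            return false; // tampered or malformed cookie: treat as absent and re-issue
        }
    }
}
```

Call LoginCurrentWindowsUser(HttpContext.Current) from the macro's user control after the member has been created; because the ticket is re-checked against the Windows name on every request, a forms cookie left over from a different member is simply replaced rather than trusted.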

Related

ASP.NET User.IsInRole() with trusted-domain memberships

I have a .NET Framework 4.7.2 MVC 5 site that is using Windows Authentication to authorise access to actions based on AD group membership. This works fine for a single domain, but we have domain trusts in place and ASP does not seem to resolve memberships from other domains.
e.g.
Two domains: Parent and Leaf
The site runs in the Parent domain, which has local security groups setup: SiteAccess-L.
SiteAccess-L contains a single member Leaf\SiteAccess-G, which in turn has our user Leaf\User.
When I dump the contents of HttpContext.User.Identity.Groups (casting through WindowsIdentity), I can see all the Leaf domain groups that the user is a member of, but not any of the Parent domain groups. This only happens for remote users; if I access the site locally, it seems to work.
Running a simple C# app on the desktop of the web server with the same user account and calling WindowsIdentity.GetCurrent() will bring me back both domains' group memberships.
Does anybody know what gives here, and how I access the full cross-domain group memberships in MVC? If I use GetCurrent() in MVC, I get the service-account that the application pool is running under.
Thanks.
I finally got a resolution to this, but I don't fully understand why.
The issue seemed to be with an SPN. When accessing the web page through a URL such as http://mysite.parent/ and an SPN was in place for this host, the issue described would occur.
Removing the SPN resolved the issue and all groups were viewable by the site. This is clearly Kerberos related, but my understanding isn't deep enough to categorically say for sure.
In the end, the SPN wasn't needed so it could be removed to resolve the issue. Reference: https://www.aligrant.com/web/blog/2020-09-28_iis__do_i_need_to_use_a_spn
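The group dump the question describes, as an added example that is not code from the original post: an MVC action that lists every SID in the request's Windows token with its resolved "DOMAIN\\Group" name, and then runs the IsInRole check the site actually depends on, so you can see directly whether the nested Parent-domain group arrived in the token. The controller name and the group "PARENT\\SiteAccess-L" are assumptions taken from the question's example; adjust them to your own environment.

```csharp
// Added example (not from the original post): show what the Windows token IIS received
// actually contains, resolved to domain\group names, for diagnosing cross-domain group issues.
// Assumption: the action runs under IIS Windows Authentication (anonymous disabled).
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.Mvc;

public class WhoAmIController : Controller
{
    public ActionResult Groups()
    {
        var identity = User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return new HttpUnauthorizedResult();

        var lines = new List<string>();
        // AuthenticationType reports the package that produced the token (e.g. Negotiate, NTLM,
        // Kerberos); comparing it between the working and failing cases is the first clue.
        lines.Add("Identity: " + identity.Name + " (" + identity.AuthenticationType + ")");

        foreach (IdentityReference sid in identity.Groups)
        {
            string name;
            try
            {
                // Translation needs a lookup against the domain; SIDs the server cannot resolve
                // (e.g. from an untrusted domain) throw and are reported as unresolved.
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = "<unresolved>";
            }
            lines.Add(sid.Value + "  " + name);
        }

        // The check the site relies on: if the group is missing from the list above, the token
        // IIS was handed simply does not carry it, and no amount of role configuration helps.
        var principal = new WindowsPrincipal(identity);
        lines.Add("IsInRole(PARENT\\SiteAccess-L): " + principal.IsInRole(@"PARENT\SiteAccess-L"));

        return Content(string.Join(Environment.NewLine, lines), "text/plain");
    }
}
```

Keep an action like this restricted to administrators or remove it after diagnosis: it discloses the caller's full group structure, which is more than an ordinary page should reveal.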

How to integrate JIRA ticketing with ASP.NET Application

We have ASP.NET MVC applications. We have our own IdP for SSO; the IdP issues authentication tickets using the OpenID Connect protocol. Users can access all our applications by signing in once.
We want to use JIRA ticketing system for users to create ticket.
We can create account for every user and provide link on UI to JIRA to create ticket. However that is not convenient if we have large number of users, and keep growing.
We can also create a form in our applications and then submit the form to JIRA using their API. However, I am trying to avoid this option because then I have to create a form in every application and maintain it.
The ideal option would be: when the user clicks on the create ticket link, they get redirected to the JIRA ticketing system, MUST get authenticated implicitly (maybe using an access token) and are able to create a ticket using JIRA's ticketing system.
Is this possible? Can someone please provide guidelines?
You should consider using JIRA's built-in IssueCollector.
This is super simple to set up, and you can find more info here
Unless you need to do something really custom, then this should work out of the box.

Is it possible to use authenticatedUserOverride in IIS and still get the windows user within an MVC application?

We're trying to set up IIS so that it uses its IIS AppPool identity when going against ACL permission checks (when getting static files from the filesystem) so that we don't have to add "everyone" or "authenticated users" to the main app folder or specific folders.
We've found that setting authenticatedUserOverride to UserWorkerProcessUser achieves the above, but no longer lets us access the specific windows user hitting the website from within the MVC application.
Is there a better way to accomplish this? Again, we're trying to avoid having the specific user's credentials validated against ACLs when accessing files.
You can still get the authenticated user that is accessing the site using the LOGON_USER in the Request:
Request["LOGON_USER"]
Scott Forsyth details this on his blog under option #4 (http://weblogs.asp.net/owscott/iis-using-windows-authentication-with-minimal-permissions-granted-to-disk).
As for the best way to accomplish this, I think you are on the right path. I have used this approach along with the roles authorization aspect of ASP.NET to allow/deny access based on membership.
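The LOGON_USER approach from the answer combined with ASP.NET role authorisation, as an added example that is not code from the original answer or from Scott Forsyth's post. It assumes Windows Authentication is enabled and anonymous authentication disabled for the application, that authenticatedUserOverride is set to UserWorkerProcessUser as the question describes, and that a RoleProvider able to answer by username (a SQL or AzMan store, not WindowsTokenRoleProvider, which only knows the current token) is configured; the role name "SiteAdmins" is a placeholder.

```csharp
// Added example (not from the original answer): read the user IIS authenticated from the
// LOGON_USER server variable and feed it to ASP.NET role checks, while file ACL checks run as
// the application pool identity (authenticatedUserOverride="UserWorkerProcessUser").
// Assumptions: Windows auth on, anonymous auth off, a username-capable RoleProvider configured.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class LogonUserReader
{
    // Returns "DOMAIN\\user" for an authenticated request, or null if IIS did not authenticate it.
    public static string GetLogonUser(HttpRequestBase request)
    {
        // ServerVariables are populated by IIS from the authentication it performed; a client
        // cannot set them. Anything in request.Headers is client-controlled and must not be
        // used as a substitute for LOGON_USER.
        string user = request.ServerVariables["LOGON_USER"];
        if (string.IsNullOrEmpty(user))
            return null; // anonymous auth still enabled, or the request was not authenticated
        return user;
    }
}

public class ReportsController : Controller
{
    public ActionResult Index()
    {
        string user = LogonUserReader.GetLogonUser(Request);
        if (user == null)
            return new HttpUnauthorizedResult();

        // With the override in place User.Identity no longer reflects the caller, so [Authorize]
        // cannot be used for per-user rules; ask the RoleProvider about the real caller by name.
        if (!Roles.IsUserInRole(user, "SiteAdmins"))
            return new HttpStatusCodeResult(403, "Not a member of SiteAdmins");

        ViewBag.Caller = user;
        return View();
    }
}
```

Because file reads now run as the pool identity, the ACLs on the content folders only need to grant that one account; the per-user decision moves entirely into code paths like the one above, so every action that returns user-specific data needs its own check rather than relying on the filesystem.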

Sitefinity MVC External Authentication

I am trying to get Sitefinity to work with MVC and JQuery Mobile and am having many issues....
The current issue is that I need to have users authenticate to access parts of the application. This authentication needs to be with an external service, the users logging into the front end will not be in the Sitefinity user base. I also need to have users who can log into the back-end to update the content, these users will be managed by Sitefinity.
To secure pages in MVC I add an authorize attribute on the controller. This needs to confirm the users on the front end have been authenticated by the external service, but still allow users logged into the back end to be able to update content.
This is not working, when I hit the page with the authorize attribute on the front-end it is trying to take me to the sitefinity login. Has anyone found a way to make this work?
Well, I have a way to do it now, but I'm not all that excited with it...
I heard back from Sitefinity support and was given a few different ways to do this.
1) Create my own custom AuthorizeUser attribute, save the values when I authenticate to the session or a cookie, check for that value on the attribute...basically rewrite all the Authenticate functionality myself. - I'd really like to keep the Authenticate functionality as much as possible so I don't think I will do this.
2) Create a Custom Membership Provider, add this to the Sitefinity backend as a valid membership provider. This would be a good solution if I was wanting to store my users in a database and validate/update them. But, I am only validating against a service.
3) Create a dummy user in the Sitefinity backend with no access and definitely no backend access or admin access. After authenticating to my service, if all is good then log in as this user from the code. After this the [Authenticate] attribute finds that this user is logged in so all is good. As I do not need to check roles or claims in my app, just that the user is logged in, this may work. It seems pretty ugly to me but I am assured that as long as the user does not have backend access or admin access it will not count towards concurrent users and many, many users can be logged in as the same user.
I will go forward with option 3 and see how it goes and if I can get it past the architecture team.
here is the link where I found option 3 with some more info...
http://www.sitefinity.com/developer-network/forums/sitefinity-sdk/custom-authentication
James!
Not sure, but I think your 3rd party service should use the Sitefinity Single Sign On.
Maybe the following help topic on how to setup Sitefinity single sign on will be helpful:
http://www.sitefinity.com/documentation/documentationarticles/authentication-models-overview

asp.net mvc membership - caches login info and shows on different applications

I've asked similar question here because I thought the problem was in my custom membership provider.
Then I tried this:
I created two NEW asp.net MVC applications. In first one, I registered as new user using default membership provider. I closed this application, opened second one and ran it. In this application I was also logged in as user I created in first application. Logging in as user from other application doesn't work, but caching is remembered on this site. Why is it so? Is it a bug?
I think this can be expected behaviour:
If you open localhost/app1 and localhost/app2 you are on the same domain. So it's valid that the same cookie is sent. I am not sure if localhost:5050 and localhost:5060 are considered the same domain. But I guess that's the case.
If the same cookie is sent, the Membership system will evaluate this as the same user. That's expected behaviour.
If you want to have these 2 webs use different pools of users you have to create a new application in the Membership system and configure it in web.config.
This will not affect the behaviour of a production system, because the 2 webs will be on different domains. Each domain is only allowed to access its own cookies.
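The web.config change the answer refers to, as an added example that is not configuration from the original post: each application gets its own forms cookie name and path, so the browser no longer sends app1's ticket to app2 on the same host, and its own applicationName on the membership provider, so the two sites draw on separate user pools even if they share a database. The provider name, connection string name and application names below are assumptions; the paths assume the sites are hosted as /app1 and /app2 under one host. Note that the cookie path is matched case-sensitively by browsers, so it must match the URL as actually typed.

```xml
<!-- Added example (not from the original post): web.config for the first application.
     The second application uses its own name/path ("App2Auth", "/app2") and applicationName ("App2"). -->
<configuration>
  <connectionStrings>
    <!-- placeholder: point this at your membership database -->
    <add name="MembershipDb" connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <!-- Distinct name and path keep the ticket from being presented to the other site
           on the same host. httpOnly and requireSSL limit what a script or a plain-HTTP
           request can do with it. -->
      <forms name="App1Auth" path="/app1" loginUrl="~/Account/Login" timeout="30"
             httpOnlyCookies="true" requireSSL="true" slidingExpiration="true" />
    </authentication>
    <membership defaultProvider="App1Membership">
      <providers>
        <clear />
        <!-- applicationName partitions users: "App1" accounts are invisible to "App2". -->
        <add name="App1Membership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="App1"
             enablePasswordRetrieval="false"
             requiresUniqueEmail="true" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Even in production, where different hostnames already separate the cookies, the applicationName setting is the one that matters for keeping the user pools apart when the applications share one membership database.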
