Authentication flow and certificates

Sitefinity CMS can serve both as Relying Party (RP) and Identity Provider (IP). Usually, these can be one web application on the same host, but with different URLs. However, in a Single-Sign-On (SSO) scenario, these can be on different servers (applications). In both cases the communication between IP and RP is via HTTP and goes trough the client. 

Authentication flow diagram

To ensure security, you must configure the following two types of certificates for Sitefinity CMS:

• SSL/TLS certificate for the site
  This certificate ensures the identity of the URL that is requested by the client (browser). It is used in all the steps from the above diagram.

  NOTE: Although Sitefinity works successfully on HTTP and HTTPS, we recommend to use SSL/TLS certificate for your site.

• Identity server signing certificate
  This certificate is used to verify the issuer of the authentication token – it is used by Sitefinity CMS Identity provider to sign the identity token (Step 4 in the diagram). It is also used by Sitefinity CMS Relying party to ensure that the authentication token has been issued by the correct Identity provider (Steps 6 in the diagram).

  You must configure this certificate, by navigating to Administration » Settings » Advanced » Authentication » SecurityTokenService » IdentityServer » SigningCertificate.

  NOTE: The certificate must have a private key and the application pool user that runs Sitefinity CMS identity provider must have rights to access it to use it for signing.