Sitefinity CMS supports the following modes of authentication:
You can change the authentication model by changing the Security settings in the Advanced Settings page. You can also edit additional settings such as UserIsOnlineTimeWindow and BackendUsersSessionTimeout in the Security page. For more information, see Settings and configurations page.
Sitefinity CMS version 4.x has used an implementation of Forms-based authentication to verify a user’s identity and log them in. Sitefinity CMS supports forms authentication for backward compatibility and for users who explicitly want to keep using it. For more information, see Administration: Switch to forms authentication.
Forms authentication was conducted in the following way:
The mechanism, which authenticates the user, and the procedures of storing and retrieving the information of the user’s identity in the cookie were built into Sitefinity CMS core and follow a specific proprietary implementation.
Sitefinity CMS supports the implementation of SWT for backward compatibility and for users who want to explicitly keep using it. For more information, see Administration: Switch to Claims-based SWT authentication.
Compared to Forms, Claims-based authentication relies on a more robust mechanism of authentication, by which details about the user’s identity are encoded into a digitally signed string referred to as a token.
The token is issued once the user’s identity is determined by a dedicated service – Security Token Service (STS). The STS can run from within Sitefinity CMS, but can also run separately, and may even be a trusted third party.
The implementation of claims-based SWT authentication is based on Microsoft’s Windows Identity Foundation, which is built on top of the .NET framework.
Following is a scheme of how a token service works:
With claims-based authentication with single sign-on, once a user logs in and retrieves a valid token from the STS, the encrypted credentials are stored in the standard forms authentication cookie.
There are several immediate advantages to using claims-based authentication:
Following is a scheme of how claims-based authentication works:
Sitefinity’s implementation of claims-based authentication complies with the Federal Information Processing Standards (FIPS).
The identity token is digitally signed using the SHA-256 hash algorithm.
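To make the signed-token idea concrete, here is an added example (not Sitefinity code) of how a relying party can validate a token in the generic Simple Web Token layout: form-encoded claims followed by a trailing `HMACSHA256` field. The page does not state Sitefinity's exact token layout, so the field names `Issuer`, `Audience` and `ExpiresOn`, the use of HMAC-SHA256, and the key and URL values are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, unquote, urlencode

SIG_FIELD = "&HMACSHA256="  # SWT convention: the signature is the final pair

# Constructed sample values (assumptions, not Sitefinity settings).
KEY = b"constructed-demo-key-not-a-real-secret"
ISSUER = "https://sts.example.test"
AUDIENCE = "https://cms.example.test"

def sign_swt(claims: dict, key: bytes) -> str:
    """Build a signed token as an STS would; used here to make test input."""
    body = urlencode(claims)
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + SIG_FIELD + quote(base64.b64encode(mac).decode(), safe="")

def verify_swt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims of an authentic, unexpired token or raise ValueError."""
    body, sep, sig = token.rpartition(SIG_FIELD)
    if not sep:
        raise ValueError("missing signature")
    try:
        given = base64.b64decode(unquote(sig), validate=True)
    except ValueError:
        raise ValueError("malformed signature") from None
    # Sign exactly the bytes before the signature field; compare in constant time.
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        raise ValueError("bad signature")
    # Parse claims only after the signature has been checked.
    pairs = parse_qsl(body, keep_blank_values=True, strict_parsing=True)
    claims = dict(pairs)
    if len(claims) != len(pairs):
        raise ValueError("duplicate claim")
    if claims.get("Issuer") != issuer:
        raise ValueError("untrusted issuer")
    if claims.get("Audience") != audience:
        raise ValueError("wrong audience")
    if int(claims.get("ExpiresOn", "0")) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

if __name__ == "__main__":
    token = sign_swt({"Issuer": ISSUER, "Audience": AUDIENCE,
                      "ExpiresOn": str(int(time.time()) + 300),
                      "role": "Editors"}, KEY)
    print(verify_swt(token, KEY, ISSUER, AUDIENCE))
```

The checks run in a fixed order: signature first, then issuer, audience and expiry, so no claim is trusted before the token is known to come from the STS.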