Topics

All topics

Development

Implement custom external identity providers
Development

This article contains
NEW TO SITEFINITY?

The following article demonstrates the minimum configuration required to successfully authenticate a user in Sitefinity CMS STS, using Implicit flow. You first register the provider in Sitefinity CMS backend and, then, implement the provider.

You implement and configure the custom external authentication provider. You create a custom AuthenticationProvidersInitializer where you configure the external provider and then register the initializer in the ObjectFactory. 

Register custom external identity provider

 To do this, perform the following:
  1. Navigate to Administration » Settings » Advanced.
  2. In the left pane, expand Authentication » SecurityTokenService » AuthenticationProviders.
  3. Click Create new » AuthenticationProviderElement.
  4. Enter the Name and the Title of the provider.
    In this example, enter CustomSTS
  5. Select Enabled checkbox.
  6. Save your changes.
    The provider is created.
    If required, you can configure additional parameters of the provider, instead of hard coding them.
  7. Under the newly created provider, expand Parameters and create the following parameters:
    Key Value 
    clientId  The client ID configured in the external STS. 
    issuer  The absolute path to the external STS.
    redirectUri  The absolute path to the local STS.

    NOTE: Make sure the path is added in the external STS during client registration. The path, configured in the external STS, must be identical to the value of the redirectUri parameter.
    responseType Set the value to "id_token"
    scope  Set the value to "openid profile rememberMe email"
    caption  The text that is displayed on the login button.
    If you do not enter text, the button is not displayed.
  8. Save your changes.

Implement the external identity provider

You implement and configure the custom external authentication provider. You create a custom AuthenticationProvidersInitializer where you configure the external provider and then register the initializer in the ObjectFactory. 

Once a user logs via SSO with the STS in the relying party instance, in case there is no user previously authenticated with the same email, a new local user account is automatically created. The profile fields of the account are populated with the information provided by the STS in the claims that are returned. Profile fields of the local account (in the relying party instance) are updated only when they are empty and only from the claims received by the STS. Thus, if you edit your first name in the relying party instance, the change is not synced with the first name on the STS. Once the account is created locally, it is bound to the identity authenticated via email by the STS. If the email is modified either in the STS, or in the local profile in the relying party instance, a new account is once again created for the external user when they log in. If this is the case, all local profile information and local application roles are lost.

Use the following sample:

NOTE: Due to nonce validation, this sample works only under HTTPS. You can disable nonce validation with code to work under HTTP for development and testing purposes. For more information, see Troubleshooting Authentication.

using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Telerik.Sitefinity.Authentication;
using Telerik.Sitefinity.Authentication.Configuration;
using Telerik.Sitefinity.Authentication.Configuration.SecurityTokenService.ExternalProviders;
using Telerik.Sitefinity.Configuration;
using Telerik.Sitefinity.Security.Claims;
public class AuthenticationProvidersInitializerExtender : AuthenticationProvidersInitializer
{
public override Dictionary<string, Action<IAppBuilder, string, AuthenticationProviderElement>> GetAdditionalIdentityProviders()
{
var providers = base.GetAdditionalIdentityProviders();
// 'CustomSTS' is the name of the external authentication provider as configured in the Advanced settings
providers.Add("CustomSTS", (IAppBuilder app, string signInAsType, AuthenticationProviderElement providerConfig) =>
{
var clientId = providerConfig.GetParameter("clientId");
var issuer = providerConfig.GetParameter("issuer").Trim('/');
var redirectUri = providerConfig.GetParameter("redirectUri");
var responseType = providerConfig.GetParameter("responseType");
var scope = providerConfig.GetParameter("scope");
var caption = providerConfig.GetParameter("caption");
var localStsRelativePath = Config.Get<AuthenticationConfig>().SecurityTokenService.ServicePath.Trim('/');
var options = new OpenIdConnectAuthenticationOptions()
{
ClientId = clientId,
Authority = issuer + "/",
AuthenticationType = providerConfig.Name,
SignInAsAuthenticationType = signInAsType,
RedirectUri = redirectUri,
ResponseType = responseType,
Scope = scope,
Caption = caption,
Notifications = new OpenIdConnectAuthenticationNotifications()
{
SecurityTokenValidated = n => this.SecurityTokenValidatedInternal(n),
}
};
app.UseOpenIdConnectAuthentication(options);
});
return providers;
}
private Task SecurityTokenValidatedInternal(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
var identity = notification.AuthenticationTicket.Identity;
var externalUserEmail = identity.FindFirst("email");
if (externalUserEmail != null)
identity.AddClaim(new Claim(SitefinityClaimTypes.ExternalUserEmail, externalUserEmail.Value));
var externalUserId = identity.FindFirst("sub");
if (externalUserId != null)
identity.AddClaim(new Claim(SitefinityClaimTypes.ExternalUserId, externalUserId.Value));
var externalUserFirstName = identity.FindFirst("given_name") != null ? identity.FindFirst("given_name").Value : string.Empty;
identity.AddClaim(new Claim("ClaimsMapping:SitefinityProfile.FirstName", externalUserFirstName));
var externalUserFamilyName = identity.FindFirst("family_name") != null ? identity.FindFirst("family_name").Value : string.Empty;
identity.AddClaim(new Claim("ClaimsMapping:SitefinityProfile.LastName", externalUserFamilyName));
var externalUserFullName = externalUserFirstName + " " + externalUserFamilyName;
identity.AddClaim(new Claim(SitefinityClaimTypes.ExternalUserName, externalUserFullName));
var externalUserNickName = identity.FindFirst("nickname") != null ? identity.FindFirst("nickname").Value : string.Empty;
identity.AddClaim(new Claim(SitefinityClaimTypes.ExternalUserNickName, externalUserNickName));
var externalUserPicture = identity.FindFirst("picture");
if (externalUserPicture != null)
identity.AddClaim(new Claim(SitefinityClaimTypes.ExternalUserPictureUrl, externalUserPicture.Value));
return Task.FromResult(0);
}
}
view raw AuthenticationProvidersInitializerExtender.cs hosted with ❤ by GitHub

Register the initializer in the Global.asax

Register the initializer the following way:

using System;
using Telerik.Microsoft.Practices.Unity;
using Telerik.Sitefinity.Abstractions;
using Telerik.Sitefinity.Authentication;
namespace SitefinityWebApp
{
public class Global : System.Web.HttpApplication
{
protected void Application_Start(object sender, EventArgs e)
{
AuthenticationModule.Initialized += this.AuthenticationModule_Initialized;
}
private void AuthenticationModule_Initialized(object sender, EventArgs e)
{
ObjectFactory.Container.RegisterType<AuthenticationProvidersInitializer, OIDCAuthenticationProvidersInitializerExtender>(new ContainerControlledLifetimeManager());
}
}
}
view raw AuthenticationProvidersInitializerExtender_Bootstrapped_Global.asax.cs hosted with ❤ by GitHub

Want to learn more?

Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.

Get started with Integration Hub | Sitefinity Cloud | Sitefinity SaaS

This free lesson teaches administrators, marketers, and other business professionals how to use the Integration hub service to create automated workflows between Sitefinity and other business systems.

Web Security for Sitefinity Administrators

This free lesson teaches administrators the basics about protecting yor Sitefinity instance and its sites from external threats. Configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.

Was this article helpful?

Next article

Add and validate custom claims to Simple Web Tokens