Legacy authentication

Overview

Sitefinity CMS's legacy authentication methods are no longer considered secure and it is recommended to switch to the Default authentication mechanism. For more information, see Default authentication.

Legacy authentication

IMPORTANT: This is legacy authentication. Consider switching to the Default authentication protocol. For more information, see Default authentication protocol.

The OpenID protocol uses claims authentication, implemented on top of IdentityServer3, which is certified by the OpenID Foundation. It allows implementing single sign-on and access control for modern web applications and APIs. It uses the OAuth2 and OpenID Connect protocols. This integration allows easy connection with clients such as mobile, web, SPAs, and desktop applications. It is also extensible and allows integration in new and existing architectures.

The authentication is designed and implemented as a separate Microsoft OWIN / Katana component. It uses the standard Microsoft.Owin.Security libraries and the standard System.Security namespace. Additionally, there are some extensions to support external provider logins, such as Facebook or LinkedIn.

With the OpenID protocol, you also need to configure your Identity server signing certificate.

Configure identity server signing certificate

The Identity server signing certificate is used to verify the issuer of the authentication token. The Sitefinity CMS Identity provider uses it to sign the identity token, and the Sitefinity CMS Relying party uses it to ensure that the authentication token has been issued by the correct Identity provider.
This certificate is only necessary if you use the OpenID authentication mechanism. For more information, see Authentication.

To configure this certificate:

  1. Navigate to Administration » Settings » Advanced » Authentication » SecurityTokenService » IdentityServer » SigningCertificate.
  2. Fill out the fields and make sure the SubjectName field matches the subject name of the certificate.
    The Certificate store name is the location of the certificate, the store where it was installed.
    Store location can be either:
    • CurrentUser, which is the Current user certificate store that is local to a user account on the computer
    • LocalMachine, which is the Local machine certificate store, available to all users of the computer. 

  3. Restart Sitefinity CMS after configuring the certificate. 

If you have not configured the certificate, a default certificate for development and testing purposes is used and the System status dashboard widget displays a warning informing you that this is a security risk. For more information, see System status.

You can also check the error logs for information related to the warning displayed in the System status dashboard widget.

NOTE: The certificate must have a private key and the application pool user that runs Sitefinity CMS identity provider must have rights to access it to use it for signing.
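The requirements in the steps and the NOTE above can be checked on the web server before restarting. The script below is an added example, not part of the Sitefinity documentation or product; the store name, subject name and application pool identity are placeholders, and it assumes an RSA certificate in the LocalMachine store.

```powershell
# Constructed placeholder values: replace them with what you entered in the
# SigningCertificate settings and with the identity of your application pool.
$StoreName   = 'My'
$SubjectName = 'CN=placeholder-signing-cert'
$AppPoolUser = 'IIS AppPool\PlaceholderAppPool'

# Narrowed to the LocalMachine store; CurrentUser keys live in the user's profile.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
    Where-Object { $_.Subject -eq $SubjectName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$SubjectName' in LocalMachine\$StoreName." }

$now = Get-Date
$result = [ordered]@{
    Thumbprint     = $cert.Thumbprint
    HasPrivateKey  = $cert.HasPrivateKey
    WithinValidity = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    AppPoolCanRead = $false
}

if ($cert.HasPrivateKey) {
    # Resolve the key container file name for both CNG and legacy CSP keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $keyName = $null
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyName = $rsa.Key.UniqueName
    } elseif ($rsa) {
        $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    if ($keyName) {
        # Machine key files are stored in one of these two directories.
        $keyDirs = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
                   "$env:ProgramData\Microsoft\Crypto\Keys"
        $keyFile = Get-ChildItem -Path $keyDirs -Filter $keyName -Force -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($keyFile) {
            # Only explicit Allow entries for the identity are checked here;
            # access granted through group membership is not resolved.
            $read = [System.Security.AccessControl.FileSystemRights]::Read
            $allow = (Get-Acl -Path $keyFile.FullName).Access | Where-Object {
                $_.IdentityReference.Value -eq $AppPoolUser -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $read) -eq $read)
            }
            $result.AppPoolCanRead = [bool]$allow
        }
    }
}
[pscustomobject]$result
```

Run it from an elevated PowerShell session; a False value in HasPrivateKey, WithinValidity or AppPoolCanRead points to the requirement that still needs attention.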

Switch from forms to claims-based authentication

As of Sitefinity CMS 14.0, forms-based authentication is no longer supported. If your website uses forms-based authentication and you upgrade your project to Sitefinity CMS 14.x or above, claims-based authentication is not applied automatically. To configure your site to use claims-based authentication, perform the following: 

  1. Log in to the backend of your website.
  2. Click Administration » Settings » User Authentication.
  3. In the dropdown box, select Claims based authentication and click Save changes.
  4. Open the web.config file of your project and under the <system.webServer> section add <remove name="FormsAuthentication"/>.
  5. Under the <system.web> section, change the authentication element to <authentication mode="None" />.
  6. Save and close the web.config file. 
  7. Restart the application. 
