We spend so much time writing down dozens of passwords for each website we use. It can feel like every awesome website requires another registration and a new password to remember. Luckily, a modern WCM can solve that part of the customers’ journey with the help of Single-Sign-On (SSO), both on the frontend and for users of the administrative panel.
Progress Sitefinity supports SSO and is always working to make it easier and more secure. The engineering team has just improved the authentication mechanism to rely on the latest security and authentication concepts. Here are the three major aspects of it.
When building a stable security solution for a web application, developers often need to deal with multiple problems - authentication, SSO, federation, web API access and delegated authorization. OpenID Connect is the “tool” that does it all.
OpenID Connect, which is an authentication layer on top of OAuth2, allows end-users to verify their identity based on authentication performed by an authorization server and obtain basic profile information that will be used by the web application.
Sitefinity provides this protocol with the help of IdentityServer3, which is an open-source .NET/Katana-based framework and has large community of contributors keeping it up to date. By building upon it, Sitefinity users benefit from its high security standards.
SSO is actually the solution and it provides a mechanism to authenticate once and avoid further prompts of credentials each time you switch applications during the same browsing session. Additionally, end-users gain greater control of their identity and decide what information they want to share. A simple example is when you use your Google account to log into a 3rd party application like Pinterest.
However, now comes the question: how do you implement this feature? How can we facilitate our content editors and frontend users to seamlessly login to our website?
Writing this from scratch requires a deep understanding of authentication protocol schemes and a long tiresome selection of technologies.
To make this easier, Sitefinity provides a straightforward way to configure this out of the box. We can now facilitate our login process, and additionally relieve ourselves of the burden of having to store our users’ passwords, while still keeping security at a high level.
How does it work behind the scenes? Sitefinity first requests an JWT authentication token from the respective identity provider. Upon receiving a successful token, Sitefinity associates this token with a user which can utilize the full CMS capabilities, without keeping any login credentials stored in the database.
Let's jump in the specifics in how to setup SSO in Sitefinity with providers like Google, Facebook, Microsoft, GitHub, or any other custom provider your organization uses. The samples below show what the log-in for the backend users looks like, but the same configurations are valid for the frontend user, too.
Redirect URLs: https://www.<yourwebsite>.com/Sitefinity/Authenticate/OpenID/signin-microsoft
Application Id: <Application Id generated from Microsoft >
Application Secret: <Application Secret generated from Microsoft >
Valid OAuth redirect URIs: https://www.<yourwebsite>.com/Sitefinity/Authenticate/OpenID/signin-facebook
Application Id: <Application Id generated from Facebook>
Application Secret: <Application Secret generated from Facebook >
Application Id: <Application Id generated from Google>
Application Secret: <Application Secret generated from Google>
Note: The Authenticating user who is using the app must have the Google+ API enabled in their account, otherwise they will get an access_denied error. This can also be enabled in https://console.developers.google.com
Name: <Application Name>
Authorization callback URL : https://www.<yourwebsite>.com/Sitefinity/Authenticate/OpenID/signin-github
Application Id: <Application Id generated from Github >
Application Secret: <Application Secret generated from Github >
Note: The authenticating user must have a public Email as Sitefinity requires it. If the email is missing, an "External provider email is missing" error will be thrown. The email can be added in the basic profile.
Have you implemented a custom application that contains users that want to authenticate? You can use the application as an identity provider (just make sure the app provides OpenID connect endpoint and provides email as a scope!).
Client ID : unique ID from the app
Redirect URI: https:///<yourwebsite>//Sitefinity/Authenticate/OpenID/signin-custom
Note: The provider can be implemented for versions 10.0 and 10.1 however, it requires a custom class extension and is not provided out of the box.
All the external providers can be used on the frontend of the website as well as the backend.
Just place a login widget on your page and open its designer screen as shown below:
The buttons will appear next to the widget.
Authentication is one of the most important features of a modern web application. Sitefinity provides a straightforward way to implement SSO with popular external identity providers, so make sure to try them out to make your application accessible and secure.
View all posts from The Progress Team on the Progress blog. Connect with us about all things application development and deployment, data integration and digital business.
Let our experts teach you how to use Sitefinity's best-in-class features to deliver compelling digital experiences.Learn More
Subscribe to get all the news, info and tutorials you need to build better business apps and sites
You can also ask us not to share your Personal Information to third parties here: Do Not Sell or Share My Info
We see that you have already chosen to receive marketing materials from us. If you wish to change this at any time you may do so by clicking here.
Thank you for your continued interest in Progress. Based on either your previous activity on our websites or our ongoing relationship, we will keep you updated on our products, solutions, services, company news and events. If you decide that you want to be removed from our mailing lists at any time, you can change your contact preferences by clicking here.