Login users to Sitefinity CMS when using custom authentication

By default, the Sitefinity CMS authentication mechanism requires users to provide a valid pair of user identifier (for example, username or email) and password to authenticate to the website. However, there are use case scenarios where an organization might be using a different mechanism for authenticating its users. Such mechanisms can be token-based authentication, fingerprint, and so on.

Using custom authentication with Sitefinity CMS

You can have your website users authenticate with mechanisms different than the Sitefinity CMS default one, by implementing a custom authentication logic. The custom authentication logic is not specific to Sitefinity CMS.It can be a custom login widget, an ASP.NET HttpHandler, Page, Module, and so on. It needs to take care of authenticating the users against an external system and returning an identifier (and a set of claims for the authenticated user). In your custom authentication logic, you must use the identifier, returned from the external system, and find a Sitefinity CMS user that corresponds to it (or create a new one). Finally, you must instruct Sitefinity CMS to log in that user

Logging in users to Sitefinity CMS without providing a password

This last stage of the process, where you have already authenticated the user successfully using the desired mechanism, and need to log them in to Sitefinity CMS, requires a special API, exposed on the Sitefinity CMS site. This API enables you to login users without providing a password. In other words, in the case where a custom external authentication is used, the users are bound to an external system and do not have a password. When you authenticate them successfully in the external system, you need to use a mechanism to tell Sitefinity CMS “I have already taken care of authenticating this user, skip authentication and log them in directly”. Sitefinity CMS makes this possible via exposing a password-less login API, where users can be logged in only using their user identifier (such as username or password).

The Sitefinity CMS API which facilitates password-less login is the static method SkipAuthenticationAndLogin and is part of the SecurityManager class. It requires you to specify the name of the membership provider where this user was created, the username, and whether to issue a persistent authentication cookie on the Identity provider and Relying parties for this user.

Additionally, the SkipAuthenticationAndLogin method requires you specify the successRedirectUrl and errorRedirectUrl parameters. These parameters specify the locations where you want Sitefinity CMS to redirect your user upon a successful or failed login attempt. Make sure to use an absolute URL address. The SkipAuthenticationAndLogin method returns a UserLoggingReason, which you can use in case you want to perform some additional action after the method has executed. For more information about the possible values of the UserLoggingReson enumeration, see Authenticate users.

Was this article helpful?