We’ve configured SharePoint 2016 FBA with the DUO WebSDK and it works well except for one aspect regarding FBA authentication.
Login page 1: authenticate the username and password using FBA-LDAP.
Login page 2: load the Duo web iframe.
The method that authenticates the username and password on login page 1 is the SPClaimsUtility.AuthenticateFormsUser which persists a cookie to the site.
If the user fails the DUO authentication on login page 2, they still have an authenticated session to the site. We can force a signout and clear session cookies, but I was hoping for a cleaner approach.
Please assist with any ideas.
Thanks!
We resolved this by validating credentials on the first login page with Membership.ValidateUser which validates against the user store without creating a persisted cookie. On the second page once the user has successfully passed DUO authentication we used the SPClaimsUtility.AuthenticateFormsUser. Hope this helps anyone out there! Have a good one.
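The two-page flow described in the answer above, written out as an added example (this is not code from the original post). Page 1 checks the credentials with Membership.ValidateUser, which only consults the membership provider and issues no FedAuth cookie; page 2 signs the Duo request, verifies the posted sig_response and only then calls SPClaimsUtility.AuthenticateFormsUser. The class and key names are assumptions, the Duo calls assume the Duo Web SDK for .NET (Duo.Web.SignRequest / Duo.Web.VerifyResponse), and the pending state assumes ASP.NET session state is available on the web application. AuthenticateFormsUser needs the password again on page 2, so the pending password is held server-side and expired after five minutes, never placed in a cookie or hidden field.

```csharp
// Added example: two-page SharePoint 2016 FBA login with Duo as the second factor.
// Names, keys and the session-state usage are assumptions, not the original poster's code.
using System;
using System.Web;
using System.Web.Security;            // Membership.ValidateUser
using Microsoft.SharePoint.Utilities; // SPClaimsUtility.AuthenticateFormsUser
using Duo;                            // Duo Web SDK for .NET (assumed): Duo.Web.SignRequest / VerifyResponse

public static class TwoStepFbaLogin
{
    // Duo WebSDK integration keys: placeholders here, real values belong in protected configuration.
    const string IKEY = "DIXXXXXXXXXXXXXXXXXX";
    const string SKEY = "secret-key-from-the-duo-admin-panel";
    const string AKEY = "application-key-at-least-40-random-characters-long";
    static readonly TimeSpan PendingLifetime = TimeSpan.FromMinutes(5);

    // Page 1: validate the credentials against the membership provider only.
    // No SharePoint session (FedAuth cookie) is created at this point.
    public static bool FirstFactor(HttpContext ctx, string username, string password)
    {
        if (!Membership.ValidateUser(username, password))
            return false;

        // Hold the pending login server-side until Duo succeeds.
        ctx.Session["pendingUser"] = username;
        ctx.Session["pendingPassword"] = password;
        ctx.Session["pendingSince"] = DateTime.UtcNow;
        return true;
    }

    // Page 2 (GET): build the signed request that the Duo iframe is initialised with.
    public static string DuoSigRequest(HttpContext ctx)
    {
        var username = ctx.Session["pendingUser"] as string;
        if (username == null)
            throw new InvalidOperationException("No pending first-factor login for this session.");
        return Duo.Web.SignRequest(IKEY, SKEY, AKEY, username);
    }

    // Page 2 (POST): the iframe posts sig_response back; only now is the SharePoint session created.
    public static bool SecondFactor(HttpContext ctx, Uri siteUrl, string sigResponse)
    {
        var username = ctx.Session["pendingUser"] as string;
        var password = ctx.Session["pendingPassword"] as string;
        var since = ctx.Session["pendingSince"] as DateTime?;

        // Clear the pending state whatever the outcome, so a failed Duo attempt cannot be retried indefinitely.
        ctx.Session.Remove("pendingUser");
        ctx.Session.Remove("pendingPassword");
        ctx.Session.Remove("pendingSince");

        if (username == null || password == null || since == null
            || DateTime.UtcNow - since.Value > PendingLifetime)
            return false;

        // VerifyResponse returns the username the response was signed for, or null on failure or expiry.
        // It must match the user who passed the first factor, not just be non-null.
        string verified = Duo.Web.VerifyResponse(IKEY, SKEY, AKEY, sigResponse);
        if (verified == null || !string.Equals(verified, username, StringComparison.OrdinalIgnoreCase))
            return false;

        // Both factors passed: this is the call that issues the FedAuth cookie.
        return SPClaimsUtility.AuthenticateFormsUser(siteUrl, username, password);
    }
}
```

Page 1 calls FirstFactor and, on success, redirects to page 2; page 2 renders the iframe with DuoSigRequest and posts sig_response to SecondFactor, redirecting to the site only when it returns true. Comparing the username returned by VerifyResponse with the pending one prevents a sig_response obtained for one account from completing the login of another.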
Once the user logs out, he still sees the list of all accounts which were recently logged in. Is there any way to clear the list and cache completely? I am using .NET Core Razor Pages.
Below is the screen he sees after logout. So I want the page to appear without any recently logged-in account.
This is happening because the session cookie with the user's information is still saved in your browser. As Gaurav mentioned in the comment, adding prompt=login to your login URL will always help in forcing the user to a new login page without displaying user information, as it will clear the session cookie.
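An added example (not code from the question or the answer) of where prompt=login goes in an ASP.NET Core Razor Pages app that signs in through OpenID Connect: the authorize request is modified in OnRedirectToIdentityProvider. It goes slightly beyond the answer by also showing a logout that signs out of both the cookie scheme and the OpenID Connect scheme, which redirects the browser to the provider's end-session endpoint instead of only deleting the local cookie. The authority, client id and scheme names are assumptions (the defaults and placeholders), not values from the original post.

```csharp
// Added example: forcing a fresh login (prompt=login) and a federated sign-out in ASP.NET Core Razor Pages.
// Authority/ClientId are placeholders; scheme names are the framework defaults. Not the original poster's code.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;

public static class AuthSetup
{
    // Call from Startup.ConfigureServices / the service registration in Program.cs.
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0"; // placeholder
            options.ClientId = "<client-id>";                                          // placeholder
            options.ResponseType = "code";
            options.Events = new OpenIdConnectEvents
            {
                // prompt=login makes the provider ask for credentials again even when it still
                // holds a session for the browser, so the list of previously used accounts is skipped.
                OnRedirectToIdentityProvider = ctx =>
                {
                    ctx.ProtocolMessage.Prompt = "login";
                    return Task.CompletedTask;
                }
            };
        });
    }
}

// Razor Page handler for /Logout (Pages/Logout.cshtml.cs).
// Signing out of the cookie scheme alone only removes the local cookie; adding the OpenID Connect
// scheme sends the browser to the provider's end-session endpoint so the provider-side session ends too.
public class LogoutModel : PageModel
{
    public IActionResult OnPost()
    {
        return SignOut(
            new AuthenticationProperties { RedirectUri = "/" },
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

Use a POST (with the anti-forgery token) for the logout handler so a third-party page cannot log users out with a plain link.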
I have integrated Alfresco in Liferay.
I am also using a third party, which is CAS.
Now the question comes: when I click on the sign-in button it goes to the CAS login page; when I enter the username and password it logs in, but the Alfresco that I integrated is not logged in.
Kindly tell me how I should set up the authentication so that once I log in with CAS it automatically logs in as well.
How can I auto-login to Alfresco in Liferay?
Check your CAS log files; they will clearly give you details such as whether Alfresco was called after the CAS login or not. If not, check your client implementation in Alfresco.
I have an ASP.NET MVC5 web app that uses Identity Framework 2.0 for user administration. On the authenticated side of our app, the users fill out a series of forms and then are sent through a DocuSign in-session PowerForm (DocuSign embedded signing, PowerForm, URL). When the users are finished signing, I have set up callback URLs for the successful-signature and declined-to-sign events. The successful-signature callback is located in the area of my app that requires users to be authenticated; once they get redirected to my site, though, they are logged out, although they were logged in before they left. I have persistent logins set to true in my login and register action methods, as well as sliding expiration set up on my cookies. Fiddler indicates that when the users are called back from DocuSign the .AspNet.ApplicationCookie has a different value than before they left.
This only occurs the FIRST time the users are sent to docusign. If a user repeats the process for a second time they are already logged into my site when they get redirected by docusign and the cookie is unaltered.
I'll be closely monitoring this thread, if you have any questions or need clarification or code examples I will gladly provide.
Thank You Wiktor Zychla for pointing out cross-site scripting rules regarding domains and cookies.
The issue was with 30x redirects and Set-Cookie.
Safari has a bug - documented here
and SO has questions regarding it here
I was having DocuSign redirect back into an authenticated area of my site; without the cookies the users were not authenticated, therefore they were prompted to log in. This did not occur any time thereafter because the cookie was already set in place.
My solution was to redirect from external to a public landing page, which then redirected them to the intended authorized page. (since the cookies were set on the public page, they get passed to the authorized page, and the persisted login succeeds)
I also got tripped up with cookies and domains (I was redirecting to www.mysite.com instead of mysite.com)
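The landing-page approach from the answer above, as an added example in ASP.NET MVC5 (this is not the original poster's code). The anonymous action answers the external redirect with a normal 200 page, so the browser accepts any Set-Cookie headers there, and only then sends the user on to the intended [Authorize] page with a client-side hop. The controller, action and route names are assumptions. The one check a practitioner should not leave out is Url.IsLocalUrl on the target: a landing page that forwards to an arbitrary returnUrl is an open redirector.

```csharp
// Added example: public landing action for an external (DocuSign) redirect in ASP.NET MVC5.
// Controller/action names are assumptions; not the original poster's code.
using System.Web;
using System.Web.Mvc;

public class CallbackController : Controller
{
    // Reached by the redirect from DocuSign. Anonymous on purpose: the response is a 200 page that
    // carries the cookies, and the browser has committed them before the next hop is made.
    [AllowAnonymous]
    [HttpGet]
    public ActionResult SigningComplete(string returnUrl)
    {
        // Only forward to same-site paths; anything else (including "//evil.example") falls back
        // to a fixed page inside the authenticated area.
        if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
            returnUrl = Url.Action("Status", "Signing");

        // Client-side hop after a 200 response, rather than another 30x from this action.
        string target = HttpUtility.HtmlAttributeEncode(returnUrl);
        string html =
            "<!DOCTYPE html><html><head>" +
            "<meta http-equiv=\"refresh\" content=\"0;url=" + target + "\">" +
            "</head><body>Signing complete, returning to the application&hellip; " +
            "<a href=\"" + target + "\">Continue</a></body></html>";
        return Content(html, "text/html");
    }
}

// The page the landing action forwards to; requires the persisted login to be present.
[Authorize]
public class SigningController : Controller
{
    public ActionResult Status()
    {
        return View();
    }
}
```

Register the callback URL with DocuSign as the apex host the application cookies are scoped to (mysite.com rather than www.mysite.com in the answer's case), otherwise the landing page itself will not receive the cookies either.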
I would like to make a login page where users provide credentials and then have other pages check if the user is authenticated before serving those internal pages in Undertow.
While the example shows how to authenticate a user (for what will eventually turn into a login page), if the user were to navigate to another page after authenticating, how do I test whether that new page request has been made by the authenticated user?
I have referenced http://undertow.io/documentation/core/security.html and https://github.com/undertow-io/undertow/tree/master/examples/src/main/java/io/undertow/examples/security/basic.
This is an ancient question no one answered, but I did manage to learn about Keycloak which is Wildfly (Undertow) + SSO/Secure login.
The login site is designed using the ThinkTecture IdentityServer API.
The login site and the customer site are hosted as Azure web roles.
After a successful login it redirects to the customer site. Here I am getting the logged-in user:
var emaild = System.Web.HttpContext.Current.User.Identity.Name;
After a few hours I checked the site and I was still getting the logged-in user. I don't know when this current user session will expire. If anyone knows, please share your views.
Thanks In Advance.
The session by default has the same lifetime as the initial token, which is 10 hours by default. You can change that in the idsrv config.