My company has just obtained Kentico for some new applications. These applications will be going into production in about 2 weeks, so we are still fairly new with this. What we have are three ASP.NET MVC applications/sites that format and present content that is stored in Kentico. Additionally, we have specific users who will log into the Kentico9/Admin site to manage the content displayed by the MVC apps.
From a corporate standpoint, we also have Siteminder SSO enabled. When a user navigates to our Kentico9/Admin site, they are first authenticated by our corporate Siteminder SSO form using their corporate user id. When they are successfully authenticated, Siteminder redirects the user to the Kentico9/Admin site they originally requested and the user is presented with the standard Kentico login form. If the user has already logged in through Siteminder during another session, they only get presented with the Kentico login form. Otherwise, if this is their first time logging in, the user is required to login twice (once through Siteminder and again through Kentico).
What I want to do is bypass the standard Kentico login form and use the Siteminder information to authorize the user and log them into the Kentico admin site. Siteminder adds the username and some other information to the HTTP request headers. Using C#, I can retrieve their corporate user id using the following: System.Web.HttpContext.Current.Request.Headers.Get("SM_USERID").
So, in a nutshell, I want to override Kentico's standard login form and write some code that will get the user id from the HTTP request header and authorize the user by looking up their userid in Kentico. If the user id is not found or is not active, present the user with the standard Kentico login form. Otherwise, if the user is a valid and active user, pull their user record and allow them to access Kentico.
I have found some tidbits of information and given enough time, I may be able to figure something out, but I am hoping someone has done something similar and can speed up my process. Any ideas on what I can do? I will also entertain anything that might have tighter integration with Siteminder, although it doesn't seem Kentico can handle Siteminder out of the box, but I am not sure about that.
Sounds like you might be able to create a custom webpart which you will place on a page and simply have Siteminder redirect the user to the page with that webpart on it and look for those header values on page load. If it finds them, perform your actions within Kentico to look that user up and authenticate them in Kentico as needed. If there are no header values or it can't find the Kentico info, simply send them to the regular login page.
You could also create a global event handler but that would require someone to click a button or such on your site after they have entered credentials.
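The header-driven sign-in the answer sketches, as an added example that is not code from the thread or from Kentico: a web part placed on the page Siteminder redirects to. The Kentico 9 types it calls (CMSAbstractWebPart, UserInfoProvider, AuthenticationHelper, URLHelper) and the logon page path are assumptions about that version's API; the SM_USERID header name is the one the question gives.

```csharp
using System;
using System.Web;
using CMS.Helpers;
using CMS.Membership;
using CMS.PortalEngine.Web.UI;

// Added example, not code from the thread or from Kentico. The Kentico 9 types used
// (CMSAbstractWebPart, UserInfoProvider, AuthenticationHelper, URLHelper) and the
// logon page path are assumptions about that version; check them against your install.
public partial class SiteminderLoginWebPart : CMSAbstractWebPart
{
    private const string SiteminderUserHeader = "SM_USERID";          // set by the Siteminder agent
    private const string KenticoLoginUrl = "~/CMSPages/logon.aspx";   // stock Kentico login form (assumed path)
    private const string AdminUrl = "~/Admin";

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // Already signed in to Kentico: nothing to do.
        if (AuthenticationHelper.IsAuthenticated()) return;

        // The header is only trustworthy when every path to this site goes through
        // the Siteminder web agent, which overwrites client-supplied SM_* headers.
        // If the site is reachable directly, a browser could set SM_USERID itself.
        string corporateId = HttpContext.Current.Request.Headers.Get(SiteminderUserHeader);
        if (string.IsNullOrWhiteSpace(corporateId))
        {
            URLHelper.Redirect(KenticoLoginUrl);
            return;
        }

        // Match the corporate id to a Kentico user name and require an enabled account;
        // anything else falls back to the standard login form, as the question asks.
        UserInfo user = UserInfoProvider.GetUserInfo(corporateId.Trim());
        if (user == null || !user.Enabled)
        {
            URLHelper.Redirect(KenticoLoginUrl);
            return;
        }

        // Issue Kentico's own authentication ticket (non-persistent) and continue to the admin UI.
        AuthenticationHelper.AuthenticateUser(user.UserName, false);
        URLHelper.Redirect(AdminUrl);
    }
}
```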
I have a link on my website that takes a user to the Azure AD edit profile page. I have customized that page by adding 2 links at the bottom. One is for the user to change their password and the other is to update a phone number. These are 3 different policies within Azure AD. When I initially link to the page from my site I am sending a clientID and a redirect_uri in the query string. Unfortunately this is getting converted to a csrf_token and those query string parameters are gone so I don't have access to them to include them in the change password and change phone number links. When the user clicks on the links obviously they fail. How do I link someone from one custom policy page to another page in Azure Active Directory? My custom page uses javascript, css, and html. No server side code other than what Microsoft injects.
You should have a link back to your application, and your application should understand that this route starts a new authentication journey with the appropriate authentication library with the desired policyId for this URL path. Do not link B2C journeys directly from within your custom HTML; go via your application.
I am using oidc-token-manager with OAuth and IdentityServer to set up authorization/authentication on my site. All the functionality is working fine. I am just wondering what the id parameter is that is being sent to IdentityServer:
https://foobar.net/identity/ui/login?id=216257a45dbd3041eee88fa8aa5d3b0cidc
and, more specifically, can I use that, in some form, to add a button on IdentityServer to send the user back to the page that they came from? To be clear, the post-login redirect is working fine. Once the user logs in with his/her credentials it automatically sends them back to the website. However, there are 2 scenarios that I want to take into account to extend the redirection.
Case 1: If the user clicks login from the website and then is like "nah, don't really want to log in anymore, have to AFK and deal with some stuff, just get me out of here, will come back to it later".
Case 2: The user is not registered yet and clicks the login button from the website instead of the register button. On the login page there is a "don't have an account? create one now" button. But in its current form it redirects to the registration with no way to set the same flow as the login, where there is an automatic redirect back to the website, which will actually be a specific page that tells the user that he has registered and has a time period to check his email to authenticate himself to the site.
This is using an Angular app with the set configuration for the OidcTokenManager as:

```javascript
var config = {
    authorization_url: 'https://foobar.net/identity/connect/authorize',
    client_id: 'foobar_id',
    redirect_uri: 'http://localhost:5060/callback.html', // for testing
    // implicit flow asking for both an identity token and an access token
    // (the original post had 'token token_id', which is not a valid response_type)
    response_type: 'id_token token',
    scope: 'fooscopes',
    authority: 'https://foobar.net/identity',
    popup_redirect_uri: 'http://localhost:5060/login-dialog.html',
    silent_renew: true
};
```
Any help would be awesome. Thanks.
The id parameter that is passed to the login page is part of how IdentityServer manages the state for pending authorization requests. It's the id of the cookie that holds the SignInMessage that IdentityServer uses internally.
For case 2 if you click one of the additional links the id is passed along. It is then the responsibility of the custom page to get the user back to the login page with that id. I believe we have samples showing this.
Is there any provision like, say, for a visitor user of a web application: he is doing, say, a search or trying any functionality which is allowed for the visitor user, and at a certain action needs to be logged in, and if he has no credentials then needs to sign up and return back to the same action page where he was before login/sign-up. Is it possible to handle this at application or session level in MVC 5?
Yes, this is handled for you out of the box when you create a new ASP.NET MVC Project. To try this, do the following:
1. Create a new ASP.NET MVC 5 Project.
2. Open the Home Controller, and place an [Authorize] attribute above the "About" action.
3. Navigate to the "About" menu option at /About.
4. You will automatically be redirected to the login page. Note that the login URL now reads "/Account/Login?ReturnUrl=%2FHome%2FAbout". This is how the initiating URL is passed into the login page.
5. Log into the site. After logging in, note that you are redirected back to the "/About" page that you were initially trying to access.
Of course this is not bulletproof. If you try to register before logging in, you will notice that you are no longer redirected back to that initial page, but it is a start.
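The ReturnUrl round-trip from the steps above, as an added example that is not the answer's or the MVC 5 template's code: it goes slightly beyond the answer by carrying returnUrl through Register as well, which closes the gap the last paragraph mentions, and it assumes the classic ASP.NET Membership provider (Membership.ValidateUser/CreateUser) as the credential store instead of the ASP.NET Identity stack the template ships with.

```csharp
using System.Web.Mvc;
using System.Web.Security;
// Added example (not the answer's or the MVC 5 template's code). Uses the classic
// ASP.NET Membership provider as the credential store; the MVC 5 template uses
// ASP.NET Identity instead, but the ReturnUrl handling is the same.
public class HomeController : Controller
{
    // Anonymous requests are redirected to /Account/Login?ReturnUrl=%2FHome%2FAbout.
    [Authorize]
    public ActionResult About() { return View(); }
}

public class AccountController : Controller
{
    // Both forms re-post returnUrl as a hidden field, and the "register" link on the
    // login view carries it along: @Url.Action("Register", new { returnUrl = ViewBag.ReturnUrl }).
    [HttpGet, AllowAnonymous]
    public ActionResult Login(string returnUrl) { ViewBag.ReturnUrl = returnUrl; return View(); }
    [HttpGet, AllowAnonymous]
    public ActionResult Register(string returnUrl) { ViewBag.ReturnUrl = returnUrl; return View(); }
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }
        FormsAuthentication.SetAuthCookie(userName, createPersistentCookie: false);
        return RedirectToLocal(returnUrl);
    }

    // Registration keeps returnUrl too, so a new user also lands on the page that
    // triggered the login prompt instead of the home page.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Register(string userName, string password, string email, string returnUrl)
    {
        Membership.CreateUser(userName, password, email);
        FormsAuthentication.SetAuthCookie(userName, createPersistentCookie: false);
        return RedirectToLocal(returnUrl);
    }

    // Follow returnUrl only when it is a path on this site; an absolute or
    // protocol-relative value would turn the login page into an open redirector.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```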
I wish to add Social Login feature to a Shopify store that I am building. (I'm using the professional plan.)
I explored a few of the available social-login apps on the Shopify App Store. Upon studying closely how they actually work, I have come to the following understanding of the general scheme being followed by all of them.
1. The Shopify shop owner sets up a social app (e.g. Facebook app) with their store identity, but configures the Callback-URL/Redirect-URL to one supplied by the App author (i.e. pointing to their infrastructure).
2. Upon successful login by a shop customer on the social platform (via a link/button inserted on the shop login page), the request gets redirected to the App.
3. The App retrieves the user's email address from their social profile (that they now have access to).
4. They then look up their own database to see if this is an existing customer. If so, they go directly to step 7 below.
5. If it's a new customer, they use the Shopify API to create a new 'customer' on the target Shopify store. They set the customer up with a randomly generated password.
6. At the same time they also make an entry of this customer account (email + generated password) in their own database.
7. They then redirect the request back to the Shopify store's login page, but this time with the customer's email address (retrieved from the social platform) and their password (from the App's own database) included as part of the data that comes back to the user's browser as part of loading the login page.
8. Then the App's JavaScript embedded on the shop login page uses the customer email address and password to programmatically submit the login form, thus establishing a valid customer session on the Shopify shop.
My questions are as follows:
1. Has someone else also looked closely into this, and thus can validate whether my above understanding is correct or not?
2. If it is correct, is this the only way to achieve social login on Shopify (without using the Shopify Plus/Enterprise plan)?
I am trying to understand if this indeed is the only way, because I strongly feel that this method is not at all secure. And thus I'd rather not use this method; or if I just have to, then I'd rather write my own (private) app for this so that at least I am in control of the security of the app/database that holds sensitive user credentials.
Would appreciate any help/thoughts I can get with this, please.
If you are rolling your own you probably want to look at Multipass. It would be the thing to use if you can set up another web service that handles the trusted partner registration process.
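The Multipass approach the answer points to, as an added example that is not code from the thread, from Shopify or from any app vendor: it builds the Multipass login URL in the documented token format (AES-128-CBC plus HMAC-SHA256, both keys derived from the shop's Multipass secret), so the shop receives a short-lived encrypted and signed assertion instead of the stored password and JavaScript form-submit in steps 6 to 8 of the question. The shop domain, secret and customer values passed in are constructed placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web.Script.Serialization;
// Added example (not code from the thread, from Shopify or from any app vendor): builds a
// Shopify Multipass login URL in the documented token format. Shop domain, secret and
// customer values passed in are constructed placeholders.
public static class ShopifyMultipass
{
    public static string BuildLoginUrl(string shopDomain, string secret, string email, string returnTo)
    {
        // Both keys come from one SHA-256 of the Multipass secret:
        // bytes 0-15 encrypt, bytes 16-31 sign.
        byte[] keyMaterial;
        using (var sha = SHA256.Create())
            keyMaterial = sha.ComputeHash(Encoding.UTF8.GetBytes(secret));
        byte[] encKey = keyMaterial.Take(16).ToArray();
        byte[] sigKey = keyMaterial.Skip(16).Take(16).ToArray();

        // created_at must be current: Shopify rejects stale tokens, which bounds replay.
        string json = new JavaScriptSerializer().Serialize(new
        {
            email,
            created_at = DateTime.UtcNow.ToString("o"),
            return_to = returnTo
        });

        // AES-128-CBC with PKCS7 padding; the random IV is prepended to the ciphertext.
        byte[] cipher;
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = encKey;
            aes.GenerateIV();
            byte[] plain = Encoding.UTF8.GetBytes(json);
            byte[] body = aes.CreateEncryptor().TransformFinalBlock(plain, 0, plain.Length);
            cipher = aes.IV.Concat(body).ToArray();
        }

        // HMAC-SHA256 over IV+ciphertext is appended, then the whole token is URL-safe base64.
        byte[] signature;
        using (var hmac = new HMACSHA256(sigKey))
            signature = hmac.ComputeHash(cipher);
        string token = Convert.ToBase64String(cipher.Concat(signature).ToArray())
            .Replace('+', '-').Replace('/', '_');
        return "https://" + shopDomain + "/account/login/multipass/" + token;
    }
}
```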
I got a requirement to dispatch users to different landing pages per their user group immediately after login. It seems SharePoint does not supply an API regarding the login event, so I implemented a web part and added it to the homepage to handle the dispatch. This works perfectly until users log out and log in again: SharePoint has a history of where users were in their last login (to be precise, a URL parameter named Source handles the redirect after login), so users will no longer go to their customized landing page.
I searched a lot and found someone doing this with a custom login form; this is way too complex, and the client won't let me touch their Active Directory.
I'm at my wits' end to know what to do. Can someone shed some light on this? Any help or advice is deeply appreciated.
Why don't you use a delegate control in the master page that checks a value in the session to see if you entered through the landing page? On the landing page you add the value to the session, specifying that this user has entered through the landing page.