Single sign-on

Jan 20, 2011 at 8:27 AM

Hi,

Our system (other than Orchard) is set up with a single sign-on solution where we have our own STS (WIF) behaving similar to Windows Live ID. Does anyone have any pointers as to how to implement federated authentication on Orchard?

Thanks,

Morten

Developer
Jan 20, 2011 at 2:11 PM

I've been working on similar SSO integration a while ago. I was integrating Orchard with a CAS authentication server, but maybe my experiences on the subject can be helpful :)

This can be achieved in a couple of ways. I've created a custom action filter attribute which handles the whole authentication process and helps keep things clean. The filter, after the authentication process, generates and passes an object describing a user to the corresponding action (the action has to take such a parameter). Then, I created a custom AccountController in my module (with IOrchardServices and IAuthenticationService injected in the constructor) and decorated the LogOn action (so as to keep naming similar to Orchard.Users, but it's nothing but my convention) with the attribute. Inside the action body I handled the appropriate redirection/automatic user creation based on the provided user object. I checked whether a user with the same name existed in Orchard (by using a content query via IOrchardServices.ContentManager) and called IAuthenticationService to log in this user. If the user didn't exist I had three options - to provision a new account (redirecting the user to a registration form pre-filled with the user Id), to provision the account automatically, or to return an error (or something).

This, of course, could be better handled by the filter too, so as to keep the controller clean. I think I'll do that soon.

After some time spent developing Orchard modules I can say that it's not the best-practice-like solution, although it works without problems. The problem with attributes is that you can't pass objects to the constructor at runtime (so working with the Autofac container is really tricky and needs several more or less dirty workarounds :/).

If I was to write the authentication now I'd rather stick to implementing IAuthenticationService and handle all authentication logic there. It would replace the default FormsAuthenticationService. I couldn't do it this way then, because I had to allow admin users to log on locally through the Orchard.Users module.

Cheers, Piotr

Coordinator
Jan 20, 2011 at 6:30 PM

Piotr, do you have a blog? I'd like to read an article on how you are doing those amazing modules!

Coordinator
Jan 20, 2011 at 7:48 PM

+1. It's pretty clear that you need a blog if you don't have one already. We have this nice aggregation service on the home page of orchardproject.net where I'd love to see that stuff ;)

Developer
Jan 22, 2011 at 12:08 AM

Thanks for the good words, but first of all great thanks to you for such an awesome framework:)

I was thinking about running a blog/website for a long time, but somehow I've never had enough time to seriously focus on this task. I wanted to run a blog under Orchard from its very beginning but it lacked some functionalities I needed. Writing those took some time and I'm currently adding finishing touches. So the blog will surely come up in a matter of days, maybe a week:) And, of course, I'd be happy to contribute my bits to the gallery.

Cheers, Piotr

Jan 24, 2011 at 3:06 PM
pszmyd wrote:

> If I was to write the authentication now I'd rather stick to implementing IAuthenticationService and handle all authentication logic there. It would replace the default FormsAuthenticationService. I couldn't do it this way then, because I had to allow admin users to log on locally by Orchard.Users module.

Thanks for the insight into this, Piotr. We will have this SSO for all our user types, including site admins, editors etc., so implementing the IAuthenticationService and just providing our admins and editors with the proper claims from our STS will probably be the route we take.

Morten
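The route Piotr recommends (replacing FormsAuthenticationService with a custom IAuthenticationService) and Morten's plan (users identified by claims from a WIF STS) sketched as one added example. This is not code from the thread or from the Orchard project; it assumes Orchard 1.x interface members, WIF 3.5 namespaces, that the WS-Federation module has already validated the STS token before Orchard runs, and that `OrchardSuppressDependency` is the way to displace the default service.

```csharp
// Added example: a federated IAuthenticationService for Orchard 1.x (assumed API).
// WIF (Microsoft.IdentityModel, assumed 3.5) validates the STS token and fills HttpContext.User;
// this service only maps that identity onto an Orchard user, provisioning one if needed.
using System;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Claims;   // IClaimsIdentity, ClaimTypes (WIF 3.5, assumed)
using Microsoft.IdentityModel.Web;      // FederatedAuthentication (WIF 3.5, assumed)
using Orchard.ContentManagement;
using Orchard.Environment.Extensions;
using Orchard.Security;
using Orchard.Users.Models;
using Orchard.Users.Services;

[OrchardSuppressDependency("Orchard.Security.Providers.FormsAuthenticationService")]
public class FederatedAuthenticationService : IAuthenticationService {
    private readonly IContentManager _contentManager;
    private readonly IMembershipService _membership;
    private IUser _requestUser;

    public FederatedAuthenticationService(IContentManager contentManager, IMembershipService membership) {
        _contentManager = contentManager;
        _membership = membership;
    }

    // Called by Orchard on every request: trust only an authenticated WIF identity.
    public IUser GetAuthenticatedUser() {
        if (_requestUser != null) return _requestUser;
        var identity = HttpContext.Current.User.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated || string.IsNullOrEmpty(identity.Name))
            return null;                                   // anonymous: no valid STS token
        var normalized = identity.Name.ToLowerInvariant();  // same lookup key Orchard.Users uses
        var user = _contentManager.Query<UserPart, UserPartRecord>()
            .Where(u => u.NormalizedUserName == normalized).List().FirstOrDefault();
        if (user == null) {
            // Piotr's "provision automatically" option; the local password is random and never used.
            var email = identity.Claims.Where(c => c.ClaimType == ClaimTypes.Email)
                                       .Select(c => c.Value).FirstOrDefault();
            user = _membership.CreateUser(new CreateUserParams(
                identity.Name, Guid.NewGuid().ToString("N"), email, null, null, true));
        }
        if (user.RegistrationStatus != UserStatus.Approved) return null;   // locally disabled account
        return _requestUser = user;
    }

    // Sign-in is performed at the STS; Orchard only needs the user for the current request.
    public void SignIn(IUser user, bool createPersistentCookie) { _requestUser = user; }
    public void SetAuthenticatedUserForRequest(IUser user) { _requestUser = user; }

    // Drops the local WIF session cookie; a federated sign-out at the STS is a separate redirect.
    public void SignOut() {
        _requestUser = null;
        FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
    }
}
```

Roles for admins and editors still come from Orchard's own role assignments unless a separate step maps STS role claims onto UserRolesPart, so provisioning alone gives a new SSO user no elevated rights.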

Jan 25, 2011 at 8:58 AM
Edited Jan 25, 2011 at 8:58 AM

Hi again,

I am considering giving one of my devs the task of creating an IAuthenticationService implementation (and maybe an IAuthorizationService if needed) that works against a standard WIF implementation of an STS. But before I do that I would like to know if someone else is working on the same thing. If something is planned to be finished within the next couple of months, I will just wait for this instead.

Thanks,

Morten

Developer
Feb 5, 2011 at 3:59 AM

Hi!

Just a small announcement. I just (at last) managed to get my blog up and running and wrote 2 articles about module development. I'd be happy if you could take a look :)

I'm going to write a series of articles about advanced Orchard module development scenarios not covered in the docs yet. Do you have any ideas on which scenarios I should best focus on in the next few weeks? Custom authentication? Maybe there is something the community needs (or sth not documented well) that I don't know about - I'd be glad to help :)

Cheers, Piotr