This is something I’ve come across and solved, and I’m posting for the benefit of people that might face the same issue (…and also because some of the Sitecore gurus watching this thread might have better solutions).
Basically, if you successfully authenticate against AD FS, but don’t have specific access to the secured page you’ve requested (because you don’t have the required [AD FS-mapped] Sitecore role), you’re stuck in an infinite loop.
So all I did was add one extra check at the very end of point no. 8 of the SitecoreFederatedLogin/sitecoreOwinFederation/pipelines/HttpRequest/AuthenticationChecker.cs algorithm, which redirects the user to some “Access denied” page (N.B. This is by no means production-ready code!):
// 8 all identities available
// check if identity matches.
// if not: redirect. Otherwise: return
else if (!String.IsNullOrEmpty(key) && Context.IsLoggedIn && federatedUser != null)
{
var user = Context.User;
// compare identities
// if not equal, there is a cookie mismatch:
// remove tokens,
// logout sitecore user and
// redirect to loginpage.
if (!user.Name.Equals(String.Format("{0}\\{1}", Context.Domain.Name, federatedUser.Identity.Name)))
{
LogoutAndRedirectToLogoutPage();
// stop here: the access check below would otherwise issue a second
// redirect that overrides the logout redirect
return;
}
// If the requested page is not accessible by the (now verified) user,
// redirect to the Access Denied page instead of the login page,
// which is what caused the infinite loop
if (!this.CanRead(HttpContext.Current.Request.Url.AbsolutePath))
{
// TODO: return 403 - is it even possible?
WebUtil.Redirect(AccessDeniedPage, false);
}
}
where AccessDeniedPage is some suitable error page (say, "/accessdenied") and CanRead is simply (code below is not bullet-proof!)
WebsiteRoot being the root of your (micro)site, e.g. "sitecore/content/home".
The thing is: although I’m still very much in “PoC mode”, I’ve started refactoring things quite heavily in preparation for the move to our main code base, so it’s probably not too easy to merge the changes back in. :-/
I’d be more than happy to send you my whole solution, though, for you to pick whatever you might find useful…
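The loop described in this issue (authenticated against AD FS, but the AD FS-mapped role does not grant read access, so the request is bounced back to login) is generic to any "redirect to login when the page is not readable" check. The following is an added example, not code from the post above or from the SitecoreFederatedLogin project, of a separate httpRequestBegin processor that distinguishes the two cases: anonymous users are left to the federation processor, while logged-in users who cannot read the resolved item get either a bare 403 (answering the TODO in the snippet: it is possible) or a redirect to the access-denied page. It checks the resolved Context.Item rather than a URL path, so it does not need a WebsiteRoot mapping, and it skips the access-denied page itself so that page cannot start a second loop. The class name, namespace, the AccessDeniedPage and RespondWith403 processor properties, and the assumption that the processor is patched in after ItemResolver are all assumptions for this example.

```csharp
using System;
using System.Web;
using Sitecore;
using Sitecore.Data.Items;
using Sitecore.Diagnostics;
using Sitecore.Pipelines.HttpRequest;
using Sitecore.Security.AccessControl;
using Sitecore.Web;

namespace Example.Pipelines.HttpRequest
{
    // Hypothetical httpRequestBegin processor (not the repository's AuthenticationChecker).
    // Assumes it runs after Sitecore's ItemResolver, so Context.Item is already resolved.
    public class AccessDeniedChecker : HttpRequestProcessor
    {
        // Populated from the config patch; property names are assumptions for this example.
        public string AccessDeniedPage { get; set; }   // e.g. "/accessdenied"
        public bool RespondWith403 { get; set; }       // true: HTTP 403, false: redirect

        public override void Process(HttpRequestArgs args)
        {
            Assert.ArgumentNotNull(args, "args");
            Assert.IsNotNullOrEmpty(AccessDeniedPage, "AccessDeniedPage must be configured");

            Item item = Context.Item;
            // No item resolved (404 territory) or no site context: not this processor's job.
            if (item == null || Context.Site == null)
                return;

            HttpContext http = HttpContext.Current;
            string requestPath = http.Request.Url.AbsolutePath;

            // 1. Never police the access-denied page itself; a user who could not read it
            //    would otherwise bounce between that page and this check.
            if (IsAccessDeniedPage(requestPath))
                return;

            // 2. Anonymous users belong to the federation processor, which sends them to AD FS.
            //    Redirecting an already authenticated user there is what causes the loop.
            if (!Context.IsLoggedIn)
                return;

            // 3. Authenticated: evaluate the real item read right for the current user,
            //    i.e. the same decision the renderer would make later.
            if (AuthorizationManager.IsAllowed(item, AccessRight.ItemRead, Context.User))
                return;

            Log.Audit(string.Format("Access denied for '{0}' to '{1}' (request path '{2}')",
                Context.User.Name, item.Paths.FullPath, requestPath), this);

            if (RespondWith403)
                Forbid(args, http);
            else
                RedirectToAccessDenied(args);
        }

        private bool IsAccessDeniedPage(string requestPath)
        {
            return string.Equals(requestPath.TrimEnd('/'), AccessDeniedPage.TrimEnd('/'),
                StringComparison.OrdinalIgnoreCase);
        }

        // A bare 403 from an httpRequestBegin processor: set the status, abort the pipeline so
        // no later processor renders the item, and complete the request so the response is
        // flushed as-is. TrySkipIisCustomErrors stops IIS from swapping in its own error body.
        private static void Forbid(HttpRequestArgs args, HttpContext http)
        {
            http.Response.Clear();
            http.Response.StatusCode = 403;
            http.Response.StatusDescription = "Forbidden";
            http.Response.TrySkipIisCustomErrors = true;
            args.AbortPipeline();
            http.ApplicationInstance.CompleteRequest();
        }

        private void RedirectToAccessDenied(HttpRequestArgs args)
        {
            // endResponse:false avoids the ThreadAbortException that Response.End() throws;
            // aborting the pipeline is what actually stops further processing.
            WebUtil.Redirect(AccessDeniedPage, false);
            args.AbortPipeline();
        }
    }
}
```

Register it with a config patch in the httpRequestBegin pipeline, placed after the ItemResolver processor (Sitecore.Pipelines.HttpRequest.ItemResolver, Sitecore.Kernel) so that Context.Item is populated, and set AccessDeniedPage and RespondWith403 as processor properties. Two checks worth doing before relying on it: confirm that the access-denied item itself is readable by every role that can reach the site, and confirm that the redirect branch runs after the federation processor has established the Sitecore login, otherwise step 2 sees an anonymous user and the original behaviour is unchanged.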