New external user via claims-based auth is not allocated a site

David Wilkinson asked on October 31, 2016 13:44

Hi, I have a multi-site (two sites) Kentico 9 installation that uses claims-based authentication via Windows Server 2012 ADFS.

Once the user is authenticated via ADFS the account is created within Kentico, however the user has no site associated with it.

Each site is set up within IIS with its own SSL certificate, and each has its own claim rule within the ADFS.

Has anybody had this problem? Is there a fix, or a "default" site that you can allocate to a user via the claim from the ADFS?

Thanks for any help

Recent Answers

David Wilkinson answered on October 31, 2016 16:00

Gave up and wrote a SQL trigger on cms_user table.

0 votes

Trevor Fayas answered on October 31, 2016 21:24

Hey David,

First off, I would highly recommend you DELETE that SQL trigger; you never, never, never want to mess with SQL triggers, as you can run into a lot of problems.

You have the right idea, just the wrong execution. Instead, use Kentico's global event hooks: then you can have a User Create event hook, see if they are domain users or not, and assign the users to the site that way.

You can either use CMS.Membership.SecurityEvents.Authenticate / MultiFactorAuthenticate to catch when the user logs in and then check if they are assigned to sites (if not, assign them), or the general CMS.DataEngine.ObjectEvent.Insert and check the object class: if it's CMS.User then it's inserting a user and you can do the logic there.

0 votes
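The event-hook approach Trevor describes, written out as an added example (this is not code from the thread or from Kentico's own product). It assumes the Kentico 9 custom module API (CMS.DataEngine.Module, ObjectEvents.Insert, UserInfo.UserIsExternal, UserSiteInfoProvider and UserInfoProvider.AddUserToSite); the two site code names and the module name are placeholders to replace with the real ones.

```csharp
// Added example, not from the thread: a Kentico 9 custom module that assigns
// every newly created external (claims-authenticated) user to a fixed set of
// sites, replacing the SQL trigger with auditable application code.
// Assumed API: CMS.DataEngine.Module, ObjectEvents, UserInfo, UserSiteInfoProvider,
// UserInfoProvider.AddUserToSite. Site code names below are placeholders.
using CMS;
using CMS.DataEngine;
using CMS.Membership;
using CMS.SiteProvider;

[assembly: RegisterModule(typeof(ExternalUserSiteAssignmentModule))]

public class ExternalUserSiteAssignmentModule : Module
{
    // PLACEHOLDER: the code names of the two training sites.
    // Keep this list to the sites the user actually needs; cross-site access
    // stays governed by roles, so do not add sites "just in case".
    private static readonly string[] DefaultSiteCodeNames = { "TrainingSiteA", "TrainingSiteB" };

    public ExternalUserSiteAssignmentModule() : base("ExternalUserSiteAssignmentModule") { }

    protected override void OnInit()
    {
        base.OnInit();
        // ObjectEvents.Insert fires for every object type; the handler filters for users.
        ObjectEvents.Insert.After += OnObjectInserted;
    }

    private static void OnObjectInserted(object sender, ObjectEventArgs e)
    {
        var user = e.Object as UserInfo;
        if (user == null)
        {
            return; // some other object type was inserted
        }
        if (!user.UserIsExternal)
        {
            return; // locally created accounts are assigned sites by the administrator
        }
        AssignDefaultSites(user);
    }

    // Returns the number of site assignments that were added, for logging/tests.
    internal static int AssignDefaultSites(UserInfo user)
    {
        int added = 0;
        foreach (var siteName in DefaultSiteCodeNames)
        {
            var site = SiteInfoProvider.GetSiteInfo(siteName);
            if (site == null)
            {
                continue; // misconfigured code name: skip rather than fail the login
            }
            // Idempotent: only add the binding if it does not already exist.
            if (UserSiteInfoProvider.GetUserSiteInfo(user.UserID, site.SiteID) == null)
            {
                UserInfoProvider.AddUserToSite(user.UserName, siteName);
                added++;
            }
        }
        return added;
    }
}
```

Hooking the insert keeps the assignment in one place that runs inside the application, so it shows up in code review and in the event log rather than as a hidden database trigger; the check for an existing binding makes it safe to re-run, and skipping unknown site names avoids turning a typo in configuration into a failed login.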

Trevor Fayas answered on October 31, 2016 21:26

Lastly, back to the original question: what module are you using to authenticate? Usually external authentication requires custom code that SHOULD include the logic to set the Site, but I have a feeling that's a marketplace module that wasn't built by Kentico.

0 votes

David Wilkinson answered on November 1, 2016 13:00

Hi Trevor,

Thanks for your input. I will have a look at implementing that and see if it will serve the purpose. (Nothing ventured, nothing gained...)

I am just using the claims-based authentication within Kentico (Settings - Security & Membership - Authentication - Claims-based Authentication, standard, no changes) without inheriting settings but using the same identity provider. I have done the same with other sites, and there external users get assigned a site (the default and only site). The site I am working on has 2 sites within 1 Kentico environment, 2 different domain suffixes, and roles defining whether you are allowed cross-site access. (It's a training website with 2 different products (sites).)

I understand the issues with triggers and people's reluctance to use them, but used correctly they can and do work without problems (lots of if statements and rollbacks).

One slight problem I have is that this site will not build within VS and throws up many errors (it had some custom code built for Kentico v5.5r2 shoe-horned into the build), so I may have some problems getting global events to work, etc.

The token that comes from the ADFS will not show the domain, as we are using forms authentication, not Windows authentication, so there is limited information I can gather to check. We can set up custom claim rules, but then the whole thing gets more complex when all I want is that when someone gets authenticated, they get allocated a site or two. I would have thought Kentico out of the box could handle such a simple thing; they do it with 1 site, why not 2!

I will update this when I have progressed further.

0 votes