Posted 12th of April 2012 by Kern Herskind Nightingale

I was recently asked by my friends over at to look into using Windows Identity Foundation to do claims based authentication for Sitecore. WIF comes pre-packed with all you need to do federated security and you can use the components either as they are or customise them to meet your specific requirements.

WIF integrates nicely with ASP.Net and most websites could easily be adapted to use Passive STS for authentication. Unfortunately this is not true for Sitecore websites (current version 6.5). WIF uses a set of HTTP modules to handle the authentication. The authentication is synchronised to the AuthenticateRequest event which is bad news as Sitecore’s UserResolver is executed in the httpRequestBegin pipeline which is synchronised to the BeginRequest event (yes - just _before _the AuthenticateRequest event). The WIF authentication does happen before the your Layouts and Sublayouts are rendered and Sitecore.Context.IsLoggedIn will return true. On the surface it looks like all is good but it is important to realise that you need the WIF authentication to take place before the UserResolver pipeline step so that security can be applied correctly when ItemResolver executed.

I asked Sitecore support to look into it but they drew a blank. I do hope that Sitecore will address this out in a future release now that WIF is being merged into the .Net framework. In the mean time as workaround you can override UserResolver and manually read the SessionToken, authenticate it and ask the Sitecore API to login the user for the current request.

blog comments powered by Disqus

About the author

Kern is a Sitecore Specialist with more than 10 years experince achitecting and developing Sitecore solutions. Kern was awarded Sitecore MVP in 2009, 2011 and again in 2015.
Currently Kern is helping the Sitecore Product team in shaping the future of the platform.

Kern Herskind Nightingale