Vulnerability in EPiServer.Forms
We are trying to set up federated security at a customer with a multi-site solution. We have followed the documentation here:
We have got it working in the test environment, but I have some questions about what is possible and not with ADFS.
Let's say we have site A and site B. I visit https:///episerver/cms. I get redirected to the ADFS, because of access denied when trying to access edit mode, and type in username and password at the ADFS login page. After I click "Sign in", I get redirected back to https:///episerver/cms and I'm in editor mode. So far so good.
I now visit https:///. The site doesn't see that I'm authenticated, but after I visit https:///episerver/cms I get redirected to the ADFS and right away back to https:///episerver/cms/ without having to type my username and password again. That's great!
But is it possible to sign in on Site A and automatically be authenticated when I visit Site B? Without triggering the jump to and from the ADFS? Both Site A and Site B will allow anonymous visitors.
Site A and Site B are running the same code base, but with different web.configs. Because of:
The OWIN provider for WS Federation does not support multi-tenancy so each site must run in its own web application for authentication to work on all URLs (the WtRealm configuration specified in the example below cannot vary per request). The OWIN provider for OpenID connect can work with multiple URLs, see integration with Azure Active Directory.
Kind regards / Henric
You can probably play a bit with the cookies to make it work decently as long as you are on the same domain but it's probably not a good idea. Not allowing anon users will of course automatically trigger the login process.
I would definitely recommend sticking to letting the users click the login button... :) SSO is tricky enough as is without custom solutions that you don't expect...
You are looking for an SSO solution. (From saved references on this topic: http://sveinaandahl.blogspot.co.uk/)
I'm setting my multi-sites to work with ADFS: mysite.se, mysite.fi, ... but I got the problem that the wrealm is always the same, like the limited support said.
Do you know the solution to solve it?