Sitefinity CMS supports two modes of authentication:
You can change the authentication model by changing the Security settings in the Advanced Settings page. You can also edit additional settings such as UserIsOnlineTimeWindow and BackendUsersSessionTimeout in the Security page. For more information, see the Settings and configurations page.
Sitefinity CMS version 4.x used an implementation of forms-based authentication to verify a user’s identity and log them in. Forms authentication worked in the following way:
The mechanism that authenticates the user and the procedures for storing and retrieving the user’s identity information in the cookie were built into Sitefinity’s core and follow a specific proprietary implementation.
Sitefinity CMS supports the implementation of forms authentication for backward compatibility and for users who want to explicitly keep using it, but also adds an alternative method of authentication – claims-based authentication.
Claims-based authentication relies on a more robust mechanism of authentication, by which details about the user’s identity are encoded into a digitally signed string referred to as a token.
The token is issued once the user’s identity is determined by a dedicated service – Security Token Service (STS). The STS can run from within Sitefinity CMS, but can also run separately, and may even be a trusted third party.
Sitefinity’s implementation of claims-based authentication is based on Microsoft’s Windows Identity Foundation, which is built on top of the .NET framework.
Following is a scheme of how a token service works:
With claims-based authentication with single sign-on, once a user logs in and retrieves a valid token from the STS, the encrypted credentials are stored in the standard forms authentication cookie.
There are several immediate advantages to using claims-based authentication:
Following is a scheme of how claims-based authentication works:
Sitefinity’s implementation of claims-based authentication complies with the Federal Information Processing Standards (FIPS).
The identity token is digitally signed using the SHA-256 hash algorithm.
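The following added example (not Sitefinity or Windows Identity Foundation code) shows why a signed token lets a relying party trust claims it did not collect itself: an STS signs the serialized claims, and the consumer rejects anything altered, expired, or issued for another audience. The token layout, the use of HMAC-SHA256 with a shared key, the claim names (`iss`, `aud`, `exp`) and all URLs and key values are assumptions made for illustration; the page states only that the token is signed using SHA-256.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the STS and the relying party (assumption).
STS_KEY = b"constructed-demo-key-not-for-production"


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def sign(body: str, key: bytes) -> str:
    # SHA-256 based keyed signature over the encoded claims.
    return b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def issue_token(claims: dict, key: bytes = STS_KEY) -> str:
    """STS side: serialize the claims and append the signature."""
    body = b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{sign(body, key)}"


def validate_token(token, issuer, audience, key=STS_KEY, now=None) -> dict:
    """Relying-party side: check the signature first, then the claims."""
    try:
        body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    # Constant-time comparison; nothing is parsed before this passes.
    if not hmac.compare_digest(sign(body, key).encode(), sig.encode()):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims
```

Verifying the signature before decoding the body keeps unauthenticated input away from the JSON parser, and the audience check stops a token issued for one site from being replayed against another that trusts the same STS.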