Episerver authentication

You can configure ImageVault to use the same user catalog as configured in Episerver. You then manage all users and roles in your Episerver instance.

Depending on how you configure the authentication in Episerver, you need to configure ImageVault authentication accordingly.

Different types of Episerver user management

Membership providers

If you are using forms/windows authentication and the old-style Membership/Role providers, you can use the ImageVault proxy providers for Membership/Role providers. Just follow the instructions below to set it up.

AspNetIdentity

If your Episerver site uses the newer form of user management, AspNetIdentity, you need to include the ImageVault.EPiServer.AspNetIdentity nuget package and add the following row to your Startup configuration.

app.ActivateImageVaultIdentityProxy<ApplicationUser>();

This row needs to be added just after the call to AddCmsAspNetIdentity, see example below.

public void Configuration(IAppBuilder app)
{
    // Add CMS integration for ASP.NET Identity
    app.AddCmsAspNetIdentity<ApplicationUser>();
    // Add ImageVault identity support for proxy endpoint
    app.ActivateImageVaultIdentityProxy<ApplicationUser>(); 
    ...
}

After that is done, follow the instructions below to set it up.

Configure Episerver

ImageVault needs to be able to communicate with Episerver using the imagevaultidentity handler. This is available when you install the ImageVault.Episerver.UI nuget package in your Episerver project.

By default the handler is only accessible when called from the same server, so if ImageVault is running on the same server instance as Episerver, no further configuration is needed.

If you are hosting Episerver and ImageVault in Azure or on separate physical machines, you need to configure a secret that the ImageVault instance must supply in order to communicate with the handler. This is done by setting the ImageVault_IdentityHandler_AuthKey app setting in web.config.

<appSettings>
    <add key="ImageVault_IdentityHandler_AuthKey" value="superPassword"/>
</appSettings>

Also make sure that the imagevaultidentity path on the Episerver site allows anonymous access. This is added to web.config by the ImageVault.Episerver.UI package and should look like below.

<location path="imagevaultidentity">
    <system.web>
        <authorization>
            <allow users="?" />
        </authorization>
    </system.web>
</location>

Configure ImageVault

To enable ImageVault to use the same user catalog as Episerver you need to configure it to use the IdentityProxy membership and role provider.

On each provider you need to specify the authKey and serviceUri attributes, where authKey contains the same key as specified in the Episerver app settings above and serviceUri points to the URL of the Episerver site with the /imagevaultidentity/ suffix.

<system.web>
    <authentication mode="None" />
    <membership defaultProvider="IdentityProxyMembershipProvider">
        <providers>
            <clear />
            <add name="IdentityProxyMembershipProvider"
                 type="ImageVault.UI.Mvc.Security.IdentityProxyMembershipProvider, ImageVault.UI.Mvc"
                 authKey="superPassword"
                 serviceUri="https://myepiserver.com/imagevaultidentity/"/>
        </providers>
    </membership>
    <roleManager defaultProvider="IdentityProxyRoleProvider" enabled="true">
        <providers>
            <clear />
            <add name="IdentityProxyRoleProvider"
                 type="ImageVault.UI.Mvc.Security.IdentityProxyRoleProvider, ImageVault.UI.Mvc"
                 authKey="superPassword"
                 serviceUri="https://myepiserver.com/imagevaultidentity/"/>
        </providers>
    </roleManager>
</system.web>

IdentityProxy configuration

The following attributes can be applied to both the IdentityProxyMembershipProvider and the IdentityProxyRoleProvider.

authKey

The authentication key to use when communicating with the imagevaultidentity handler. Must match the value set in the Episerver web.config.

serviceUri

You can set the URI of the ImageVault identity service manually by adding the serviceUri attribute. The URI must end with a / and can be either absolute or relative. If relative, it is converted to an absolute URI using the incoming request URI as base.

<add name="IdentityProxyRoleProvider" 
     type="ImageVault.UI.Mvc.Security.IdentityProxyRoleProvider, ImageVault.UI.Mvc" 
     serviceUri="http://www.site.com/imagevaultidentity/"
     />

Note: If omitted, the relative path ../imagevaultidentity/ will be used.

cacheDuration

Each lookup to the imagevaultidentity service is cached for a period of time (default 10 min). You can control this by setting the cacheDuration attribute to the number of minutes that the lookup result should be cached. Set to 0 to disable the cache.

<add name="IdentityProxyRoleProvider" 
     type="ImageVault.UI.Mvc.Security.IdentityProxyRoleProvider, ImageVault.UI.Mvc" 
     cacheDuration="3"
     />
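The two rules above (a relative serviceUri is resolved against the incoming request URI, and lookups are cached for cacheDuration minutes with 0 disabling the cache) are easy to get wrong when ImageVault and Episerver live on different hosts or paths. The following is an added example written for this page, not the code of the real IdentityProxy providers: it models only what the documentation states, and the request URIs are constructed samples.

```python
"""Model of the serviceUri and cacheDuration behaviour described above.
Added example written for this page; it is not the code of the real
IdentityProxy providers, only a re-statement of their documented rules."""
import time
from typing import Callable, Optional
from urllib.parse import urljoin, urlparse

DEFAULT_SERVICE_URI = "../imagevaultidentity/"  # documented default when serviceUri is omitted
DEFAULT_CACHE_MINUTES = 10                       # documented default cacheDuration


def resolve_service_uri(request_uri: str, service_uri: Optional[str] = None) -> str:
    """Absolute URI of the imagevaultidentity handler for a given incoming request.

    An absolute serviceUri is used unchanged; a relative one (including the
    default ../imagevaultidentity/) is resolved against the incoming request
    URI. The result must end in '/' and be an http(s) URI."""
    uri = service_uri or DEFAULT_SERVICE_URI
    if not uri.endswith("/"):
        raise ValueError(f"serviceUri must end with '/': {uri!r}")
    resolved = urljoin(request_uri, uri)
    if urlparse(resolved).scheme not in ("http", "https"):
        raise ValueError(f"cannot resolve {uri!r} against {request_uri!r}")
    return resolved


class LookupCache:
    """Caches handler lookups for cacheDuration minutes; 0 disables caching."""

    def __init__(self, cache_duration_minutes: int = DEFAULT_CACHE_MINUTES,
                 clock: Callable[[], float] = time.monotonic):
        self.ttl_seconds = cache_duration_minutes * 60
        self.clock = clock          # injectable so expiry can be tested without sleeping
        self._entries: dict = {}    # key -> (expires_at, value)

    def get_or_fetch(self, key: str, fetch: Callable[[], object]):
        """Return the cached value for key if still fresh, otherwise call fetch()."""
        if self.ttl_seconds > 0:
            entry = self._entries.get(key)
            if entry is not None and entry[0] > self.clock():
                return entry[1]
        value = fetch()
        if self.ttl_seconds > 0:
            self._entries[key] = (self.clock() + self.ttl_seconds, value)
        return value


if __name__ == "__main__":
    # Constructed request URIs. With the default relative serviceUri, the handler is
    # expected one level above the ImageVault application path on the same host.
    print(resolve_service_uri("https://site.com/imagevault/"))
    # From a deeper request path the same default lands somewhere else, which is
    # why an absolute serviceUri is the safer choice for separate hosts or paths.
    print(resolve_service_uri("https://iv.site.com/imagevault/Pages/Default.aspx"))
    print(resolve_service_uri("https://iv.site.com/imagevault/",
                              "https://myepiserver.com/imagevaultidentity/"))
```

Run it to see where the default ../imagevaultidentity/ resolves for your own request paths; if the result is not the Episerver handler, set an absolute serviceUri as in the configuration above.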

Single sign on

If you are using forms authentication, SSO is achieved by going through the following checklist.

  • Both sites need a URL with a common domain name, like a.site.com and b.site.com, or site.com.

  • The forms cookie needs to have its domain set to the common domain name.

    If you are running Episerver on site.com and ImageVault on iv.site.com, use the domain name site.com.

  • Authentication in the ImageVault web.config must be set to mode="Forms" for it to accept the cookie attributes.

  • The forms cookie needs to have the same name on both sites.

  • Set the same machine key in the Episerver and ImageVault web.config.

  • Make sure that Episerver and ImageVault are using the same encryption compatibility mode.

For ImageVault you configure the forms cookie using the example below (substitute the values for domain and name with your actual values).

<system.web>
    <authentication mode="Forms">
        <forms domain="site.com" name=".EPiServerLogin2" loginUrl="account/login" timeout="120" />
    </authentication>
</system.web>

Note: Observe that you need to set authentication mode="Forms" for ImageVault to accept the cookie attributes.

Note: if you change the domain value for a cookie, change its name as well; this forces the client to log in again and sets the correct domain for the cookie.

In Episerver you only modify the domain and name attributes of the <forms> element.

Troubleshooting

Encryption compatibility mode

Make sure that Episerver and ImageVault are using the same encryption compatibility mode.

A mismatch can occur if one site declares targetFramework 4.5 and the other is using an earlier version.

If this occurs, the login won't work and you will repeatedly be faced with the login page, since the authentication cookie cannot be decrypted.

To set the encryption mode, set the targetFramework to 4.5. This is controlled in system.web/httpRuntime.

<system.web>
    <httpRuntime targetFramework="4.5" />
</system.web>

Read more about targetFramework and its impact in the following article: https://blogs.msdn.microsoft.com/webdev/2012/11/19/all-about-httpruntime-targetframework/
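The settings in the Configure Episerver and Configure ImageVault sections, the single sign-on checklist and the encryption compatibility note all come down to values in two web.config files that must agree. The script below cross-checks them; it is an added example written for this page, not ImageVault's own tooling, and the two configs it contains are constructed samples (placeholder machine keys, the cookie name deliberately different and the httpRuntime element deliberately missing on the ImageVault side) so that the output shows what a mismatch looks like.

```python
"""Cross-check an Episerver web.config against an ImageVault web.config for the
settings this page requires to agree. Added example written for this page, not
ImageVault's own tooling; the two configs below are constructed samples with
deliberate mismatches (cookie name, missing targetFramework on ImageVault)."""
import xml.etree.ElementTree as ET

AUTH_KEY_SETTING = "ImageVault_IdentityHandler_AuthKey"
HANDLER_PATH = "imagevaultidentity"
MACHINE_KEY_ATTRS = ("validationKey", "decryptionKey", "validation", "decryption")

# Constructed sample: Episerver side (machine key values are placeholders).
EPISERVER_WEB_CONFIG = """<configuration>
  <appSettings><add key="ImageVault_IdentityHandler_AuthKey" value="superPassword"/></appSettings>
  <location path="imagevaultidentity">
    <system.web><authorization><allow users="?" /></authorization></system.web>
  </location>
  <system.web>
    <httpRuntime targetFramework="4.5" />
    <authentication mode="Forms">
      <forms domain="site.com" name=".EPiServerLogin2" loginUrl="Util/login.aspx" timeout="120" />
    </authentication>
    <machineKey validationKey="PLACEHOLDER-VALIDATION-KEY" decryptionKey="PLACEHOLDER-DECRYPTION-KEY"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed sample: ImageVault side, mirroring the provider configuration on this page.
IMAGEVAULT_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms domain="site.com" name=".EPiServerLogin" loginUrl="account/login" timeout="120" />
    </authentication>
    <membership defaultProvider="IdentityProxyMembershipProvider"><providers><clear />
      <add name="IdentityProxyMembershipProvider"
           type="ImageVault.UI.Mvc.Security.IdentityProxyMembershipProvider, ImageVault.UI.Mvc"
           authKey="superPassword" serviceUri="https://myepiserver.com/imagevaultidentity/"/>
    </providers></membership>
    <roleManager defaultProvider="IdentityProxyRoleProvider" enabled="true"><providers><clear />
      <add name="IdentityProxyRoleProvider"
           type="ImageVault.UI.Mvc.Security.IdentityProxyRoleProvider, ImageVault.UI.Mvc"
           authKey="superPassword" serviceUri="https://myepiserver.com/imagevaultidentity/"/>
    </providers></roleManager>
    <machineKey validationKey="PLACEHOLDER-VALIDATION-KEY" decryptionKey="PLACEHOLDER-DECRYPTION-KEY"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def _attr(root, xpath, attr):
    """Attribute value of the first element matching xpath, or None if absent."""
    el = root.find(xpath)
    return el.get(attr) if el is not None else None


def check_sso(episerver_config: str, imagevault_config: str) -> list:
    """Return human-readable findings; an empty list means the checklist passes."""
    epi, iv = ET.fromstring(episerver_config), ET.fromstring(imagevault_config)
    findings = []

    # The shared secret for the identity handler must be identical on both sides.
    epi_key = _attr(epi, f"./appSettings/add[@key='{AUTH_KEY_SETTING}']", "value")
    for section in ("membership", "roleManager"):
        for provider in iv.findall(f"./system.web/{section}/providers/add"):
            if not epi_key or provider.get("authKey") != epi_key:
                findings.append(f"authKey of {provider.get('name')} does not match {AUTH_KEY_SETTING}")

    # The handler path must allow anonymous access on the Episerver site.
    if epi.find(f"./location[@path='{HANDLER_PATH}']/system.web/authorization/allow[@users='?']") is None:
        findings.append(f"/{HANDLER_PATH} does not allow anonymous access on the Episerver site")

    # ImageVault must run forms authentication to honour the cookie domain and name.
    if _attr(iv, "./system.web/authentication", "mode") != "Forms":
        findings.append("ImageVault authentication mode is not Forms")

    # One cookie for both sites: the domain must be set and equal, the name equal.
    for attr in ("domain", "name"):
        a, b = (_attr(r, "./system.web/authentication/forms", attr) for r in (epi, iv))
        if not a or a != b:
            findings.append(f"forms cookie {attr} differs: Episerver={a!r} ImageVault={b!r}")

    # The other site can only decrypt and validate the ticket with the same machineKey.
    for attr in MACHINE_KEY_ATTRS:
        a, b = (_attr(r, "./system.web/machineKey", attr) for r in (epi, iv))
        if a != b:
            findings.append(f"machineKey {attr} differs")

    # Same targetFramework means the same encryption compatibility mode.
    a, b = (_attr(r, "./system.web/httpRuntime", "targetFramework") for r in (epi, iv))
    if a != b:
        findings.append(f"httpRuntime targetFramework differs: Episerver={a!r} ImageVault={b!r}")
    return findings


if __name__ == "__main__":
    for finding in check_sso(EPISERVER_WEB_CONFIG, IMAGEVAULT_WEB_CONFIG):
        print("MISMATCH:", finding)
```

Point check_sso at the contents of your real web.config files instead of the samples; each finding maps to one item of the checklist above, and a missing httpRuntime targetFramework on one side is exactly the case that produces the repeated login page described under Troubleshooting.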
