I have a site where I want to only use Active Directory for the front end. For the backend, I want to continue to use the default provider. I went through the process of setting up the Active Directory STS and it works. If I leave the federation URL pointed to localhost, you do get the SF login box where you select Default or LDAP. However, I would like it to log you in automatically if you visit a front-end page that requires a specific LDAP group.
Is this possible? The main reason is that many of my Active Directory users will be backend users but only use it rarely. They will visit the website every day and if they are automatically logged in, we will quickly exceed the 5 concurrent user login limit even though they aren't using the backend tools. My plan would be that they would have a different login for the backend.
I wanted to post what I've done in the interim to see if there is a long-term issue associated with it.
I set up Active Directory as a Sitefinity provider, but I left the URL in the federation tag of the web.config as localhost. I then created a front-end login page that detects if the person is logged in. If the person is not logged in, I redirect them to my STS AD site and they get returned correctly logged in. There is a log out button on the front end, and if the person navigates to /Sitefinity, they can log in with their Sitefinity default provider login to update content.
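The redirect check described in the post above, as an added example that is not the poster's code and does not use any Sitefinity API: a plain ASP.NET (System.Web) code-behind for a front-end page that must only be reached by members of one AD group. The STS sign-in address, the `ReturnUrl` query parameter it is assumed to accept, and the group name are all placeholders; the example also assumes the AD group is exposed as a role on the authenticated principal.

```csharp
// Added example, not from the post. Plain ASP.NET (System.Web) page code-behind.
// Assumptions (placeholders): the STS sign-in endpoint accepts a "ReturnUrl" query
// parameter, and the required AD group is available as a role on Context.User.
using System;
using System.Web;
using System.Web.UI;

public partial class ProtectedFrontEndPage : Page
{
    // Placeholder values: replace with the real STS address and group name.
    private const string StsSignInUrl = "https://sts.example.invalid/signin";
    private const string RequiredGroup = "FrontEndUsers";

    protected void Page_Load(object sender, EventArgs e)
    {
        var user = Context.User;

        // Not signed in yet: send the visitor to the STS with a safe return URL,
        // so they come back to this page already authenticated.
        if (user == null || !user.Identity.IsAuthenticated)
        {
            string returnUrl = SafeReturnUrl(Request);
            Response.Redirect(
                StsSignInUrl + "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl),
                endResponse: true);
            return;
        }

        // Signed in but not in the required group: deny with 403 rather than
        // redirecting again, which would otherwise loop between page and STS.
        if (!user.IsInRole(RequiredGroup))
        {
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Authenticated and authorised: the page renders normally.
    }

    // Only ever hand the STS a site-relative path, so the login flow cannot be
    // abused as an open redirector to an external host.
    internal static string SafeReturnUrl(HttpRequest request)
    {
        string path = request.RawUrl ?? "/";

        // Reject empty, absolute ("https://...") and protocol-relative ("//host")
        // values, including the backslash variant some browsers normalise.
        if (string.IsNullOrEmpty(path)
            || !path.StartsWith("/")
            || path.StartsWith("//")
            || path.StartsWith("/\\"))
        {
            return "/";
        }
        return path;
    }
}
```

The two details worth keeping even if the rest is adapted are the return-URL guard (an unchecked `ReturnUrl` turns the STS round trip into an open redirect) and the 403 for authenticated users outside the group, since redirecting them back to the STS would only produce a loop.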
I am new to Sitefinity. In my company all of our users are in AD, and as per our IT policy we implement SSO with Windows Authentication for all the implemented systems.
Therefore I need to implement SSO with Windows Authentication. I have followed the documentation and I managed to make it work for the backend with SSO.
However, I need to implement it for the frontend as well. When I added the Login widget and set its provider to LdapUsers, it authenticates the users, but they have to supply their credentials; SSO doesn't work like it does for the backend login. We need the website to recognize the users automatically (SSO) without them pressing anything or providing their credentials.
So, any help on how to do that?
Thanks in advance.