• Not Answered

Telligent Community not recognizing custom Auth Cookie – and not signing in User

I am working on a custom solution to provide Saml Authentication for a small pilot of users on a Telligent Community v7.6 site that is currently using Forms Authentication. This application is currently running as a virtual IIS application, within the same domain – so it has access to the client's domain.

While all of the custom and Saml logic is working correctly and my code to write the cookie is successful, Telligent Community does not recognize that the customer is logged in. I am in the process of ruling out differences in machineKey settings, and believe this is an issue with how the Cookie is being written.

I used the 7.6 documentation and another blog post, but neither approach seems to work.

Does anyone have experience (and possibly code samples) with writing the cookie so that Telligent Community recognizes it?  I would greatly appreciate the assistance.  

Thanks in advance.

8 Replies

  • Can you provide a link to the documentation you've tried so far?

  • In reply to Elijah Hardin:

    Sure.  

    First, I used guidance on the Cookie Authentication:  telligent.com/.../24252.cookie-authentication.aspx

    Then your blog post was the second resource I used:  elijahhardin.com/.../telligent-community-5-single-sign-on-sso-forms-authentication

  • In reply to Scott Dockendorf:

    Are you writing the cookie from within the community application (even if it's your own code executing within Telligent), or are you doing it from a totally separate website / application?  If the former, then you may be writing the cookie too late in the ASP.Net pipeline to be recognised.

    Can you also use Fiddler or the Chrome dev tools to verify that

    a) the cookie has been written and sent to the client

    b) the client returns the cookie to the server when you visit the community homepage

    One common mistake with cookie auth is to set the cookie in such a way that the browser will never send it back to the server (e.g. by setting the cookie domain to a domain other than the one being accessed).

  • In reply to Alex Crome:

    Hi, Alex.  Hope all is well.

    The custom application is an MVC app - running as an IIS application as a subdirectory within client's site.  I am writing the cookie and if successful, redirecting the customer to a page on Telligent Community.  Hope that helps.

  • In reply to Scott Dockendorf:

    Simply because you set the cookie in your MVC app doesn't mean the browser will send it back to the community to use for SSO.  A few examples in which this can happen:

    1. Setting a path on the cookie which doesn't match the community's directory exactly in case.
    2. Setting a domain on the cookie which is different to the one being accessed.  This can be particularly common when behind a reverse proxy where the internal host name is different to the external host name.
    3. Setting a cookie to expire past

    Can you verify, using either Fiddler or your browser dev tools, that once your code is redirecting a user back to the community, the browser is sending the cookie back to the server?  I apologise if this sounds patronising, but I've been bitten by issues of this kind too many times, so get a bit obsessive about ruling this issue out early on.
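The domain and path pitfalls listed in the reply above can be checked offline against a captured `Set-Cookie` header. This is an added example, not part of any post in the thread and not Telligent code: it applies the RFC 6265 domain-match and path-match rules, and the host names, the `/sso` path and the ticket value are constructed placeholders.

```python
from urllib.parse import urlsplit

def domain_matches(host, cookie_domain):
    """RFC 6265 5.1.3: host equals the cookie domain or is a subdomain of it."""
    host = host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def path_matches(request_path, cookie_path):
    """RFC 6265 5.1.4: case-sensitive prefix match ending on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_attrs(set_cookie):
    """Attributes of a Set-Cookie value as a dict with lowercase keys."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs

def why_not_sent(set_cookie, response_url, request_url):
    """Reasons a browser would withhold the cookie (empty list means it is sent).

    response_url is the URL, as the browser saw it, that returned Set-Cookie;
    request_url is the community page the user is redirected to afterwards.
    """
    attrs = cookie_attrs(set_cookie)
    origin, target = urlsplit(response_url), urlsplit(request_url)
    reasons = []
    domain = attrs.get("domain")
    if domain:
        if not domain_matches(origin.hostname, domain):
            reasons.append("rejected on set: Domain does not cover the issuing host")
        elif not domain_matches(target.hostname, domain):
            reasons.append("Domain does not match the requested host")
    elif origin.hostname.lower() != target.hostname.lower():
        reasons.append("host-only cookie, requested host differs")
    # With no Path attribute the browser uses the directory of the response URL
    path = attrs.get("path") or (origin.path.rsplit("/", 1)[0] or "/")
    if not path_matches(target.path or "/", path):
        reasons.append("Path does not match (comparison is case-sensitive)")
    return reasons

if __name__ == "__main__":
    # Constructed sample: cookie scoped to /Community, redirect goes to /community/
    print(why_not_sent(".Telligent.Evolution=TICKET; Path=/Community",
                       "https://community.example.com/sso/acs",
                       "https://community.example.com/community/"))
```

An empty `Domain=` attribute is treated as absent, which makes the cookie host-only; public-suffix and `Secure` handling are outside what this check covers.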

  • In reply to Scott Dockendorf:

    Here is the method in its current state.

    The challenge is that our client wants to have a new set of users pilot this functionality, rather than opening this up to everyone.  As a result, I can't simply change the entire site to cookie authentication.   As a result, the custom app has to write the auth cookie just like Telligent Community/Evolution does.

            // Requires: using System; using System.Web; using System.Web.Security;
            private void WriteFormsAuthCookieEx(CommunityUser _communityUser)
            {
                string username = _communityUser.UserName;
                string userData = "username=" + username;
                HttpContext context = System.Web.HttpContext.Current;

                // Persistent version-1 ticket, valid for 14 days, carrying the user name as user data
                FormsAuthenticationTicket authticket = new FormsAuthenticationTicket
                    (1, username, DateTime.Now, DateTime.Now.AddDays(14), true, userData);

                //TODO how to manually encrypt ticket????
                // Encrypt uses the machineKey configured for this application
                string encryptedTicket = FormsAuthentication.Encrypt(authticket);

                //HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
                HttpCookie authCookie = new HttpCookie(".Telligent.Evolution", encryptedTicket);

                //if (chkBoxRememberMe.Checked)
                //    authCookie.Expires = authticket.Expiration;
                authCookie.Expires = authticket.Expiration;
                authCookie.Domain = FormsAuthentication.CookieDomain;

                // added from above
                authCookie.Path = "/";
                //context.Response.Cookies["CSUser"]["roles"] = "Everyone, Registered Users";

                context.Response.Cookies.Add(authCookie);

                // Companion profile cookie with the same expiry and domain as the auth cookie
                HttpCookie emailAddressCookie = new HttpCookie("CSUserProfile");
                emailAddressCookie.Values.Add("Email", _communityUser.PrivateEmail);
                emailAddressCookie.Values.Add("commonname", "My User");
                //if (chkBoxRememberMe.Checked)
                //    emailAddressCookie.Expires = authticket.Expiration;
                emailAddressCookie.Expires = authticket.Expiration;
                emailAddressCookie.Domain = FormsAuthentication.CookieDomain;
                context.Response.Cookies.Add(emailAddressCookie);
            }
    
  • In reply to Scott Dockendorf:

    So from the code you're using, it looks like you're using Forms SSO rather than Cookie SSO.

    So you want to be following the documentation at telligent.com/.../24253.forms-authentication.aspx instead of the lines you provided above.

    The one concern I have is that you're suggesting that you're only using partial SSO for this community.  Our SSO Modules are designed to be all or nothing - whilst you may be able to get them to work in a partial authentication scenario, they haven't really been designed for this scenario so your mileage may vary.

  • In reply to Alex Crome:

    The client is currently using Forms authentication for their site, with Telligent Evolution controlling the authentication.   Does that help?
