
    Episerver authentication

    You can configure ImageVault to use the same user catalog as configured in Episerver. You then manage all users and roles in your Episerver instance.

    Depending on how you configure the authentication in Episerver, you need to configure ImageVault authentication accordingly.

    Different types of Episerver user management

    Membership providers

    If you are using forms/Windows authentication with old-style Membership/Role providers, you can use the ImageVault proxy providers for the membership and role providers. Follow the instructions below to set it up.

    AspNetIdentity

    Optimizely CMS 12

    Note

    The ImageVault.EPiServer.AspNetIdentity package is not supported for CMS 12, so be sure to remove this package when upgrading to CMS 12.

    Instructions for how to configure the ImageVault plugin in Optimizely for AspNetIdentity can be found in the installation instructions.

    EPiServer CMS 10-11

    If your Episerver site uses the newer form of user management, AspNetIdentity, then you need to include the ImageVault.EPiServer.AspNetIdentity NuGet package and add the following row in your Startup configuration.

    app.ActivateImageVaultIdentityProxy<ApplicationUser>();
    

    This row needs to be added just after the call to AddCmsAspNetIdentity, see example below.

    public void Configuration(IAppBuilder app)
    {
        // Add CMS integration for ASP.NET Identity
        app.AddCmsAspNetIdentity<ApplicationUser>();
        // Add ImageVault identity support for proxy endpoint
        app.ActivateImageVaultIdentityProxy<ApplicationUser>();
        // ... (rest of the startup configuration)
    }
    

    After that is done, follow the instructions below to set it up.

    Configure Episerver

    ImageVault needs to be able to communicate with Episerver using the imagevaultidentity handler. This is available when you install the ImageVault.Episerver.UI nuget package in your Episerver project.

    By default it is only accessible when called from the same server, so if your ImageVault is running on the same server instance as the Episerver instance, no further configuration is needed.

    If you are hosting Episerver and ImageVault in the cloud or on separate physical machines, you need to configure a secret that the ImageVault instance needs to supply in order to communicate with the handler. This is done by setting the ImageVault_IdentityHandler_AuthKey app setting in web.config.

    <appSettings>
        <add key="ImageVault_IdentityHandler_AuthKey" value="superPassword"/>
    </appSettings>
    

    Also make sure that the imagevaultidentity path on the Episerver site allows anonymous access. This is added to the web.config by the ImageVault.Episerver.UI package and should look like the example below.

    <location path="imagevaultidentity">
        <system.web>
            <authorization>
                <allow users="?" />
            </authorization>
        </system.web>
    </location>
    

    Configure ImageVault

    To enable ImageVault to use the same user catalog as Episerver you need to configure it to use the IdentityProxy membership and role provider.

    On each provider you need to specify the authKey and serviceUri attributes, where authKey contains the same key as specified in the Episerver app settings above and serviceUri points to the URL of the Episerver site with the /imagevaultidentity/ suffix.

    <system.web>
        <authentication mode="None" />
        <membership defaultProvider="IdentityProxyMembershipProvider">
            <providers>
                <clear />
                <add name="IdentityProxyMembershipProvider"                 
                     type="ImageVault.UI.Mvc.Security.IdentityProxyMembershipProvider, ImageVault.UI.Mvc" 
                     authKey="superPassword" 
                     serviceUri="https://myepiserver.com/imagevaultidentity/"/>
            </providers>
        </membership>
        <roleManager defaultProvider="IdentityProxyRoleProvider" enabled="true">
            <providers>
                <clear />
                <add name="IdentityProxyRoleProvider"          
                     type="ImageVault.UI.Mvc.Security.IdentityProxyRoleProvider, ImageVault.UI.Mvc" 
                     authKey="superPassword"
                     serviceUri="https://myepiserver.com/imagevaultidentity/"/>
            </providers>
        </roleManager>
    </system.web>
    

    IdentityProxy configuration

    Here follows a list of all attributes that can be applied to both the IdentityProxyMembershipProvider and the IdentityProxyRoleProvider as described below.

    authKey

    The authentication key to use when communicating with the imagevaultidentity handler. Must match the value set in the Episerver web.config.

    serviceUri

    You can set the URI of the imagevaultidentity service manually by adding the serviceUri attribute. The URI must end with a / but can be either absolute or relative. If relative, it is converted to an absolute URI using the incoming request URI as base.

    <add name="IdentityProxyRoleProvider" 
         type="ImageVault.UI.Mvc.Security.IdentityProxyRoleProvider, ImageVault.UI.Mvc" 
         serviceUri="http://www.site.com/imagevaultidentity/"
         />
    
    Note

    If omitted, the relative path ../imagevaultidentity/ will be used.

    cacheDuration

    Each lookup to the imagevaultidentity service is cached for a period of time (default 10 min). You can control this by setting the cacheDuration attribute to the number of minutes that the lookup result should be cached. Set to 0 to disable the cache.

    <add name="IdentityProxyRoleProvider" 
         type="ImageVault.UI.Mvc.Security.IdentityProxyRoleProvider, ImageVault.UI.Mvc" 
         cacheDuration="3"
         />
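
A consistency check for the two web.config files described above, as an added example that is not part of ImageVault or its documentation. It applies the page's rules (authKey must match the Episerver app setting, serviceUri must end with /) plus two added hygiene checks that are assumptions of this example: the sample value superPassword left in place, and a plain-HTTP serviceUri, since the key is supplied to that address. The function name, SAMPLE_KEYS and the sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs modelled on the snippets above (not a real deployment).
EPISERVER_CONFIG = """<configuration><appSettings>
  <add key="ImageVault_IdentityHandler_AuthKey" value="superPassword"/>
</appSettings></configuration>"""

IMAGEVAULT_CONFIG = """<configuration><system.web>
  <membership defaultProvider="IdentityProxyMembershipProvider"><providers><clear />
    <add name="IdentityProxyMembershipProvider"
         type="ImageVault.UI.Mvc.Security.IdentityProxyMembershipProvider, ImageVault.UI.Mvc"
         authKey="superPassword" serviceUri="https://myepiserver.com/imagevaultidentity/"/>
  </providers></membership>
  <roleManager defaultProvider="IdentityProxyRoleProvider" enabled="true"><providers><clear />
    <add name="IdentityProxyRoleProvider"
         type="ImageVault.UI.Mvc.Security.IdentityProxyRoleProvider, ImageVault.UI.Mvc"
         authKey="otherKey" serviceUri="http://myepiserver.com/imagevaultidentity"/>
  </providers></roleManager>
</system.web></configuration>"""

SAMPLE_KEYS = {"superPassword"}  # the documentation's sample value (hypothetical deny-list)


def audit_identity_proxy(episerver_xml, imagevault_xml):
    """Return (provider name, problem) pairs; key values are never echoed."""
    epi = ET.fromstring(episerver_xml)
    setting = epi.find("./appSettings/add[@key='ImageVault_IdentityHandler_AuthKey']")
    handler_key = setting.get("value") if setting is not None else None
    findings = []
    if handler_key in SAMPLE_KEYS:
        findings.append(("Episerver", "authKey is still the documentation sample value"))
    for add in ET.fromstring(imagevault_xml).iterfind("./system.web/*/providers/add"):
        if "IdentityProxy" not in add.get("type", ""):
            continue  # only the IdentityProxy membership/role providers are audited
        name, uri = add.get("name"), add.get("serviceUri", "../imagevaultidentity/")
        if add.get("authKey") != handler_key:
            findings.append((name, "authKey does not match the Episerver app setting"))
        if not uri.endswith("/"):
            findings.append((name, "serviceUri must end with /"))
        if uri.lower().startswith("http://"):  # added hygiene check, not a product rule
            findings.append((name, "serviceUri is plain HTTP"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_identity_proxy(EPISERVER_CONFIG, IMAGEVAULT_CONFIG):
        print(f"{name}: {problem}")
```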
    

    Single sign on

    Note

    Single sign on using forms/EPiServer authentication and the following instructions is only supported on CMS 11 or earlier (it requires .NET Framework). Even then, this is a workaround, and the more recommended way is to use some kind of federated authentication.

    If you are using forms authentication, SSO is achieved by checking the following list.

    • Both sites need to have a URL with a common domain name, such as a.site.com and b.site.com, or site.com.

    • The forms cookie needs to have the domain set to the common domain name.

      If you are running Episerver on site.com and ImageVault on iv.site.com, then use the domain name site.com.

    • Authentication in ImageVault web.config must be set to mode="Forms" for it to accept the cookie attributes.

    • The forms cookie needs to have the same name on both sites.

    • The same machine key needs to be set in the Episerver and ImageVault web.config.

    • You also need to make sure that Episerver and ImageVault are using the same encryption compatibility mode.

    For ImageVault you configure the forms cookie using the example below (substitute the values for domain and name with your actual values).

    <system.web>
        <authentication mode="Forms">
            <forms domain="site.com" name=".EPiServerLogin2" loginUrl="account/login" timeout="120" />
        </authentication>
    </system.web>
    
    Note

    Observe that you need to set authentication mode="Forms" for ImageVault to accept the cookie attributes.

    Note

    A tip: if you change the domain value for a cookie, change its name as well, since that forces the client to log in again and sets the correct domain for the cookie.

    In Episerver you only modify the domain and name properties of the <forms> element.
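
The checklist above as a script, added here as an example and not part of ImageVault or Episerver: it compares the two web.config files for authentication mode, forms cookie name and domain, machine key and encryption compatibility mode. The function names, the hosts parameter and the sample configs (with placeholder machine keys) are constructed for illustration; validationKey and decryptionKey are the standard machineKey attributes.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; the machineKey values are placeholders, not real keys.
EPISERVER = """<configuration><system.web>
  <authentication mode="Forms">
    <forms domain="site.com" name=".EPiServerLogin2" />
  </authentication>
  <machineKey validationKey="PLACEHOLDER-A" decryptionKey="PLACEHOLDER-B" />
  <httpRuntime targetFramework="4.5" />
</system.web></configuration>"""
IMAGEVAULT = """<configuration><system.web>
  <authentication mode="None">
    <forms domain="iv.site.com" name=".EPiServerLogin2" loginUrl="account/login" />
  </authentication>
  <machineKey validationKey="PLACEHOLDER-A" decryptionKey="PLACEHOLDER-B" compatibilityMode="Framework20SP2" />
</system.web></configuration>"""

def attrs(xml_text, path):
    """Attributes of one element under system.web, or {} when it is absent."""
    node = ET.fromstring(xml_text).find("./system.web/" + path)
    return dict(node.attrib) if node is not None else {}

def sso_problems(episerver_xml, imagevault_xml, hosts):
    """Walk the SSO checklist; messages never include key material."""
    sites, problems = (episerver_xml, imagevault_xml), []
    if attrs(imagevault_xml, "authentication").get("mode") != "Forms":
        problems.append("ImageVault authentication mode is not Forms")
    e_forms, i_forms = (attrs(x, "authentication/forms") for x in sites)
    for field in ("name", "domain"):
        if e_forms.get(field) != i_forms.get(field):
            problems.append(f"forms {field} differs between the sites")
    for domain in dict.fromkeys(f["domain"] for f in (e_forms, i_forms) if f.get("domain")):
        bare = domain.lstrip(".").lower()
        for host in hosts:  # every site hostname must fall under the cookie domain
            if host.lower() != bare and not host.lower().endswith("." + bare):
                problems.append(f"{host} is outside cookie domain {domain}")
    e_key, i_key = (attrs(x, "machineKey") for x in sites)
    for field in ("validationKey", "decryptionKey"):
        if e_key.get(field) is None or e_key.get(field) != i_key.get(field):
            problems.append(f"machineKey {field} is missing or differs")
    # Without an explicit compatibilityMode, fall back to comparing targetFramework.
    modes = [attrs(x, "machineKey").get("compatibilityMode")
             or ("targetFramework", attrs(x, "httpRuntime").get("targetFramework"))
             for x in sites]
    if modes[0] != modes[1]:
        problems.append("encryption compatibility mode is not configured identically")
    return problems

if __name__ == "__main__":
    print("\n".join(sso_problems(EPISERVER, IMAGEVAULT, ["site.com", "iv.site.com"])))
```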

    Troubleshooting

    Encryption compatibility mode

    Make sure that Episerver and ImageVault are using the same encryption compatibility mode.

    <machineKey compatibilityMode="Framework45" />
    

    A mismatch can occur if one site declares running on targetFramework 4.5 and the other is using an earlier version.

    If this occurs, the login won't work and you will repeatedly be faced with the login page, since the authentication cookie cannot be decrypted.

    To set the encryption mode, you can set the targetFramework to 4.5. This is controlled in the system.web/httpRuntime element.

    <system.web>
        <httpRuntime targetFramework="4.5" />
    </system.web>
    

    Read more about the targetFramework and what impact it has in the following article: https://blogs.msdn.microsoft.com/webdev/2012/11/19/all-about-httpruntime-targetframework/

    (c) Meriworks 2002-2022