Question

I'm using a 3rd-party external authentication/Single-Sign-On server with Sitecore that returns tickets back to a web server.

The integration documentation recommends that when you get the authorised response back from the server you create your own FormsAuthenticationTicket, then you can access user UserData entered in the ticket like this:

FormsAuthenticationTicket ticket = ((FormsIdentity)HttpContext.Current.User.Identity).Ticket;

if (ticket != null)
{
  string UserData = ticket.UserData;
  ...
}

The issue I have is that the User.Identity will always be the extranet\Anonymous User.

Is there any way to stop the anonymous user from being used as the current user? Or will I have to create my own membership provider in order for this to work?


Solution

You might be able to avoid creating a custom membership provider by using the Sitecore.Security.Authentication.AuthenticationManager to build a virtual user and assign that user to a real role in Sitecore. This way you can restrict access for unauthenticated users (by denying read access to the extranet\anonymous user account and enabling read access for your custom extranet role). The code (after validating username/password) would be something like this:

using Sitecore.Security.Authentication;

var user = AuthenticationManager.BuildVirtualUser("someone", isAuthenticated: true);
user.RuntimeSettings.AddedRoles.Add("extranet\\some role");
AuthenticationManager.LoginVirtualUser(user);

Other tips

I've done something similar using the WIF module. When I received the ticket back from the system, I extracted the data about the user from the ticket. I then created/updated a Sitecore user for that account (I could have used virtual users, but in this case I wanted the accounts to be true Sitecore accounts).

The final step was to call the Login explicitly to ensure the current context user is the newly created user.
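
The create-or-update-then-login flow described in the second answer, written out as an added example (it is not code from either answerer or from Sitecore). The `SsoLogin` class, its parameters and the `RoleMap` contents are assumptions, and it must be called only after the SSO response has been validated.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;
using Sitecore.Security.Accounts;
using Sitecore.Security.Authentication;

// Hypothetical helper; the names here are illustrative, not part of Sitecore.
public static class SsoLogin
{
    // Assumed mapping from SSO group names to existing Sitecore roles.
    // A group that is not listed here grants nothing.
    private static readonly Dictionary<string, string> RoleMap =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "members", "extranet\\some role" }
        };

    public static void SignIn(string ssoUserName, string email, IEnumerable<string> ssoGroups)
    {
        // Pin SSO accounts to the extranet domain: a name that carries its
        // own domain prefix (for example "sitecore\...") is rejected.
        if (string.IsNullOrWhiteSpace(ssoUserName) || ssoUserName.Contains("\\"))
            throw new ArgumentException("Unexpected user name in SSO response");
        string name = "extranet\\" + ssoUserName;

        // Create a real Sitecore account on first login. The random password
        // is never given to the user; authentication stays with the SSO server.
        User user = User.Exists(name)
            ? User.FromName(name, true)
            : User.Create(name, Membership.GeneratePassword(32, 8));

        user.Profile.Email = email;
        user.Profile.Save();

        foreach (string group in ssoGroups)
        {
            string roleName;
            if (RoleMap.TryGetValue(group, out roleName) && Role.Exists(roleName))
            {
                Role role = Role.FromName(roleName);
                if (!user.IsInRole(role)) user.Roles.Add(role);
            }
        }

        // Explicit login, so the context user is no longer extranet\Anonymous.
        AuthenticationManager.Login(user.Name, false);
    }
}
```

Roles added this way persist on the account, so a group removed on the SSO side also has to be removed from the Sitecore user on a later login.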

Licensed under: CC-BY-SA with attribution