Home » Community » Developer Space » Community Server 2008 » Forms Authentication: How to specify new user's Roles?

Forms Authentication: How to specify new user's Roles?

Open Support Ticket

Call Support:
Direct: (214) 420-1337
Toll Free: (877) 522-6334

Monday through Friday
8 a.m. to 6 p.m. Central (GMT-6)

Join our Community
Details
  • 10 Replies
  • 0 Subscribers
  • Postedover 3 years ago
Options

Forms Authentication: How to specify new user's Roles?

This question is answered
PeterB
Posted by
on Wed, Jan 7 2009 2:28 AM
I can correctly configure Form Auth with a "userProfileCookie" with the user's email and use the "allowAutoUserRegistration" property to automatically register users. However I wish to specify which roles the user should be in when registering. How can I specify the user's forum roles when auto-registering a new user?
Roles Forms Authentication Extension AD Groups Forms Authentication Authorization
Verified Answer
  • Ken Robertson
    Posted by
    on Mon, Jan 12 2009 12:13 PM
    Verified Answer
    Verified by

    The cookie that you create and specify in the "userProfileCookie" setting is basically just a key/value pair of the user's properties you can update.  To pass along which roles the user should have, just add a "roles" key with a comma separated list of the users roles ("Sales,Support,Staff"), no spaces.
  • Ken Robertson
    Posted by
    on Thu, Jan 15 2009 10:59 AM
    Verified Answer
    Verified by

    By default, it will only update the values from the cookie once a week.

    You wouldn't want to validate everything on every single request, since that will result in a lot of wasted effort and would slow the site down.  With SSO, there is no concept of "logging in" and there is no tracking when they first access the site or anything like that, and that is kind of arbitrary anyway since you could leave the computer on and browser open for days.

    Instead, it only does the update at a particular interval.  By default, it updates once a week (full 7 days since it last updated).  If you're on CS 2008.5, you can adjust it by adding a "profileRefreshInterval" setting to the FormsAuthentication extension module section in the communityserver.config.  It is the number of days between updates, so you could set it to 1 and it will update every 24 hours.
All Replies
  • Danny Hansen
    Posted by
    on Thu, Jan 8 2009 7:05 AM
    Suggested Answer

    In communiyser.config in the section <core>


            defaultRoles = "Everyone;Registered Users;"

    We use this option to give the users default roles during registration
  • PeterB
    Posted by
    on Thu, Jan 8 2009 4:55 PM

    Thanks Danny,

    This is fine for the default roles, but I need to add/remove users from their roles over time as they are added/removed from external features which are linked to the forum.

    Some questions:

    • Can I use the CS API to add/remove users from roles?
    • Should I simply write a HTTP Module which checks the user's roles when visiting the given forum?
    • Are there other strategies for role management?

    Ideally CS would support Forms Authentication against Active Directory so the roles flow-through automatically, however this unfortunately seems lacking.

    Cheers,

    Peter

     

    Active Directory HTTP Module CS API
  • Danny Hansen
    Posted by
    on Fri, Jan 9 2009 1:58 AM

    Yes you can use the api to add remove roles.

    You should get the SDk for your version and see what it has to offer

    For example I have used the SDK to write a module that puts a user in a specific group after registering.

    In the aspx files you can place a c# code block and call the methods to check

     

    I would use the CS api for custom role management
  • Alex Crome
    Posted by
    on Sat, Jan 10 2009 7:12 AM

    CS supports authentication against Active Directory.  Have a look at the Windows Authentication Single Sign On Modules.

    Since you're using AD, I expect you're in an intranet senario.  I'd suggest that you look at using Community Server Evolution if you're in that senario as Evolution more specifically targets that senario.

    @afscrome | Linked In
  • Ken Robertson
    Posted by
    on Mon, Jan 12 2009 12:13 PM
    Verified Answer
    Verified by

    The cookie that you create and specify in the "userProfileCookie" setting is basically just a key/value pair of the user's properties you can update.  To pass along which roles the user should have, just add a "roles" key with a comma separated list of the users roles ("Sales,Support,Staff"), no spaces.
  • PeterB
    Posted by
    on Mon, Jan 12 2009 4:59 PM

    Sorry Alex, I'm using it in an Internet scenario. Our external users are all in an external AD, which strangely isn't the normal practice.

    We'd love to use CS in an external capacity with SharePoint integration, but unfortunately it seems Evolution is Intranet-only for the time-being.

    Cheers.

    evolution SSO Intranet Internet SharePoint AD
  • PeterB
    Posted by
    on Mon, Jan 12 2009 5:03 PM

    Thanks Ken, I'll give this a go.

    Cheers.

    Roles Forms Authentication Extension AD Groups userProfileCookie
  • PeterB
    Posted by
    on Tue, Jan 13 2009 11:51 PM

    Ken Robertson

    The cookie that you create and specify in the "userProfileCookie" setting is basically just a key/value pair of the user's properties you can update.  To pass along which roles the user should have, just add a "roles" key with a comma separated list of the users roles ("Sales,Support,Staff"), no spaces.

    Hi Ken,

    This worked the first time I set the roles for the user - the user was added with the roles - however subsequent changes to the roles value in the cookie did not update their roles. Deleting the user and re-running correctly reset their roles, however we need to dynamically update the user's role.

    As per your post above - should CS be updating the roles based on the cookie value?

    Thanks. 

    Roles userProfileCookie Dynamically Set Roles
  • Ken Robertson
    Posted by
    on Thu, Jan 15 2009 10:59 AM
    Verified Answer
    Verified by

    By default, it will only update the values from the cookie once a week.

    You wouldn't want to validate everything on every single request, since that will result in a lot of wasted effort and would slow the site down.  With SSO, there is no concept of "logging in" and there is no tracking when they first access the site or anything like that, and that is kind of arbitrary anyway since you could leave the computer on and browser open for days.

    Instead, it only does the update at a particular interval.  By default, it updates once a week (full 7 days since it last updated).  If you're on CS 2008.5, you can adjust it by adding a "profileRefreshInterval" setting to the FormsAuthentication extension module section in the communityserver.config.  It is the number of days between updates, so you could set it to 1 and it will update every 24 hours.
  • PeterB
    Posted by
    on Thu, Jan 15 2009 5:59 PM

    Thanks Ken,

    I'm thinking the ideal for those wishing to perform forms-based auth against AD, would be that CS could support the Memership and Role Provider models (like SharePoint's LDAPMembershipProvider and LDAPRoleProvider) and possibly remove the need to use the userProfileCookie. Not sure of the security architecture changes required to support this in a product as large as CS though.

    I'll now investigate the CS API for role management as per Danny's response above - any tips are kindly received.

    Cheers.

    Roles userProfileCookie Authorisation MembershipProvider LDAPRoleProvider profileRefreshInterval