Blog posts by Mahdi Shahbazi2019-02-01T02:14:00.0000000Zhttps://world.optimizely.com/blogs/mahdi-shahbazi/Optimizely WorldActive Directory role mapping strategy For Federation Security<p>When you are dealing with Active directory to handle your authentication you need to make sure that it passes right roles to your application. </p>
<p>In case of <strong>Federation Security</strong> you need to pass the roles as series of "role" claims. </p>
<p>Note: System.Security.Claims.ClaimTypes.Role represent "<a href="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"">http://schemas.microsoft.com/ws/2008/06/identity/claims/role"</a> value in dotnet.</p>
<p>You need to know that there is no concept of role in active directory. Instead we can use groups and map them to "role".</p>
<p>There are 2 main Roles in the episerver that you need to Consider them in the mappings:</p>
<ul>
<li>WebAdmins: <span>can access both admin and edit views and the administration interfaces for add-ons and visitor groups oes not provide editing access in the content structure by default.</span></li>
<li><span><span>WebEditors: </span></span>Users in This group will get access to <span>edit views</span>. Users in this group are editors and often organized in other groups according to content structure or languages and won't have edit access until they get access based on another role or direct access based on username(which is not recomanded).</li>
</ul>
<p>In Active directory you must define two groups which later will map to WebAdmins and WebEditors. The group’s name shouldn't necessarily be the same since later the Active directory admin will map them to these names when they setup the <strong>Transform Rules</strong>.</p>
<p>These links might be helpful if you have no idea about Transformation in ADFS</p>
<p><a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-send-group-membership-as-a-claim">https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-send-group-membership-as-a-claim</a></p>
<p><a href="https://support.zendesk.com/hc/en-us/articles/203663896-Mapping-attributes-from-Active-Directory-with-ADFS-and-SAML-Professional-and-Enterprise-">https://support.zendesk.com/hc/en-us/articles/203663896-Mapping-attributes-from-Active-Directory-with-ADFS-and-SAML-Professional-and-Enterprise-</a></p>
<p>If you define “SiteA” group as a member of “WebEditors” and then define “Site A Digital Banking” group as a member of “WebEditors”, any member of “Site A Digital Banking” will get following roles [WebEditors, SiteA, SiteADigitalBanking].</p>
<p> </p>
<p>If you define “Marketing” group as a member of “WebEditors”, any member of “Marketing” will get following roles [WebEditors, Marketing].</p>
<p> </p>
<p>If you define “Employees” group, any member of “Employees” gets [Employees] role. Obviously if he is not member of “<strong>WebEditors</strong>, <strong>WebAdmins</strong>” he won’t be able to go to CMS admin and edit Area and</p>
<p>If a user is a member of multiple groups, they get all the roles. For instance, a user in employee group and marketing group, will get [WebEditors, Marketing, Employees] roles.</p>
<p><img src="/link/2d9a645242f845f2975067266438f299.aspx" /></p>
<p>Keep in mind that you need to have a <strong>Transformation Rule</strong> for each group you need to map them to corresponding role. And also, you need to define those roles in EPiServer, beside <strong>WebEditors</strong>, <strong>WebAdmins</strong> which are already defined.</p>
<p> Note: Transformation can convert a group to a role. For example you can have epi.cms.webcontenteditor group in Active Directory and map them to “WebEditors”.</p>
<p>to define a role in EpiServer you can go to CMS Administrative area=> CMS => Admin => Admin => Administrater Group</p>
<p><img src="/link/42031f9e441245fbb974dfd0db6fabfd.aspx" width="1343" height="535" /></p>2019-02-01T02:14:00.0000000ZBlog postHow to resolve "The request queue limit of the session is exceeded. System.Web.HttpException at System.Web.SessionState.SessionStateModule.QueueRef"<p>If you use DXC, this error might hide behind CDN 524 error page, you should check the error in application insight and if it was the case this is the solution.</p>
<p>If you are using episerver with .net 4.7 you might get <strong>"The request queue limit of the session is exceeded. System.Web.HttpException at System.Web.SessionState.SessionStateModule.QueueRef"</strong> in you log or application Insight. the exprieve will be awefull and you need to clear your cache or use incongnito mode to see the page again.</p>
<p>So what is the cause of the issue?</p>
<p>In the .NET Framework 4.6.2 and earlier, ASP.NET executes requests with the same Sessionid sequentially, and ASP.NET always issues the Sessionid through cookies by default. If a page takes a long time to respond, it will significantly degrade server performance just by pressing F5 on the browser. In the fix, we added a counter to track the queued requests and terminate the requests when they exceed a specified limit. The default value is 50. If the limit is reached, a warning will be logged in the event log, and an HTTP 500 response may be recorded in the IIS log.(https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/retargeting/4.5.2-4.7)</p>
<p>so what is the soloution? the only suloution I have in mind is to back to previouse behaviour which can be done by installing "Microsoft.AspNet.SessionState.SessionStateModule" NuGet package and adding following settings in web.config</p>
<pre class="language-markup"><code><appSettings>
<add key="aspnet:RequestQueueLimitPerSession" value="2147483647"/>
<add key="aspnet:AllowConcurrentRequestsPerSession" value="true" />
</appSettings></code></pre>2018-10-25T02:10:53.0000000ZBlog postHow to Check Visitor Group Criteria In Code<p>If you want to check if a contentAreaItem is match current user all visitor group criteria you can use the following Methods:</p>
<pre class="language-csharp"><code> public static bool IsMatchCriteria(ContentAreaItem contentAreaItem)
{
var result = true;
contentAreaItem.AllowedRoles.ForEach(role =>
{
result = result && IsMatchCriteria(role);
});
return result;
}
public static bool IsMatchCriteria(string guid)
{
var visitorGroupGuidId = new Guid(guid);
var visitorGroupRepository = ServiceLocator.Current.GetInstance<IVisitorGroupRepository>();
var user = HttpContext.Current.User;
var vgHelper = new VisitorGroupHelper();
var visitorGroup = visitorGroupRepository.Load(visitorGroupGuidId);
return vgHelper.IsPrincipalInGroup(user, visitorGroup.Name);
}</code></pre>
<p><span>[Pasting files is not allowed]</span><span>[Pasting files is not allowed]</span><span>[Pasting files is not allowed]</span><span>[Pasting files is not allowed]</span></p>2017-01-04T11:22:29.4770000ZBlog post