Welcome to the second installment of the series on the ACS Extensions for Umbraco, part of the big ACS launch wave!

This time I am going to assume that you succesfully installed the Extensions on your Umbraco instance, and you want to start accepting members from social & web identity providers. You’ll see how easy it is to stitch together the sign-up and sign-in machinery, I’d estimate 3 mins max, and how we integrated the classic email verification flow into our invitation engine.

As usual, I am going to paste here what we wrote in the docs. However, remember that one of the big success factors for Umbraco is its great flexibility: in the same spirit, feel free to tinker with the Extensions as well to add any extra feature you may need. Few suggestions: bulk invitations, self-registering pages, etc.

Access Control Service (ACS) Extensions for Umbraco

social-video
'Click here for a video walkthrough of this tutorial'

One of the main features of the ACS Extensions is the ability to add members to your Umbraco web site directly from social providers: people will be able to sign up to your web site without having to create a new account and remember a new password, an you will not need to maintain credentials, field calls for lost passwords and so on.

The ACS Extensions accomplish this by providing you with a workflow for inviting users via a simple email verification system. The ACS Extensions also provide you some UI macro which you can use for creating sign-in and sign-up pages in just few clicks. The sign-in and sign-up mechanisms are integrated with the role-based security supported natively by Umbraco, the member groups.

In the section below we will walk you through the process of enabling classic sign-in and sign-up authentication features in your web site: this will help you to understand how the various components of the ACS Extensions work, so that you will be able to devise your own flow.

 

Create Some Sample Members Groups

In order to add authentication capabilities to your Umbraco web site, you need to subdivide your users in member groups.

  1. Navigate to the Umbraco back-end and login as the user account you created during the configuration wizard.
  2. Go to Members section and right-click on Members->Members Groups node and select Create.
  3. Enter the Name of the member group and then click on Create button. For this tutorial we will need the “Power Members” group.

    33698430-31ef-4fb1-a5b4-98e6f8f3f0b1

    Figure 22 - Create Member Group popup dialog

  4. Repeat the process and create a new member group called “Common Members”. In this tutorial we will assign “Common Members” to everybody. “Power Members” will be reserved to those members which need access to restricted pages.

Create Login and Error Pages

In order to enable members to sign in using social providers, you need to add to your web site a login page that will display the appropriate choices, that is to say the list of social providers you selected when you set up the ACS Extensions. Thanks to the macro provided by the extensions, this task is very straightforward.

  1. From the Content section of the management UI, click on the “Simple Web Site” (or other “Homepage”) node at the top of the Content tree.
  2. Right-click on the Homepage node and select Create to add a new page in your web site.
  3. Write “Login” in the Name field and click on Create button.

    06e7bf11-6cbb-4b71-b83b-ae178923d21f

    Figure 23 - Create Content popup dialog

  4. Go to the right panel to edit the page.
  5. In the Content tab add a welcome sentence (e.g. “Welcome back! Please sign in with the provider you used for registering among the ones below”)
  6. Click on Insert Macro button from toolbar.

    9fe4895e-dce8-48c2-9455-3ceeb2384d9a

    Figure 24 - Insert Macro button

  7. Select the acsExtensions.loginMacro. That macro contains the necessary logic for rendering links to all the social providers (and other identity providers, more about that later), so that the user can click on the provider of choice and be redirected to authenticate there. acsExtensions.LoginMacro provides username and password fields as well, in case you want to support the traditional Umbraco member management side by side with the new federated authentication features.

    47f9d404-3c42-4c2e-a1d2-090558fb0f12

    Figure 25 - Insert macro popup dialog

  8. Go to the properties tab and check Hide in navigation, to prevent the page from appearing in the navigation bar.
  9. Click on the SaveandPublish button.

    5ff7968a-9391-4732-9d88-0975d085dbd4

    Figure 26 - Login Page Created

  10. Now that you have a login page, you need an error page to display in case something goes wrong. Right-click on the Homepage node and select Create once again.
  11. Enter “Unauthorized” in the Name field and click on Create.
  12. Go to the right panel to edit the page.
  13. In the Content tab add a suitable error message (e.g. “You are not authorized to access the page you requested.”)
  14. Go to the properties tab and check Hide in navigation.
  15. Click on the SaveandPublish button.

    You now have all the necessary assets to authenticate members: the next step is to wire them up to the content you want to protect.

Restrict Access to Content

Umbraco supports role-based authorization as the access control method for its content pages. When you elect to use role-based security with a given page, Umbraco will ask you to specify one login and one error page. The ACS Extensions snap in that mechanism by using a login page containing its macro, just like the page you created in the former task. In the steps below we will restrict access to one page in order to demonstrate the process.

  1. From the Content section right-click on the area (or page) that you want to secure and select Public Access. In this tutorial we are protecting the page “Go Further”.

    7ddff6b6-4af9-461d-a892-139b0ab1e29a

    Figure 27 - Public access menu item

  2. Choose the Role based protection option and click on Select button.

    489c2c18-014d-4cab-87cc-06515c0d5f51

    Figure 28 - Public access popup dialog | Choose how to restrict access to this page

  3. You’ll be presented with a dialog which allow you to choose which members group should have access to this page. Select the Power members and use the right arrow button to move it to the list on the right.
  4. In the Login Page area click Choose… to specify the page that Umbraco will display in case one unauthenticated user attempts to access the specified page. Pick the Login page you created earlier.

    24dc3124-142d-4cb4-9fda-92aa4d88ec15

    Figure 29 - Public access popup dialog | Role based protection

  5. Repeat the process Error Page area. This time, pick the Unauthorized page created earlier.

    6df61418-4fbb-443c-a8b1-7818260bb417

    Figure 30 - The end result in the public access popup dialog | Role based protection

  6. Click Update and close the dialog
  7. At this point we are ready to test the sign-in page. Navigate to your Umbraco web site

    b8b21e2e-1690-4d14-8877-51b4a91519c2

    Figure 31 - The Umbraco web site home page

  8. Click on Go further in the navigation bar. You will be redirected to the login page, as shown below. The list of the social providers is automatically obtained from ACS; the username and password fields are provided for compatibility with the native Umbraco membership management system

    fe68d691-e998-4d7b-865f-b75b09ae689e

    Figure 32 - The login page

    The login mechanism works, but at this point you don’t have any registered members yet. In the next task you will create the activation page that invited members will use for signing up to your Umbraco instance.

Create Activation Pages for Signing Up Social Members

In order to register new members from social providers, you need to create some pages that will allow them to sign up to your web site using their account of choice. In a later task you will learn how to invite users; in the steps below you will see how to build the assets that will support the member activation experience.

The infrastructure is pretty simple: you need one Activation page, which constitutes the landing page for new members who have been just invited to join the site; and one Signup page, which they will use to associate their account from their social provider of choice with the account on your web site.

  1. Using the procedure you have learned in the former tasks, add a new page in the content tree and call it Sign Up.
  2. Go to the right panel to edit the page.
  3. In the Content tab add a sentence which will clarify the purpose of the page (e.g. “Please choose from the list below which social provider account you want to use for registering with this web site”)
  4. Click on Insert Macro button from toolbar.
  5. Select the acsExtensions.federatedloginMacro. This macro behaves in the same way as the acsExtension.loginMacro you used when creating the sign in page, with the only difference that the username and password UI elements are omitted: in order to sign up with a social provider account, those elements would not be needed.

    8fc20176-3c85-4e7b-9597-1c5e5d67c6a4

    Figure 33 - Insert the federated login macro to list all configured social providers login links

  6. Go to the properties tab and check Hide in navigation, to avoid the page from appearing in the navigation bar.
  7. Click on the SaveandPublish button.
  8. The Sign Up page will be used to secure the invitations landing page. Create a new page and call it activation.

    noteNote:

    The default name and path for the activation page is “~/activation”. If you keep all the defaults it is important that you call the page “activation”, or the invitation mechanism will fail (see the next task).
    If you want to change the page name you use here to toehr than “activation”, you need to update the web.config file of your Umbraco web site (appSettings -> ActivationPage).

  9. Go to the right panel to edit the page.
  10. In the Content tab write an activation confirmation text like: “Your account was activated successfully!”

    0f2f2870-1566-469e-a8e7-58641e9df6b6

    Figure 34 - Edit activation page

  11. Go to the properties tab and check Hide in navigation, to avoid the page from appearing in the navigation bar.
  12. Click on the SaveandPublish button.
  13. Using the procedure you’ve learned in the Restrict Access to Content task, set the public access for the activation page to Role based protection. Assing Common Members as the member group authorized to see the page, set the Sign Up page as the login page and the Unauthorized page as the Error page.

    3d3ad8ae-f5a6-44e5-b9cc-ba0a623adcce

    Figure 35 - Permissions for the activation page

  14. Click on Save or Publish button.

    At this point you have everything you need to start inviting members from social providers.

Add and Manage Social Members

With the ACS Extensions you can add members directly from social providers such as Facebook, Windows Live ID, Google and Yahoo. The sign in and sign up pages you created in the two former steps provide the user experience elements to support the registration and authentication flow. In this task you will learn how to use the administrative features of the ACS Extensions to invite one new member. You will discover that the process is practically the same of creating traditional members, minus the pain of managing credentials.

  1. Go to Members section and right-click on Members->Members node and select Create.

    cf183863-a85b-4a1c-b09a-abac13340083

    Figure 36 - Create Member

  2. Choose the Social Member type, a special type added by the ACS Extensions. Complete the login name and the email fields and click on Create button. Make sure to use an working, actual email address as the member will need access to it in order to sign up.

    1f721859-7ec0-42fd-85be-83cee4da6386

    Figure 37 - The Create Member popup dialog

    note[1]Note:

    Note: As soon as you hit the Create button, the ACS Extensions create one invitation mail and send it to the user (using the SMTP you configured in the setup). That invitation contains a specially crafted activation link, which the member can use to associate his social account of choice with your web site using the activation assets you created in the former step.
    If you want to modify the template of the invitation email, you can do when creating a member from within the Create Member Dialog.
    The newly created member has some extra properties in respect to the default Umbraco member: one flag reporting if the invitation was sent, another if the account has been activated (false at the beginning, it flips when the user successfully signs up) and from which identity provider he is coming from (gets a value at activation time, according to the member’s choice).

  3. In the right panel you can assign the newly created member to the web site’s member groups. For the purposes of this tutorial, add the member to the Common Members group.

    bf576385-6166-403c-abae-f768ea959cbf

    Figure 38 - Edit Member panel

  4. Save the changes.

Let’s step for a moment in the shoes of the new member and see how the invitation and sign up experience looks like.

The flow begins when the prospect member receives the invitation mail, as shown below.

4cd1f742-5aec-4bcc-93ee-132db2617fee

Figure 39 - The default invitation mail

As mentioned above, the invitation email template can be configured to fit your preferences.

The URL has been constructed to trigger the activation process; the ticketnumber parameter is used for associating the member defined in Umbraco with this specific email verification transaction.

Following the link, the prospect member will land on the activation page, which in turn will redirect to the Sign Up page.

Figure 40 - The Sign UpPage

There the user can select the Identity Provider he wants to use for signing in the web site. That account will be mapped to the Social Member created in Umbraco, with all its properties (including the assigned roles). For the purpose of this tutorial, let’s assume that the use picks Windows Live ID and successfully authenticates.

cbbebbaf-84a8-4a7d-acce-d2ac59712cf7

Figure 41 - Activation Completed

As a result, Umbraco can finally serve the activation page.

Now, you may remember from the earlier steps that the current member has been assigned to the Common Members group; that’s not enough for accessing the Go further page, which you configure to be visible only to Power Members. If you click on Go further at this point, you will get redirected to the error page.

b8d27ba5-094a-45f5-8fa9-e1965264e4a9

Figure 42 - Unauthorized

  1. Let’s change the member groups settings for the member so that he can access the Go further page. Go back to the Member details in the backend and refresh the page. Notice that the Is Activated and Identity Provider fields have been updated.

    c4d23abf-1fdf-4f65-9234-c19ef0e62c98

    Figure 43 - Updated Member Details

  2. Add the user to the Power Members group, Save the changes and hit F5: now access to the restricted page will be granted.

    9a1cc911-468f-44dd-b544-2dd3007271a8

    Figure 44 - Access Granted.

There you have it: your Umbraco web site is now integrated with Windows Live ID, Facebook, Google, Yahoo and any other social provider the Access Control Service will support in the future! It takes much longer to explain how to do it than to do it: the average time for walking through this tutorial is consistently under the 20 minutes.