This section includes information on Umbraco security, its various security options and configuring how authentication & authorization works in Umbraco
Umbraco Security overview
We have a dedicated security page on our main site which provides most of the details you may need to know about security within the Umbraco CMS including how to report a vulnerability: https://umbraco.com/products/umbraco-cms/security/
We highly encourage the use of HTTPS on Umbraco websites especially in production environments. By using HTTPS you greatly improve the security of your website.
Don't forget to configure your Umbraco when using HTTPS.
Authentication for backoffice users in Umbraco uses ASP.NET Identity which is a very flexible and extensible framework for authentication.
Out of the box Umbraco ships with a custom ASP.NET Identity implementation which uses Umbraco's database data. Normally this is fine for most Umbraco developers but in some cases the authentication process needs to be customized. ASP.NET Identity can be extended by using custom OAuth providers which is helpful if you want your users to authenticate with a custom OAuth provider like Azure Active Directory, or even Google accounts. ASP.NET identity is also flexible enough for you to override/replace any part of the process of authentication.
Custom OAuth providers
The Umbraco backoffice supports custom OAuth providers for performing authentication of your users. For example: Any OpenIDConnect provider such as Azure Active Directory or Identity Server, Google, Facebook, Microsoft Account, etc...
To install and configure a custom OAuth provider you should use the Identity Extensions package: https://github.com/umbraco/UmbracoIdentityExtensions
The installation of these packages will install snippets of code with readme files on how to get up and running. Depending on the provider you've configured and its caption/color, the end result will look similar to:
Auto-linking accounts for custom OAuth providers
Traditionally a backoffice user will need to exist first and then that user can link their user account to an OAuth account in the backoffice. In many cases however, the identity server you choose will be the source of truth for all of your users.
In this case you would want to be able to create user accounts in your identity server and then have that user given access to the backoffice without having to create the user in the backoffice first. This is done via auto-linking.
Read more about auto linking
Custom password check
You are able check the username and password against your own credentials store by implementing a new
Authenticating with Active Directory credentials
You want to connect the backoffice to Active Directory? Should be pretty straight forward with the
Sensitive data on members
Marking fields as sensitive will hide the data in those fields for backoffice users that have no business viewing personal data of members.
How to configure Umbraco to run on a FIPS compliant server.
Some security settings that can be used in Umbraco.