There are cases in which the client might request that users who are part of an external system (for example the company’s internal system) should be able to log in to the CMS. The fastest and simplest way to do this is with a custom login form and virtual users.
With this approach there is no need for custom pipelines, handlers, data providers etc. The other plus is that there is a clear separation between the Sitecore membership and the external system membership, because the virtual users are not stored in Sitecore. In fact the virtual users are not stored anywhere: every time a user logs in through the login screen, the virtual user is recreated.
To achieve this, create a simple Web Form that has two textboxes (for username and password) and a login button (you can see what I did with my amazing front end skills).
Place the following code in the code-behind.
namespace Sandbox.External
{
    using System;
    using Sitecore.Security.Authentication;

    public partial class Login : System.Web.UI.Page
    {
        // The domain for external users
        private const string Domain = "external";

        // The role for the external users
        private const string DomainRole = @"external\editor";

        // Redirect to Sitecore if the user is already logged in
        protected void Page_Init(object sender, EventArgs e)
        {
            if (AuthenticationManager.GetActiveUser().IsAuthenticated)
            {
                Response.Redirect(Sitecore.Constants.SitecoreShellPath);
            }
        }

        protected void ButtonLogin_OnClick(object sender, EventArgs e)
        {
            string username = TextBoxUsername.Text;
            string password = TextBoxPassword.Text;

            if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password))
            {
                // Authenticate Against the External System
                MyExampleAuthenticationProvider authenticationProvider = new MyExampleAuthenticationProvider();

                if (authenticationProvider.Authenticate(username, password))
                {
                    // Create virtual user
                    Sitecore.Security.Accounts.User user = AuthenticationManager.BuildVirtualUser(string.Format(@"{0}\{1}", Domain, username), false);

                    if (user != null)
                    {
                        // Assign roles to the user
                        if (Sitecore.Security.Accounts.Role.Exists(DomainRole))
                        {
                            user.Roles.Add(Sitecore.Security.Accounts.Role.FromName(DomainRole));
                        }

                        // Assign more roles or edit the user profile
                        user.Profile.FullName = "Your User Full Name";

                        // Login the user
                        AuthenticationManager.LoginVirtualUser(user);

                        // Redirect to Sitecore shell
                        Response.Redirect(Sitecore.Constants.SitecoreShellPath);
                    }
                }
            }
        }
    }
}
In the Page_Init event the code checks whether the user is already authenticated and, if so, automatically redirects them to the shell site.
The button click handler tries to authenticate the user against the external system. If the user is successfully authenticated, it builds a virtual user, assigns roles to it, logs it in and redirects to the shell site. Please keep in mind that it is good practice to create a separate domain for these users (in the example – “external”), but the standard extranet domain can be used as well.
There is an option to make the user an administrator (which is not recommended even when using the standard Sitecore create user form) by setting the following property:
user.RuntimeSettings.IsAdministrator = true;
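One way to take the roles from the external system while keeping them least-privilege, as an added example that is not from the original post. The helper name ExternalVirtualUserFactory, the group names, the external\reviewer role and the account-name pattern are assumptions; the Sitecore calls are the ones already used in the code above.

```csharp
namespace Sandbox.External
{
    using System;
    using System.Collections.Generic;
    using System.Text.RegularExpressions;
    using Sitecore.Security.Accounts;
    using Sitecore.Security.Authentication;

    // Hypothetical helper, not part of Sitecore or of the original post.
    public static class ExternalVirtualUserFactory
    {
        private const string Domain = "external";

        // Constructed allow-list: external group name -> Sitecore role.
        // Groups that are not listed here grant nothing.
        private static readonly Dictionary<string, string> RoleMap =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "cms-editors", @"external\editor" },
                { "cms-reviewers", @"external\reviewer" }
            };

        // Assumed account-name policy; keeps the '\' domain separator out of the name.
        private static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9._-]{1,64}\z");

        // Returns null when the name is rejected or no group maps to an existing role.
        public static User Build(string username, IEnumerable<string> externalGroups)
        {
            if (username == null || !SafeName.IsMatch(username)) return null;

            User user = AuthenticationManager.BuildVirtualUser(
                string.Format(@"{0}\{1}", Domain, username), false);
            if (user == null) return null;

            int granted = 0;
            foreach (string group in externalGroups ?? new string[0])
            {
                string roleName;
                if (RoleMap.TryGetValue(group, out roleName) && Role.Exists(roleName))
                {
                    user.Roles.Add(Role.FromName(roleName));
                    granted++;
                }
            }

            // Administrator rights are never derived from external data.
            return granted > 0 ? user : null;
        }
    }
}
```

The click handler would call Build after Authenticate succeeds, pass a non-null result to AuthenticationManager.LoginVirtualUser, and show a login error otherwise.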
Happy authenticating!
Hi,
Can we use a virtual user to authenticate by using SAML2 in Sitecore? So when we log in to the CMS it would check with the external system, return with a SAML response, and then create a virtual user to log in to the content tree based on the role assigned.
Hi Vish!
It should be totally possible to implement this solution. Just keep in mind that virtual users are not persistent and you will have to recreate them every time. If you want to persist them you might want to create a connector to your SAML2.