Sitecore Virtual Users – authenticate users from external systems

One of the very old Sitecore features popped up yesterday. My team and I are working on moving our 550.000+ users from the .NET Membership Provider to an external system, possibly .NET Identity.

.NET Identity will authorize the users, but we still need a Sitecore Membership User for authentication. To do this job, Sitecore created the Virtual User. A Virtual User is in effect a one-time, memory only Sitecore User than can be created on the fly without the use of a password.

Once the user have been authorized (username/password matches) by the external system, we can create a virtual user that Sitecore will recognize as a normal user:

// Create virtual user
var virtualUser = Sitecore.Security.Authentication.AuthenticationManager.BuildVirtualUser("extranet\\", true);

// You can add roles to the Virtual user

// You can even work with the profile if you wish
virtualUser.Profile.SetCustomProperty("CustomProperty", "12345");
virtualUser.Profile.Email = "";
virtualUser.Profile.Name = "My User";

// Login the virtual user

After the user have been authenticated using the LoginVirtualUser function, Sitecore will assume the identity of this user:

// This will return TRUE

// This will return "extranet\"

// This will return "My user"

// This will return "1"

// This will return "12345"

Please note that Sitecore states that if you use the User.Profile, they cannot guarantee that they will not write to the ASP.Net Membership database, although this cannot be confirmed with my current version 8.0 of Sitecore. I did not get anything written to my CORE database.



About briancaos

Developer at Pentia A/S since 2003. Have developed Web Applications using Sitecore Since Sitecore 4.1.
This entry was posted in c#, Sitecore, Sitecore 5, Sitecore 6, Sitecore 7, Sitecore 8 and tagged , , , . Bookmark the permalink.

9 Responses to Sitecore Virtual Users – authenticate users from external systems

  1. João Sousa says:

    Unlike the normal user, the virtual user login doesn’t have a persist option. How do you use “Remember me” with virtual users?


  2. briancaos says:

    With the virtual user, you don’t get things like persisting for free. You would have to do that yourself. Create a cookie, and on the first session start, check the cookie and do the login once again.
    You can use the httpRequestProcessed pipeline in Sitecore, as this is fired after httpRequestBegin AND Session_Start(). Read more here:


  3. esbenbugge says:

    Hi Brian. You write that the virtual user is a “memory only Sitecore user”. So it is stored in server memory, right? Do you know if there are any security problems in storing confidential data in the virtual user profile, when the profile is stored in memory?


  4. briancaos says:

    No the virtual user is no different between ordinary and virtual users, apart from the fact that the virtual user does not exist in the membership database.


  5. superted911 says:

    Is there a limit to the number of custom properties you can store in a virtual user profile? I seem to have issues if I store more than 5 or so – on the next page load I lose the virtual user login entirely and it’s reset back to the anonymous user.


  6. briancaos says:

    There is no intentional limit to the number of custom properties. Maybe the problem is not that you add custom properties, but that you do not persist the user in a cookie because of SSL restrictions?


  7. Amit Thakur says:

    Sitecore.Security.Accounts.User vuser =
    Sitecore.Security.Authentication.AuthenticationManager.BuildVirtualUser(“athakur”, true);
    i am Getting the below error.
    Expecting state ‘Element’.. Encountered ‘Text’ with name ”, namespace ”.


  8. Pingback: IdentityServer use IdentityModel to get user token and user info | Brian Pedersen's Sitecore and .NET Blog

  9. Pingback: Which of my old Sitecore posts are still valid in Sitecore 9? | Brian Pedersen's Sitecore and .NET Blog

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.