We have multiple sites running off one instance of Sitecore. One of the sites requires the users & roles to be managed through an external back end system and as such, we have configured custom membership & role providers along with domains for each site. However, for some reason the switcher on the role provider does not seem to be being respected. If I log into the CMS as sitecore user, it still calls my custom role provider to try and get roles for this user, despite the role provider being configured against a different domain?
The role provider is working fine when actual users log into the site, but it shouldn't be being hit when CMS users are editing pages etc.
Config in our Web.config:
<roleManager defaultProvider="sitecore" enabled="true" cookieRequireSSL="false" createPersistentCookie="false" cookieSlidingExpiration="true" cacheRolesInCookie="false">
  <providers>
    <clear />
    <add name="sitecore" type="Sitecore.Security.SitecoreRoleProvider, Sitecore.Kernel" realProviderName="switcher" raiseEvents="true" />
    <add name="sql" type="System.Web.Security.SqlRoleProvider" connectionStringName="core" applicationName="sitecore" />
    <add name="MyProvider" type="MyApp.Web.Infrastructure.Security.RoleProviders.MyProvider, MyApp.Web" applicationName="sitecore" />
    <add name="switcher" type="Sitecore.Security.SwitchingRoleProvider, Sitecore.Kernel" applicationName="sitecore" mappings="switchingProviders/roleManager" />
  </providers>
</roleManager>
Plus our patched-in Sitecore config:
<switchingProviders>
  <roleManager>
    <provider providerName="MyProvider" storeFullNames="false" wildcard="%" domains="mydomain" patch:after="provider[@providerName='sql']"/>
  </roleManager>
</switchingProviders>
This appears to be a quirk/bug of Sitecore. When you use the SwitchingRoleProvider the domain property is ignored and the implemented provider gets called across all domains.
There are 2 undocumented properties that are added when using this Role Provider:
ignoredUserDomains - comma separated list of domains that the provider won't be applied to.
and
allowedUserDomains - comma separated list of domains that the provider will only be applied to.
You can only specify one of these for the role provider, and providing both will throw an exception.
In the example you have used, the following should resolve your issue:
<switchingProviders>
  <roleManager>
    <provider providerName="MyProvider" storeFullNames="false" wildcard="%" allowedUserDomains="mydomain" patch:after="provider[@providerName='sql']"/>
  </roleManager>
</switchingProviders>
(source)
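A configuration check built on the behaviour described in the answer above, as an added example that is not part of the original question or answer: it scans the switchingProviders/roleManager mappings and reports providers that rely on `domains` alone or that set both filter attributes. The function name, finding codes and sample file (including the `Partner` and `Scoped` providers) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample patch file (provider names other than MyProvider are made up).
SAMPLE_CONFIG = """\
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <switchingProviders>
      <roleManager>
        <provider providerName="sql" storeFullNames="true" wildcard="%" domains="*" />
        <provider providerName="MyProvider" storeFullNames="false" wildcard="%"
                  domains="mydomain" patch:after="provider[@providerName='sql']" />
        <provider providerName="Partner" storeFullNames="false" wildcard="%"
                  allowedUserDomains="partners" ignoredUserDomains="sitecore" />
        <provider providerName="Scoped" storeFullNames="false" wildcard="%"
                  allowedUserDomains="mydomain" />
      </roleManager>
    </switchingProviders>
  </sitecore>
</configuration>
"""

def split_domains(value):
    """Turn a comma separated attribute value into a clean list."""
    return [d.strip() for d in (value or "").split(",") if d.strip()]

def audit_role_mappings(config_xml):
    """Return (providerName, finding) pairs for risky role-provider mappings."""
    findings = []
    root = ET.fromstring(config_xml)
    for switching in root.iter("switchingProviders"):
        for node in switching.findall("roleManager/provider"):
            name = node.get("providerName", "?")
            allowed = split_domains(node.get("allowedUserDomains"))
            ignored = split_domains(node.get("ignoredUserDomains"))
            domains = split_domains(node.get("domains"))
            if allowed and ignored:
                # Per the answer, setting both attributes throws an exception.
                findings.append((name, "BOTH_FILTERS"))
            elif domains and "*" not in domains and not (allowed or ignored):
                # Per the answer, 'domains' alone does not scope a role provider.
                findings.append((name, "DOMAINS_ONLY"))
    return findings

if __name__ == "__main__":
    for provider, finding in audit_role_mappings(SAMPLE_CONFIG):
        print(f"{provider}: {finding}")
```

A `DOMAINS_ONLY` finding marks a mapping whose provider would be consulted for users of every domain, which is the situation the question describes for CMS users.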