SSO Implementation in Sitecore with an External Identity Provider using SAML 2.0 / Azure AD

Hello Friends,

In this blog we will implement SSO in Sitecore 10.x, first with an external identity provider through federated authentication and then with Azure AD.





Implementing SSO using SAML2.0

We use federated authentication to implement this scenario. I assume you have already generated the App ID and App Secret from Facebook or whichever identity provider you plan to use.

To generate the App Secret / Client ID etc., refer to this blog: Google and Facebook App and the Custom Processor

Federated authentication is employed to enable users to access Sitecore by logging in through an external provider. The setup of federated authentication in Sitecore needs to be tailored to the specific external provider being used. This setup process comprises several key actions:

  • Setting Up an Identity Provider: You establish a connection with an external provider, essentially allowing them to vouch for users. Think of it as specifying which external source's "VIP passes" Sitecore should recognize.
  • Determining Sitecore User Names: You decide how Sitecore should assign names to users logging in through the external provider. This could involve using their email addresses, usernames, or other criteria.
  • Associating Claims and Roles: You define how the attributes or roles assigned by the external provider should translate into permissions and roles within Sitecore. It's like saying, "People with 'Gold Membership' from the external provider should have 'Gold Access' in Sitecore."
  • Mapping Additional Properties: Beyond basic user information, you specify what other details Sitecore should collect from the external provider, such as profile pictures or addresses.
  • Linking User Accounts: When a user logs in with their external provider credentials, Sitecore needs to link this login to an existing Sitecore account or create a new one. It's akin to giving them a reserved spot at the party.
  • Configuring Virtual and Persistent Users: You decide whether users logging in through the external provider should be temporary guests (virtual users) or have ongoing access like regular members (persistent users).
  • Generating Sign-In Links: To make user access seamless, you provide specific links that act as entry points to Sitecore. Each user with credentials from the external provider gets their unique link, serving as their "ticket" to enter.

In Sitecore 9

By default, Sitecore Federated Authentication is disabled. You can enable it just by renaming the patch file located at /App_Config/Include/Examples/Sitecore.Owin.Authentication.Enabler.config.example to Sitecore.Owin.Authentication.Enabler.config.

For Sitecore 9.1 to Sitecore 10.3

Federated authentication is enabled by default.

Step 1 - Configure an identity provider

To set up an identity provider, follow these steps. The specific configuration process may vary depending on the provider you are using:

1. Patch the Identity Provider Configuration:

- Navigate to the configuration/sitecore/federatedAuthentication/identityProviders section.

- Create a new node with the name "identityProvider".

- Specify values for the "id" and "type" attributes.

- The "type" attribute should refer to a class that derives from the abstract class "Sitecore.Owin.Authentication.Configuration.IdentityProvider". Sitecore offers a default implementation named "Sitecore.Owin.Authentication.Configuration.DefaultIdentityProvider".

- Under the newly created "identityProvider" node, provide values for the following child nodes: "param", "caption", "domain", "clearroleswhensignin" and "transformations".

2. Configure Identity Providers per Sites:

- Within the configuration/sitecore/federatedAuthentication/identityProvidersPerSites section, add a new node named "mapEntry".

- Set values for the "name" and "type" attributes.

- The "name" attribute should be unique for each entry.

- The "type" should be "Sitecore.Owin.Authentication.Collections.IdentityProvidersPerSitesMapEntry" or a class that inherits from it.

- Set the "resolve" attribute to "true" for this entry.

3. Specify Provider and Site Details:

- Under the "mapEntry" node, provide values for the following child nodes:

- "sites": List the sites where this provider will be active.

- "identityProviders": List the identity providers associated with this entry.

- "externalUserBuilder": Create a node for each external user builder and set the "resolve" attribute to "true" on each of them.

In summary, configuring an identity provider involves defining the provider's settings in Sitecore by creating nodes with specific attributes and values. Additionally, you need to configure how these providers are associated with specific sites and specify how user information is handled through external user builders. The exact setup may vary depending on your chosen identity provider.

I've made a config for the Facebook identity provider along with the other code.

GitHub Config code : IdentityProviderFacebook.config

Explanation of <transformations hint="list:AddTransformation">

Within the <transformations hint="list:AddTransformation"> section, you have the ability to perform transformations on the claims that are received from the external identity provider. These transformations help standardize and normalize the claims so that they can be consistently used across different identity providers.

Here's an example to illustrate the purpose of these transformations:

Imagine you have two different identity providers. One of them provides a claim for a user's role with a specific identifier (e.g., http://example.com/roles), while the other uses a different non-standard identifier (e.g., http://otherprovider.com/role). This can cause inconsistencies when trying to handle roles in your application.

To address this, you can use transformations to map these incoming claims to a common identifier (e.g., http://commonprovider.com/role). This way, regardless of which identity provider the user comes from, you can work with a consistent set of claims in your application.

These standardized claims can then be used for various purposes, such as mapping user properties or making access control decisions within your application. The key is to ensure that the claims from different identity providers are transformed into a common format, making it easier to work with them uniformly across your system.
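To tie Step 1 and the transformation explanation together, here is an added example patch config, written for this post and not the IdentityProviderFacebook.config linked above. It registers a provider for one site, uses virtual (non-persistent) users, and maps the provider-specific role claim from the example above onto the common claim; the provider id "facebook", the site name "website", the file name and the claim URIs are illustrative assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example patch, e.g. App_Config/Include/Feature/IdentityProviderExample.config.
     Provider id "facebook", site "website" and the claim URIs are assumptions. -->
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/">
  <sitecore role:require="Standalone or ContentDelivery or ContentManagement">
    <federatedAuthentication>
      <!-- Steps 2 and 3: bind the provider to the sites it is active on -->
      <identityProvidersPerSites>
        <mapEntry name="website-facebook" type="Sitecore.Owin.Authentication.Collections.IdentityProvidersPerSitesMapEntry, Sitecore.Owin.Authentication" resolve="true">
          <sites hint="list">
            <site>website</site>
          </sites>
          <identityProviders hint="list:AddIdentityProvider">
            <identityProvider ref="federatedAuthentication/identityProviders/identityProvider[@id='facebook']" />
          </identityProviders>
          <!-- isPersistentUser=false: virtual users, nothing is written to the core database per login -->
          <externalUserBuilder type="Sitecore.Owin.Authentication.Services.DefaultExternalUserBuilder, Sitecore.Owin.Authentication" resolve="true">
            <param desc="isPersistentUser">false</param>
          </externalUserBuilder>
        </mapEntry>
      </identityProvidersPerSites>
      <!-- Step 1: the provider itself -->
      <identityProviders hint="list:AddIdentityProvider">
        <identityProvider id="facebook" type="Sitecore.Owin.Authentication.Configuration.DefaultIdentityProvider, Sitecore.Owin.Authentication">
          <param desc="name">$(id)</param>
          <param desc="domainManager" type="Sitecore.Abstractions.BaseDomainManager" resolve="true" />
          <caption>Log in with Facebook</caption>
          <!-- external users land in the extranet domain, never in sitecore\ -->
          <domain>extranet</domain>
          <transformations hint="list:AddTransformation">
            <!-- shared transformation shipped by Sitecore: records which provider signed the user in -->
            <transformation name="set idp claim" ref="federatedAuthentication/sharedTransformations/setIdpClaim" />
            <!-- map the provider-specific role claim onto the common claim used by the rest of the app;
                 with no value on the target claim the source value is carried over -->
            <transformation name="normalize role claim" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
              <sources hint="raw:AddSource">
                <claim name="http://example.com/roles" />
              </sources>
              <targets hint="raw:AddTarget">
                <claim name="http://commonprovider.com/role" />
              </targets>
              <!-- drop the raw claim so code downstream only ever sees the normalized one -->
              <keepSource>false</keepSource>
            </transformation>
          </transformations>
        </identityProvider>
      </identityProviders>
    </federatedAuthentication>
  </sitecore>
</configuration>
```

A second provider would get its own identityProvider node with its own transformation whose target is the same common claim, so role checks in the application never depend on which provider the user came from.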

Step 2 - Add code for the provider

To add a custom identity provider in Sitecore, you'll need to create a new processor for the owin.identityProviders pipeline. Follow these steps:

Create a Custom Processor: Begin by crafting a custom processor specific to your identity provider.

Inherit from IdentityProvidersProcessor: In your custom processor class, inherit from the Sitecore.Owin.Authentication.Pipelines.IdentityProviders.IdentityProvidersProcessor class.

Specify IdentityProviderName: Override the IdentityProviderName property with the same name you defined for your identity provider in Sitecore's configuration. This links your custom processor to the correct identity provider.

Customize the ProcessCore Method: Within the ProcessCore method, you can insert your custom logic. This method dictates the actions to be taken when your identity provider is invoked during the authentication process.

Here is the code for the Authenticator.cs file. I've added more authenticator code for Google, Twitter, Facebook and Azure AD.

Github : FacebookAuthenticator.cs

Step 3 - Integrate with the owin.identityProviders pipeline

Next, you must integrate the code into the owin.identityProviders pipeline.

Github : OwinIntergration.config

I have all the code for every identity provider, including SAML 2.0, in this GitHub branch.

Github Branch : Code for All Identity Provider

That's all.


Implementing SSO using AzureAD

For Azure AD, Sitecore ships the whole setup as an example config on the Sitecore Identity Server; we just need to take that config and fill in the basic Azure AD details.

Follow these steps :

  • Navigate to the Sitecore Identity Server instance and go to the path \sitecore\Sitecore.Plugin.IdentityProvider.AzureAd\Config.

  • Open Sitecore.Plugin.IdentityProvider.AzureAd.xml for editing. You can change the display name. Enter the Client ID and Tenant ID that were noted down from Azure AD. Don't forget to change Enabled to true.



Restart the Sitecore Identity Server and try to log in to the CMS. You should see the Azure AD login option.

Mapping the AD users with Sitecore:


Go to the Azure portal and create a new security group and add users to this group. Note down the Object ID of this group.

Now open the Sitecore.Plugin.IdentityProvider.AzureAd.xml placed at \sitecore\Sitecore.Plugin.IdentityProvider.AzureAd\Config in the Sitecore Identity instance and uncomment the AzureADUserToAdminUser node. Paste the Azure security group ID there. This makes every member of that security group a Sitecore administrator.
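As an added illustration, not the post's own file, this is what the edited Sitecore.Plugin.IdentityProvider.AzureAd.xml can look like with the Client ID and Tenant ID filled in, the AzureADUserToAdminUser node uncommented, and, as a lower-privilege alternative for everyday editors, a second transformation that only grants sitecore\Author to a different group. The ids are placeholders, and the "groups" source claim type and "role" target claim type are assumptions to check against the file shipped with your Identity Server version.

```xml
<!-- Added example based on the shipped Sitecore.Plugin.IdentityProvider.AzureAd.xml
     (sitecore\Sitecore.Plugin.IdentityProvider.AzureAd\Config on the Identity Server).
     ClientId, TenantId and group object ids are placeholders; the claim type names
     ("groups", "role") are assumptions to verify against the shipped file. -->
<Settings>
  <Sitecore>
    <ExternalIdentityProviders>
      <IdentityProviders>
        <AzureAd type="Sitecore.Plugin.IdentityProviders.IdentityProvider, Sitecore.Plugin.IdentityProviders">
          <AuthenticationScheme>idp_azuread</AuthenticationScheme>
          <DisplayName>Azure AD</DisplayName>
          <!-- the post's step: switch the provider on -->
          <Enabled>true</Enabled>
          <ClientId>{your-app-registration-client-id}</ClientId>
          <TenantId>{your-tenant-id}</TenantId>
          <MetadataAddress>https://login.microsoftonline.com/$(TenantId)/.well-known/openid-configuration</MetadataAddress>
          <ClaimsTransformations>
            <!-- Least privilege: members of the editors group only get the Author role -->
            <AzureADEditorsToAuthorRole type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders">
              <SourceClaims>
                <Claim1 type="groups" value="{object-id-of-editors-security-group}" />
              </SourceClaims>
              <NewClaims>
                <Claim1 type="role" value="sitecore\Author" />
              </NewClaims>
            </AzureADEditorsToAuthorRole>
            <!-- The node the post tells you to uncomment: every member of this group
                 becomes a full Sitecore administrator, so keep this group small -->
            <AzureADUserToAdminUser type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders">
              <SourceClaims>
                <Claim1 type="groups" value="{object-id-of-admins-security-group}" />
              </SourceClaims>
              <NewClaims>
                <Claim1 type="http://www.sitecore.net/identity/claims/isAdmin" value="true" />
              </NewClaims>
            </AzureADUserToAdminUser>
          </ClaimsTransformations>
        </AzureAd>
      </IdentityProviders>
    </ExternalIdentityProviders>
  </Sitecore>
</Settings>
```

The admin mapping is only as safe as membership control on that Azure AD group, so the group's Object ID pasted here should belong to a group whose owners are reviewed, not a broad "all staff" group.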

That's all.

Happy coding!


Special Thanks to these blogs:
