
Using Single Sign-On for Sitecore Apps

Sitecore recently introduced Single Sign-on allowing users to log on to Sitecore apps with existing identity providers. At Assurex we love to work on the upcoming features of the Sitecore platform and were invited by Sitecore to try this new feature and share our thoughts about it.

First impression: the integration was straightforward and quick; it took me a couple of hours to get it working.

Here is the blog post sharing my experience and a walkthrough of the steps involved.

How has it worked until now?

Until recently, Sitecore only allowed you to log on to its systems with Sitecore authentication, i.e. the account you created with Sitecore, using a traditional username and password.

What has changed?

Now Sitecore has introduced a feature that lets you choose your own identity provider and invite users with specific email domains to log on to Sitecore apps with their own credentials.

Let’s set it up

Let’s now look at the steps to enable this feature in your Sitecore Cloud tenant. To set up and enable Single Sign-on you need to configure an OpenID Connect connection.

OpenID Connect is an authentication protocol that builds upon the OAuth 2.0 framework. It provides a standardized way for users to authenticate and authorize access to their resources on different websites or applications without sharing their credentials (such as username and password) directly with the relying parties.

Prerequisites to configure the SSO:

  1. Valid Organisation Admin or Organisation role access on Sitecore Cloud.
  2. Access to MS Azure.
  3. Access to the Domain Name System of the organization you are trying to configure SSO on.

Here is an overview of the steps needed to set up SSO:

  1. Register your Sitecore Cloud Portal with your OIDC identity provider.
  2. On Sitecore Cloud, add a new SSO connection.
  3. Test your newly added SSO connection using built-in capabilities.
  4. Verify the domain mapped to the connection.
  5. Enable the connection.
  6. Test with real users.

Let’s look at each one of these in detail:

Register your Sitecore Cloud Portal with your OIDC identity provider

The first step is to register your Sitecore Cloud Portal with the OIDC identity provider. You can select one of the following OpenID Connect identity providers:

  1. Azure Active Directory
  2. Okta
  3. Auth0
  4. Or any other identity provider that supports OpenID Connect.

In this post I cover the setup using Azure Active Directory; integration with other providers will be the subject of another post.

Create an Application in Azure Active Directory

  • Select App registrations from the left pane.
  • Click + New registration in the right pane, as marked in the snapshot below.
  • On the registration page that opens, enter the information shown below.
  • Click the Register button.
  • After registration you will be taken to the app overview page. Click Certificates & secrets in the left pane.
  • Next, click + New client secret in the middle pane and add a client secret (you can give it any name), as shown below.
  • After adding the client secret you will be taken to the page below; capture the client secret value now, as Azure only displays it once.
  • Prepare the following set of data to create a new SSO connection on Sitecore Cloud:
  • Client ID and Tenant ID are available in the Overview section, as shown in the snapshot below.
  • Client Secret is the value captured from the Certificates & secrets pane.
  • The well-known (issuer) URL is built from the Tenant ID: https://login.microsoftonline.com/<TenantID>/v2.0/.well-known/openid-configuration

On Sitecore Cloud, add a new SSO connection

Click on Add SSO connection and select OpenID Connect from the context menu.

Fill in the following details:

  • Email Domain: the domain name of the organisation. Sample: xxxxxxx.co
  • Connection Name: a name for the connection. Sample: SitecoreSSO
  • Connection type: select Back Channel from the dropdown. Value: Back Channel
  • Issuer URL: the URL of the discovery document of the identity provider you want to connect with. Sample: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/.well-known/openid-configuration
  • Scopes: the scope items to be requested during the authentication process. Value: openid profile email
  • Client ID: the client ID of the app created in the identity provider. Sample: 3efbf90d-c392-4fa6-9893-7def0d516232
  • Client Secret: the client secret of the app, generated through Certificates & secrets. Sample: bHu8Q~Wc8p43fWtemUtCkeAtcnW2Doty9Vhbodu-
  • Callback URL: the address where the identity provider will send the authentication response. Value: https://auth.sitecorecloud.io/login/callback

After that, click the Save button.
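The values gathered from Azure and the form fields above can be sanity-checked before you press Save. The following Python is an added example (not Sitecore's or Microsoft's code): it builds the discovery URL from the Tenant ID, checks the discovery document and the form fields for the mistakes that most often break a connection (wrong tenant, non-HTTPS issuer, missing openid/profile/email scopes, wrong callback), and shows the ID-token claims a relying party must verify once the token signature has been checked. The tenant ID, client ID, secret, discovery document and email domain are constructed sample values; fetch_discovery assumes network access and is not used by the embedded sample.

```python
"""Pre-flight checks for a Sitecore Cloud SSO connection backed by Azure AD.
Added example, not Sitecore's or Microsoft's code; every sample value is constructed."""
import json
import re
import time
import urllib.request

AZURE_AUTHORITY = "https://login.microsoftonline.com"
SITECORE_CALLBACK = "https://auth.sitecorecloud.io/login/callback"  # callback URL from the post
REQUIRED_SCOPES = {"openid", "profile", "email"}  # scopes the connection form asks for
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.[a-z0-9-]{1,63})+$")

def expected_issuer(tenant_id: str) -> str:
    """Issuer value Azure AD publishes for a tenant's v2.0 endpoint."""
    if not GUID_RE.match(tenant_id):
        raise ValueError("tenant ID must be a GUID")
    return f"{AZURE_AUTHORITY}/{tenant_id}/v2.0"

def well_known_url(tenant_id: str) -> str:
    """Issuer URL to paste into the Sitecore form: the discovery document location."""
    return expected_issuer(tenant_id) + "/.well-known/openid-configuration"

def fetch_discovery(issuer_url: str, timeout: int = 10) -> dict:
    """Live download of the discovery document (needs network; the sample below is used instead)."""
    with urllib.request.urlopen(issuer_url, timeout=timeout) as resp:
        return json.load(resp)

def check_discovery(doc: dict, tenant_id: str) -> list:
    """Problems found in a discovery document; an empty list means it is usable."""
    problems = []
    if doc.get("issuer") != expected_issuer(tenant_id):
        problems.append(f"issuer {doc.get('issuer')!r} does not belong to tenant {tenant_id}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"provider does not advertise scopes {sorted(missing)}")
    return problems

def check_connection(settings: dict, tenant_id: str) -> list:
    """Validate the fields of the 'Add SSO connection' form before saving."""
    problems = []
    if not DOMAIN_RE.match(settings.get("email_domain", "").lower()):
        problems.append("email domain is not a valid DNS name")
    if settings.get("connection_type") != "Back Channel":
        problems.append("connection type must be Back Channel")
    if settings.get("issuer_url") != well_known_url(tenant_id):
        problems.append("issuer URL is not the tenant's https v2.0 discovery document")
    missing = REQUIRED_SCOPES - set(settings.get("scopes", "").split())
    if missing:
        problems.append(f"scopes missing {sorted(missing)}")
    if not GUID_RE.match(settings.get("client_id", "")):
        problems.append("client ID is not a GUID")
    if len(settings.get("client_secret", "")) < 16:
        problems.append("client secret looks empty or truncated")
    if settings.get("callback_url") != SITECORE_CALLBACK:
        problems.append("callback URL must be the Sitecore Cloud callback")
    return problems

def check_id_token_claims(claims: dict, settings: dict, tenant_id: str, now=None) -> list:
    """Claims a relying party must verify after checking the signature against jwks_uri."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer(tenant_id):
        problems.append("iss does not match the connection's issuer")
    if claims.get("aud") != settings.get("client_id"):
        problems.append("aud is not this application's client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    domain = "@" + settings.get("email_domain", "").lower()
    if not claims.get("email", "").lower().endswith(domain):
        problems.append("email is outside the connection's email domain")
    return problems

# Constructed sample data: a fake tenant, a fake app registration and the discovery document
# Azure AD would publish for that tenant (same shape as the real one, fabricated values).
TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_DISCOVERY = {
    "issuer": f"{AZURE_AUTHORITY}/{TENANT}/v2.0",
    "authorization_endpoint": f"{AZURE_AUTHORITY}/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"{AZURE_AUTHORITY}/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"{AZURE_AUTHORITY}/{TENANT}/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}
GOOD_SETTINGS = {
    "email_domain": "example.co",
    "connection_type": "Back Channel",
    "issuer_url": well_known_url(TENANT),
    "scopes": "openid profile email",
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "constructed-secret-value-0123456789",
    "callback_url": SITECORE_CALLBACK,
}
# Weak variant: plain-http issuer URL and the email scope dropped; the checker flags both.
WEAK_SETTINGS = dict(GOOD_SETTINGS, scopes="openid profile",
                     issuer_url=well_known_url(TENANT).replace("https://", "http://"))
```

Run check_discovery on the document returned by fetch_discovery(well_known_url(tenant)) before filling in the form, then check_connection on the values you intend to save; an empty list from both means the issuer, endpoints, scopes and callback are consistent. The email-domain check in check_id_token_claims is the same property the domain verification step enforces: a user from another tenant or domain can present a perfectly valid token and still must be refused.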

Test your newly added SSO connection using built-in capabilities.

If all settings are correct you will see the following screen; in case of failure, revalidate all the settings and try again.

Verify the domain mapped to the connection

Enable the SSO connection

  1. Once you’ve verified the domain and tested your newly added SSO connection, you can enable it.
  2. To enable the SSO connection, navigate to https://portal.sitecorecloud.io/organization/members/sso, locate the SSO connection you want to enable, and click Enable.

Test with real users

To verify the newly set up SSO connection, navigate to the Admin page from the header and select Team members from the User Management section.

Click the Invite button to invite team members.

Invite an invalid user, as shown in the snapshot below:

Invite a valid user, as shown below:

Now that you have configured SSO, what happens to existing users, pending invites or non-SSO users?

Logins

Invitations

What if I want to delete the integration?

Team Members

Invitations

This concludes the post on how to enable and use SSO on Sitecore Cloud using Azure Active Directory. I would love to hear your thoughts, feedback and questions.

Did you find this useful? If so, please share with your connections.