
Setting Up Azure Active Directory for the Sitecore Login

Sitecore Identity provides the mechanism for logging in to Sitecore. Sitecore 9.1 ships with a default Identity Server, built on the Federated Authentication introduced in Sitecore 9.0. The Identity Server integration lets you use SSO across applications and services. Sitecore Identity uses token-based authentication to authorize users at login. The default authentication flow through the Identity Server is as follows:

1. The client requests login and provides the required credentials.

2. Sitecore Identity Server authenticates the client and the identity information is displayed.

3. The token is renewed from the Identity Server.

4. The Sitecore service is called to demonstrate authorizing a Sitecore resource via Sitecore Identity.

The overall authentication logic can be managed by the implementer according to their needs and the provider they are using. Once the user is authorized, the source claims in the token are used to map the user to roles in Sitecore.

In this blog post, I’ll take you through integrating Azure AD with Sitecore. So, let’s dive into how we can achieve it!

Setting Up the Azure AD for Integration

1. In Azure AD, create a new Application Registration: go to the App Registrations tab and click New Registration.

2. In the Azure dialog, specify the Name for the app and the Redirect URL. For the Redirect URL, enter the base URL of your Identity Server followed by “signin-oidc”. It should look like this: https:///signin-oidc

Setting up Azure AD integration

3. Go to the Manifest tab and change the “groupMembershipClaims” value from null to “SecurityGroup”. This tells Azure AD to include the security groups the current user belongs to in the token it sends back.

Azure AD integration setup process

4. Once the above steps are complete, you can get the Application ID (Client ID) and the Directory ID (Tenant ID) from the Overview tab of the newly registered application in Azure AD.

Application in Azure Ad Integration with Sitecore

5. Next, click the Authentication tab and make sure the ID tokens checkbox is checked in the Advanced settings section. If it is not, check it so that token-based authentication is enabled for communication with Sitecore.

Sitecore Azure AD Integration Authentication

Note: A separate Azure security group is needed for each individual Sitecore role. If groups are already associated with the account used for the CMS, then those group IDs are required to map the claims in Sitecore.

Keep the Client ID and Tenant ID with the developer for the later mapping steps.

Setting Up Sitecore for AD Integration

After configuring Azure AD and setting up the App Registration, the next step is to configure the Identity Server. Follow the steps below:

1. Navigate to the Identity Server Instance.

2. Open the /Sitecore/Sitecore.Plugin.IdentityProvider.AzureAd.xml file in Notepad++ or the App Service Editor (if using PaaS).

3. Under the Settings/Sitecore/ExternalIdentityProviders/IdentityProviders/AzureAd node, change the Enabled node to true.

4. In the ClientId and TenantId nodes, paste the GUIDs copied from the Azure AD application registration created in the steps above.

Setting Up Sitecore for Azure AD Integration

5. Restart the Sitecore Identity application to apply the changes. After these steps, the Azure AD button appears on your login screen.

To achieve our objective, however, we also need to remove the default login from the login page.

Sitecore Login Page

6. To remove the default login, open the \sitecore\Sitecore.Plugin.IdentityServer\Config file.

7. Under the IdentityServer/AccountOptions setting, change AllowLocalLogin to false.

Sitecore Settings for Azure AD Setup

8. Restart the Sitecore Identity application again. Now only the Azure AD option is shown on the login screen.

Microsoft Login Page

Mapping the Azure Role with Sitecore Role

After connecting Azure AD to the Identity Server, the next step is to map the Azure security group to a Sitecore role so that authorization works correctly. To map the role, follow the steps below:

1. Go to the security group in Azure AD and note the group’s Object ID. For this demo, we are using the Sitecore_Admin group and mapping it to the Admin role in Sitecore.

Azure AD mapping with Admin role in Sitecore.

2. Now open the /Sitecore/Sitecore.Plugin.IdentityProvider.AzureAd.xml file and add the group’s Object ID as the value of the Source Claim.

Azure AD integration with Sitecore
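As an added example that is not from the original post, this is what the AzureAd section of Sitecore.Plugin.IdentityProvider.AzureAd.xml looks like once the Enabled, ClientId and TenantId nodes from the previous section and the group-to-role mapping from this one are filled in. The GUIDs are placeholders, and the target Sitecore role name in NewClaims is an assumption for the example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<Settings>
  <Sitecore>
    <ExternalIdentityProviders>
      <IdentityProviders>
        <AzureAd type="Sitecore.Plugin.IdentityProviders.IdentityProvider, Sitecore.Plugin.IdentityProviders">
          <AuthenticationScheme>aad</AuthenticationScheme>
          <DisplayName>Azure AD</DisplayName>
          <!-- Identity Server step 3: turn the provider on -->
          <Enabled>true</Enabled>
          <!-- Identity Server step 4: Application (client) ID and Directory (tenant) ID
               from the app registration's Overview tab. Values here are placeholders. -->
          <ClientId>PLACEHOLDER-APPLICATION-CLIENT-ID-GUID</ClientId>
          <TenantId>PLACEHOLDER-DIRECTORY-TENANT-ID-GUID</TenantId>
          <AADInstance>https://login.microsoftonline.com/</AADInstance>
          <ClaimsTransformations>
            <!-- Role mapping: a user whose ID token carries the Sitecore_Admin group's
                 Object ID in the groups claim receives a Sitecore role claim. -->
            <ClaimsTransformation1 type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders">
              <SourceClaims>
                <!-- The groups claim is only emitted because groupMembershipClaims
                     was set to SecurityGroup in the app manifest. -->
                <Claim1 type="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" value="PLACEHOLDER-SITECORE-ADMIN-GROUP-OBJECT-ID" />
              </SourceClaims>
              <NewClaims>
                <!-- Target role is an assumption for this example; use the Sitecore
                     role that matches the purpose of the Azure group. -->
                <Claim1 type="role" value="sitecore\Sitecore Client Users" />
              </NewClaims>
            </ClaimsTransformation1>
          </ClaimsTransformations>
        </AzureAd>
      </IdentityProviders>
    </ExternalIdentityProviders>
  </Sitecore>
</Settings>
```

Each additional Sitecore role gets its own ClaimsTransformation block keyed on the Object ID of its own Azure security group, as the note in the first section requires. If a user belongs to more groups than Azure AD will place in the token, the groups claim is replaced by an overage indicator and this mapping will not match, so keep the membership of mapped accounts within that limit.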

Save the configured file and restart the application.

With all the above steps complete, the Azure AD integration with Sitecore is set up.
