Administration: Configure Single-Sign-On (SSO) between Sitefinity CMS instances

Sitefinity CMS authentication supports Single-Sign-On (SSO), based on OAuth 2.0 and  OpenID Connect protocols. You can configure Sitefinity to act as Security Token Service (STS) or to consume third party applications or identity providers.

Using Sitefinity CMS as an STS, you can configure many Sitefinity CMS instances to authenticate with SSO provided by a single instance.

You configure the Sitefinity CMS instance, which will act as a relying party by registering a custom authentication provider in its local STS (Identity server). The custom authentication provider authenticates to the STS Sitefinity CMS instance.

You first register the provider in Sitefinity CMS backend and, then, implement the provider. To do so, follow the instruction in the following article: For developers: Configure custom external OpenID Connect provider. 

When registering the provider, you need to make sure you provide the accurate values for the following parameters:

• issuer
  This parameter defines the absolute path to the STS endpoint of the Sitefinity CMS instance that acts as an STS. You can find the relative path to the endpoint in Advanced settings» Authentication » SecurityTokenService » ServicePath. For example, http://<your sts domain>/Sitefinity/Authenticate/OpenID
• redirectUri
  This parameter defines the absolute path to the STS of the relying party Sitefinity CMS instance. You can find the the relative path to the endpoint in Advanced settings» Authentication » SecurityTokenService » ServicePath. For exmaple, http://<your client domain>/Sitefinity/Authenticate/OpenID

Use the following procedure to configure the Sitefinity CMS instance that you want to use as Security Token Service. 

1. Navigate to Administration » Settings » Advanced.
2. In the left pane, expand Authentication » SecurityTokenService » IdentityServer » Clients.
3. For every client that you have created using the above procedure, create a new client with the following values:
   1. Select the Enabled checkbox.
      
   2. In Client flow dropdown box, select Implicit.
   3. Select Allow access to all scopes checkbox.
   4. Save your changes.
4. Expand each newly created client and 
   1. Click RedirectUris » Create new.
   2. Enter the value of the redirectUri parameter that you configured in the relying party Sitefinity CMS instance. For more information, see Configure the relying party Sitefinity CMS instance.
      
      
5. Restart the Sitefinity application.