Administration: Configure Single-Sign-On (SSO) between Sitefinity CMS instances

Sitefinity CMS authentication supports Single-Sign-On (SSO), based on OpenID Connect protocol. You can use Sitefinity CMS built-in OpenID Connect Security Token Service (STS) for any other applications using the OpenID Connect protocol.

Using one Sitefinity CMS instance as an STS, you can configure many Sitefinity CMS instances (or any other application) to authenticate with SSO provided by this single STS instance.

IMPORTANT: This feature only works with the OpenID protocol and is being deprecated.

You configure the Sitefinity CMS instance, which will act as a relying party, by configuring and OpenID Connect (OIDC) authentication provider in its local STS (Identity server). The external OIDC authentication provider authenticates to the STS Sitefinity CMS instance. To do so, follow the instruction in the article Administration: Configure the OpenID Connect provider. 

When configuring the provider, you need to make sure you provide the accurate values for the following parameters:

• issuer
  This parameter defines the absolute path to the STS endpoint of the Sitefinity CMS instance that acts as an STS. You can find the relative path to the endpoint in Advanced settings» Authentication » SecurityTokenService » ServicePath. For example, http://<your sts domain>/Sitefinity/Authenticate/OpenID
• redirectUri
  This parameter defines the absolute path to the STS of the relying party Sitefinity CMS instance. You can find the the relative path to the endpoint in Advanced settings» Authentication » SecurityTokenService » ServicePath. For exmaple, http://<your client domain>/Sitefinity/Authenticate/OpenID

Use the following procedure to configure the Sitefinity CMS instance that you want to use as Security Token Service. 

1. Navigate to Administration » Settings » Advanced.
2. In the left pane, expand Authentication » SecurityTokenService » IdentityServer » Clients.
3. For every client that you have created using the above procedure, create a new client with the following values:
   1. Select the Enabled checkbox.
      
   2. In Client flow dropdown box, select Implicit.
   3. Select Allow access to all scopes checkbox.
   4. Save your changes.
4. Expand each newly created client and:
   1. Click RedirectUris » Create new.
   2. Enter the value of the redirectUri parameter that you configured in the relying party Sitefinity CMS instance. For more information, see Configure the relying party Sitefinity CMS instance.
      
5. Restart the Sitefinity application.