With Sitefinity CMS, you can configure the out-of-the-box OpenID Connect provider and its parameters and enable authentication via OpenID protocol with third party Security Token Issuer (STS) that supports the protocol.
PREREQUISITES: Configure your application as a client in an external STS.
IMPORTANT: The OpenID Connect provider only supports the implicit client authentication flow.
To configure the OpenID Connect provider, perform the following:
id_token
openid email
Enter the absolute URL from where to retrieves the OpenID metadata.
If you leave it empty, the default URL is used: {Authority}/.well-known/openid-configuration
where:
<yoursitefinitysite>
<sts-endpoint-relative-path>
<custom-signin-path>
NOTE: Make sure the path is added in the external STS during client registration. The path, configured in the external STS, must be identical to the value of the Redirect URI parameter.
Redirect URI
/Sitefinity/Authenticate/OpenID/signin-custom
NOTE: Each external provider has a unique endpoint.
NOTE: This must be a URL from your site.
Specify whether requests must require OpenIdConnect.nonce cookie for authentication. This option allows local development when browsers require secure transport of cookies with SameSite attribute set to None. For more information, see OpenIDConnect.nonce cookie and SameSite cookie attribute.
IMPORTANT: To avoid security risks, set Enabled before deploying your project to a live environment.
Disabled If you do not want any requests to require OpenIdConnect.nonce cookie for authentication, select Disabled.
IMPORTANT: Use this option only for local development under HTTP.
RemoteOnly This is the default option. If you want remote requests to require the OpenIdConnect.nonce cookie for authentication over HTTPS, but do not want it required for requests to localhost, select RemoteOnly.
NOTE: The cookie is not required only for requests to localhost, other local domains still require the cookie.
This option, specifies whether you want to use the email address, provided by the external provider to map external users to Sitefinity CMS users.
Select this checkbox, if you want users to be able to login, only if their valid email is included in the provided claim.
This checkbox sets to true or false MapUsersViaEmail property. By default, it is selected.
MapUsersViaEmail
SameSite
Strict
Lax
None
Secure
The cookie is not sent to any cross-site context, if the value is set to Strict. When the SameSite attribute is set to Lax, which is the default value and most browsers consider cookies without a SameSite value to be set to Lax, the cookie can be sent to cross-site context only in the headers, which means that POST requests are rejected by the browser. In Sitefinity CMS. this prevents the implementation of the OpenID Connect provider as an external authentication provider, because the implementation requires to send the OpenIDConnect.nonce cookie in a cross-site context with a POST request.
To allow the OpenIDConnect.nonce cookie to be sent with cross-site requests, Sitefinity CMS automatically changes the value of the attribute from Lax to None and sets the Secure flag to true. This, in turn, prevents development and testing under localhost or any other domains that do not use an encrypted transport layer and require the cookie to be sent in cross-site context.
You can continue to develop and test with the OpenID Connect provider set as an external authentication provider by using the Validate OpenIDConnect.nonce cookie configuration. For more information, see Validate OpenIDConnect.nonce cookie.
You can create a claims map that will map claims of the external provider to the respective Sitefinity profile properties. The list defines claims to property fields mapping in the following format: Key – profile field, Value – claim name.
There are some preconfigured mappings, you can add more by performing the following:
NOTE: Custom profile fields have to be created first and then mapped. For more information, see User profiles.
EXAMPLE: You can also map fields from custom profile types. For example if you have created a custom profile type, called AzureInfo, and want to create a mapping for its FullName field to a claim called user_fullname, in Step 4, enter AzureInfo.FullName and in Step 5, enter user_fullname
Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.
This free lesson teaches administrators, marketers, and other business professionals how to use the Integration hub service to create automated workflows between Sitefinity and other business systems.
This free lesson teaches administrators the basics about protecting yor Sitefinity instance and its sites from external threats. Configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.
The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.
To submit feedback, please update your cookie settings and allow the usage of Functional cookies.
Your feedback about this content is important