Add new OpenID Connect external authentication provider

The following article demonstrates the minimum configuration required to successfully authenticate a user in Sitefinity CMS STS, using Implicit flow. You first implement the provider  and then register it in Sitefinity CMS backend.

You implement and configure the custom external authentication provider. You create a custom AuthenticationProvidersInitializer where you configure the external provider and then register the initializer in the ObjectFactory. 

You implement and configure the custom external authentication provider. You create a custom AuthenticationProvidersInitializer where you configure the external provider and then register the initializer in the ObjectFactory. 

Once a user logs via SSO with the STS in the relying party instance, in case there is no user previously authenticated with the same email, a new local user account is automatically created. The profile fields of the account are populated with the information provided by the STS in the claims that are returned. Profile fields of the local account (in the relying party instance) are updated only when they are empty and only from the claims received by the STS. Thus, if you edit your first name in the relying party instance, the change is not synced with the first name on the STS. Once the account is created locally, it is bound to the identity authenticated via email by the STS. If the email is modified either in the STS, or in the local profile in the relying party instance, a new account is once again created for the external user when they log in. If this is the case, all local profile information and local application roles are lost.

Use the following sample:

NOTE: Due to nonce validation, this sample works only under HTTPS. You can disable nonce validation with code to work under HTTP for development and testing purposes. For more information, see Troubleshooting Authentication.

Register the initializer the following way:

To do this, perform the following:

1. Navigate to Administration » Settings » Advanced.
2. In the left pane, expand Authentication » SecurityTokenService » AuthenticationProviders.
3. Click Create new » OpenIDConnectAuthenticationProviderElement.
4. Enter the Name and the Title of the provider. The Name must match exactly the name you used when you registered it in the code.
   In this example, enter MyOIDC.
   
5. Select Enabled checkbox.
   
6. Save your changes.
   The provider is created.
   If required, you can configure additional parameters of the provider, instead of hard coding them.
   
7. Under the newly created provider, expand Parameters and create the following parameters:

   Key	Value
   clientId	The client ID configured in the external STS.
   issuer	The absolute path to the external STS.
   redirectUri	The absolute path to the local STS. NOTE: Make sure the path is added in the external STS during client registration.The path, configured in the external STS, must be identical to the value of theredirectUriparameter.
   responseType	Set the value to"id_token"
   scope	Set the value to"openid profile rememberMe email"
   caption	The text that is displayed on the login button. If you do not enter text, the button is not displayed.

8. Save your changes.

If you want to extend the default implementation you can do so by implementing a new class and configuring it in the NotificationsType field in the configuration.

Custom OIDC handler sample:

Sitefinity CMS backend configuration

1. Navigate to Administration » Settings » Advanced.
2. In the left pane, expand Authentication » SecurityTokenService » AuthenticationProviders » OpenIDConnect.
3. In NotificationsType field add the class and namespace of you custom handler.
   In this example, SitefinityWebApp.MyCustomOIDCHandler,SitefinityWebApp.
4. Click Save changes.