External authentication providers

You can set up single sign-on (SSO) authentication using external providers.

Sitecore Content Hub is compatible with the following external authentication providers:

  • Azure AD
  • Google
  • Microsoft
  • OpenID Connect
  • SAML
  • Sitecore Identity
  • WS-Federation
  • Yandex

You configure the external authentication providers in the ExternalAuthenticationProviders property:

"ExternalAuthenticationProviders": {
    "global_email_claim_type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "global_username_claim_type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "google": [],
    "microsoft": [],
    "open_id_connect": [],
    "saml": [],
    "sitecore": [],
    "ws_federation": [],
    "yandex": []

global_email_claim_type and global_username_claim_type set the claim types to resolve the email addresses and usernames for all providers. You can override these properties for a specific provider.

The base configuration is similar for all service providers, but some of them also have specific properties.


The configuration example can help you configure the authentication provider you need.

Base configuration

The following code shows the base configuration for all providers:

  "authentication_mode": "Passive",
  "email_claim_type": "<ClaimTypeOverride>",
  "external_user_creation_url": "https://www.registerme.com",
  "is_enabled": true,
  "messages": {
    "signIn": "translationKey",
    "signInDescription": "translationKey",
    "signInTitle": "translationKey"
  "provider_name": "<name>",
  "username_claim_type": "<ClaimTypeOverride>"
authentication_modeCan be Active or Passive. If a provider is set as Active, the system automatically redirects users to the login page of that provider if they are not yet authenticated. You must ensure that only one provider is set as Active at a time. Users can also log in through the local account page by navigating to: https:///en-us/account?forcePassive=true, without you making changes to the authentication configuration.
email_claim_typeOverrides the global_email_claim_type property for this provider.
external_user_creation_urlOverrides the AutoCreateUsers property and redirects to the provided URL.
is_enabledEnables the provider. Only enabled providers are displayed and can be registered in the authentication pipeline.
messagesModifies the default sign-in button display.
  • signIn - button message.
  • signInTitle - helptext shown when hovering the mouse over the button.
  • signInDescription - description shown next to the button.
The values must be existing translation keys.
provider_nameName of the external provider. This name:
  • Is mandatory
  • Must be unique.
  • Must be alphanumeric.
  • Is case-insensitive.
  • Can be no longer than 50 characters.
username_claim_typeOverrides the global_username_claim_type property for this provider.

The provider name is used to set up unique REST API callbacks to support multiple external authentication providers of the same type. Usually, this callback must be configured in the external authentication provider itself. Modifying the provider name requires changes to the external authentication provider as well. By default, the callback URL has the following format: /signin-{provider-name}.

Provider-specific properties

The following table describes the properties specific to each external provider.


Full configuration examples are available for Azure AD and OpenID Connect.

Googleclient_idOAuth client ID.Yes
client_secretOAuth client secret.Yes
Microsoftclient_idOAuth client ID.Yes
client_secretOAuth client secret.Yes
authorization_endpointOverrides the authorization endpoint.No
token_endpointOverrides the token endpoint.No
user_information_endpointOverrides the user information endpoint.No
SAMLcertificatePath to the certificate that the identity provider uses to sign its messages. Only required if AuthnRequestsSigned is true in the the service provider metadata file.No
idp_entity_idEntity ID of the identity provider.Yes
metadata_locationURL of the source metadata endpoint for the identity provider (IdP). You can automatically generate the SP_metadata.xml file using the /AuthServices-{providerNameInTheAuthenticationSettings} endpoint. This file contains the IdP configuration information and is used for Single Sign-On (SSO) authentication. Its contents remain unchanged unless the environment URL is modified. The metadata_location is accessed during every login, and the XML file containing the IdP configuration is not cached by Content Hub. Therefore, if your IdP endpoint is updated or modified, the configuration changes will apply immediately.

Do not copy the IdP metadata file or host it on Content Hub.

passwordPassword used to access the certificate.No
sp_entity_idEntity ID of the service provider.Yes
module_pathApplication root relative path for SAML endpoints. Defaults to /AuthServices- followed by the provider name in lowercase. It is case-sensitive and must be unique.No
bindingBinding type used when sending authentication requests to the identity provider. Accepted values are:
  • HttpRedirect (default)
  • HttpPost
  • Artifact
  • No
    authn_request_protocol_bindingBinding type the identity provider is requested to use when responding. Included in the ProtocolBinding attribute of the authentication request. Accepted values are:
  • HttpPost
  • Artifact
  • No
    Sitecoreidentity_server_urlURL of the Sitecore Identity server instance to which users are redirected during the sign-in process.Yes
    client_idOAuth client ID as known by the identity server.Yes
    client_secretOAuth client secret as known by the identity server.Yes
    WsFederationmetadata_addressURL exposing the XML metadata of a WsFederation service provider.Yes
    wtrealmURL of the requesting realm.Yes
    Yandexclient_idOAuth client ID.Yes
    client_secretOAuth client secret.Yes

    Do you have some feedback for us?

    If you have suggestions for improving this article,