External authentication providers
You can set up single sign-on (SSO) authentication using external providers.
Sitecore Content Hub is compatible with the following external authentication providers:
- Azure AD
- Google
- Microsoft
- OpenID Connect
- SAML
- Sitecore Identity
- WS-Federation
- Yandex
You configure the external authentication providers in the ExternalAuthenticationProviders property:
    "ExternalAuthenticationProviders": {
        "global_email_claim_type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "global_username_claim_type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "google": [],
        "microsoft": [],
        "open_id_connect": [],
        "saml": [],
        "sitecore": [],
        "ws_federation": [],
        "yandex": []
    }
global_email_claim_type and global_username_claim_type set the claim types used to resolve the email addresses and usernames for all providers. You can override these properties for a specific provider.
The base configuration is similar for all service providers, but some of them also have specific properties.
The configuration example can help you configure the authentication provider you need.
Base configuration
The following code shows the base configuration for all providers:
    {
        "authentication_mode": "Passive",
        "email_claim_type": "<ClaimTypeOverride>",
        "external_user_creation_url": "https://www.registerme.com",
        "is_enabled": true,
        "messages": {
            "signIn": "translationKey",
            "signInDescription": "translationKey",
            "signInTitle": "translationKey"
        },
        "provider_name": "<name>",
        "username_claim_type": "<ClaimTypeOverride>",
        "user_linking": {
            "user_profile_property_name": "Email",
            "claim_type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
        }
    }
Property | Description
---|---
authentication_mode | Can be
email_claim_type | Overrides the
external_user_creation_url | Overrides the
is_enabled | Enables the provider. Only enabled providers are displayed and can be registered in the authentication pipeline.
messages | Modifies the default sign-in button display. The values must be existing translation keys.
provider_name | Name of the external provider. This name:
username_claim_type | Overrides the
user_linking | Lets you link different identity provider accounts to the same Content Hub user account. You can configure Warning: The login procedure will fail if: If no user profile matches the specified claim type, the system proceeds by treating this user as a new user.
Properties that pass claims to the authentication setting, such as email_claim_type and username_claim_type, can use a custom email claim as the email address (for example, "email_claim_type": "http://schemas.auth0.com/CustomEmailClaim").
The provider name is used to set up unique REST API callbacks, which is what allows multiple external authentication providers of the same type to coexist. Usually, this callback must be configured in the external authentication provider itself, so modifying the provider name requires a matching change on the external authentication provider side. By default, the callback URL has the following format: /signin-{provider-name}.
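As an added example (not Sitecore's code), the following Python models the rules described above on a constructed configuration: only enabled providers are registered, each gets the /signin-{provider-name} callback path, a per-provider claim type falls back to the global one, and two enabled providers that share a name would collide on the same callback path. The provider names, the custom claim type and the claims dict are constructed sample values.

```python
import json

# Constructed sample (hypothetical names and values) laid out like the
# ExternalAuthenticationProviders property; two enabled providers share a name.
SAMPLE_CONFIG = json.loads("""{
  "global_email_claim_type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "global_username_claim_type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  "google": [{"provider_name": "corp", "is_enabled": true,
              "email_claim_type": "http://schemas.auth0.com/CustomEmailClaim"}],
  "microsoft": [{"provider_name": "corp", "is_enabled": true},
                {"provider_name": "contoso", "is_enabled": false}],
  "open_id_connect": [], "saml": [], "sitecore": [], "ws_federation": [], "yandex": []
}""")

PROVIDER_TYPES = ("google", "microsoft", "open_id_connect", "saml",
                  "sitecore", "ws_federation", "yandex")

def enabled_providers(config):
    """Yield (type, entry) for providers with is_enabled set; only those get registered."""
    for ptype in PROVIDER_TYPES:
        for entry in config.get(ptype, []):
            if entry.get("is_enabled"):
                yield ptype, entry

def callback_path(entry):
    """Default callback URL format: /signin-{provider-name}."""
    return "/signin-" + entry["provider_name"]

def effective_claim_types(config, entry):
    """A per-provider *_claim_type override wins over the global_* claim type."""
    return {
        "email": entry.get("email_claim_type") or config["global_email_claim_type"],
        "username": entry.get("username_claim_type") or config["global_username_claim_type"],
    }

def duplicate_callbacks(config):
    """Callback paths derive from provider_name, so two enabled providers with
    the same name (even of different types) would collide on the same path."""
    seen, dupes = {}, []
    for ptype, entry in enabled_providers(config):
        path = callback_path(entry)
        if path in seen:
            dupes.append((path, seen[path], ptype))
        seen.setdefault(path, ptype)
    return dupes

def resolve_identity(config, entry, claims):
    """Read the email and username from a claim set using the effective claim types."""
    return {k: claims.get(t) for k, t in effective_claim_types(config, entry).items()}
```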
Provider-specific properties
The following table describes the properties specific to each external provider.
Full configuration examples are available for Azure AD and OpenID Connect.
Provider | Property | Description | Mandatory
---|---|---|---
 | | OAuth client ID. | Yes
 | | OAuth client secret. | Yes
Microsoft | | OAuth client ID. | Yes
Microsoft | | OAuth client secret. | Yes
Microsoft | | Overrides the authorization endpoint. | No
Microsoft | | Overrides the token endpoint. | No
Microsoft | | Overrides the user information endpoint. | No
SAML | | Path to the certificate that the identity provider uses to sign its messages. Only required if | No
SAML | | Entity ID of the identity provider. | Yes
SAML | | URL of the source metadata endpoint for the identity provider (IdP). You can automatically generate the SP_metadata.xml file using the Important: Do not copy the IdP metadata file or host it on Content Hub. | Yes
SAML | | Password used to access the certificate. | No
SAML | | Entity ID of the service provider. | Yes
SAML | | Application root relative path for SAML endpoints. Defaults to | No
SAML | | Binding type used when sending authentication requests to the identity provider. Accepted values are: | No
SAML | | Binding type the identity provider is requested to use when responding. Included in the | No
Sitecore | | URL of the Sitecore Identity server instance to which users are redirected during the sign-in process. | Yes
Sitecore | | OAuth client ID as known by the identity server. | Yes
Sitecore | | OAuth client secret as known by the identity server. | Yes
WsFederation | | URL exposing the XML metadata of a WsFederation service provider. | Yes
WsFederation | | URL of the requesting realm. | Yes
Yandex | | OAuth client ID. | Yes
Yandex | | OAuth client secret. | Yes