Sitecore Experience Management

Configure a Sitecore instance and Sitecore Identity server

Abstract

How to configure Sitecore instances and Sitecore Identity server

To configure a Sitecore instance to use Sitecore Identity (SI) server authentication, you must configure both the Sitecore instance and the SI server.

To configure the Sitecore instance:

  1. Configure every Sitecore instance that uses SI server authentication with the following:

    • The absolute URL of the SI server (Authority in OpenId Connect terminology). You set this in the $(identityServerAuthority) configuration variable. It is specified in the deployment process.

    • The ID of the registered client. Sitecore has a default client configured in the SI server with the ID Sitecore. Sitecore stores this ID in the FederatedAuthentication.IdentityServer.ClientId setting.

    • The ID of a dedicated client for the custom Resource Owner Password flow. Sitecore uses a custom Resource Owner Password flow for internal purposes, and the FederatedAuthentication.IdentityServer.ResourceOwnerClientId setting specifies the ID of this client. The default value is SitecorePassword.

  2. Set a client secret. You store it in the sitecoreidentity.secret connection string of the Sitecore instance, and it is represented in the SI server in the secrets list of the PasswordClient client: Sitecore:IdentityServer:Clients:PasswordClient:ClientSecrets:....

Sitecore connects to the SI server according to the federated authentication configuration.

The SI server must contain the configuration of all its clients (see IdentityServer4 client).

To configure the Sitecore Identity server:

  1. Configure clients either in the Sitecore:IdentityServer:Clients section or through dependency injection.

    Each client configuration node contains a number of properties that are bound to properties of the IdentityServer4.Models.Client class. In most cases, the names of the class properties and the configuration properties match. Alternatively, you can use dependency injection to access the whole set of IdentityServer4 options.

    Note

    There is a predefined client called Sitecore (Sitecore:IdentityServer:Clients:DefaultClient).

  2. To reuse the default Sitecore client declaration, extend the RedirectUris, PostLogoutRedirectUris, and AllowedCorsOrigins lists with the values that are appropriate for your application.

    You can use the {AllowedCorsOrigin} special token in RedirectUris and PostLogoutRedirectUris lists, as in the following example:

    <?xml version="1.0" encoding="utf-8"?>
    <Settings>
      <Sitecore>
        <IdentityServer>
          <Clients>
            <DefaultClient>
              ...
              <RedirectUris>
                <RedirectUri1>{AllowedCorsOrigin}/identity/signin</RedirectUri1>
                <RedirectUri2>{AllowedCorsOrigin}/signin-oidc</RedirectUri2>
              </RedirectUris>
              <PostLogoutRedirectUris>
                <PostLogoutRedirectUri1>{AllowedCorsOrigin}/identity/postexternallogout</PostLogoutRedirectUri1>
                <PostLogoutRedirectUri2>{AllowedCorsOrigin}/signout-callback-oidc</PostLogoutRedirectUri2>
              </PostLogoutRedirectUris>
              ...
            </DefaultClient>
          </Clients>
        </IdentityServer>
      </Sitecore>
    </Settings>

  3. To specify the protocol, domain and port part of the URLs only once, in the AllowedCorsOrigins section, use the {AllowedCorsOrigin} token:

    <?xml version="1.0" encoding="utf-8"?>
    <Settings>
      <Sitecore>
        <IdentityServer>
          <Clients>
            <DefaultClient>
              ...
              <AllowedCorsOrigins>
                <AllowedCorsOriginsGroup1>https://host1|http://host1</AllowedCorsOriginsGroup1>
                <AllowedCorsOriginsGroup2>https://host2</AllowedCorsOriginsGroup2>
                <AllowedCorsOriginsGroup3>https://host3</AllowedCorsOriginsGroup3>
              </AllowedCorsOrigins>
              ...
            </DefaultClient>
          </Clients>
        </IdentityServer>
      </Sitecore>
    </Settings>

    Sitecore expands each RedirectUri* and PostLogoutRedirectUri* node value that contains the {AllowedCorsOrigin} token once for every origin in the AllowedCorsOrigins list, so that the URL is allowed for each of those origins.
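    The expansion rule above can be checked offline before a configuration is deployed. The following Python script is an added example written for this page, not code from Sitecore or its documentation: it parses a client configuration in the shape shown above, computes the effective RedirectUris and PostLogoutRedirectUris lists, and flags any allowed origin that is not HTTPS. The sample configuration and the splitting of group values on "|" are assumptions modelled on the snippets above.

```python
import xml.etree.ElementTree as ET
TOKEN = "{AllowedCorsOrigin}"
# Constructed sample configuration, modelled on the snippets above (assumption, not a real deployment).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Settings>
  <Sitecore>
    <IdentityServer>
      <Clients>
        <DefaultClient>
          <RedirectUris>
            <RedirectUri1>{AllowedCorsOrigin}/identity/signin</RedirectUri1>
            <RedirectUri2>{AllowedCorsOrigin}/signin-oidc</RedirectUri2>
          </RedirectUris>
          <PostLogoutRedirectUris>
            <PostLogoutRedirectUri1>{AllowedCorsOrigin}/signout-callback-oidc</PostLogoutRedirectUri1>
          </PostLogoutRedirectUris>
          <AllowedCorsOrigins>
            <AllowedCorsOriginsGroup1>https://host1|http://host1</AllowedCorsOriginsGroup1>
            <AllowedCorsOriginsGroup2>https://host2</AllowedCorsOriginsGroup2>
          </AllowedCorsOrigins>
        </DefaultClient>
      </Clients>
    </IdentityServer>
  </Sitecore>
</Settings>"""
def _values(client, section):
    node = client.find(section)  # text of each child node under <section>; [] if the section is absent
    return [(c.text or "").strip() for c in node] if node is not None else []

def allowed_origins(client):
    # A group node may hold several origins separated by '|', as in the page's example.
    return [o.strip() for g in _values(client, "AllowedCorsOrigins") for o in g.split("|") if o.strip()]

def expand(client, section):
    # Replace the token with every allowed origin; values without the token pass through unchanged.
    origins, out = allowed_origins(client), []
    for value in _values(client, section):
        if TOKEN in value:
            out.extend(value.replace(TOKEN, o) for o in origins)
        else:
            out.append(value)
    return out

def effective_client(xml_text, client_name="DefaultClient"):
    client = ET.fromstring(xml_text.encode("utf-8")).find(f"./Sitecore/IdentityServer/Clients/{client_name}")
    result = {s: expand(client, s) for s in ("RedirectUris", "PostLogoutRedirectUris")}
    result["AllowedCorsOrigins"] = allowed_origins(client)
    # Plain-http origins would let the authorization code and tokens travel in clear text; flag them for review.
    result["InsecureOrigins"] = [o for o in result["AllowedCorsOrigins"] if not o.lower().startswith("https://")]
    return result
```

    Every expanded value must match the redirect_uri the Sitecore instance actually sends, so review the effective list rather than the token form when auditing a deployment.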