Sitecore Experience Management

Sitecore Identity

Abstract

Sitecore Identity provides a mechanism for Sitecore login.

Sitecore Identity (SI) is a mechanism to log in to Sitecore. It was introduced in Sitecore 9.1. It builds on the Federated Authentication functionality introduced in Sitecore 9.0 and the Sitecore Identity server, which is based on IdentityServer4. It provides a separate identity provider, and makes it possible for you to set up SSO (Single Sign-On) across Sitecore services and applications.

When you use Sitecore Identity, the sign-in flow is as follows:

  • You are an authorized user in Sitecore:

    Then you have access.

  • You are not authenticated in Sitecore:

    Then you are redirected to the SI server.

    • If you are not authenticated in the SI server yet:

      Then you are prompted to enter your sign-in credentials on the SI server login page. After that, you are redirected back to the Sitecore Client. You are now authenticated in Sitecore Client.

      Note

      If users do not have permission to access Sitecore Client, then the system redirects them back to the SI server login page and displays a warning message.

      The SI server login page looks like the former /sitecore/login page, but it also shows the currently authorized user in the top-right corner.

    • If you are already authenticated in SI server:

      Then you are redirected back to Sitecore Client. You are now authenticated in Sitecore Client.

You use the SI server to request and use identity, access, and refresh tokens. Sitecore Identity uses these tokens for authorizing requests to Sitecore services. Sitecore users can sign in to various sites and services that are hosted separately even when they do not have a running instance of Sitecore XP.

SI replaces the default login pages of the Sitecore Client, so you must update your browser bookmarks from https://{domain}/sitecore/login to https://{domain}/sitecore.

Note

When SI is enabled, the old /sitecore/login page redirects users. However, you can still use the old login page.
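
Because the old login page remains usable next to SI, it helps to check whether anyone still signs in through it. The following is an added example, not Sitecore code: it scans IIS W3C log text for requests to /sitecore/login that were handled by the old page instead of being redirected. It assumes that a 3xx status on a GET is the SI redirect and that any POST means a form was submitted to the old page; the log lines are constructed sample data.

```python
# Added example: audit IIS W3C logs for use of the old /sitecore/login page.
# Assumptions (not from Sitecore documentation): a GET answered with 3xx is the
# redirect described above; a POST, or a GET with any other status, means the
# old login page itself handled the request.
LEGACY_PATH = "/sitecore/login"

# Constructed sample log, not real traffic. The second #Fields line models a
# logging configuration change in the middle of a file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2024-05-01 08:00:01 GET /sitecore/login - - 203.0.113.10 302
2024-05-01 08:00:02 GET /sitecore - - 203.0.113.10 302
2024-05-01 08:05:10 GET /sitecore/login - - 198.51.100.7 200
2024-05-01 08:05:31 POST /Sitecore/Login - - 198.51.100.7 302
2024-05-01 08:06:00 GET /sitecore/login/logo.png - - 198.51.100.7 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-05-01 09:00:00 192.0.2.44 POST /sitecore/login 200
"""


def find_legacy_logins(log_text):
    """Return (date, time, c-ip, method, status) for requests the old page handled."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated row
        row = dict(zip(fields, parts))
        # IIS matches URL paths case-insensitively, so normalize before comparing.
        stem = row.get("cs-uri-stem", "").rstrip("/").lower()
        if stem != LEGACY_PATH:
            continue
        method = row.get("cs-method", "").upper()
        status = row.get("sc-status", "")
        if method == "POST" or not status.startswith("3"):
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"), method, status))
    return hits


if __name__ == "__main__":
    for hit in find_legacy_logins(SAMPLE_LOG):
        print(*hit)
```

Each hit identifies a client that should be moved to the https://{domain}/sitecore entry point.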