Configure a Sitecore instance and Sitecore Identity server

Version: 10.4

To configure a Sitecore instance to use Sitecore Identity (SI) server authentication you must:

For more information about the Sitecore Identity Server components, see Sitecore Identity Structure.

Configure the Sitecore instance

To configure the Sitecore instance, enable every Sitecore instances that uses SI server authentication with:

  • The absolute URL of the SI server (Authority in OpenId Connect terminology). You set this in the $(identityServerAuthority) configuration variable. It is specified in the deployment process.

  • The ID of the registered client. Sitecore has a default client configured in SI server with ID Sitecore. Sitecore stores this ID in the

    FederatedAuthentication.IdentityServer.ClientId setting.

  • The ID of a dedicated client for the custom Resource Owner Password flow. Sitecore uses a custom Resource Owner Password flow for internal purposes. The FederatedAuthentication.IdentityServer.ResourceOwnerClientId setting  specifies the ID of this client. The default value is SitecorePassword.

Sitecore connects the SI server according to the federated authentication configuration

Configure the Sitecore Identity server

The Sitecore Identity server must contain the configuration of all its clients (see Duende IdentityServer client). 

To configure  the Sitecore Identity server:

  1. Set the client secret in the Sitecore:IdentityServer:Clients:PasswordClient:ClientSecrets: ClientSecret1 setting in the Config\Sitecore.IdentityServer.Host.xml file on the Sitecore Identity server. 

    It must be the same as the client secret in the App_Config\ConnectionStrings.config file, in the sitecoreidentity.secret connection string, on the Sitecore instance.  

    When you install Sitecore XP, the client secret is set to Sitecore Identity Server by default and you do not need to perform this step.

  2. To allow Sitecore users to sign in, in the Config\Sitecore.IdentityServer.Host.xml file, in the Sitecore:IdentityServer:SitecoreMembershipOptions:ConnectionString setting, configure the connection string to the Security database.

  3. To allow users to recover their passwords, in the Config\Sitecore.IdentityServer.Host.xml file, configure the Sitecore:IdentityServer:AccountOptions: PasswordRecoveryUrl setting.

    When you install Sitecore XP, the link to the Sitecore instance is used by default and you do not need to perform this step.

  4. Use either the Sitecore:IdentityServer:Clients section to configure clients, or use dependency injection.

    Each client configuration node contains a number of properties that are bound to properties of the Duende.IdentityServer.Models.Client class. In most cases, the names of class properties and configuration properties are matched. Alternatively, you can use dependency injection to access the whole set of Duende IdentityServer options.

    Note

    There is a predefined client called Sitecore  (Sitecore:IdentityServer:Clients:DefaultClient).

  5. To reuse the default Sitecore client declaration, extend the lists of allowed RedirectUris, PostLogoutRedirectUris, and AllowedCorsOrigins values to contain the appropriate values for your application.

    You can use the {AllowedCorsOrigin} special token in RedirectUris and PostLogoutRedirectUris lists, as in the following example (this is in the Config\Sitecore.IdentityServer.Host.xml file:

    RequestResponse
    <?xml version="1.0" encoding="utf-8"?>
<Settings>
  <Sitecore>
    <IdentityServer>
      <Clients>
        <DefaultClient>
          ...
          <RedirectUris>
            <RedirectUri1>{AllowedCorsOrigin}/identity/signin</RedirectUri1>
            <RedirectUri2>{AllowedCorsOrigin}/signin-oidc</RedirectUri2>
          </RedirectUris>
          <PostLogoutRedirectUris>
            <PostLogoutRedirectUri1>{AllowedCorsOrigin}/identity/postexternallogout</PostLogoutRedirectUri1>
            <PostLogoutRedirectUri2>{AllowedCorsOrigin}/signout-callback-oidc</PostLogoutRedirectUri2>
          </PostLogoutRedirectUris>
          ...

  6. To  specify a protocol+domain+port part of URLs only in the AllowedCorsOrigins section, use the {AllowedCorsOrigin} token:

    RequestResponse
    <?xml version="1.0" encoding="utf-8"?>
<Settings>
  <Sitecore>
    <IdentityServer>
      <Clients>
        <DefaultClient>
          ...
          <AllowedCorsOrigins>
            <AllowedCorsOriginsGroup1>https://host1|http://host1</AllowedCorsOriginsGroup1>
            <AllowedCorsOriginsGroup2>https://host2</AllowedCorsOriginsGroup2>
            <AllowedCorsOriginsGroup3>https://host3</AllowedCorsOriginsGroup3>
          </AllowedCorsOrigins>
          ...

    Sitecore expands the RedirectUri* and PostLogoutRedirectUri* node values with {AllowedCorsOrigin} tokens to be allowed for every origin specified in the AllowedCorsOrigins list.

Do you have some feedback for us?

If you have suggestions for improving this article,