Sitecore Identity structure

Current version: 9.1

Sitecore Identity (SI) provides interactions between the following components:

  • Sitecore Identity server - an OpenID Connect-compliant security token service.

  • Sitecore Identity clients - these are individual applications that can request security tokens from the SI server. The Sitecore instance itself is also an SI client.

The Sitecore Identity server

The SI server is a standalone ASP.NET Core application based on IdentityServer4. It acts as an OpenID Connect compliant security token service (STS). It is deployed as a separate website during Sitecore deployment, and the default URL is https://{instanceName}.identityserver.

Note

The SI server only works under the HTTPS protocol, but it can support SI clients under both HTTP and HTTPS as long as they are configured properly in the SI server configuration.

The SI server exposes some IdentityServer4 configuration to the config files. For advanced IdentityServer4 configuration, you must use runtime plugins and change the IdentityServer4 configuration using dependency injection. This makes the IdentityServer4 configuration fully configurable.

Sitecore Identity clients

An SI client is any application that authenticates users who are using the SI server. You must register every SI client in the SI server before the client can use the SI server. An SI client can request security tokens, validate them, and create context users from these tokens. Alternatively, it can use them as bearer tokens to make authorized requests to other services that are configured to accept such tokens. Examples of clients are web applications, native mobile or desktop applications, and server processes.

You configure the SI server in the Sitecore instance in the \App_Config\Sitecore\Owin.Authentication.IdentityServer\Sitecore.Owin.Authentication.IdentityServer.config configuration file.

The Sitecore instance is also an SI client, and it is registered in the SI server by default. The Sitecore instance knows about the SI server because the SI server is an identity provider in the sitecore/federatedAuthentication/identityProviders node.

Note

You can have authentication using the SI server in your own projects. You enable SI server authentication and make it possible to request access tokens for Sitecore ASP.NET Core-based projects with the Sitecore.Plugin.Authentication.OpenIdConnect NuGet package. You enable bearer token authentication for Sitecore ASP.NET Core-based projects with the Sitecore.Plugin.Authentication.JwtBearer NuGet package. 

Do you have some feedback for us?

If you have suggestions for improving this article,