Sitecore Identity (SI) is a mechanism to log in to Sitecore. It was introduced in Sitecore 9.1. It builds on the Federated Authentication functionality introduced in Sitecore 9.0 and the Sitecore Identity server, which is based on IdentityServer4. It provides a separate identity provider, and allows you to set up SSO (Single Sign-On) across Sitecore services and applications.
You can use federated authentication for front-end login (on a content delivery server), and we recommend you always use Sitecore Identity for all Sitecore (back-end) authentication.
Sitecore 9.1.0 or later does not support the Active Directory module, you should use federated authentication instead.
When you use Sitecore Identity, the sign-in flow is:
If you are an authorized user in Sitecore:
Then you have access.
If you are not authenticated in Sitecore:
Then you are redirected to the SI server.
If you are not authenticated in the SI server yet:
Then you are prompted to enter your sign-in credentials on the SI server login page. After that, you are redirected back to the Sitecore Client. You are now authenticated in the Sitecore Client.Note
If users do not have permission to access the Sitecore Client, then the system redirects them back to the SI server login page and displays a warning message.
The SI server login page looks like
/sitecore/login, but you can now also see the currently authorized user in the top-right corner.
If you are already authenticated in the SI server:
Then you are redirected back to the Sitecore Client. You are now authenticated in the Sitecore Client.
You use the SI server to request and use identity, access, and refresh tokens. Sitecore Identity uses these tokens for authorizing requests to Sitecore services. Sitecore users can sign in to various sites and services that are hosted separately even when they do not have a running instance of Sitecore XP.
SI replaces the default login pages of the Sitecore Client, so you must update your browser bookmarks from
When SI is enabled, an old
/sitecore/login page redirects users. However, you can still use an old login page.