Sitecore Identity and Federated Authentication

The latest versions of Sitecore (9.1+) have added support to modern authentication and authorization standards, federated authentication methodology, and industry standard technologies. The revamped identity structure makes it much easier to extend and customize the authentication experience in Sitecore, especially when it comes to federated authentication or SSO.

This article is going to be an overview of the Sitecore Identity and related techs, and in what ways we can customize it.

Key Terms and Technology

SSO: A Single-Sign-On function that authenticates a user using a single set of credentials and allows the user the access multiple applications within an organization by signing in once. E.g., Signing into Bed Bath Beyond gives you access to Buy Buy Baby.

Federated Authentication: SSO + allowing authentication to multiple organizations. E.g., Signing into Microsoft may give you access to Salesforce, Atlassian, etc.

Authentication protocol/standards: There are a few authentication protocols/standards: OpenID Connect, OAuth, and SAML. Federated authentication uses one or more protocols to standardize the authentication communication cycle.

OWIN: OWIN is a standard/specification that allows web apps to be decoupled from web servers. It defines a standard way for middleware to be used in a pipeline to handle requests and associated responses. Microsoft has an implementation of OWIN called Katana (https://github.com/aspnet/AspNetKatana) distributed as NuGet packages (Microsoft.Owin.*).

ASP.NET Identity: The standard authentication and authorization provider in latest ASP.NET versions based on OWIN middleware. In a SSO context, ASP.NET Identity by itself is usually used to receive the security token from other identity providers. https://docs.microsoft.com/en-us/aspnet/identity/overview/getting-started/introduction-to-aspnet-identity

IdentityServer4: An open-source project provides an OpenID Connect and OAuth 2.0 framework for ASP.NET Core. In Sitecore, this library is used as the identity provider and security token issuer and many functionalities and customizations rely on it. https://github.com/IdentityServer/IdentityServer4

Sitecore Identity server: A standalone authentication and authorization application based on IdentityServer4 and .NET Core, introduced since Sitecore 9.0. This server is created as a separate site when installing a new Sitecore (9.0+) instance and used as the identity provider for Sitecore backend login out of the box.

Sitecore Identity: A specific mechanism to log in to Sitecore. It was introduced in Sitecore 9.1. It builds on the Federated Authentication functionality and the Sitecore Identity server.

• Sitecore Identity server is the identity provider (supported by IdentityServer4)
• OpenID Connect is used as the protocol
• ASP.NET Identity is used at the receiver end (e.g., Sitecore CM sites).

We should be able to form a general understanding of how authentication technologies are tied up together in Sitecore Identity.

Federated scenarios and customizations

However, understanding the above is just the beginning, there are numerous ways of customization and extension that can make the Federated authentication experience much more streamlined for an organization. The goal is to make our Sitecore implementation a part of the overall organization structure so that editors and visitors alike can login to Sitecore (frontend or backend) in a consistent way.

Here are a few scenarios:

1. No integration into the larger scope. Out-of-box Sitecore Identity using the Sitecore database is enough when it is not hard for admins to manage Sitecore users, and the site visitors only need to access the Sitecore frontend site (or no frontend login at all).
2. Integration with another identity provider. This is recommended if the organization already has an identity provider (Microsoft, Google, etc.). It will be much easier for admins, editors, and visitors if they only need to manage the authentication information in one location. There are two ways of doing this:
   1. We can customize Sitecore Identity server as the Federated gateway to the organization’s identity provider. This method is eligible for backend and frontend, we can restyle the Sitecore Identity server screen and swap the logo and colors. https://doc.sitecore.com/xp/en/developers/93/sitecore-experience-manager/use-the-sitecore-identity-server-as-a-federation-gateway.html
   2. Use federated authentication directly on Sitecore instances and bypass the Sitecore Identity server, Sitecore does not recommend this for backend login. https://doc.sitecore.com/xp/en/developers/93/sitecore-experience-manager/configure-federated-authentication.html
3. Make Sitecore the identity provider. This is the reverse of scenario 2, and we authenticate other sites/services using Sitecore Identity server (supported by IdentityServer4). This is useful if the organization already has most of the credentials in Sitecore and wants to create a federated authentication experience in other applications using the same credentials. https://doc.sitecore.com/xp/en/developers/93/sitecore-experience-manager/use-bearer-tokens-in-client-applications.html
4. Make Sitecore the federated gateway for other applications. This is like the fusion of scenario 2 and scenario 3, where other applications use Sitecore Identity server as the relay to the real identity provider. This is useful if there are compatibility issues between the identity provider and other services such as they support different authentication protocols, firewall and infrastructure limitations, etc. (Achieved by the same techniques in 2.a and 3)

Conclusion

This article is just an overview of the Sitecore Identity and technologies involved and will be the start of a series of blogs that detail each customization and integration technique and provide examples on the things we find important but not elaborated or organized in Sitecore documentation.