Sitefinity AzureAD Integration

sitefinity | NET, CMS, Sitefinity, AzureAD, OpenId | 2021-01-20

Azure AD Setup

Go to you Azure Active Directory → App Registrations → New Registration

Give a name to the application, you can leave the Redirect URI as blank now. Then click Register.

Go to Authentication Tab → Add a platform → Web

Redirect URIs: http:/Sitefinity Instance/Sitefinity/Authenticate/OpenID/signin-custom

Select the tokens you would like to be issued by the authorization endpoint: Check ID Tokens

Sitefinity Setup

Spin up (If you haven’t) and run the Sitefinity Instance

Login to Sitefinity backend → Go to Administration → Advanced → Authentication → SecurityTokenService → AuthenticationProviders → OpenIDConnect

Do the following settings:

Setting	Key
ClientID	Azure AD App – Application (client) ID
Response type	id_token
Allowed scopes	openid profile email
Authority	https://login.microsoftonline.com/[Azure AD App Directory (tenant) ID]/v2.0/authorize
Metadata address	https://login.microsoftonline.com/[Azure AD App Directory (tenant) ID]/v2.0/.well-known/openid-configuration
Redirect URI	https://[Sitefinity Instance]/Sitefinity/Authenticate/OpenID/signin-custom
Post logout redirect URI	https://[Sitefinity Instance]
Title	Azure AD Login
Enabled	True
Auto assigned roles	Administrators
Require email claim from this provider	True (We can check the metadata address to understand what to map)
Claims to fields mappings	Email: email, SitefinityProfile.FirstName: name, SitefinityProfile.Nickname: nickname

Setting

Key

ClientID

Azure AD App – Application (client) ID

Response type

id_token

Allowed scopes

openid profile email

Authority

https://login.microsoftonline.com/[Azure AD App Directory (tenant) ID]/v2.0/authorize

Metadata address

https://login.microsoftonline.com/[Azure AD App Directory (tenant) ID]/v2.0/.well-known/openid-configuration

Redirect URI

https://[Sitefinity Instance]/Sitefinity/Authenticate/OpenID/signin-custom

Post logout redirect URI

https://[Sitefinity Instance]

Title

Azure AD Login

Enabled

True

Auto assigned roles

Administrators

Require email claim from this provider

True (We can check the metadata address to understand what to map)

Claims to fields mappings

Email: email, SitefinityProfile.FirstName: name, SitefinityProfile.Nickname: nickname

Restart Sitefinity

Verification a. Visit http://Sitefinity Instance/Sitefinity → Click Azure Login

screen1

b. It will prompt you a permission request for first time login, simply press Accept.

screen2

c. It will prompt for your username + password. Fulfill it and it will route you back to Sitefinity dashboard

screen3 screen4

d. Then go to Administration → Users, you will see an unknown user and a default user while both having same email address.

screen5

e. It is working!

Further Enhancement

Intercept AzureAD callback response, and create necessary users with proper profile

Hide the default login method completely

Create a file under /Content/Pages/login.html
Comment unnecessary blocks: login.html (github.com)
Restart Sitefinity, and you will see only Azure Login button
Consider to write a script to redirect on page load

Sitefinity AzureAD Integration

Sitefinity AzureAD Integration

Azure AD Setup

Sitefinity Setup

Further Enhancement

References