Use external authentication providers with user groups

You can use external authentication providers, such as AD FS, Entra ID (formerly Azure AD), and social media authentication providers, such as Google and Facebook, to authenticate users belonging to user groups.
For more information, see Configure external identity providers.

When using external authentication providers, Sitefinity CMS receives account properties, such as the account email, from the external provider and creates a corresponding Sitefinity CMS user account, using these properties.

You can select the user groups, which Sitefinity CMS uses, for every user account that comes from an external provider. This way, you automate the mapping between users from an external authentication provider and Sitefinity CMS user groups, thus assigning these accounts to the sites that use the specified user groups.

To do this, perform the following:

1. Open the Sitefinity CMS backend
2. Navigate to Settings » Advanced » Authentication » SecurityTokenService » AuthenticationProvider » <name of your provider>
3. In the Data provider input field, enter the name of an existing user group.

You use this procedure to select the roles that Sitefinity CMS automatically assigns to every user account from an external provider. This way, you automate the mapping between users from an external authentication provider and Sitefinity CMS roles. For example, you may assign all users, authenticated via Entra ID, to the BackendUsers role and all users, authenticated via social login, to the Users role.

To do this, perform the following:

1. In Sitefinity CMS backend, navigate to Settings » Advanced.
2. In the tree on the left, click Authentication » SecurityTokenService » AuthenticationProvider » <name of your provider>
3. In the Auto assigned roles input field, enter the names of existing roles.

If you do not create this automatic mapping, you will need to manually assign a role to every account, after your visitors have logged in, using an external account provider.