Administration: Configure the OpenID Connect provider
With Sitefinity CMS, you can configure the out-of-the-box OpenID Connect provider and its parameters and enable authentication via the OpenID Connect protocol with a third-party Security Token Issuer (STS) that supports the protocol.
PREREQUISITES: Configure your application as a client in an external STS.
IMPORTANT: The OpenID Connect provider only supports the implicit client authentication flow.
To configure the OpenID Connect provider, perform the following:
- Navigate to Administration » Settings » Advanced.
- In the left pane, expand Authentication » SecurityTokenService » AuthenticationProviders.
- Expand the OpenIDConnect node.
- Enter values or modify the following parameters:

| Key | Value |
| --- | --- |
| Client ID | The client ID configured in the external STS. |
| Authority | The absolute path to the external STS. |
| Response type | Set this key to id_token, as this is required for authentication using the implicit flow. |
| Allowed scopes | Enter the scopes required by your scenario. The minimum required scopes for Sitefinity CMS to work with the OpenID Connect provider are openid profile rememberMe email. |
| Redirect URI | The absolute path to the local STS; in this case, enter `https://<yoursitefinitysite>/<sts-endpoint-relative-path>/<custom-signin-path>`, where:<br>- `<yoursitefinitysite>` is the domain where you host the local Sitefinity CMS instance.<br>- `<sts-endpoint-relative-path>` is the default STS endpoint relative path in Sitefinity CMS, which is Sitefinity/Authenticate/OpenID.<br>- `<custom-signin-path>` is a custom key that defines the sign-in path and must be unique among all external authentication providers in the Sitefinity CMS instance.<br>NOTE: Make sure the path is added in the external STS during client registration. The path configured in the external STS must be identical to the value of the Redirect URI parameter. |
| Callback path | An optional constrained path on which to process the authentication callback. If you do not provide a value, it is generated from the Redirect URI parameter, for example: /Sitefinity/Authenticate/OpenID/signin-custom.<br>NOTE: Each external provider has a unique endpoint. |
| Post logout redirect URI | You configure this parameter in the settings of the Identity Server client of the external STS as a redirect URI. Enter the desired post-logout URI from your site, for example, http://mysitefinitysite.<br>NOTE: This must be a URL from your site. |
| Data provider | Enter the name of the local membership provider where users are created. |
| Title | The text that is displayed on the login button, for example, OpenID. |
| Auto assigned roles | Optionally, enter the roles that are automatically assigned to users registered with the OpenID Connect provider (separated with a comma). |
| Link css class | Enter the CSS class to be applied to the login button. |
- Select the Enabled checkbox.
- Save your changes.
- Restart the application.
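The rules in the table above (id_token response type, the minimum scope set, a Redirect URI that matches the external STS registration exactly, a unique sign-in path, a post-logout URI on your own site, and the callback path derived from the Redirect URI when left empty) can be checked before you save and restart. The script below is an added example, not Sitefinity code or its configuration API: the `OpenIdConnectSettings` class, the `validate` function and the `/connect/authorize` endpoint path are assumptions made here (a real STS publishes its authorization endpoint in its discovery document).

```python
from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit

STS_ENDPOINT_RELATIVE_PATH = "/Sitefinity/Authenticate/OpenID"  # default local STS path (from the page)
MINIMUM_SCOPES = {"openid", "profile", "rememberMe", "email"}   # minimum scopes (from the page)

@dataclass
class OpenIdConnectSettings:
    """Constructed mirror of the parameters on the page; not Sitefinity's own configuration API."""
    site_base_url: str             # https://<yoursitefinitysite>
    client_id: str
    authority: str
    response_type: str
    allowed_scopes: str            # space-separated, as entered in the UI
    custom_signin_path: str        # <custom-signin-path>, must be unique per provider
    post_logout_redirect_uri: str
    callback_path: str = ""        # optional; derived from the redirect URI when empty

    def redirect_uri(self) -> str:
        return f"{self.site_base_url.rstrip('/')}{STS_ENDPOINT_RELATIVE_PATH}/{self.custom_signin_path}"

    def effective_callback_path(self) -> str:
        # Empty value: generated from the Redirect URI, e.g. /Sitefinity/Authenticate/OpenID/signin-custom
        return self.callback_path or urlsplit(self.redirect_uri()).path

def validate(s: OpenIdConnectSettings, registered_redirect_uris: set, other_signin_paths: set) -> list:
    """Return the misconfigurations found; an empty list means the page's rules are satisfied."""
    problems = []
    if s.response_type != "id_token":
        problems.append("Response type must be id_token (implicit flow)")
    missing = MINIMUM_SCOPES - set(s.allowed_scopes.split())
    if missing:
        problems.append("Allowed scopes missing: " + " ".join(sorted(missing)))
    authority = urlsplit(s.authority)
    if not (authority.scheme and authority.netloc):
        problems.append("Authority must be an absolute URL")
    if s.redirect_uri() not in registered_redirect_uris:   # must match the STS registration exactly
        problems.append("Redirect URI is not registered identically in the external STS")
    if s.custom_signin_path in other_signin_paths:
        problems.append("Custom sign-in path collides with another external provider")
    if urlsplit(s.post_logout_redirect_uri).netloc != urlsplit(s.site_base_url).netloc:
        problems.append("Post logout redirect URI must be a URL from your own site")
    return problems

def authorization_request_url(s: OpenIdConnectSettings, state: str, nonce: str) -> str:
    """Implicit-flow authentication request the browser is sent to (assumed IdentityServer-style
    /connect/authorize endpoint; real deployments take it from the authority's discovery document)."""
    query = {"client_id": s.client_id, "response_type": s.response_type, "scope": s.allowed_scopes,
             "redirect_uri": s.redirect_uri(), "state": state, "nonce": nonce}
    return s.authority.rstrip("/") + "/connect/authorize?" + urlencode(query)
```

Because the Redirect URI must match the STS registration character for character, pass the exact registered values (scheme, host, and path) into `validate` rather than a normalized form.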