Associate Sitefinity CMS roles to external claims

Overview

When you use third party identity providers, such as ADFS, you can configure Sitefinity CMS to automatically maintain the membership of users in Sitefinity roles when the role of a user in ADFS changes or a new user is created.

EXAMPLE: A user is assigned a new role in ADFS. You can map this role to a role in Sitefinity CMS. Then, all users that acquire the role in ADFS will be automatically assigned to the mapped role in Sitefinity CMS.

Configure the scope of the identity server

  1. Navigate to Administration » Settings » Advanced » Authentication » SecurityTokenService » IdentityServer and click Scopes.
  2. Click Create new and fill out the following information:
    1. In Scope name, enter the name of the scope.
      For example, enter groups
    2. In Claims, enter the list of claims.
      For example, enter role
  3. Save your changes.

Configure the relying party to request the newly configured scope

  1. Navigate to Administration » Settings » Advanced » Authentication and select RelyingParty.
  2. In Additional scopes of claims to be requested from the STS, enter the name of the scope you created.
    For example, enter groups
  3. Save your changes.

Configure the scope of the Sitefinity CMS client

  1. Navigate to Administration » Settings » Advanced » Authentication » SecurityTokenService » IdentityServer » Clients and select sitefinity.
  2. In Allowed scopes, enter groups
  3. Save your changes.

Create the claims to roles mappings

  1. Navigate to Administration » Settings » Advanced.
  2. In the left pane, expand Authentication » RelyingParty and click Claims to roles mappings.
  3. Click Create new and fill out the following information:
    1. In Name, enter the name of the mapping.
      For example, enter PRgroupToAuthors
    2. In Claim type, enter the full name of the type of the external claim.
      For example, enter http://schemas.microsoft.com/ws/2008/06/identity/claims/role.
    3. In Claim value, enter the value of the external claim.
      For example, enter sitefinity.adfs\Domain Users. This means that a user with claim role is logged in as a domain user.
    4. In Mapped roles, enter a comma separated list of Sitefinity CMS roles that the claim will be mapped to.
      For example, enter BackendUsers, Administrators
  4. Save your changes.
  5. Restart the application.

NOTE: If you are using the OpenID authentication protocol, the types of all claims coming from external providers are updated according to the mappings specified in the following file: https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Configuration/Hosting/ClaimMap.cs
For example, if you have claim type returned from the ADFS:
http://schemas.microsoft.com/ws/2008/06/identity/claims/group
and mapping:
{"group", "http://schemas.microsoft.com/ws/2008/06/identity/claims/group"}
you will need to map just group as claim type. For custom claims you must map the complete claim - for example, http://schemas.microsoft.com/ws/2008/06/identity/claims/customclaim.

Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.

Get started with Integration Hub | Sitefinity Cloud | Sitefinity SaaS

This free lesson teaches administrators, marketers, and other business professionals how to use the Integration hub service to create automated workflows between Sitefinity and other business systems.

Web Security for Sitefinity Administrators

This free lesson teaches administrators the basics about protecting yor Sitefinity instance and its sites from external threats. Configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.

Was this article helpful?