Configure the OpenID Connect provider

With Sitefinity CMS, you can configure the out-of-the-box OpenID Connect provider and its parameters and enable authentication via OpenID protocol with third party Security Token Issuer (STS) that supports the protocol.

PREREQUISITES: Configure your application as a client in an external STS.

IMPORTANT: The OpenID Connect provider only supports the implicit client authentication flow.

To configure the OpenID Connect provider, perform the following:

  1. Navigate to Administration » Settings » Advanced.
  2. In the left pane, expand Authentication » SecurityTokenService » AuthenticationProviders.
  3. Expand the OpenIDConnect node.
  4. Enter values or modify the following parameters:
    Key Value 
    Client ID The client ID configured in the external STS. 
    Authority The absolute path to the external STS. 
    Response type Set this key to id_token, as this is required for authentication using implicit flow.
    Allowed scopes Enter the scopes, required by your scenario. The minimum required scopes for Sitefinity CMS to work with the OpenID Connect provider are openid profile rememberMe email
    Metadata address

    Enter the absolute URL from where to retrieves the OpenID metadata.

    If you leave it empty, the default URL is used: {Authority}/.well-known/openid-configuration

    Redirect URI The absolute path to the local STS, in this case enter https://<yoursitefinitysite>/<sts-endpoint-relative-path>/<custom-signin-path>


    • <yoursitefinitysite> is the domain where you host the local Sitefinity CMS instance.
    • <sts-endpoint-relative-path> is the default STS endpoint relative path in Sitefinity CMS, which is Sitefinity/Authenticate/OpenID.
    • <custom-signin-path> this is a custom key that defines the sign in path and must be unique among all external authentication providers in the Sitefinity CMS instance.

    NOTE: Make sure the path is added in the external STS during client registration. The path, configured in the external STS, must be identical to the value of the Redirect URI parameter.

    Callback path An optional constrained path, on which to process the authentication callback. If you do not provide a value, the value is generated from the Redirect URI parameter, for example: /Sitefinity/Authenticate/OpenID/signin-custom.

    NOTE: Each external provider has a unique endpoint.

    Post logout redirect URI You configure this parameter in the settings of the Identity server client of the external STS as a redirect URI. Enter the desired post logout URI from your site, for example, http://mysitefinitysite

    NOTE: This must be a URL from your site. 

    Data provider Enter the name of the local membership provider where users are created.
    Title The text that is displayed on the login button, for example, OpenID.
    Auto assigned roles Optionally, enter the roles that are automatically assigned to users registered with the OpenID Connect provider (separated with a comma).
    Link css class Enter the CSS to be applied to the login button.
    Require email claim from this provider

    This option, specifies whether you want to use the email address, provided by the external provider to map external users to Sitefinity CMS users.

    Select this checkbox, if you want users to be able to login, only if their valid email is included in the provided claim.

    This checkbox sets to true or false MapUsersViaEmail property. By default, it is selected.

  5. Select Enabled checkbox.
  6. Save your changes.
  7. Restart the application.

Map profile properties to external claims

You can create a claims map that will map Sitefinity profile properties to the respective properties of the external provider. The list defines claims to property fields mapping in the following format: Key – profile field, Value – claim name.

There are some preconfigured mappings, you can add more by performing the following:

  1. Navigate to Administration » Settings » Advanced.
  2. In the left pane, expand Authentication » SecurityTokenService » AuthenticationProviders.
  3. Expand the OpenIDConnect and click ClaimsMap » Create new.
  4. In Sitefinity field, enter the name of the property that you want to map.
    To specify the profile field, you must use a combination of the profile type name and the profile field name in the following format -  <profile_type_name>.<property_name>
    For example, if you want to map a field called FirstName, from the default SitefinityProfile profile type, in Sitefinity field, enter SitefinityProfile.FirstName
  5. In Claim from external provider, enter the name of the claim that you want to map to.
    For example, enter given_name
  6. Save your changes.

EXAMPLE: You can also map fields from custom profile typesl. For example if you have created a custom profile type, called AzureInfo, and want to create a mapping for its FullName field to a claim called user_fullname, in Step 4, enter AzureInfo.FullName and in Step 5, enter user_fullname

Was this article helpful?

Next article

Social media