Associate Sitefinity CMS roles to external claims

When you use a third-party identity provider, such as ADFS, you can configure Sitefinity CMS to maintain the membership of users in Sitefinity roles automatically, driven by the claims the provider issues: when a user's role in ADFS changes or a new user is created, the user's Sitefinity roles follow without manual administration.

EXAMPLE: A user is assigned a new role in ADFS. You can map this role to a role in Sitefinity CMS. Then, all users that acquire the role in ADFS are automatically assigned to the mapped role in Sitefinity CMS.

Create the Claims to roles mappings

  1. Navigate to Administration » Settings » Advanced.
  2. In the left pane, expand Authentication » RelyingParty and click Claims to roles mappings.
  3. Click Create new and fill out the following information:
    1. In Name, enter the name of the mapping.
      For example PRgroupToAuthors
    2. In Claim type, enter the type of the desired external claim.
      For example, enter role
    3. In Claim value, enter the desired value of the external claim.
      For example, enter sitefinity.adfs\Domain Users
    4. In Mapped roles, enter a comma separated list of Sitefinity roles, which the claim will be mapped to.
      For example, enter BackendUsers, Administrators
  4. Save your changes.

NOTE: Keep each mapping as narrow as the privilege it grants. A broad claim value such as Domain Users mapped to Administrators gives every domain account full administrative access to the Sitefinity backend. Reserve privileged roles such as Administrators for a dedicated, tightly managed group in ADFS, and review the mappings whenever group membership rules in ADFS change.

Configure the scope of the identity server

  1. In the left pane, expand Authentication » SecurityTokenService » IdentityServer and click Scopes.
  2. Click Create new and fill out the following information:
    1. In Scope name, enter the name of the scope.
      For example, enter groups
    2. In Claims, enter the list of claims.
      For example, enter role
  3. Save your changes.

Configure the relying party to request the newly configured scope

  1. In the left pane, expand Authentication and select RelyingParty.
  2. In Additional scopes of claims to be requested from the STS, enter the name of the scope you created.
    For example, enter groups
  3. Save your changes.

Configure the scope of the Sitefinity CMS client

  1. In the left pane, expand Authentication » SecurityTokenService » IdentityServer » Clients and select sitefinity.
  2. In Allowed scopes, enter groups
  3. Save your changes.
  4. Restart the application.

NOTE: The types of all claims coming from external providers are renamed according to the mappings in the following IdentityServer3 file: https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Configuration/Hosting/ClaimMap.cs
Each entry translates a long claim-type URI into a short name, and it is the short name that must appear in Claim type; a mapping written with the full URI never matches.
For example, if ADFS returns the claim type:
http://schemas.microsoft.com/ws/2008/06/identity/claims/group
and ClaimMap.cs contains the mapping:
{"group", "http://schemas.microsoft.com/ws/2008/06/identity/claims/group"}
you must enter just group as the Claim type.
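The following script models the two steps this page describes, the claim-type renaming in the NOTE above and the Claims to roles mappings created earlier, so that you can check which Sitefinity roles a given set of ADFS claims would produce before trusting a mapping in production. It is an added example, not Sitefinity or IdentityServer3 code: the claim map contents, the sample claims and mappings, and the exact, case-sensitive comparison are assumptions made for the illustration. It also includes a simple audit that flags mappings granting a privileged role to a broad group, as a check a practitioner would run on the page's Domain Users example.

```python
"""Model of how an external claim turns into Sitefinity CMS roles.

Added illustration, not Sitefinity or IdentityServer3 code. It reproduces:
  1. IdentityServer3's ClaimMap renaming an incoming claim type from its long
     URI form to a short name (the NOTE above).
  2. A Sitefinity "Claims to roles mapping" matching the short claim type and
     the claim value, and granting the comma-separated mapped roles.
The mapping table, sample data and exact-match comparison are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Short name -> long URI, in the shape of IdentityServer3's ClaimMap.
# Only a few entries are shown; the "group" entry is the one quoted on this page.
CLAIM_MAP: Dict[str, str] = {
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "role": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "group": "http://schemas.microsoft.com/ws/2008/06/identity/claims/group",
}


@dataclass(frozen=True)
class ClaimsToRolesMapping:
    """One entry under Authentication » RelyingParty » Claims to roles mappings."""
    name: str
    claim_type: str
    claim_value: str
    mapped_roles: str  # comma-separated, exactly as typed into the UI

    def roles(self) -> List[str]:
        return [r.strip() for r in self.mapped_roles.split(",") if r.strip()]


def normalize_claim_type(claim_type: str, claim_map: Dict[str, str] = CLAIM_MAP) -> str:
    """Return the short name for a long claim-type URI, or the type unchanged if unmapped."""
    for short_name, long_uri in claim_map.items():
        if claim_type == long_uri:
            return short_name
    return claim_type


def roles_for_claims(claims: Iterable[Tuple[str, str]],
                     mappings: Iterable[ClaimsToRolesMapping],
                     claim_map: Dict[str, str] = CLAIM_MAP) -> List[str]:
    """Roles a user would receive for the given (claim type, claim value) pairs.

    Comparison is exact and case-sensitive here; that is an assumption of the
    model, not a statement about how Sitefinity compares claim values.
    """
    granted: List[str] = []
    for claim_type, claim_value in claims:
        short_type = normalize_claim_type(claim_type, claim_map)
        for mapping in mappings:
            if mapping.claim_type == short_type and mapping.claim_value == claim_value:
                for role in mapping.roles():
                    if role not in granted:
                        granted.append(role)
    return granted


def audit_mappings(mappings: Iterable[ClaimsToRolesMapping],
                   privileged_roles: Iterable[str] = ("Administrators",),
                   broad_groups: Iterable[str] = ("Domain Users",)) -> List[str]:
    """Names of mappings that grant a privileged role to a broad group.

    The default lists of privileged roles and broad groups are illustrative.
    """
    privileged = set(privileged_roles)
    findings: List[str] = []
    for mapping in mappings:
        is_broad = any(mapping.claim_value.endswith(g) for g in broad_groups)
        if is_broad and privileged & set(mapping.roles()):
            findings.append(mapping.name)
    return findings


# Constructed sample data: claims as ADFS would issue them (long URIs) and
# three mappings, one of which is written with the long URI by mistake.
SAMPLE_CLAIMS = [
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "jdoe"),
    ("http://schemas.microsoft.com/ws/2008/06/identity/claims/group", r"sitefinity.adfs\PR"),
    ("http://schemas.microsoft.com/ws/2008/06/identity/claims/group", r"sitefinity.adfs\Domain Users"),
]

SAMPLE_MAPPINGS = [
    ClaimsToRolesMapping("PRgroupToAuthors", "group", r"sitefinity.adfs\PR", "Authors"),
    ClaimsToRolesMapping("DomainUsersToBackend", "group", r"sitefinity.adfs\Domain Users",
                         "BackendUsers, Administrators"),
    # Wrong: the long URI never matches, because ClaimMap has already renamed it to "group".
    ClaimsToRolesMapping("LongUriNeverMatches",
                         "http://schemas.microsoft.com/ws/2008/06/identity/claims/group",
                         r"sitefinity.adfs\PR", "Editors"),
]

if __name__ == "__main__":
    print("roles granted:", roles_for_claims(SAMPLE_CLAIMS, SAMPLE_MAPPINGS))
    print("risky mappings:", audit_mappings(SAMPLE_MAPPINGS))
```

Running the script shows that the mapping entered with the full claim-type URI grants nothing, while the Domain Users mapping is reported by the audit because it hands out Administrators to every domain account.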
