I recently had a project where we had to add a new Sitecore site to an existing multi-site Sitecore 8.2 Update 7 instance. This new site had to integrate with Okta to manage user authentication. I found many articles online that integrated Okta with Sitecore's admin interface, but I could not find one that just integrated Okta with a client-facing Sitecore site.
My first step was to take Okta's sample ASP.NET MVC projects from their developer site and test them out. This worked very well with the first authentication method I tried, which was WS-Fed. But when I tried to use the same authentication method with a site in Sitecore, I got errors in my logs like the following:
Sitecore.Security.Principal.SitecoreIdentity does not contain a definition for Claims
Claims are available on HttpContext.User.Identity but not on Sitecore.Security.Principal.SitecoreIdentity, and since the site runs inside Sitecore we could not read the claims. I tried to make claims work in Sitecore by following various online articles but was not successful.
Next I tried OpenID Connect, and again setting up a sample website with Okta authentication was easy. But when I tried to use OpenID Connect with my new Sitecore site, I ran into issues such as an endless authentication loop. I think the reason was that my application saw that the user was not authenticated and sent the user to Okta. Okta checked the user and sent the user back to the site. But Sitecore could not see that the user was authenticated and sent the user back to Okta again. What I really needed was for HttpContext.User.Identity.IsAuthenticated to return true and to be able to read the associated claims. To get past this endless loop I tried a few more articles online, but was not successful in getting OpenID Connect to work.
Then I turned to good old SAML. Again, I first got Okta SAML to work with a sample website.
To set up the Okta SAML application I used:
https://developer.okta.com/standards/SAML/setting_up_a_saml_application_in_okta
and to read the SAML response I used the following simple SAML consumer implementation:
https://github.com/jitbit/AspNetSaml/
As expected this worked fine for the sample website. But to my surprise, it worked seamlessly in my Sitecore site as well. I was able to read the Okta user attributes in Sitecore. I was excited!
Lastly, now that I could read the user attributes, I created a virtual Sitecore user, assigned these user attributes to the virtual user and logged the user into Sitecore as described in this blog:
https://briancaos.wordpress.com/2015/11/13/sitecore-virtual-users-authenticate-users-from-external-systems/
As mentioned in the above article, you can assign the virtual user to a role based on some of the Okta user attributes. Content authors can then restrict a page to a particular role so that only users who belong to that role have access to that page.
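The following is an added example of how the three pieces above fit together in one ASP.NET MVC controller on the Sitecore site: redirecting the browser to Okta, consuming the SAML response with the jitbit AspNetSaml classes, and then building and logging in a Sitecore virtual user with roles derived from the Okta attributes. It is not code from the original post, Okta, jitbit or Sitecore. The route names, the Okta URLs and certificate placeholder, the attribute name "groups", the "extranet" role names and the group-to-role mapping are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;
using Sitecore.Security.Accounts;
using Sitecore.Security.Authentication;

// Hypothetical controller for the client-facing Sitecore site (assumed name and routes).
public class OktaSamlController : Controller
{
    // Values copied from the Okta SAML application settings; placeholders here.
    private const string OktaSsoUrl = "https://<okta-domain>/app/<app-id>/sso/saml";
    private const string AcsUrl = "https://www.example-site.com/oktasaml/acs";
    private const string SpIssuer = "https://www.example-site.com";

    // Okta's X.509 signing certificate (base64 body only). The response is
    // trusted only if its XML signature verifies against this certificate.
    private const string OktaCertificate = "<paste the certificate from Okta here>";

    // Assumed mapping from an Okta group attribute value to a Sitecore extranet role.
    // Only roles that already exist in the extranet domain are ever assigned.
    private static readonly Dictionary<string, string> GroupToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Customers", @"extranet\Customers" },
            { "Partners",  @"extranet\Partners" },
        };

    // Step 1: SP-initiated login, send the browser to Okta with a SAML AuthnRequest.
    public ActionResult Login()
    {
        var request = new Saml.AuthRequest(SpIssuer, AcsUrl);
        return Redirect(request.GetRedirectUrl(OktaSsoUrl));
    }

    // Step 2: Okta POSTs the SAMLResponse to this Assertion Consumer Service URL.
    // The POST is cross-site by design, so no anti-forgery token is expected here.
    [HttpPost]
    public ActionResult Acs()
    {
        var samlResponse = new Saml.Response(OktaCertificate);
        samlResponse.LoadXmlFromBase64(Request.Form["SAMLResponse"]);

        // Signature check against the Okta certificate; reject anything that fails.
        if (!samlResponse.IsValid())
        {
            Sitecore.Diagnostics.Log.Warn("Okta SAML response failed signature validation", this);
            return new HttpStatusCodeResult(401);
        }

        // Step 3: build a Sitecore virtual user from the Okta attributes.
        string nameId = samlResponse.GetNameID();
        User virtualUser = AuthenticationManager.BuildVirtualUser(@"extranet\" + nameId, true);
        virtualUser.Profile.Email = samlResponse.GetEmail();
        virtualUser.Profile.FullName = samlResponse.GetFirstName() + " " + samlResponse.GetLastName();

        // Assumed custom attribute "groups" configured on the Okta app; map it to a role.
        string group = samlResponse.GetCustomAttribute("groups");
        string roleName;
        if (!string.IsNullOrEmpty(group)
            && GroupToRole.TryGetValue(group, out roleName)
            && Role.Exists(roleName))
        {
            virtualUser.RuntimeSettings.AddedRoles.Add(roleName);
        }
        virtualUser.Profile.Save();

        if (!AuthenticationManager.LoginVirtualUser(virtualUser))
        {
            Sitecore.Diagnostics.Log.Warn("Virtual user login failed for " + nameId, this);
            return new HttpStatusCodeResult(401);
        }

        // Only redirect to a path on this site, never to a URL taken from the request.
        return Redirect("/");
    }
}
```

Once LoginVirtualUser succeeds, HttpContext.User.Identity.IsAuthenticated is true for the rest of the session and Sitecore's item security applies the roles in AddedRoles, which is what lets content authors lock a page to, for example, extranet\Partners. The role lookup is deliberately a whitelist keyed on an existing Sitecore role rather than trusting the attribute value as a role name.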
I'm hoping someone else out there finds this blog useful. I told myself that if I solve this issue for myself I would blog about it. So I'm glad I took the time today to write about it.
Hi, I'm Japanese WebSite Developer using Sitecore. Thank you for your contribution.
We will try to integrate Okta authentication to pages on CD server.
So, this article gave us useful information.
I know this info was written in 2018, but I got many hints.