Config examples for Sitecore Identity blog post https://sitecore.derekc.net/mapping-claims-to-user-profiles-in-sitecore-9-1-with-sitecore-identity-server/
| <?xml version="1.0" encoding="utf-8"?> | |
| <configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/" xmlns:set="http://www.sitecore.net/xmlconfig/set/"> | |
| <sitecore role:require="Standalone or ContentDelivery or ContentManagement"> | |
| <sc.variable name="identityServerAuthority" value="https://dco-xpslim-si.azurewebsites.net" /> | |
| <settings> | |
| <!-- The URI of the IdentityServer provider. --> | |
| <setting name="FederatedAuthentication.IdentityServer.Authority" value="$(identityServerAuthority)" /> | |
| <!-- The client identifier on the IdentityServer. --> | |
| <setting name="FederatedAuthentication.IdentityServer.ClientId" value="Sitecore" /> | |
| <!-- The client identifier for the Resource Owner Password flow on the IdentityServer. --> | |
| <setting name="FederatedAuthentication.IdentityServer.ResourceOwnerClientId" value="SitecorePassword" /> | |
| </settings> | |
| <services> | |
| <configurator type="Sitecore.Owin.Authentication.IdentityServer.ServicesConfigurator, Sitecore.Owin.Authentication.IdentityServer" /> | |
| </services> | |
| <pipelines> | |
| <owin.identityProviders> | |
| <processor type="Sitecore.Owin.Authentication.IdentityServer.Pipelines.IdentityProviders.ConfigureIdentityServer, Sitecore.Owin.Authentication.IdentityServer" resolve="true" id="SitecoreIdentityServer"> | |
| <scopes hint="list"> | |
| <scope name="openid">openid</scope> | |
| <scope name="sitecore.profile">sitecore.profile</scope> | |
| </scopes> | |
| </processor> | |
| </owin.identityProviders> | |
| <owin.initialize> | |
| <processor type="Sitecore.Owin.Authentication.IdentityServer.Pipelines.Initialize.InterceptLegacyShellLoginPage, Sitecore.Owin.Authentication.IdentityServer" patch:before="processor[@method='Authenticate']" resolve="true"> | |
| <legacyShellLoginPage>/sitecore/login</legacyShellLoginPage> | |
| </processor> | |
| <processor type="Sitecore.Owin.Authentication.IdentityServer.Pipelines.Initialize.JwtBearerAuthentication, Sitecore.Owin.Authentication.IdentityServer" patch:before="processor[@method='Authenticate']" resolve="true"> | |
| <identityProviderName>SitecoreIdentityServer</identityProviderName> | |
| <audiences hint="raw:AddAudience"> | |
| <audience value="$(identityServerAuthority)/resources" /> | |
| </audiences> | |
| <issuers hint="list"> | |
| <issuer>$(identityServerAuthority)</issuer> | |
| </issuers> | |
| </processor> | |
| </owin.initialize> | |
| </pipelines> | |
| <federatedAuthentication> | |
| <identityProvidersPerSites> | |
| <mapEntry name="sites with the core and unspecified database"> | |
| <identityProviders hint="list:AddIdentityProvider"> | |
| <identityProvider ref="federatedAuthentication/identityProviders/identityProvider[@id='SitecoreIdentityServer']" id="SitecoreIdentityServer" /> | |
| </identityProviders> | |
| </mapEntry> | |
| <!-- An example that maps a sub-provider of the Identity Server to the sites that are not mapped to the SitecoreIdentityServer. --> | |
| <!-- | |
| <mapEntry name="all sites"> | |
| <identityProviders hint="list:AddIdentityProvider"> | |
| <identityProvider ref="federatedAuthentication/identityProviders/identityProvider[@id='SitecoreIdentityServer/IdS4-AzureAd']" /> | |
| </identityProviders> | |
| </mapEntry> | |
| --> | |
| </identityProvidersPerSites> | |
| <identityProviders> | |
| <identityProvider id="SitecoreIdentityServer" type="Sitecore.Owin.Authentication.IdentityServer.IdentityServerProvider, Sitecore.Owin.Authentication.IdentityServer" resolve="true"> | |
| <caption>Go to login</caption> | |
| <domain>sitecore</domain> | |
| <enabled>true</enabled> | |
| <triggerExternalSignOut>true</triggerExternalSignOut> | |
| <transformations hint="list:AddTransformation"> | |
| <transformation name="apply additional claims" type="Sitecore.Owin.Authentication.IdentityServer.Transformations.ApplyAdditionalClaims, Sitecore.Owin.Authentication.IdentityServer" resolve="true" /> | |
| <transformation name="name to long name" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication"> | |
| <sources hint="raw:AddSource"> | |
| <claim name="name" /> | |
| </sources> | |
| <targets hint="raw:AddTarget"> | |
| <claim name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" /> | |
| </targets> | |
| <keepSource>true</keepSource> | |
| </transformation> | |
| <transformation name="role to long role" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication"> | |
| <sources hint="raw:AddSource"> | |
| <claim name="role" /> | |
| </sources> | |
| <targets hint="raw:AddTarget"> | |
| <claim name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" /> | |
| </targets> | |
| <keepSource>false</keepSource> | |
| </transformation> | |
| <transformation name="set ShadowUser" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication"> | |
| <sources hint="raw:AddSource"> | |
| <claim name="http://schemas.microsoft.com/identity/claims/identityprovider" value="local" /> | |
| </sources> | |
| <targets hint="raw:AddTarget"> | |
| <claim name="http://www.sitecore.net/identity/claims/shadowuser" value="true" /> | |
| </targets> | |
| <keepSource>true</keepSource> | |
| </transformation> | |
| <!-- owin.cookieAuthentication.signIn pipeline uses http://www.sitecore.net/identity/claims/cookieExp claim to override authentication cookie expiration. | |
| 'exp' claim value can be configured on Sitecore Identity server on the client configuration by IdentityTokenLifetimeInSeconds setting. | |
| Note: Claim value is Unix time expressed as the number of seconds that have elapsed since 1970-01-01T00:00:00Z --> | |
| <transformation name="use exp claim for authentication cookie expiration" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication"> | |
| <sources hint="raw:AddSource"> | |
| <claim name="exp" /> | |
| </sources> | |
| <targets hint="raw:AddTarget"> | |
| <claim name="http://www.sitecore.net/identity/claims/cookieExp" /> | |
| </targets> | |
| <keepSource>true</keepSource> | |
| </transformation> | |
| <!-- <transformation name="remove local role claims" type="Sitecore.Owin.Authentication.IdentityServer.Transformations.RemoveLocalRoles, Sitecore.Owin.Authentication.IdentityServer" /> --> | |
| <transformation name="adjust NameIdentifier claim" type="Sitecore.Owin.Authentication.IdentityServer.Transformations.AdjustNameIdentifierClaim, Sitecore.Owin.Authentication.IdentityServer" resolve="true" /> | |
| </transformations> | |
| </identityProvider> | |
| <!-- An example of how to add an identity provider as a sub-provider of the Identity Server. | |
| The 'name' property must be in the following format: SitecoreIdentityServer/[AuthenticationScheme], where the 'AuthenticationScheme' equals the | |
| authentication scheme of an external identity provider that is configured on the Identity Server. | |
| Notes: | |
| 1. The 'TriggerExternalSignOut' and 'Transformations' properties are inherited from the the Identity Server provider node and can not be overridden. | |
| 2. To use a sub-provider, the 'Enabled' property of the Identity Server provider must be set to 'Enabled'. --> | |
| <!-- | |
| <identityProvider id="SitecoreIdentityServer/IdS4-AzureAd" type="Sitecore.Owin.Authentication.Configuration.DefaultIdentityProvider, Sitecore.Owin.Authentication"> | |
| <param desc="name">$(id)</param> | |
| <param desc="domainManager" type="Sitecore.Abstractions.BaseDomainManager" resolve="true" /> | |
| <caption>Log in with Sitecore Identity: Azure AD</caption> | |
| <icon>/sitecore/shell/themes/standard/Images/24x24/msazure.png</icon> | |
| <domain>sitecore</domain> | |
| </identityProvider> | |
| --> | |
| </identityProviders> | |
| <propertyInitializer> | |
| <maps> | |
| <map name="set Email" type="Sitecore.Owin.Authentication.Services.DefaultClaimToPropertyMapper, Sitecore.Owin.Authentication"> | |
| <data hint="raw:AddData"> | |
| <source name="email" /> | |
| <target name="Email" /> | |
| </data> | |
| </map> | |
| <map name="set FullName" type="Sitecore.Owin.Authentication.Services.DefaultClaimToPropertyMapper, Sitecore.Owin.Authentication"> | |
| <data hint="raw:AddData"> | |
| <source name="name" /> | |
| <target name="FullName" /> | |
| </data> | |
| </map> | |
| <map name="set IsAdministrator" type="Sitecore.Owin.Authentication.Services.DefaultClaimToPropertyMapper, Sitecore.Owin.Authentication"> | |
| <data hint="raw:AddData"> | |
| <source name="http://www.sitecore.net/identity/claims/isAdmin" value="true" /> | |
| <target name="IsAdministrator" value="true" /> | |
| </data> | |
| </map> | |
| </maps> | |
| </propertyInitializer> | |
| </federatedAuthentication> | |
| <sites> | |
| <site name="shell" set:loginPage="$(loginPath)shell/SitecoreIdentityServer" /> | |
| <site name="admin" set:loginPage="$(loginPath)admin/SitecoreIdentityServer" /> | |
| </sites> | |
| </sitecore> | |
| </configuration> |
| <?xml version="1.0" encoding="utf-8"?> | |
| <Settings> | |
| <Sitecore> | |
| <ExternalIdentityProviders> | |
| <IdentityProviders> | |
| <AzureAd type="Sitecore.Plugin.IdentityProviders.IdentityProvider, Sitecore.Plugin.IdentityProviders"> | |
| <AuthenticationScheme>IdS4-AzureAd</AuthenticationScheme> | |
| <DisplayName>Azure AD</DisplayName> | |
| <Enabled>true</Enabled> | |
| <ClientId>YourClientIdGoesHere</ClientId> | |
| <TenantId>YourTenantIdGoesHere</TenantId> | |
| <MetadataAddress></MetadataAddress> | |
| <ClaimsTransformations> | |
| <!--Place transformation rules here. --> | |
| <ClaimsTransformation1 type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders"> | |
| <SourceClaims> | |
| <Claim1 type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" /> | |
| </SourceClaims> | |
| <NewClaims> | |
| <Claim1 type="email" /> | |
| </NewClaims> | |
| </ClaimsTransformation1 > | |
| <ClaimsTransformation2 type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders"> | |
| <SourceClaims> | |
| <Claim1 type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" /> | |
| </SourceClaims> | |
| <NewClaims> | |
| <Claim1 type="name" /> | |
| </NewClaims> | |
| </ClaimsTransformation2> | |
| <AzureADUserToAdminUser type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders"> | |
| <SourceClaims> | |
| <Claim1 type="groups" value="00ce12e7-9064-4452-8c57-bdd42bfb0f6f" /> | |
| </SourceClaims> | |
| <NewClaims> | |
| <Claim1 type="http://www.sitecore.net/identity/claims/isAdmin" value="true"/> | |
| </NewClaims> | |
| </AzureADUserToAdminUser> | |
| <AzureADUserToAuthor type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders"> | |
| <SourceClaims> | |
| <Claim1 type="groups" value="3f93d43e-f736-4c9f-8816-da33ed6271a6" /> | |
| </SourceClaims> | |
| <NewClaims> | |
| <Claim1 type="role" value="Sitecore\Developer"/> | |
| </NewClaims> | |
| </AzureADUserToAuthor> | |
| </ClaimsTransformations> | |
| </AzureAd> | |
| </IdentityProviders> | |
| </ExternalIdentityProviders> | |
| </Sitecore> | |
| </Settings> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment