Last active
February 25, 2022 19:00
Config examples for Sitecore Identity blog post https://sitecore.derekc.net/mapping-claims-to-user-profiles-in-sitecore-9-1-with-sitecore-identity-server/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/" xmlns:set="http://www.sitecore.net/xmlconfig/set/"> | |
| <sitecore role:require="Standalone or ContentDelivery or ContentManagement"> | |
| <sc.variable name="identityServerAuthority" value="https://dco-xpslim-si.azurewebsites.net" /> | |
| <settings> | |
| <!-- The URI of the IdentityServer provider. --> | |
| <setting name="FederatedAuthentication.IdentityServer.Authority" value="$(identityServerAuthority)" /> | |
| <!-- The client identifier on the IdentityServer. --> | |
| <setting name="FederatedAuthentication.IdentityServer.ClientId" value="Sitecore" /> | |
| <!-- The client identifier for the Resource Owner Password flow on the IdentityServer. --> | |
| <setting name="FederatedAuthentication.IdentityServer.ResourceOwnerClientId" value="SitecorePassword" /> | |
| </settings> | |
| <services> | |
| <configurator type="Sitecore.Owin.Authentication.IdentityServer.ServicesConfigurator, Sitecore.Owin.Authentication.IdentityServer" /> | |
| </services> | |
| <pipelines> | |
| <owin.identityProviders> | |
| <processor type="Sitecore.Owin.Authentication.IdentityServer.Pipelines.IdentityProviders.ConfigureIdentityServer, Sitecore.Owin.Authentication.IdentityServer" resolve="true" id="SitecoreIdentityServer"> | |
| <scopes hint="list"> | |
| <scope name="openid">openid</scope> | |
| <scope name="sitecore.profile">sitecore.profile</scope> | |
| </scopes> | |
| </processor> | |
| </owin.identityProviders> | |
| <owin.initialize> | |
| <processor type="Sitecore.Owin.Authentication.IdentityServer.Pipelines.Initialize.InterceptLegacyShellLoginPage, Sitecore.Owin.Authentication.IdentityServer" patch:before="processor[@method='Authenticate']" resolve="true"> | |
| <legacyShellLoginPage>/sitecore/login</legacyShellLoginPage> | |
| </processor> | |
| <processor type="Sitecore.Owin.Authentication.IdentityServer.Pipelines.Initialize.JwtBearerAuthentication, Sitecore.Owin.Authentication.IdentityServer" patch:before="processor[@method='Authenticate']" resolve="true"> | |
| <identityProviderName>SitecoreIdentityServer</identityProviderName> | |
| <audiences hint="raw:AddAudience"> | |
| <audience value="$(identityServerAuthority)/resources" /> | |
| </audiences> | |
| <issuers hint="list"> | |
| <issuer>$(identityServerAuthority)</issuer> | |
| </issuers> | |
| </processor> | |
| </owin.initialize> | |
| </pipelines> | |
| <federatedAuthentication> | |
| <identityProvidersPerSites> | |
| <mapEntry name="sites with the core and unspecified database"> | |
| <identityProviders hint="list:AddIdentityProvider"> | |
| <identityProvider ref="federatedAuthentication/identityProviders/identityProvider[@id='SitecoreIdentityServer']" id="SitecoreIdentityServer" /> | |
| </identityProviders> | |
| </mapEntry> | |
| <!-- An example that maps a sub-provider of the Identity Server to the sites that are not mapped to the SitecoreIdentityServer. --> | |
| <!-- | |
| <mapEntry name="all sites"> | |
| <identityProviders hint="list:AddIdentityProvider"> | |
| <identityProvider ref="federatedAuthentication/identityProviders/identityProvider[@id='SitecoreIdentityServer/IdS4-AzureAd']" /> | |
| </identityProviders> | |
| </mapEntry> | |
| --> | |
| </identityProvidersPerSites> | |
| <identityProviders> | |
| <identityProvider id="SitecoreIdentityServer" type="Sitecore.Owin.Authentication.IdentityServer.IdentityServerProvider, Sitecore.Owin.Authentication.IdentityServer" resolve="true"> | |
| <caption>Go to login</caption> | |
| <domain>sitecore</domain> | |
| <enabled>true</enabled> | |
| <triggerExternalSignOut>true</triggerExternalSignOut> | |
| <transformations hint="list:AddTransformation"> | |
| <transformation name="apply additional claims" type="Sitecore.Owin.Authentication.IdentityServer.Transformations.ApplyAdditionalClaims, Sitecore.Owin.Authentication.IdentityServer" resolve="true" /> | |
| <transformation name="name to long name" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication"> | |
| <sources hint="raw:AddSource"> | |
| <claim name="name" /> | |
| </sources> | |
| <targets hint="raw:AddTarget"> | |
| <claim name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" /> | |
| </targets> | |
| <keepSource>true</keepSource> | |
| </transformation> | |
| <transformation name="role to long role" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication"> | |
| <sources hint="raw:AddSource"> | |
| <claim name="role" /> | |
| </sources> | |
| <targets hint="raw:AddTarget"> | |
| <claim name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" /> | |
| </targets> | |
| <keepSource>false</keepSource> | |
| </transformation> | |
| <transformation name="set ShadowUser" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication"> | |
| <sources hint="raw:AddSource"> | |
| <claim name="http://schemas.microsoft.com/identity/claims/identityprovider" value="local" /> | |
| </sources> | |
| <targets hint="raw:AddTarget"> | |
| <claim name="http://www.sitecore.net/identity/claims/shadowuser" value="true" /> | |
| </targets> | |
| <keepSource>true</keepSource> | |
| </transformation> | |
| <!-- owin.cookieAuthentication.signIn pipeline uses http://www.sitecore.net/identity/claims/cookieExp claim to override authentication cookie expiration. | |
| 'exp' claim value can be configured on Sitecore Identity server on the client configuration by IdentityTokenLifetimeInSeconds setting. | |
| Note: Claim value is Unix time expressed as the number of seconds that have elapsed since 1970-01-01T00:00:00Z --> | |
| <transformation name="use exp claim for authentication cookie expiration" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication"> | |
| <sources hint="raw:AddSource"> | |
| <claim name="exp" /> | |
| </sources> | |
| <targets hint="raw:AddTarget"> | |
| <claim name="http://www.sitecore.net/identity/claims/cookieExp" /> | |
| </targets> | |
| <keepSource>true</keepSource> | |
| </transformation> | |
| <!-- <transformation name="remove local role claims" type="Sitecore.Owin.Authentication.IdentityServer.Transformations.RemoveLocalRoles, Sitecore.Owin.Authentication.IdentityServer" /> --> | |
| <transformation name="adjust NameIdentifier claim" type="Sitecore.Owin.Authentication.IdentityServer.Transformations.AdjustNameIdentifierClaim, Sitecore.Owin.Authentication.IdentityServer" resolve="true" /> | |
| </transformations> | |
| </identityProvider> | |
| <!-- An example of how to add an identity provider as a sub-provider of the Identity Server. | |
| The 'name' property must be in the following format: SitecoreIdentityServer/[AuthenticationScheme], where the 'AuthenticationScheme' equals the | |
| authentication scheme of an external identity provider that is configured on the Identity Server. | |
| Notes: | |
| 1. The 'TriggerExternalSignOut' and 'Transformations' properties are inherited from the the Identity Server provider node and can not be overridden. | |
| 2. To use a sub-provider, the 'Enabled' property of the Identity Server provider must be set to 'Enabled'. --> | |
| <!-- | |
| <identityProvider id="SitecoreIdentityServer/IdS4-AzureAd" type="Sitecore.Owin.Authentication.Configuration.DefaultIdentityProvider, Sitecore.Owin.Authentication"> | |
| <param desc="name">$(id)</param> | |
| <param desc="domainManager" type="Sitecore.Abstractions.BaseDomainManager" resolve="true" /> | |
| <caption>Log in with Sitecore Identity: Azure AD</caption> | |
| <icon>/sitecore/shell/themes/standard/Images/24x24/msazure.png</icon> | |
| <domain>sitecore</domain> | |
| </identityProvider> | |
| --> | |
| </identityProviders> | |
| <propertyInitializer> | |
| <maps> | |
| <map name="set Email" type="Sitecore.Owin.Authentication.Services.DefaultClaimToPropertyMapper, Sitecore.Owin.Authentication"> | |
| <data hint="raw:AddData"> | |
| <source name="email" /> | |
| <target name="Email" /> | |
| </data> | |
| </map> | |
| <map name="set FullName" type="Sitecore.Owin.Authentication.Services.DefaultClaimToPropertyMapper, Sitecore.Owin.Authentication"> | |
| <data hint="raw:AddData"> | |
| <source name="name" /> | |
| <target name="FullName" /> | |
| </data> | |
| </map> | |
| <map name="set IsAdministrator" type="Sitecore.Owin.Authentication.Services.DefaultClaimToPropertyMapper, Sitecore.Owin.Authentication"> | |
| <data hint="raw:AddData"> | |
| <source name="http://www.sitecore.net/identity/claims/isAdmin" value="true" /> | |
| <target name="IsAdministrator" value="true" /> | |
| </data> | |
| </map> | |
| </maps> | |
| </propertyInitializer> | |
| </federatedAuthentication> | |
| <sites> | |
| <site name="shell" set:loginPage="$(loginPath)shell/SitecoreIdentityServer" /> | |
| <site name="admin" set:loginPage="$(loginPath)admin/SitecoreIdentityServer" /> | |
| </sites> | |
| </sitecore> | |
| </configuration> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <Settings> | |
| <Sitecore> | |
| <ExternalIdentityProviders> | |
| <IdentityProviders> | |
| <AzureAd type="Sitecore.Plugin.IdentityProviders.IdentityProvider, Sitecore.Plugin.IdentityProviders"> | |
| <AuthenticationScheme>IdS4-AzureAd</AuthenticationScheme> | |
| <DisplayName>Azure AD</DisplayName> | |
| <Enabled>true</Enabled> | |
| <ClientId>YourClientIdGoesHere</ClientId> | |
| <TenantId>YourTenantIdGoesHere</TenantId> | |
| <MetadataAddress></MetadataAddress> | |
| <ClaimsTransformations> | |
| <!--Place transformation rules here. --> | |
| <ClaimsTransformation1 type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders"> | |
| <SourceClaims> | |
| <Claim1 type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" /> | |
| </SourceClaims> | |
| <NewClaims> | |
| <Claim1 type="email" /> | |
| </NewClaims> | |
| </ClaimsTransformation1 > | |
| <ClaimsTransformation2 type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders"> | |
| <SourceClaims> | |
| <Claim1 type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" /> | |
| </SourceClaims> | |
| <NewClaims> | |
| <Claim1 type="name" /> | |
| </NewClaims> | |
| </ClaimsTransformation2> | |
| <AzureADUserToAdminUser type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders"> | |
| <SourceClaims> | |
| <Claim1 type="groups" value="00ce12e7-9064-4452-8c57-bdd42bfb0f6f" /> | |
| </SourceClaims> | |
| <NewClaims> | |
| <Claim1 type="http://www.sitecore.net/identity/claims/isAdmin" value="true"/> | |
| </NewClaims> | |
| </AzureADUserToAdminUser> | |
| <AzureADUserToAuthor type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders"> | |
| <SourceClaims> | |
| <Claim1 type="groups" value="3f93d43e-f736-4c9f-8816-da33ed6271a6" /> | |
| </SourceClaims> | |
| <NewClaims> | |
| <Claim1 type="role" value="Sitecore\Developer"/> | |
| </NewClaims> | |
| </AzureADUserToAuthor> | |
| </ClaimsTransformations> | |
| </AzureAd> | |
| </IdentityProviders> | |
| </ExternalIdentityProviders> | |
| </Sitecore> | |
| </Settings> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I am sure you have tested this for 9.1, but on 10.2 it is not working and I am using XM. Please let me know. Really struggling to get his work for one my clients