Config examples for Sitecore Identity blog post https://sitecore.derekc.net/mapping-claims-to-user-profiles-in-sitecore-9-1-with-sitecore-identity-server/
<?xml version="1.0" encoding="utf-8"?>
<!--
  Sitecore config patch that enables Sitecore Identity Server as the federated identity
  provider for the Standalone, ContentDelivery and ContentManagement roles (role:require below).
  The identityServerAuthority variable is the single place the Identity Server URL is set; the
  value here is the blog post's example host, so point it at your own Identity Server before use.
-->
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/" xmlns:set="http://www.sitecore.net/xmlconfig/set/">
  <sitecore role:require="Standalone or ContentDelivery or ContentManagement">
    <!-- Base URL of the Identity Server. It is reused verbatim below as the JWT issuer and as the prefix of
         the accepted audience, so it presumably has to match the issuer the Identity Server writes into its
         tokens exactly (scheme and host, no trailing slash); confirm against the tokens you actually receive. -->
    <sc.variable name="identityServerAuthority" value="https://dco-xpslim-si.azurewebsites.net" />
    <settings>
      <!-- The URI of the IdentityServer provider. -->
      <setting name="FederatedAuthentication.IdentityServer.Authority" value="$(identityServerAuthority)" />
      <!-- The client identifier on the IdentityServer (interactive browser sign-in). -->
      <setting name="FederatedAuthentication.IdentityServer.ClientId" value="Sitecore" />
      <!-- The client identifier for the Resource Owner Password flow on the IdentityServer. -->
      <setting name="FederatedAuthentication.IdentityServer.ResourceOwnerClientId" value="SitecorePassword" />
    </settings>
    <services>
      <!-- Registers the Identity Server integration's services in the Sitecore container (presumably). -->
      <configurator type="Sitecore.Owin.Authentication.IdentityServer.ServicesConfigurator, Sitecore.Owin.Authentication.IdentityServer" />
    </services>
    <pipelines>
      <owin.identityProviders>
        <!-- Registers the Identity Server provider with the OWIN authentication pipeline. The scopes list is what
             Sitecore requests from the Identity Server: openid, plus sitecore.profile (presumably the
             Sitecore-specific profile claims; confirm on the Identity Server's client definition). -->
        <processor type="Sitecore.Owin.Authentication.IdentityServer.Pipelines.IdentityProviders.ConfigureIdentityServer, Sitecore.Owin.Authentication.IdentityServer" resolve="true" id="SitecoreIdentityServer">
          <scopes hint="list">
            <scope name="openid">openid</scope>
            <scope name="sitecore.profile">sitecore.profile</scope>
          </scopes>
        </processor>
      </owin.identityProviders>
      <owin.initialize>
        <!-- Inserted before the Authenticate processor so the legacy /sitecore/login page is handled first
             (presumably redirected to the Identity Server login; confirm). -->
        <processor type="Sitecore.Owin.Authentication.IdentityServer.Pipelines.Initialize.InterceptLegacyShellLoginPage, Sitecore.Owin.Authentication.IdentityServer" patch:before="processor[@method='Authenticate']" resolve="true">
          <legacyShellLoginPage>/sitecore/login</legacyShellLoginPage>
        </processor>
        <!-- Accepts JWT bearer tokens issued by the Identity Server (token-based calls rather than cookie sign-in).
             The audiences and issuers lists are the validation allow-list for those tokens; keep both pinned to
             your own authority so tokens minted by another issuer, or for another resource, are not accepted.
             NOTE(review): the exact validation rules live in the processor, not here; confirm they match. -->
        <processor type="Sitecore.Owin.Authentication.IdentityServer.Pipelines.Initialize.JwtBearerAuthentication, Sitecore.Owin.Authentication.IdentityServer" patch:before="processor[@method='Authenticate']" resolve="true">
          <identityProviderName>SitecoreIdentityServer</identityProviderName>
          <audiences hint="raw:AddAudience">
            <audience value="$(identityServerAuthority)/resources" />
          </audiences>
          <issuers hint="list">
            <issuer>$(identityServerAuthority)</issuer>
          </issuers>
        </processor>
      </owin.initialize>
    </pipelines>
    <federatedAuthentication>
      <!-- Which identity providers are offered on which sites. The provider is referenced by id through ref,
           not redeclared here. -->
      <identityProvidersPerSites>
        <!-- The entry name is a Sitecore-defined selector (presumably the shell-type sites that use the core
             database, or no database; confirm). -->
        <mapEntry name="sites with the core and unspecified database">
          <identityProviders hint="list:AddIdentityProvider">
            <identityProvider ref="federatedAuthentication/identityProviders/identityProvider[@id='SitecoreIdentityServer']" id="SitecoreIdentityServer" />
          </identityProviders>
        </mapEntry>
        <!-- An example that maps a sub-provider of the Identity Server to the sites that are not mapped to the SitecoreIdentityServer. -->
        <!--
        <mapEntry name="all sites">
          <identityProviders hint="list:AddIdentityProvider">
            <identityProvider ref="federatedAuthentication/identityProviders/identityProvider[@id='SitecoreIdentityServer/IdS4-AzureAd']" />
          </identityProviders>
        </mapEntry>
        -->
      </identityProvidersPerSites>
      <identityProviders>
        <!-- The Identity Server provider itself. caption is the login button text; domain is the Sitecore
             security domain the externally authenticated users belong to (presumably where their user records
             are created; confirm); triggerExternalSignOut presumably makes a Sitecore sign-out also sign the
             user out of the Identity Server; confirm. -->
        <identityProvider id="SitecoreIdentityServer" type="Sitecore.Owin.Authentication.IdentityServer.IdentityServerProvider, Sitecore.Owin.Authentication.IdentityServer" resolve="true">
          <caption>Go to login</caption>
          <domain>sitecore</domain>
          <enabled>true</enabled>
          <triggerExternalSignOut>true</triggerExternalSignOut>
          <!-- Claim transformations applied, in the order written, to the claims received from the Identity Server
               before the claims are mapped onto the Sitecore user. For the DefaultTransformation entries the
               sources are matched by name (and by value where one is given) and the targets are added;
               keepSource presumably decides whether the original claim is kept alongside the new one; confirm. -->
          <transformations hint="list:AddTransformation">
            <transformation name="apply additional claims" type="Sitecore.Owin.Authentication.IdentityServer.Transformations.ApplyAdditionalClaims, Sitecore.Owin.Authentication.IdentityServer" resolve="true" />
            <!-- Short "name" claim is mirrored onto the WS-Federation long claim type; the short one is kept. -->
            <transformation name="name to long name" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
              <sources hint="raw:AddSource">
                <claim name="name" />
              </sources>
              <targets hint="raw:AddTarget">
                <claim name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" />
              </targets>
              <keepSource>true</keepSource>
            </transformation>
            <!-- Short "role" claims become the long role claim type and the short form is dropped. This is the
                 point where roles issued upstream (by the Identity Server) enter Sitecore unchanged, so role
                 issuance has to be trusted on the Identity Server side. -->
            <transformation name="role to long role" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
              <sources hint="raw:AddSource">
                <claim name="role" />
              </sources>
              <targets hint="raw:AddTarget">
                <claim name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" />
              </targets>
              <keepSource>false</keepSource>
            </transformation>
            <!-- Flags the identity as a shadow user when the identityprovider claim has the value "local"
                 (presumably accounts held in the Identity Server's own user store rather than an external
                 provider such as Azure AD; confirm). -->
            <transformation name="set ShadowUser" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
              <sources hint="raw:AddSource">
                <claim name="http://schemas.microsoft.com/identity/claims/identityprovider" value="local" />
              </sources>
              <targets hint="raw:AddTarget">
                <claim name="http://www.sitecore.net/identity/claims/shadowuser" value="true" />
              </targets>
              <keepSource>true</keepSource>
            </transformation>
            <!-- owin.cookieAuthentication.signIn pipeline uses the http://www.sitecore.net/identity/claims/cookieExp claim
                 to override the authentication cookie expiration, i.e. the Sitecore cookie lives no longer than the token.
                 The 'exp' claim value can be configured on the Sitecore Identity server in the client configuration by the
                 IdentityTokenLifetimeInSeconds setting.
                 Note: the claim value is Unix time expressed as the number of seconds elapsed since 1970-01-01T00:00:00Z. -->
            <transformation name="use exp claim for authentication cookie expiration" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
              <sources hint="raw:AddSource">
                <claim name="exp" />
              </sources>
              <targets hint="raw:AddTarget">
                <claim name="http://www.sitecore.net/identity/claims/cookieExp" />
              </targets>
              <keepSource>true</keepSource>
            </transformation>
            <!-- Left disabled as shipped. NOTE(review): by its name this transformation would strip role claims
                 coming from local (Identity Server user store) accounts; while it is disabled, every role claim
                 received is kept by the "role to long role" transformation above. Confirm that is intended. -->
            <!-- <transformation name="remove local role claims" type="Sitecore.Owin.Authentication.IdentityServer.Transformations.RemoveLocalRoles, Sitecore.Owin.Authentication.IdentityServer" /> -->
            <!-- Presumably normalizes the name identifier claim used to key the Sitecore user; confirm. -->
            <transformation name="adjust NameIdentifier claim" type="Sitecore.Owin.Authentication.IdentityServer.Transformations.AdjustNameIdentifierClaim, Sitecore.Owin.Authentication.IdentityServer" resolve="true" />
          </transformations>
        </identityProvider>
        <!-- An example of how to add an identity provider as a sub-provider of the Identity Server.
             The 'name' property must be in the following format: SitecoreIdentityServer/[AuthenticationScheme], where the 'AuthenticationScheme' equals the
             authentication scheme of an external identity provider that is configured on the Identity Server.
             Notes:
             1. The 'TriggerExternalSignOut' and 'Transformations' properties are inherited from the Identity Server provider node and can not be overridden.
             2. To use a sub-provider, the 'Enabled' property of the Identity Server provider must be set to 'Enabled'. -->
        <!--
        <identityProvider id="SitecoreIdentityServer/IdS4-AzureAd" type="Sitecore.Owin.Authentication.Configuration.DefaultIdentityProvider, Sitecore.Owin.Authentication">
          <param desc="name">$(id)</param>
          <param desc="domainManager" type="Sitecore.Abstractions.BaseDomainManager" resolve="true" />
          <caption>Log in with Sitecore Identity: Azure AD</caption>
          <icon>/sitecore/shell/themes/standard/Images/24x24/msazure.png</icon>
          <domain>sitecore</domain>
        </identityProvider>
        -->
      </identityProviders>
      <!-- Copies claims onto the Sitecore user profile. Each map sets the target property from the source claim;
           where a value is given on the source, the claim must carry that value for the map to apply. -->
      <propertyInitializer>
        <maps>
          <!-- "email" claim becomes the profile Email property. -->
          <map name="set Email" type="Sitecore.Owin.Authentication.Services.DefaultClaimToPropertyMapper, Sitecore.Owin.Authentication">
            <data hint="raw:AddData">
              <source name="email" />
              <target name="Email" />
            </data>
          </map>
          <!-- "name" claim becomes the profile FullName property. -->
          <map name="set FullName" type="Sitecore.Owin.Authentication.Services.DefaultClaimToPropertyMapper, Sitecore.Owin.Authentication">
            <data hint="raw:AddData">
              <source name="name" />
              <target name="FullName" />
            </data>
          </map>
          <!-- Administrator grant: IsAdministrator is set to true whenever the isAdmin claim arrives with value "true".
               That claim is minted upstream (in this setup by the Identity Server's own claims transformations, from
               an Azure AD group membership), so whatever produces it is effectively the Sitecore administrators group
               and should be guarded and audited as such.
               NOTE(review): no map here clears IsAdministrator when the claim is absent; confirm whether the mapper
               resets the property on a later login, otherwise admin rights could outlive the group membership. -->
          <map name="set IsAdministrator" type="Sitecore.Owin.Authentication.Services.DefaultClaimToPropertyMapper, Sitecore.Owin.Authentication">
            <data hint="raw:AddData">
              <source name="http://www.sitecore.net/identity/claims/isAdmin" value="true" />
              <target name="IsAdministrator" value="true" />
            </data>
          </map>
        </maps>
      </propertyInitializer>
    </federatedAuthentication>
    <sites>
      <!-- Overrides the login page of the shell and admin sites so they go straight to the Identity Server provider
           ($(loginPath) is a Sitecore-defined variable resolved at runtime). -->
      <site name="shell" set:loginPage="$(loginPath)shell/SitecoreIdentityServer" />
      <site name="admin" set:loginPage="$(loginPath)admin/SitecoreIdentityServer" />
    </sites>
  </sitecore>
</configuration>
<?xml version="1.0" encoding="utf-8"?>
<!--
  Sitecore Identity Server plugin settings (Sitecore.Plugin.IdentityProviders) registering Azure AD as an
  external identity provider. The AuthenticationScheme "IdS4-AzureAd" is what the Sitecore side refers to as
  the sub-provider "SitecoreIdentityServer/IdS4-AzureAd". The claims transformations at the bottom are where
  Azure AD group membership is turned into Sitecore privileges, so changes here are access-control changes.
-->
<Settings>
  <Sitecore>
    <ExternalIdentityProviders>
      <IdentityProviders>
        <AzureAd type="Sitecore.Plugin.IdentityProviders.IdentityProvider, Sitecore.Plugin.IdentityProviders">
          <!-- Scheme name; must equal the [AuthenticationScheme] part of the sub-provider id used on the Sitecore side. -->
          <AuthenticationScheme>IdS4-AzureAd</AuthenticationScheme>
          <!-- Caption shown for this provider on the Identity Server login page (presumably). -->
          <DisplayName>Azure AD</DisplayName>
          <Enabled>true</Enabled>
          <!-- Placeholders: replace with the app registration's client id and the id of the directory whose users may
               sign in. These are identifiers, not secrets, but TenantId presumably pins which directory is trusted,
               so avoid multi-tenant values unless that is intended; confirm. -->
          <ClientId>YourClientIdGoesHere</ClientId>
          <TenantId>YourTenantIdGoesHere</TenantId>
          <!-- Left empty; presumably the plugin derives the OpenID Connect metadata endpoint from TenantId when blank. Confirm. -->
          <MetadataAddress></MetadataAddress>
          <!-- Each DefaultClaimsTransformation adds its NewClaims when the SourceClaims match (by type, and by value
               where a value is given); presumably all listed source claims must match. Applied in the order written. -->
          <ClaimsTransformations>
            <!--Place transformation rules here. -->
            <!-- Azure AD UPN becomes the "email" claim that Sitecore's "set Email" mapping consumes.
                 NOTE(review): a UPN is not guaranteed to be a deliverable mailbox address; confirm this is acceptable
                 for how the Email property is used. -->
            <ClaimsTransformation1 type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders">
              <SourceClaims>
                <Claim1 type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" />
              </SourceClaims>
              <NewClaims>
                <Claim1 type="email" />
              </NewClaims>
            </ClaimsTransformation1>
            <!-- Long WS-Federation name claim becomes the short "name" claim consumed by Sitecore's "set FullName" mapping. -->
            <ClaimsTransformation2 type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders">
              <SourceClaims>
                <Claim1 type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" />
              </SourceClaims>
              <NewClaims>
                <Claim1 type="name" />
              </NewClaims>
            </ClaimsTransformation2>
            <!-- Administrator grant: a "groups" claim carrying this group object id yields isAdmin=true, which the
                 Sitecore side maps onto IsAdministrator. Treat the Azure AD group as the Sitecore administrators group
                 (membership changes are privilege changes). The GUID is presumably the blog post's example group;
                 replace it with your own group's object id.
                 NOTE(review): this only fires if Azure AD actually emits the groups claim for this app registration
                 (group claims configured, and not omitted for users with many groups); if it is absent the
                 transformation simply never matches. Confirm with a real token. -->
            <AzureADUserToAdminUser type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders">
              <SourceClaims>
                <Claim1 type="groups" value="00ce12e7-9064-4452-8c57-bdd42bfb0f6f" />
              </SourceClaims>
              <NewClaims>
                <Claim1 type="http://www.sitecore.net/identity/claims/isAdmin" value="true"/>
              </NewClaims>
            </AzureADUserToAdminUser>
            <!-- Membership of this group yields role=Sitecore\Developer (the backslash is literal; no escaping needed
                 in an attribute value). On the Sitecore side the short "role" claim is renamed to the long role claim
                 type, so the value presumably has to name an existing Sitecore role in domain\name form; confirm.
                 Same example-GUID caveat as above. -->
            <AzureADUserToAuthor type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders">
              <SourceClaims>
                <Claim1 type="groups" value="3f93d43e-f736-4c9f-8816-da33ed6271a6" />
              </SourceClaims>
              <NewClaims>
                <Claim1 type="role" value="Sitecore\Developer"/>
              </NewClaims>
            </AzureADUserToAuthor>
          </ClaimsTransformations>
        </AzureAd>
      </IdentityProviders>
    </ExternalIdentityProviders>
  </Sitecore>
</Settings>