Cloud Journal

Integrating Sitecore with external authorization service

1 November 2022

Sitecore Identity Server can be configured for federated authentication, whether against an on-premise ADFS or Azure Active Directory. Role claims returned by ADFS/Azure AD are then mapped to Sitecore roles, which makes it straightforward to authorize users who log in through external authentication providers.

This post covers a requirement to authenticate the user against ADFS but authorize against a separate, centralized authorization server. The following sequence diagram shows the use case.

Sitecore Integration with external auth service

For this requirement we patch Sitecore.Owin.Authentication.Services.Transformation by overriding its Transform method, as shown below. Let me break down the important parts of the code.

Line #15 is the call to the service method that contacts the authorization service, which is expected to return the list of Sitecore roles the authenticated user belongs to. The service can invoke an external API or simply read a file to obtain the roles of the current user. The list can consist of Sitecore built-in security roles such as sitecore\author, or custom roles derived from the default security roles to meet the business requirements of the content workflow.

Line #17 loops through the roles the authenticated user belongs to and adds each role to the ClaimsIdentity.
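As an added example (not the code from the post), here is a complete Transformation override implementing the two steps above. The IRoleAuthorizationService interface, the Example.Security namespace, the use of the UPN claim as the user identifier and constructor injection of the service are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Sitecore.Diagnostics;
using Sitecore.Owin.Authentication.Services;
using Sitecore.Security.Accounts;

namespace Example.Security
{
    // Hypothetical contract for the central authorization service; how it gets the roles
    // (external API call, file lookup, ...) is an implementation detail of that service.
    public interface IRoleAuthorizationService
    {
        IEnumerable<string> GetRolesForUser(string userIdentifier);
    }

    public class ExternalRoleTransformation : Transformation
    {
        private readonly IRoleAuthorizationService _authorizationService;
        // Assumes IRoleAuthorizationService is registered in Sitecore's DI container.
        public ExternalRoleTransformation(IRoleAuthorizationService authorizationService)
        {
            _authorizationService = authorizationService;
        }

        public override void Transform(ClaimsIdentity identity, TransformationContext context)
        {
            if (identity == null || !identity.IsAuthenticated) return;
            // Identify the user the way the authorization service expects (UPN here; fall back to Name).
            var userId = identity.FindFirst(ClaimTypes.Upn)?.Value ?? identity.Name;
            if (string.IsNullOrEmpty(userId)) return;

            // Authorization comes only from the central service: drop role claims issued by the IdP
            // so a misconfigured federation trust cannot grant Sitecore roles by itself.
            foreach (var idpRole in identity.FindAll(ClaimTypes.Role).ToList())
                identity.RemoveClaim(idpRole);

            var roles = _authorizationService.GetRolesForUser(userId) ?? Enumerable.Empty<string>();
            foreach (var roleName in roles.Distinct(StringComparer.OrdinalIgnoreCase))
            {
                // Grant only roles that exist in Sitecore; log anything else for investigation.
                if (!Role.Exists(roleName))
                {
                    Log.Warn($"Authorization service returned unknown role '{roleName}' for '{userId}'", this);
                    continue;
                }
                identity.AddClaim(new Claim(ClaimTypes.Role, roleName));
            }
        }
    }
}
```

The class is wired in through the config patch described below as a transformation entry; unknown role names are logged rather than granted, so the audit log shows when the authorization service and the Sitecore role set drift apart.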

Finally, add a config patch as follows to hook the custom role transformation into the pipeline. Happy coding!