Code - Alpha Solutions

Sitecore has supported a variety of techniques for managing user accounts throughout its history. Although Sitecore provides its own user management capabilities, it is common for organizations to integrate Sitecore with centralized user/identity management systems, such as Active Directory.

3.29.21

BY KEVIN GREGORY

As user management has continued to evolve in the industry, Sitecore has introduced additional capability through Sitecore Identity Server. Sitecore Identity Server enables organizations to integrate Sitecore with a variety of platforms such as Azure Active Directory and Office365.

However, what if an organization has not shifted to a solution such as Azure Active Directory, Active Directory Federated Services, or other identity provider services? The legacy Sitecore Active Directory module which integrated Sitecore with Active Directory via LDAP is no longer supported on recent Sitecore versions.

One option is to develop a solution which extends Sitecore Identity Server through its plugin system. Sitecore Identity Server supports extensible External Providers, which can authenticate users through common identity protocols such as Open ID Connect (OIDC). Any system which meets the requirements of these protocols can be configured to provide user and identity management features for Sitecore.

To replicate the behavior of the legacy Sitecore Active Directory module, we chose to implement an OIDC-compliant identity provider that interfaced with Active Directory via LDAP. Since Sitecore Identity Server is implemented using the open source IdentityServer4 platform, it was natural to use the same for this solution. This enables a consistent .NET Core application deployment and management approach in-line with Sitecore itself.

SOLUTION OVERVIEW

First, we developed and deployed an additional IdentityServer4 instance. It is deployed alongside Sitecore Identity Server as another .NET Core web application on the CM server.

The additional IdentityServer4 instance was customized to enable Active Directory users to authenticate via LDAP. The IdentityServer4.LdapExtension project provides such an implementation.

services.AddIdentityServer()
  .AddInMemoryIdentityResources(InMemoryInitConfig.GetIdentityResources())
  .AddInMemoryClients(InMemoryInitConfig.GetClients())
  .AddLdapUsers<ActiveDirectoryAppUser>(...);

 

Next, Sitecore Identity Server must be configured to provide Sitecore users with the option to authenticate via the IdentityServer4 instance. This is achieved through a custom plugin implementing an External Provider. For an overview of the process, please see this.

new AuthenticationBuilder(services)
  .AddOpenIdConnect(ldapProvider.AuthenticationScheme, ldapProvider.DisplayName,   options =>
  {
    options.SignInScheme = "idsrv.external";
    options.ClientId = ldapProvider.ClientId;
    options.Authority = ldapProvider.Authority;
    options.MetadataAddress = ldapProvider.MetadataAddress;
    options.CallbackPath = "/signin-idsrv";
    options.Scope.Add("email");
    };
  });

 

In order for IdentityServer4 to communicate with Sitecore Identity Server, IdentityServer4 must be configured with a client representing Sitecore Identity Server. This client is then configured with grants that the client may request. In this case, Active Directory attributes such as the user’s name, email address, and group memberships are the relevant grants/claims.

new Client
{
  ClientId = "scid",
  ClientName = "Sitecore Identity",
  AllowedGrantTypes = GrantTypes.Hybrid,
  RedirectUris = config.RedirectUris,
  PostLogoutRedirectUris = config.PostLogoutRedirectUris,
  AllowedScopes =
  {
    IdentityServerConstants.StandardScopes.OpenId,
    IdentityServerConstants.StandardScopes.Profile,
    IdentityServerConstants.StandardScopes.Email,
  }, 
},

 

Finally, the Sitecore application itself needs to be configured to map the Active Directory user attributes to Sitecore user attributes. For example, mapping the user’s name and email address attributes will cause these to be displayed in Sitecore’s User Manager. Additionally, Active Directory group memberships can be mapped to correspond with Sitecore roles. To see an overview of this process, click here.

In addition to configuring the client, grants, and attribute mappings, it is important to consider the OIDC protocol configuration and security options. IdentityServer4’s documentation provides a good overview of the concepts and available options:

ADDITIONAL CONSIDERATIONS

There are core differences between the behavior of the legacy Sitecore Active Directory module and Sitecore Identity Server. Some organizations may not require all the capabilities of Sitecore Identity Server, and therefore the solution can be tailored to reduce the administration complexity and more closely mirror the behavior of the legacy Active Directory module.

For example, Sitecore will, by default, assign pseudo-random usernames to users logging in through External Providers. This is required for the case where the username may not be unique across multiple systems. However, if this uniqueness can be reasonably assured by the organization’s administration practices, Sitecore can be customized to make it easier to manage the system.  For example, overriding the DefaultExternalUserBuilder can allow for the Active Directory username to be used directly by Sitecore.

FINISHING TOUCHES

 

  • The styling of IdentityServer4 can be adjusted to match the appearance of Sitecore Identity Server. In our case, we carried over the HTML and styling of Sitecore Identity Server to IdentityServer4.


  • To simplify the user experience when logging in, the Sitecore Identity Server login page was customized with CSS and JavaScript to make the “Log In via IdentityServer4” button (whose label can be customized in the plugin) more prominent. The login form for local Sitecore accounts was hidden with an option to show it in case an administrator needed to login to Sitecore without using an Active Directory account.

Log in via Sitecore Identity Server

  • IdentityServer4 provides various configurable options for the authentication process. For example, options such as “Remember Me” can be enabled or disabled, the log-out behavior can be customized to request confirmation or not, etc. See the AccountOptions.cs class.