Five New Optimizely Certifications are Here! Validate your expertise and advance your career with our latest certification exams. Click here to find out more
AI OnAI Off
Navigation [hide]
[expand]
- Add-ons
- Architecture
- BLOB storage and providers
- Caching
- Client resources
- Configuration
- Configuring episerver
- Configuring episerver.dataStore
- Configuring episerver.framework
- Configuring episerver.packaging
- Configuring episerver.search
- Configuring episerver.shell
- Configuring module.config
- Configuring staticFile
- Configuring episerver.basicAuthentication
- Configuring .NET SignalR
- Configuring Image Service
- Configuring link validation
- Reading application settings programmatically
- Content
- Page types and templates
- Block types and templates
- IContentRepository and DataFactory
- Persisting IContent instances
- Synchronization
- Validation
- ContentType attribute
- Grouping content types and properties
- EditHint in MVC
- Creating a page programmatically
- Selecting content
- Converting page types for pages
- Refactoring content type classes
- Multilingual content
- Properties
- Built-in property types
- Restricting content types in properties
- Writing custom attributes
- Single or multiple list options
- Built-in auto-suggestion editor
- Property settings
- Property attributes
- Using a block as a property
- Property controls
- Custom properties
- Links
- Assets and media
- Media types and templates
- Working with media
- Content assets and folders
- Custom editing preview for media
- Providers
- Deployment
- Planning deployments
- Installing database schema
- Setting up multiple sites
- Content Delivery Network
- Configuring your email server
- Automatic schema updates
- Deployment scenarios
- Mirroring
- Storing UTC date and time in the database
- Database mode
- Dynamic content
- Configuring dynamic content
- Using interfaces to render Dynamic Content
- Creating UI settings for dynamic content
- Creating a plug-in
- Creating a Hello World dynamic content
- Dynamic data store
- Configuring Dynamic Data Store
- Indexing properties
- Mapping stores
- Supporting LINQ
- Identity and Date and time management
- Editing
- Event management
- Forms
- Globalization
- Determining languages
- Globalization scenarios
- Adding languages
- Localization service
- Localizing the user interface
- Configuring a custom localization provider
- Initialization
- Logging
- Personalization
- Projects
- Rendering
- TemplateDescriptor and tags
- Selecting templates
- Display options
- Display channels
- Using data source controls
- Adding edit hints without using Property web control
- Navigation menus and listings
- Creating a main menu
- Creating a submenu
- Reports
- Routing
- Scheduled jobs
- Search
- Search integration
- Searching and filtering
- Installing and deploying Search Service
- About Episerver full-text search client
- About Episerver full-text search service
- Configuring Episerver full-text search client
- Configuring Episerver full-text search service
- Searching for pages based on page type
- Adding search providers
- Security
- Authentication and authorization
- Virtual roles
- Configuring Active Directory membership provider
- Recommendations for ASP.NET security settings
- Securing edit and admin user interfaces
- Federated security
- Forms authentication
- OWIN authentication
- Configuring mixed-mode OWIN authentication
- Permissions to functions
- Protecting users from session hijacking
- Managing cookies on the website
- EPiServer AspNetIdentity
- Integrate Azure AD using OpenID Connect
- User interface
- Context-sensitive components
- Service locator
- Describing content in the UI
- Dialogs
- Shell profile
- Store architecture
- Drag-and-drop
- Message service pool
- Publish and subscribe messaging system
- Introduction to Dojo
- Using jQuery
- Plugging in a gadget
- Creating a component
- Extending the navigation
- Dashboard gadgets
- Controller options
- HTML helpers
- Client API and gadget instance
- Gadget styling
- Configuring Shell modules
- Setting up your environment
- Developing gadgets, step 1
- Developing gadgets, step 2
- Developing gadgets, step 3
- Developing gadgets, step 4
- Command Pattern
- Object editing
- Views
- Creating a view
- Creating a container
- Creating a component
- Creating a component for a Web Form
- Plugging in components into a view
- Modifying a view through configuration
- Hiding or controlling access to a component
- Replacing a component globally
- Configuring the dashboard
- WebSocket support
- User notifications
- Virtual path providers
Area:
Optimizely CMS
ARCHIVED This content is retired and no longer maintained. See the latest version here.
Integrate Azure AD using OpenID Connect
This topic provides an introduction to using OpenID Connect to integrate with Azure Active Directory. OpenID Connect is an authentication protocol built on top of OAuth 2.0 that can be used to securely sign users into web applications. This document shows how an Episerver application can use the OpenID Connect to sign-in users from a single/multi-tenant environment, using the ASP.Net OpenID Connect OWIN middleware.
For more information about how the protocols works, refer to Authentication Scenarios for Azure AD and Integrate Azure AD into a web application using OpenID Connect.
If you require role-based access control, refer to Adding application roles in Azure Active Directory
Prerequisites
Disable Role and Membership Providers
Disable the built-in Role and Membership providers in web.config:
<authentication mode="None" />
<membership>
<providers>
<clear/>
</providers>
</membership>
<roleManager enabled="false">
<providers>
<clear/>
</providers>
</roleManager>
Configure Episerver to support claims
Enable claims on virtual roles by setting the addClaims property. Also add the provider for security entities, which is used by the set access rights dialog and impersonating users. The SynchronizingRolesSecurityEntityProvider configured in the following example is using the SynchronizingUserService
<episerver.framework>
<securityEntity>
<providers>
<add name="SynchronizingProvider" type ="EPiServer.Security.SynchronizingRolesSecurityEntityProvider, EPiServer"/>
</providers>
</securityEntity>
<virtualRoles addClaims="true">
//existing virtual roles
</virtualRoles>Install NuGet packages
Open Package Manager in Visual Studio and install the following packages:
Install-Package Microsoft.Owin.Security.Cookies
Install-Package Microsoft.Owin.Security.OpenIdConnect
Install-Package Microsoft.Owin.Host.SystemWeb
Update-Package Microsoft.IdentityModel.Protocol.Extensions -SafeNote: Always use Microsoft.IdentityModel.Protocol.Extensions package version 1.0.2 or later. Previous versions contain a critical bug that might cause threads to hang.
Configure OpenID Connect
To configure the OpenID Connect, add the following code in the startup class for OWIN middleware
using System;
using System.Configuration;
using System.Globalization;
using System.Threading.Tasks;
using System.Web;
using Owin;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using EPiServer.Security;
using EPiServer.ServiceLocation;
public class Startup
{
// <add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
private static readonly string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
// <add key="ida:ClientId" value="Client ID from Azure AD application" />
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
//<add key="ida:PostLogoutRedirectUri" value="https://the logout post uri/" />
private static readonly string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
private static string commonAuthority = String.Format(CultureInfo.InvariantCulture, aadInstance, "common/");
const string LogoutPath = "logout path";
public void Configuration(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = commonAuthority,
PostLogoutRedirectUri = postLogoutRedirectUri,
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
ValidateIssuer = false,
RoleClaimType = ClaimTypes.Role
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = context =>
{
context.HandleResponse();
context.Response.Write(context.Exception.Message);
return Task.FromResult(0);
},
RedirectToIdentityProvider = context =>
{
// Here you can change the return uri based on multisite
HandleMultiSitereturnUrl(context);
// To avoid a redirect loop to the federation server send 403
// when user is authenticated but does not have access
if (context.OwinContext.Response.StatusCode == 401 &&
context.OwinContext.Authentication.User.Identity.IsAuthenticated)
{
context.OwinContext.Response.StatusCode = 403;
context.HandleResponse();
}
return Task.FromResult(0);
},
SecurityTokenValidated = (ctx) =>
{
var redirectUri = new Uri(ctx.AuthenticationTicket.Properties.RedirectUri, UriKind.RelativeOrAbsolute);
if (redirectUri.IsAbsoluteUri)
{
ctx.AuthenticationTicket.Properties.RedirectUri = redirectUri.PathAndQuery;
}
//Sync user and the roles to EPiServer in the background
ServiceLocator.Current.GetInstance<ISynchronizingUserService>().
SynchronizeAsync(ctx.AuthenticationTicket.Identity);
return Task.FromResult(0);
}
}
});
app.UseStageMarker(PipelineStage.Authenticate);
app.Map(LogoutPath, map =>
{
map.Run(ctx =>
{
ctx.Authentication.SignOut();
return Task.FromResult(0);
});
});
}
private void HandleMultiSitereturnUrl(
RedirectToIdentityProviderNotification<Microsoft.IdentityModel.Protocols.OpenIdConnectMessage,
OpenIdConnectAuthenticationOptions> context)
{
// here you change the context.ProtocolMessage.RedirectUri to corresponding siteurl
// this is a sample of how to change redirecturi in the multi-tenant environment
if (context.ProtocolMessage.RedirectUri == null)
{
var currentUrl = EPiServer.Web.SiteDefinition.Current.SiteUrl;
context.ProtocolMessage.RedirectUri = new UriBuilder(
currentUrl.Scheme,
currentUrl.Host,
currentUrl.Port,
HttpContext.Current.Request.Url.AbsolutePath).ToString();
}
}
}
Adding application roles in Azure Active Directory
By default, you need to declare application roles in the Active Directory application, such as WebEditors, WebAdmins and etc. Either the application owner (developer of the app) or the global administrator of the developer’s directory can declare roles for an application.
- In the Azure Management Portal, navigate to the Active Directory node and go to the Applications tab.
- Click to open the application for which you wish to declare application roles.
- Click the Manage Manifest action button on the bottom bar.
- Select Download Manifest.
- Open the manifest file in a JSON editor of your choice.
- Locate the appRoles setting.
- Insert the appRole definitions in the array.
This is an example of approles that declare WebAdmins and WebEditors. You can modify it according to your application roles. Be aware that you need to generate a new Guid for each role declaration.
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "Editor can edit the site.",
"displayName": "WebEditors",
"id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"isEnabled": true,
"value": "WebEditors"
},
{
"allowedMemberTypes": [
"User"
],
"description": "Admins can manage roles and perform all task actions.",
"displayName": "WebAdmins",
"id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX",
"isEnabled": true,
"value": "WebAdmins"
},
{
"allowedMemberTypes": [
"User"
],
"description": "Admin the site.",
"displayName": "Administrators",
"id": "XXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX",
"isEnabled": true,
"value": "Administrators"
}
],After declaring the approles, you need to upload the manifest to the Azure Active Directory application. Refer to Roles based access control for more information.
Assigning users and groups to application roles
After a global administrator of the customer’s organization installs your application, either they or a user accounts administrator in their organization can assign users and groups to your application.
- Navigate to the users tab under the application to which you would like to assign users and groups.
- Select a user.
- Click the Assign action on the bottom bar. Here you can assign the desired role to the user.
Known problems
- If you are using System.IdentityModel.Tokens.Jwt version 4.0.0 or lower, it is required to set RoleClaimType = "roles" in the TokenValidationParameters.
- If the application throws an antiforgery token exception like “AntiForgeryToken: A Claim of Type NameIdentifier or IdentityProvider Was Not Present on Provided ClaimsIdentity,” set AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier.
Last updated: Sep 16, 2016
