We have upgraded to Optimizely CMS 12 and are able to log in from the Optimizely default login. The next step is to log in with our custom identity manager.
We are able to use “AddOpenIdConnect” and “AddCookie”, like the login with Azure documented here: https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/integrate-azure-ad-using-openid-connect
We get back an authenticated token with claims like username, roles, etc. from our identity manager. This data is then synchronized; see the code example.
(In the code example we do some mappings from “role” to “ClaimTypes.Role”.)
    o.Events.OnSignedIn = async (ctx) =>
    {
        if (ctx.Principal?.Identity is ClaimsIdentity claimsIdentity)
        {
            var synchronizingUserService = ctx
            var claims = new List<Claim>(claimsIdentity.Claims);
            var nid = new ClaimsIdentity(claims, "id_token", ClaimTypes.Name, ClaimTypes.Role);
        }
    };
Optimizely then sends us to “/Account/AccessDenied?ReturnUrl=” and Episerver is not logged in.
For Optimizely 11 we used OWIN to connect. I have verified that the claims are the same.
Are there any requirements for the claims?
Or do we need to do something after the synchronization part?
Thanks for the help!
Are you using custom roles? Take a look at the tblSynchedUserRole table and see what's assigned to your test user.
Edit and admin mode is locked down with a policy that evaluates the following groups: CmsEditor and CmsAdmins. Your users must be members of any of these groups -- as you've discovered.
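
Added example, not part of the thread and not Optimizely's own code: a standalone C# helper that rewrites identity-provider "role" claims as ClaimTypes.Role claims carrying the group names from the reply above, then checks whether the identity holds one of those groups before it is synchronized. The IdP role names (`content-editor`, `content-admin`) and the class and method names are assumptions; the group names are copied as written in the reply.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class CmsRoleMapping
{
    // Group names as written in the reply above; the IdP role names (keys) are constructed.
    static readonly Dictionary<string, string> IdpToCmsGroup = new(StringComparer.OrdinalIgnoreCase)
    {
        ["content-editor"] = "CmsEditor",
        ["content-admin"] = "CmsAdmins",
    };
    static readonly string[] RequiredGroups = { "CmsEditor", "CmsAdmins" };

    // Rebuilds the identity so every IdP role claim becomes a ClaimTypes.Role claim,
    // translated to a CMS group name where a mapping exists. Other claims are kept.
    public static ClaimsIdentity MapRoles(ClaimsIdentity source, string idpRoleType = "role")
    {
        var claims = new List<Claim>();
        foreach (var c in source.Claims)
        {
            if (c.Type != idpRoleType && c.Type != ClaimTypes.Role) { claims.Add(c); continue; }
            var group = IdpToCmsGroup.TryGetValue(c.Value, out var mapped) ? mapped : c.Value;
            claims.Add(new Claim(ClaimTypes.Role, group));
        }
        return new ClaimsIdentity(claims, source.AuthenticationType, ClaimTypes.Name, ClaimTypes.Role);
    }

    // True when the identity carries at least one group the edit/admin policy evaluates.
    public static bool HasCmsAccess(ClaimsIdentity identity) =>
        RequiredGroups.Any(new ClaimsPrincipal(identity).IsInRole);

    public static void Main()
    {
        // Constructed sample of the claims an identity provider might return.
        var fromIdp = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "test.user"),
            new Claim("role", "content-editor"),
        }, "id_token");

        Console.WriteLine($"raw IdP identity has CMS access: {HasCmsAccess(fromIdp)}");
        var mapped = MapRoles(fromIdp);
        Console.WriteLine($"mapped identity has CMS access:  {HasCmsAccess(mapped)}");
        foreach (var r in mapped.FindAll(ClaimTypes.Role))
            Console.WriteLine($"role claim to synchronize: {r.Value}");
    }
}
```

Logging the result of `HasCmsAccess` for the identity that is actually passed to the synchronization step shows whether a redirect to AccessDenied comes from missing group membership rather than from the sign-in itself.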