SaaS CMS has officially launched! Learn more now.

Error sign in with custom identity manager

Vote:
 

Hi

We have upgraded to Optimizely cms 12 and are able to Login from Optimizely default login. The next step is to login with our custom identity manager .

We are able to use “AddOpenIdConnect” and “AddCookie” like login with azure documented here: https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/integrate-azure-ad-using-openid-connect

We get back a authenticated token with claims like username, roles ex. from our identity manager. This data is then synchronized see code example

(In the code example we do some mappings from “role” to “ClaimTypes.Role” )

o.Events.OnSignedIn = async (ctx) =>
            {
                if (ctx.Principal?.Identity is ClaimsIdentity claimsIdentity)
                {
                    var synchronizingUserService = ctx
                      .HttpContext
                      .RequestServices
                      .GetRequiredService<ISynchronizingUserService>();

                    var claims = new List<Claim>(claimsIdentity.Claims);
                    ClaimHelper.PatchClaims(claims);
                    var nid = new ClaimsIdentity(claims, "id_token", ClaimTypes.Name, ClaimTypes.Role);

                    await synchronizingUserService.SynchronizeAsync(nid);
                }
            };

 Optimizely then send us to “/Account/AccessDenied?ReturnUrl=”   and episerver is not logged in.

 For Optimizely 11 we used owin to connect. I have verified that the claims is the same.

 Is there some requirements for the claims?

 Or do we need to do something after the synchronization part?

 

Thanks for help!

 

#286111
Aug 25, 2022 11:24
Vote:
 

Are you using custom roles? Take a look at tblSynchedUserRole table and see what's assigned to your test user.

#286119
Aug 25, 2022 15:02
Trond Erik Aatlo - Aug 26, 2022 6:42
Thanks.
I forgot to add the cms mappings for our custom mappings.
"Cms": {
"MappedRoles": {
"Items": {
"CmsEditors": {
"MappedRoles": [ "WebEditors", "WebAdmins", custommapping ]
},
"CmsAdmins": {
"MappedRoles": [ "WebAdmins", "Iceweb.CmsAdmin", custommapping ]
}
}
}
}
Vote:
 

Edit and admin mode is locked down with a policy that evaluates following groups; CmsEditor and CmsAdmins. Your users must be memebers of any of these groups -- as you've discovered.

#286299
Aug 29, 2022 8:43
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.