Skip to main content

Using Okta Authentication for a Sitecore client site

I recently had a project where we had to add a new Sitecore site to an already multi site Sitecore 8.2 Update 7 instance. This new site had to integrate with Okta to manage user authentication. I found many articles online that integrated Okta and Sitecore's admin interface but I could not find one that just integrated Okta with a client Sitecore site.

My first step was to use Okta's available ASP.NET MVC projects on their Dev site and test them out. This worked very well with the first Authenticated method I tried which was WS-Fed. But when I tried to use the same authentication method with a site in Sitecore I got errors in my logs like the following:

Sitecore.Security.Principal.SitecoreIdentity does not contain a definition for Claims

Claims are available in HttpContext.User.Identity but not in Sitecore.Security.Principal.SitecoreIdentity, and since we are using a Sitecore site we could not read the claims. I tried to make claims work in Sitecore using various online articles but was not successful.

Next I tried using OpenId connect and again setting up a sample website with Okta authentication was easy. But when I tried to use OpenId connect with my new Sitecore site, I got into issues like going into an endless authentication loop. I think the reason was that my application saw that the user is not authenticated and send the user to Okta. Okta checked the user and sent the user back to the site. But Sitecore is not able to see that the user is authenticated and sends the user back to Okta. Mainly I needed HttpContext.User.Identity.IsAuthenticated to return true and be able to read the associated claims. To avoid this endless loop,.I tried a few more articles online but was not successful in getting OpenId connect to work.

Then I turned to good old Saml. Again first I got Okta Saml to work with a sample website.
To setup the Okta Saml application I used.
https://developer.okta.com/standards/SAML/setting_up_a_saml_application_in_okta

and to read the Saml response I used the following Simple SAML consumer implementation
https://github.com/jitbit/AspNetSaml/

As expected this worked fine for the sample website. But to my surprise, this worked seamlessly in my Sitecore site as well. I was able to read the Okta user attributes in Sitecore. I was excited!

Lastly now that I could read the user attributes, I created a virtual Sitecore user and assigned these user attributes to this virtual user and logged the user into Sitecore as described in this blog
https://briancaos.wordpress.com/2015/11/13/sitecore-virtual-users-authenticate-users-from-external-systems/

As mentioned in the above articles you could assign the virtual user to a role based on some of the Okta user attributes. This can be used by content authors to assign a page to a particular role so that only users that belong to that role would have access to that page.

I'm hoping someone else out there finds this blog useful. I told myself that if I solve this issue for myself I would blog about it. So I'm glad I took the time today to write about it.


Comments

Popular posts from this blog

Un Lock Sitecore admin account

There are times when you - Upgrade Sitecore locally - Restore databases in your local Sitecore instance. And you are no longer able to login to the Sitecore admin interface with the default admin username and password b. When this happens you can unlock the Sitecore admin account and reset the password back to b. To do this copy this aspx  file to your Website\sitecore\admin folder (and overwrite existing file) Next make sure your local web.config (in the root Website) folder has the following settings minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0" Lastly go to the following page https://YourSitecore.com/sitecore/admin/unlock_admin.aspx And click the Unlock Administrator button. That's it, you can now login to your local Sitecore instance. Happy Sitecoreing!

Sitecore media RequestExtension for images and pdfs

On your Sitecore site what is the media file extension you see? If you see .ashx for all your media (images, pdfs) read on. Ideally the IIS application pool for your website should be configured to use Integrated mode instead of classic mode. If that is the case, there is one default Sitecore 8 setting that you should change in your Sitecore.config   FROM: <setting name="Media.RequestExtension" value="ashx"/> TO: <setting name="Media.RequestExtension" value=""/> This configures Sitecore to use the original file extensions rather than .ashx extension. So images would be jpg, gif, png's while pdfs would have the pdf extension. I also notice that Sitecore themselves have this configured on their website, so we should be good making this change. There are multiple benefits to the end user. They know the file types of media like pdfs before clicking on the download link CDN have cache settings that will be honoured