Skip to main content

Using Okta Authentication for a Sitecore client site

I recently had a project where we had to add a new Sitecore site to an already multi site Sitecore 8.2 Update 7 instance. This new site had to integrate with Okta to manage user authentication. I found many articles online that integrated Okta and Sitecore's admin interface but I could not find one that just integrated Okta with a client Sitecore site.

My first step was to use Okta's available ASP.NET MVC projects on their Dev site and test them out. This worked very well with the first Authenticated method I tried which was WS-Fed. But when I tried to use the same authentication method with a site in Sitecore I got errors in my logs like the following:

Sitecore.Security.Principal.SitecoreIdentity does not contain a definition for Claims

Claims are available in HttpContext.User.Identity but not in Sitecore.Security.Principal.SitecoreIdentity, and since we are using a Sitecore site we could not read the claims. I tried to make claims work in Sitecore using various online articles but was not successful.

Next I tried using OpenId connect and again setting up a sample website with Okta authentication was easy. But when I tried to use OpenId connect with my new Sitecore site, I got into issues like going into an endless authentication loop. I think the reason was that my application saw that the user is not authenticated and send the user to Okta. Okta checked the user and sent the user back to the site. But Sitecore is not able to see that the user is authenticated and sends the user back to Okta. Mainly I needed HttpContext.User.Identity.IsAuthenticated to return true and be able to read the associated claims. To avoid this endless loop,.I tried a few more articles online but was not successful in getting OpenId connect to work.

Then I turned to good old Saml. Again first I got Okta Saml to work with a sample website.
To setup the Okta Saml application I used.
https://developer.okta.com/standards/SAML/setting_up_a_saml_application_in_okta

and to read the Saml response I used the following Simple SAML consumer implementation
https://github.com/jitbit/AspNetSaml/

As expected this worked fine for the sample website. But to my surprise, this worked seamlessly in my Sitecore site as well. I was able to read the Okta user attributes in Sitecore. I was excited!

Lastly now that I could read the user attributes, I created a virtual Sitecore user and assigned these user attributes to this virtual user and logged the user into Sitecore as described in this blog
https://briancaos.wordpress.com/2015/11/13/sitecore-virtual-users-authenticate-users-from-external-systems/

As mentioned in the above articles you could assign the virtual user to a role based on some of the Okta user attributes. This can be used by content authors to assign a page to a particular role so that only users that belong to that role would have access to that page.

I'm hoping someone else out there finds this blog useful. I told myself that if I solve this issue for myself I would blog about it. So I'm glad I took the time today to write about it.


Comments

  1. kazukisuima@gmail.comNovember 12, 2022 at 9:55 AM

    Hi, I'm Japanese WebSite Developer using Sitecore. Thank you for your contribution.
    We will try to integrate Okta authentification to pages on CD server.
    So, this article gave us useful information.
    I know this info written in 2018. but I got many hints.

    ReplyDelete

Post a Comment

Popular posts from this blog

Sitecore: Get list of logged in users

I had a deployment today and wanted to find a list of users who were logged into the Sitecore admin site. This was mainly so that I can contact them and let them know that a deployment was going to happen. I found the following link very useful as it gave me exactly what I was looking for. A list of users that were logged in and I contacted them. It also has the ability to Kick off users! http://{YourWebsite}/sitecore/client/Applications/LicenseOptions/KickUser Note: You can only see other users in this list if you have the right administrator permission. Logging in with a lower access level user only gave me the logged in user and no one else on the list.

Sitecore clear cache setting

Sitecore has extensive cache settings. You can add caching at the rendering level so it affects all instances of that rendering. Or you can add caching at the component level on a particular page via the presentation details. This is all good when you are setting it up, but once this goes to production, the way caching is supposed to work is that the cache should get cleared after an item is published. So after an item is published, any associated cache should also automatically get updated. In our case, we saw that once we went to production (with extensive caching enabled) our pages loaded much faster. However when the content authors were updating content, the updates were not making it to the delivery servers. The content seemed to be stuck in the cache. We noticed that we had to do one of the following to see the updated cache. Go to the admin cache page [SitecoreSite/sitecore/admin/Cache.aspx] and click the "Clear all" button. This is not viable long term solution