Setting up Single Sign-On (SSO) with Sitecore’s XM Cloud is quite easy, though as an SSO newbie, I ran into a few speedbumps with the installation I was performing.
In my case, I was implementing an SSO connection using my client’s Azure Active Directory setup. The official Sitecore documentation does a good job of explaining how to configure and authenticate SSO through OpenID Connect (OIDC), though I wasn’t super familiar with some of the terms used in both the documentation and in the actual portal app. I had to do a bit of digging to uncover what information I needed to request from the client, as well as instructions on where to find said information in Azure. In this blog post I’ll go through the information I came across and pieced together in order to successfully set up an SSO connection.
In order to add an SSO connection, you’ll first need to navigate to the Admin view in your organization’s Sitecore portal. If you have the correct permissions, you can do so by clicking Admin at the top of the portal landing page. From there you can click on Single sign-on (SSO) from the left-hand menu pane.

Next, you’ll want to click on the Add SSO connection button in the top right of the page. You’ll be prompted to choose between OpenID Connect and SAML. In my implementation we went with OpenID Connect.

Adding a new SSO connection requests the following information:
- Email domain
- Connection type
- Issuer URL
- Scopes
- Client ID
The above information comes from the identity provider managing the SSO connection. In my case, this was an Azure Active Directory app registration.
Email domain was simple enough; this is just the domain for the accounts associated with the SSO connection. For example, sample-domain.com. If you have multiple domains, you may need to set up multiple SSO connections.
Connection type is also quite straightforward; I went with Front channel here as that was what the client’s Active Directory required. Sitecore recommends checking your identity provider’s documentation for assistance on what to choose here.
Issuer URL took me a bit to figure out. The documentation lists this as the URL of the discovery document of the identity provider you want to connect with, also known as the metadata address. In Azure Active Directory, my client and I were not able to directly find a value in the application that matched this description, though after a bit of trial and error, we concluded that the URL is formatted as such:
https://login.microsoftonline.com/ + Directory (tenant) ID + /.well-known/openid-configuration
As an example, see the following URL:
Just replace the dummy GUID with your tenant ID and you should be good to go with that piece.
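As a sanity check on the Issuer URL format above, here is an added example (not code from Sitecore or from the original setup) that builds the URL from a tenant ID and inspects a discovery document for the fields the OpenID Connect Discovery spec requires. The tenant GUID and the trimmed discovery document are constructed placeholders, and the function names are hypothetical.

```python
import re

# Canonical GUID form of an Azure AD Directory (tenant) ID.
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
# Metadata fields that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
            "subject_types_supported", "id_token_signing_alg_values_supported")


def issuer_url(tenant_id: str) -> str:
    """Build the Issuer URL (metadata address) from a Directory (tenant) ID."""
    tenant_id = tenant_id.strip().strip("{}").lower()
    if not GUID_RE.fullmatch(tenant_id):
        raise ValueError("Directory (tenant) ID must be a GUID")
    return f"https://login.microsoftonline.com/{tenant_id}/.well-known/openid-configuration"


def check_discovery(doc: dict, tenant_id: str) -> list:
    """Return the problems found in an already-fetched discovery document."""
    problems = [f"missing required field: {key}" for key in REQUIRED if key not in doc]
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if value is not None and not str(value).startswith("https://"):
            problems.append(f"{key} is not an https URL")
    # A document fetched with the wrong tenant (or an unfilled template) fails here.
    if tenant_id.lower() not in str(doc.get("issuer", "")).lower():
        problems.append("issuer does not contain the tenant ID")
    return problems


# Constructed sample input: placeholder tenant ID and a trimmed discovery document.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_DOC = {
    "issuer": f"https://sts.windows.net/{SAMPLE_TENANT}/",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["pairwise"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print(issuer_url(SAMPLE_TENANT))
    print(check_discovery(SAMPLE_DOC, SAMPLE_TENANT) or "discovery document looks consistent")
```

Against a real tenant, open the generated URL in a browser, save the JSON it returns, and pass the parsed result to `check_discovery` in place of the sample document.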
I left Scopes alone as I didn’t require any changes here. You may want to request more or less information like name, but it wasn’t necessary in my case.
Client ID is simply the application’s ID in the identity provider, aka in my case the Azure Active Directory’s SSO application my client set up.
Once I had all of the required information, I was able to save the SSO connection in the Sitecore portal.
As an additional note, at the bottom of the Add SSO connection modal, there is a Callback URL. This is the URL you should provide your identity provider to redirect the user once they’ve successfully logged in via SSO. As of writing this blog post, this is always https://auth.sitecorecloud.io/login/callback.
Once the SSO connection was set up, it was time to test it. Sitecore requires you to test the connection before enabling it, so I reached out to my client to have them test this. Kicking off an SSO Test takes place directly on the Single sign-on (SSO) page, which will redirect you to your SSO login page. If all goes well, your test should complete successfully.

The final steps are to validate and enable your SSO connection. Validation is quite simple; Sitecore will provide you with a TXT record that you’ll need to add to the domain associated with your SSO connection. Once that’s complete, you can verify the domain and enable the connection.
You’ll know your SSO connection is tested, verified and enabled on the Single sign-on (SSO) page.

And that’s it! Like I mentioned at the beginning of this post, it’s quite simple to set up SSO through the Sitecore portal. If you run into any issues or have any questions, leave them in the comments below and I’ll do my best to help if I can!
Happy Sitecoreing!
