Sitecore 9 : Content Editors Federated Authentication with Gmail

Recently, in one of my Sitecore projects, I got a requirement that content editors should be able to log in using a third-party identity provider like Google. In my previous projects I have used this multiple times to authenticate website users, but for Sitecore content users it was a bit different. There were multiple articles which I referred to in order to implement this, and this article is basically a consolidation of those articles along with some changes related to the user builder and the Google authentication provider. Below are a few references which are worth reading, as they explain the flow in depth.

https://doc.sitecore.net/sitecore_experience_platform/developing/developing_with_sitecore/federated_authentication/using_federated_authentication_with_sitecore

http://blog.baslijten.com/enable-federated-authentication-and-configure-auth0-as-an-identity-provider-in-sitecore-9-0/

https://doc.sitecore.net/sitecore_experience_platform/developing/developing_with_sitecore/federated_authentication/configure_federated_authentication

The code I listed is based on the repository provided by Bas Lijten at

https://github.com/BasLijten/sitecore-federated-authentication/tree/master/BasLijten.FederatedAuthentication

I have provided the code mentioned in this article in a GitHub repository, which is ready to use, at https://github.com/rdhaundiyal/SitecoreFederatedAuthenticationGmail

Though Sitecore 9 provides an out-of-the-box feature for OWIN authentication, there are a few places where you might end up writing some custom code. The article below shows how you can authenticate the content editor through Google.

Before starting the Sitecore part, make sure you have created a Google application and have the corresponding client id and secret which can be used for Google authentication.

To create a Google application for your integration, please refer to:

https://doc.sitecore.net/social_connected/setting_up_social_connected/configuring/walkthrough_configuring_social_connector_to_work_with_a_social_network

Steps:

  1. Start with creating a new project in Visual Studio 2017 targeting .NET Framework 4.6.2, and select the class library option.
  2. Add the NuGet packages Microsoft.Owin.Security.Google and Microsoft.AspNet.Identity.
  3. Add references to Sitecore.Kernel, Sitecore.Owin, Sitecore.Owin.Authentication, System.Web and Microsoft.Owin.Security.Google.
  4. Create a class GmailIdentityProcessor inheriting from IdentityProvidersProcessor.
  5. Override the ProcessCore method: set the provider to GoogleOAuth2AuthenticationProvider, which is provided by the Microsoft OWIN identity middleware, and finally configure the app to use Google authentication as below.

args.App.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
{
    // ClientId and ClientSecret are read from the FedAuth.Google.* settings shown further down
    ClientId = ClientId,
    ClientSecret = ClientSecret,
    Provider = provider
});
  6. In app_config\include add the file Sitecore.Owin.Authentication.Enabler.config. The only change done in this file is enabling FederatedAuthentication as below.
    <settings>
      <setting name="FederatedAuthentication.Enabled">
        <patch:attribute name="value">true</patch:attribute>
      </setting>
    </settings>

  7. Add GmailIdentityProvider.config to app_config\include.

The changes that need to be made in this config are as follows. In the pipeline for identity providers, we add our own custom processor:

<pipelines>
  <owin.identityProviders>
    <!-- Processors for configuring providers. Each provider must have its own processor -->
    <processor type="SitecoreGmailAuth.Processor.GmailIdentityProcessor, SitecoreGmailAuth" resolve="true" />
  </owin.identityProviders>
</pipelines>

Please note that in the identityProviders section you have to give the exact id of the identity provider you created in the custom identity provider (the value returned by its IdentityProviderName property):

<identityProviders hint="list:AddIdentityProvider">
  <identityProvider ref="federatedAuthentication/identityProviders/identityProvider[@id='Google']" />
</identityProviders>

  8. The last update is the settings for the Google client id and secret.

<settings>
  <setting name="FedAuth.Google.ClientId" value="yourclientid.apps.googleusercontent.com" />
  <setting name="FedAuth.Google.ClientSecret" value="yourclient secret" />
  <setting name="FedAuth.Google.Domain" value="Sitecore" />
</settings>
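To put steps 4 and 5 together with the settings above, here is a complete GmailIdentityProcessor as an added example; it is not code from the original post or from the linked repositories. It assumes Sitecore 9.0's Sitecore.Owin.Authentication assembly, in which IdentityProvidersProcessor takes a FederatedAuthenticationConfiguration in its constructor and exposes GetIdentityProvider(), GetAuthenticationType() and a FederatedAuthenticationConfiguration property, and in which ApplyClaimsTransformations and TransformationContext are the helpers the Bas Lijten sample uses to apply the configured claim transformations; check these names against the assemblies of your installed version.

```csharp
// Added example, not from the original post. Assumes Sitecore 9.0
// Sitecore.Owin.Authentication and Microsoft.Owin.Security.Google.
using System.Threading.Tasks;
using Microsoft.Owin.Security.Google;
using Owin;
using Sitecore.Configuration;
using Sitecore.Diagnostics;
using Sitecore.Owin.Authentication.Configuration;
using Sitecore.Owin.Authentication.Extensions;
using Sitecore.Owin.Authentication.Pipelines.IdentityProviders;

namespace SitecoreGmailAuth.Processor
{
    public class GmailIdentityProcessor : IdentityProvidersProcessor
    {
        public GmailIdentityProcessor(FederatedAuthenticationConfiguration federatedAuthenticationConfiguration)
            : base(federatedAuthenticationConfiguration)
        {
        }

        // Must match the id of the <identityProvider> node referenced in GmailIdentityProvider.config
        protected override string IdentityProviderName => "Google";

        protected override void ProcessCore(IdentityProvidersArgs args)
        {
            Assert.ArgumentNotNull(args, nameof(args));

            // Read the credentials from the FedAuth.Google.* settings instead of hard-coding them
            string clientId = Settings.GetSetting("FedAuth.Google.ClientId");
            string clientSecret = Settings.GetSetting("FedAuth.Google.ClientSecret");
            Assert.IsNotNullOrEmpty(clientId, "FedAuth.Google.ClientId is not configured");
            Assert.IsNotNullOrEmpty(clientSecret, "FedAuth.Google.ClientSecret is not configured");

            // Provider node and the authentication type Sitecore expects for it (assumed base-class helpers)
            IdentityProvider identityProvider = this.GetIdentityProvider();
            string authenticationType = this.GetAuthenticationType();

            var provider = new GoogleOAuth2AuthenticationProvider
            {
                // Apply the claim transformations configured for this provider (e.g. the idp claim)
                // to the Google identity before Sitecore builds the user from it.
                OnAuthenticated = context =>
                {
                    context.Identity.ApplyClaimsTransformations(
                        new TransformationContext(this.FederatedAuthenticationConfiguration, identityProvider));
                    return Task.FromResult(0);
                }
            };

            args.App.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
            {
                // AuthenticationType ties the login button to this middleware instance
                AuthenticationType = authenticationType,
                Caption = identityProvider.Caption,
                ClientId = clientId,
                ClientSecret = clientSecret,
                Provider = provider
            });
        }
    }
}
```

Setting AuthenticationType to the value Sitecore computes for the provider is what lets the login-page button reach this middleware; reading the secret from a setting rather than a literal means the value can be patched per environment and kept out of source control.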

Reset the application pool and run the Sitecore instance. You will get a screen like the one below, with an additional button to log in using Google.

[Screenshot: SCGL-initial]

On clicking it you will be redirected to the Google login page, and after signing in you will be redirected back to the Sitecore login page with the error below.

[Screenshot: SCGL-first login]

Now the user is created in Sitecore, but it does not have any access to the system. An admin user needs to grant access so that the user can use the Sitecore CMS as an editor.

Before that, one more thing needs to change. The default implementation of ExternalUserBuilder in Sitecore creates a user name containing a GUID, which is very difficult to identify. To resolve this, create another class CustomUserBuilder inheriting from ExternalUserBuilder and override the CreateUniqueUserName method to use the email address as the user name.

using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Sitecore.Diagnostics;
using Sitecore.Owin.Authentication.Configuration;
using Sitecore.Owin.Authentication.Identity;
using Sitecore.Owin.Authentication.Services;

public class CustomUserBuilder : ExternalUserBuilder
{
    // Base constructor signature as in Sitecore 9.0's Sitecore.Owin.Authentication (check against your version)
    public CustomUserBuilder(ApplicationUserFactory applicationUserFactory) : base(applicationUserFactory) { }

    // Name the user "<domain>\<email>" instead of the default GUID-based name so the account is recognisable
    protected override string CreateUniqueUserName(UserManager<ApplicationUser> userManager, ExternalLoginInfo externalLoginInfo)
    {
        Assert.ArgumentNotNull(userManager, nameof(userManager));
        Assert.ArgumentNotNull(externalLoginInfo, nameof(externalLoginInfo));
        IdentityProvider identityProvider = this.FederatedAuthenticationConfiguration.GetIdentityProvider(externalLoginInfo.ExternalIdentity);
        if (identityProvider == null) throw new InvalidOperationException("Unable to retrieve identity provider for given identity");
        return identityProvider.Domain + "\\" + externalLoginInfo.Email;
    }
}

Now, if you log in as an admin user, you will see the user created in Sitecore.

[Screenshot: SCGL-Role]

Assign the appropriate member role to the user. The user should now be able to log in.

[Screenshot: SCGL-logged in]

One important thing to take care of while using an external provider is that access to the login URL must be restricted to content editors and not exposed to website users; otherwise you will end up with many users created in Sitecore who are not content editors, which is also a potential security threat.
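As one mitigation for the concern above, the following user builder, an added example that is not part of the original post, refuses to create a Sitecore account for any Google identity whose e-mail domain is not on an allow-list, so a website visitor who reaches the login page does not end up with an account. It assumes the same Sitecore 9.0 ExternalUserBuilder base class and constructor as CustomUserBuilder above, assumes that an exception thrown from CreateUniqueUserName aborts the external login rather than creating the user, and the domain list is a constructed placeholder.

```csharp
// Added example, not from the original post. Assumes the Sitecore 9.0
// ExternalUserBuilder base class and constructor used by CustomUserBuilder above.
using System;
using System.Linq;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Sitecore.Diagnostics;
using Sitecore.Owin.Authentication.Configuration;
using Sitecore.Owin.Authentication.Identity;
using Sitecore.Owin.Authentication.Services;

namespace SitecoreGmailAuth
{
    public class RestrictedUserBuilder : ExternalUserBuilder
    {
        // Constructed placeholder: replace with the Google Workspace domain(s) your editors use
        private static readonly string[] AllowedEmailDomains = { "example.com" };

        public RestrictedUserBuilder(ApplicationUserFactory applicationUserFactory)
            : base(applicationUserFactory)
        {
        }

        // True only for a well-formed address whose domain is on the allow-list.
        // The comparison is case-insensitive because e-mail domains are.
        public static bool IsAllowedEmail(string email)
        {
            if (string.IsNullOrWhiteSpace(email))
                return false;
            int at = email.LastIndexOf('@');
            if (at <= 0 || at == email.Length - 1)
                return false;
            string domain = email.Substring(at + 1).Trim();
            return AllowedEmailDomains.Any(d => string.Equals(d, domain, StringComparison.OrdinalIgnoreCase));
        }

        protected override string CreateUniqueUserName(UserManager<ApplicationUser> userManager, ExternalLoginInfo externalLoginInfo)
        {
            Assert.ArgumentNotNull(userManager, nameof(userManager));
            Assert.ArgumentNotNull(externalLoginInfo, nameof(externalLoginInfo));

            string email = externalLoginInfo.Email;
            if (!IsAllowedEmail(email))
            {
                // Assumption: throwing here aborts the external login before Sitecore creates the user.
                // The rejected address is logged so unexpected login attempts are visible to operators.
                Log.Warn(string.Format("Federated login rejected: '{0}' is not in an allowed domain", email), this);
                throw new InvalidOperationException("This account is not permitted to log in to Sitecore");
            }

            IdentityProvider identityProvider = this.FederatedAuthenticationConfiguration.GetIdentityProvider(externalLoginInfo.ExternalIdentity);
            if (identityProvider == null)
                throw new InvalidOperationException("Unable to retrieve identity provider for given identity");

            // Same naming scheme as CustomUserBuilder: "<domain>\<email>"
            return identityProvider.Domain + "\\" + email;
        }
    }
}
```

This complements, rather than replaces, restricting which Sitecore sites the provider is mapped to: the allow-list stops accounts being created for identities that should never be editors, while the site mapping keeps the Google button off the public website's login flow.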
