Sitefinity Azure AD Integration

Azure AD Setup

  1. Go to your Azure Active Directory → App Registrations → New Registration

  2. Give the application a name; you can leave the Redirect URI blank for now. Then click Register.

  3. Go to Authentication Tab → Add a platform → Web

  4. Redirect URIs: http://<[Sitefinity Instance]>/Sitefinity/Authenticate/OpenID/signin-custom

  5. Under "Select the tokens you would like to be issued by the authorization endpoint", check ID tokens

Sitefinity Setup

  1. Spin up (if you haven't already) and run the Sitefinity instance

  2. Log in to the Sitefinity backend → Go to Administration → Advanced → Authentication → SecurityTokenService → AuthenticationProviders → OpenIDConnect

  3. Apply the following settings:

Client ID: <[Azure AD App – Application (client) ID]>
Response type: id_token
Allowed scopes: openid profile email
Authority: https://login.microsoftonline.com/<[Azure AD App Directory (tenant) ID]>/v2.0/authorize
Metadata address: https://login.microsoftonline.com/<[Azure AD App Directory (tenant) ID]>/v2.0/.well-known/openid-configuration
Redirect URI: https://<[Sitefinity instance]>/Sitefinity/Authenticate/OpenID/signin-custom
Post logout redirect URI: https://<[Sitefinity instance]>
Title: Azure AD Login
Auto assigned roles: Administrators
Require email claim from this provider: True (check the metadata address to see which claims the provider issues and can therefore be mapped)
Claims to fields mappings: Email: email, SitefinityProfile.FirstName: name, SitefinityProfile.Nickname: nickname
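As an added example (not code from the guide, Sitefinity or Azure AD), the script below checks the Sitefinity-side settings from the table against the provider's discovery document and checks that the redirect URI registered in Azure AD matches the Sitefinity setting exactly; it flags a scheme mismatch such as the http URI in the Azure AD steps versus the https URI in the table. The discovery document, the tenant placeholder and the site.example host are constructed sample values.

```python
"""Sanity checks for the OpenID Connect settings in this guide (added example,
not code from the guide, Sitefinity or Azure AD). The discovery document is a
constructed sample in the shape of the JSON served at the metadata address."""
import json
from urllib.parse import urlsplit

# Constructed sample; TENANT_ID_PLACEHOLDER stands in for a real tenant ID. "nickname"
# is deliberately absent from claims_supported to show how an unadvertised claim is reported.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "claims_supported": ["sub", "iss", "aud", "exp", "iat", "name",
                       "preferred_username", "email"]
}""")

# Sitefinity-side values from the guide's settings table.
RESPONSE_TYPE = "id_token"
ALLOWED_SCOPES = "openid profile email"
CLAIM_MAPPINGS = {"Email": "email", "SitefinityProfile.FirstName": "name",
                  "SitefinityProfile.Nickname": "nickname"}

def check_discovery(doc, response_type, scopes, mappings):
    """Compare the Sitefinity settings with what the provider advertises; return problems."""
    problems = []
    if response_type not in doc.get("response_types_supported", []):
        problems.append(f"response type {response_type!r} not supported")
    for scope in scopes.split():
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope {scope!r} not advertised")
    for field, claim in mappings.items():
        if claim not in doc.get("claims_supported", []):
            problems.append(f"{field} maps to {claim!r}, which is not advertised")
    return problems

def check_redirect_uri(azure_uri, sitefinity_uri):
    """The URI registered in Azure AD and the Sitefinity setting must match exactly
    (scheme, host and path); a non-https scheme on either side is flagged too."""
    problems = []
    if azure_uri != sitefinity_uri:
        problems.append(f"redirect URIs differ: {azure_uri!r} vs {sitefinity_uri!r}")
    for uri in (azure_uri, sitefinity_uri):
        if urlsplit(uri).scheme != "https":
            problems.append(f"{uri} is not https")
    return problems

if __name__ == "__main__":  # the guide lists the Azure-side URI with http, the Sitefinity-side with https
    print(check_discovery(SAMPLE_DISCOVERY, RESPONSE_TYPE, ALLOWED_SCOPES, CLAIM_MAPPINGS))
    print(check_redirect_uri("http://site.example/Sitefinity/Authenticate/OpenID/signin-custom",
                             "https://site.example/Sitefinity/Authenticate/OpenID/signin-custom"))
```

In practice, fetch the metadata address with urllib and pass the parsed JSON to check_discovery() in place of the sample.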

  1. Restart Sitefinity

  2. Verification

    a. Visit http://<[Sitefinity instance]>/Sitefinity → click Azure Login

    b. On the first login it prompts you with a permission request; simply press Accept.

    c. It then prompts for your username and password. Enter them and you are routed back to the Sitefinity dashboard.

    d. Go to Administration → Users: you will see an unknown user and a default user, both with the same email address.

    e. It is working!

Further Enhancement

  • Intercept the Azure AD callback response and create the necessary users with a proper profile
  • Hide the default login method completely
    1. Create a file under /Content/Pages/login.html
    2. Comment out the unnecessary blocks: login.html (github.com)
    3. Restart Sitefinity, and you will see only the Azure Login button
    4. Consider writing a script that redirects on page load