Sitecore Federated Authentication - Create a custom External User

Sitecore supports OWIN-based federated authentication, which lets the Sitecore login be integrated with external identity providers.

The following link gives more details on how to use federated authentication:

https://doc.sitecore.net/sitecore_experience_platform/developing/developing_with_sitecore/federated_authentication/using_federated_authentication_with_sitecore


This article gives a step-by-step guide to using AD as the identity provider.

User names must be unique across a Sitecore instance. You cannot use user names from different external providers as Sitecore user names because this does not guarantee that the user names are unique.

The DefaultExternalUserBuilder class creates a sequence of user names for a given external user name. It then uses the first of these names that does not already exist in Sitecore. The values in the sequence depend only on the external username and the Sitecore domain configured for the given identity provider.

The Sitecore user name generated by DefaultExternalUserBuilder contains a generated sequence of characters, so it is difficult to identify which user a given name belongs to.

We can override this default user name generation logic with our own class, registered in the configuration for federated authentication:

<!-- ExternalUserBuilder is what creates a user with a custom user name in Sitecore and assigns roles based on the claim transformation configured above -->
<externalUserBuilder type="XX.Feature.FederatedAuthentication.Modules.FederatedAuthentication.ExternalDomainUserBuilder, XX.Feature.FederatedAuthentication">
  <param desc="isPersistentUser">true</param>
</externalUserBuilder>

Below is an example of a class that uses the AD claim "givenname" as the Sitecore user name.

using System;
using System.Linq;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Sitecore.Diagnostics;
using Sitecore.Owin.Authentication.Identity;
using Sitecore.Owin.Authentication.Services;

namespace XX.Feature.FederatedAuthentication.Modules.FederatedAuthentication
{
    public class ExternalDomainUserBuilder : DefaultExternalUserBuilder
    {
        // isPersistentUser arrives as a string from the <param> element in the configuration
        public ExternalDomainUserBuilder(string isPersistentUser) : base(bool.Parse(isPersistentUser)) { }

        protected override string CreateUniqueUserName(UserManager<ApplicationUser> userManager, ExternalLoginInfo externalLoginInfo)
        {
            Assert.ArgumentNotNull(userManager, nameof(userManager));
            Assert.ArgumentNotNull(externalLoginInfo, nameof(externalLoginInfo));

            // The Sitecore domain (for example "extranet") comes from the identity provider's configuration
            var identityProvider = this.FederatedAuthenticationConfiguration.GetIdentityProvider(externalLoginInfo.ExternalIdentity);
            if (identityProvider == null)
                throw new InvalidOperationException("Unable to retrieve identity provider for given identity");
            var domain = identityProvider.Domain;

            // Read the AD "givenname" claim; SingleOrDefault throws if the claim is present more than once
            var name = externalLoginInfo.ExternalIdentity.Claims
                .Where(c => c.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname")
                .Select(c => c.Value)
                .SingleOrDefault();

            // Without the claim, fall back to the user name supplied by the external login
            if (string.IsNullOrEmpty(name))
            {
                return domain + "\\" + externalLoginInfo.DefaultUserName;
            }
            return domain + "\\" + name;
        }
    }
}
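The builder above returns the given name verbatim, which gives up the guarantee the post itself calls out: a given name is neither unique across a directory nor free of characters that matter in a Sitecore user name (the backslash is the domain separator). Two users who share a given name would map to the same Sitecore account, and the method no longer lives up to its name, CreateUniqueUserName. The following builder is an added example written for this page, not code from the original post or from Sitecore: it reads the user name from a configurable claim type (defaulting to the UPN, which AD keeps unique), strips the separator and other characters outside a conservative allowlist, checks the candidate against the user store and appends a counter until it is free, and falls back to the default generator when the claim is missing or ambiguous. The class name, namespace, the claimType constructor parameter, the MaxAttempts limit and the allowlist of characters are assumptions; it also assumes that UserManager.FindByName on Sitecore's user store resolves existing Sitecore users by their domain-qualified name.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Sitecore.Diagnostics;
using Sitecore.Owin.Authentication.Identity;
using Sitecore.Owin.Authentication.Services;

namespace XX.Feature.FederatedAuthentication.Modules.FederatedAuthentication
{
    // Hypothetical builder (not part of the post): maps a configurable claim to a
    // Sitecore user name and guarantees the name is unique before returning it.
    //
    // Registered like the post's builder, with one extra <param>:
    //   <externalUserBuilder type="...ClaimBasedUniqueUserBuilder, XX.Feature.FederatedAuthentication">
    //     <param desc="isPersistentUser">true</param>
    //     <param desc="claimType">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn</param>
    //   </externalUserBuilder>
    public class ClaimBasedUniqueUserBuilder : DefaultExternalUserBuilder
    {
        // Assumed upper bound on suffix probing; beyond this something is wrong with the store.
        private const int MaxAttempts = 100;

        private readonly string _claimType;

        public ClaimBasedUniqueUserBuilder(string isPersistentUser, string claimType)
            : base(bool.Parse(isPersistentUser))
        {
            // UPN is unique per account in AD, unlike givenname.
            _claimType = string.IsNullOrWhiteSpace(claimType) ? ClaimTypes.Upn : claimType;
        }

        protected override string CreateUniqueUserName(UserManager<ApplicationUser> userManager, ExternalLoginInfo externalLoginInfo)
        {
            Assert.ArgumentNotNull(userManager, nameof(userManager));
            Assert.ArgumentNotNull(externalLoginInfo, nameof(externalLoginInfo));

            var identityProvider = this.FederatedAuthenticationConfiguration.GetIdentityProvider(externalLoginInfo.ExternalIdentity);
            if (identityProvider == null)
                throw new InvalidOperationException("Unable to retrieve identity provider for given identity");

            // Use the claim only when it is present exactly once; an absent or duplicated
            // claim falls back to Sitecore's default generator instead of a guessed name.
            var values = externalLoginInfo.ExternalIdentity.FindAll(_claimType)
                .Select(c => c.Value)
                .Where(v => !string.IsNullOrWhiteSpace(v))
                .Distinct(StringComparer.OrdinalIgnoreCase)
                .ToList();
            if (values.Count != 1)
                return base.CreateUniqueUserName(userManager, externalLoginInfo);

            var local = SanitizeLocalPart(values[0]);
            if (local.Length == 0)
                return base.CreateUniqueUserName(userManager, externalLoginInfo);

            // Probe the user store so two accounts never collapse onto one Sitecore user.
            var domain = identityProvider.Domain;
            var candidate = domain + "\\" + local;
            for (var attempt = 1; userManager.FindByName(candidate) != null; attempt++)
            {
                if (attempt > MaxAttempts)
                    throw new InvalidOperationException("Could not find a free user name for claim value '" + local + "'");
                candidate = domain + "\\" + local + attempt;
            }
            return candidate;
        }

        // Keeps letters, digits, '.', '_' and '-' and replaces everything else (including the
        // backslash domain separator and '@' from a UPN) with '_'. The allowlist is an
        // assumption chosen to be conservative, not Sitecore's documented rule.
        private static string SanitizeLocalPart(string value)
        {
            var sb = new StringBuilder(value.Length);
            foreach (var ch in value.Trim())
                sb.Append(char.IsLetterOrDigit(ch) || ch == '.' || ch == '_' || ch == '-' ? ch : '_');
            return sb.ToString().Trim('_');
        }
    }
}
```

With the UPN claim, jane.doe@corp.example becomes extranet\jane.doe_corp.example; if that name is already taken the builder returns extranet\jane.doe_corp.example1, and so on. Keeping the fallback to base.CreateUniqueUserName means a provider that omits the configured claim still produces a unique (if opaque) name rather than a shared one, which is the property the post's introduction asks for.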
