No groups claim? No Problem!
How to use App Roles instead of groups.
While implementing federated authentication for another client, I ran into a new issue. This client only intended to use Azure AD for the back-end, which simplified the process greatly. I only needed to create a User Builder class, implement the correct configs for Identity Server, and make some small config changes for Sitecore, and voila, we should be all done. Right? Nope, think again. When testing, we ran into an issue where some users were not getting the appropriate Sitecore roles assigned to them! When I checked their account, I could see the UserBuilder class had run perfectly, so why no roles?
I had the user send me the token that was being generated for them. Using jwt.ms I was able to decode the token, and I noticed something a bit strange:
"_claim_names": {
    "groups": "src1"
},
"_claim_sources": {
    "src1": {
        "endpoint": "https://graph.windows.net/0aad2ef9-8871-4f4b-9f84-bb6fb9dc58de/users/9091fa67-7c39-42f1-a6ab-d4094cceb2fb/getMemberObjects"
    }
}
Well, that's not what we were expecting!
Normally we're used to seeing a groups claim containing the GUIDs of the Azure groups.
After doing some research, it seems the issue is that the Azure ID token is limited to 250 groups. That might seem like a lot, but many groups have child or inherited groups, which can result in far more groups than expected. Instead of the group list, the token carries a _claim_sources pointer to a Graph endpoint that has to be called to fetch the memberships. We found out that the users who were not receiving the proper roles in Sitecore were the ones who exceeded this limit.
The Solution
Forget groups! We're going to pivot to App Roles. Within your application registration, we can create App Roles. These are similar to groups, but are specific only to this application. This fits our use case, because we are only creating these groups to assign the Sitecore roles.
Configuring in Azure
- Go to the App Registration, and on the left press Manifest. Inside the manifest, change groupMembershipClaims to null and save the manifest.
- On the left menu inside the App Registration, click App Roles. Here we create the roles we need. For each role press "+ Create app role" and fill in the following values:
  - Display Name: "Role name"
  - Allowed Member Types: "Users/Groups"
  - Value: "RoleValue" (for example this could be "SitecoreAdmin")
  - Description: "Assigns the admin role for Sitecore."
  If done correctly, you should now see your App Roles inside your application's Manifest.
- Time to assign the roles to users. Leave the App Registration, and search for "Enterprise Applications" in the top menu of the Azure Portal. Find and select the enterprise application for your Sitecore app registration.
- Inside the Enterprise Applications menu for our application, press "Users and Groups" on the left menu.
- To add a user with their role:
  - Press "Add user/group".
  - Under Users press the "None Selected" link.
  - Select all the users who need the Admin role.
  - Under "Select a role" press the "None Selected" link.
  - You should see the roles we created in the previous steps; assign these roles to the users.
  - In the bottom left, press the Assign button.
  - Repeat these steps for the other roles.
Great! Now you should see the token looks a little different. Instead of a groups claim, we now see a roles claim, containing the assigned roles we created in Azure! It should look a little like this:
"roles": [
    "SitecoreAdmin",
    "WhateverValueYouPutForYourRoles"
],
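To check which of the two token shapes above a user is actually receiving, here is a small diagnostic added for this write-up (not code from the original post or from Sitecore). It decodes the JWT payload without verifying the signature, so it is for troubleshooting only, never for an authorization decision; the sample tokens and GUID placeholders are constructed.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_payload(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def classify_claims(payload: dict) -> dict:
    """Report whether membership arrived as groups, as app roles, or as a groups overage pointer."""
    names = payload.get("_claim_names", {})
    sources = payload.get("_claim_sources", {})
    overage = "groups" in names and names["groups"] in sources
    return {
        "groups": payload.get("groups", []),
        "roles": payload.get("roles", []),
        "groups_overage": overage,
        "overage_endpoint": sources[names["groups"]].get("endpoint") if overage else None,
    }


def _make_token(payload: dict) -> str:
    """Build an unsigned alg=none token from a payload (constructed test data, not a real token)."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()).rstrip(b"=")
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=")
    return f"{header.decode()}.{body.decode()}."


# Constructed samples mirroring the two shapes discussed: the overage token and the roles token.
OVERAGE_TOKEN = _make_token({
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.windows.net/TENANT-ID/users/USER-ID/getMemberObjects"}},
})
ROLES_TOKEN = _make_token({"roles": ["SitecoreAdmin", "SitecoreAuthor"]})

if __name__ == "__main__":
    for label, tok in (("before", OVERAGE_TOKEN), ("after", ROLES_TOKEN)):
        print(label, classify_claims(decode_payload(tok)))
```

A user whose report shows groups_overage as True with an empty groups list is exactly the case the post describes: Identity Server never sees the GUIDs, so no GroupToRole transformation can match.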
Updating the Identity Server Configuration
Now we need to update the Identity Server configuration to accept these App Roles instead of the group GUIDs. This process is fairly straightforward.
OLD GROUP CLAIM
<GroupToRole type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders">
    <SourceClaims>
        <Claim1 type="groups" value="GROUP GUID HERE" />
    </SourceClaims>
    <NewClaims>
        <Claim1 type="role" value="sitecore\Role Name" />
    </NewClaims>
</GroupToRole>
NEW ROLE CLAIM
<RoleToRole type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders">
    <SourceClaims>
        <Claim1 type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" value="AppRoleValue" />
    </SourceClaims>
    <NewClaims>
        <Claim1 type="role" value="sitecore\Role Name" />
    </NewClaims>
</RoleToRole>
As you can see, we are really only changing the <SourceClaims> section: the type becomes the role claim schema URI instead of the string "groups" (the token's roles claim is surfaced under that claim type once Identity Server maps the inbound JWT claims), and the value changes from the group GUID to the Value you entered when creating the App Role.
After that you should be all done! Your token will now carry App Roles, and your Sitecore instance is ready to accept them. Congrats!