Thursday, 24 January 2013

How to enable Single Sign On in Sitecore with Active Directory Users and Roles

(This assumes the reader is already familiar with Single Sign On.)

Single sign on requires that the site is not running under anonymous authentication. In IIS, anonymous authentication should be disabled and Basic or Windows authentication enabled.


Single sign on functionality comes with the Active Directory module from Sitecore; you can get the latest version from SDN. The module integrates AD with the Sitecore instance and needs the LDAP path and a few provider configuration settings in the web.config file.
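Added example (not from the original post and not the module's shipped configuration): the shape of the IIS authentication and provider settings referred to above, merged into the existing web.config elements. The LDAP path, the service account and its password are placeholders; the provider type names are assumed from the Active Directory module's LightLDAP assembly.

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder LDAP path: point it at the OU that holds the Sitecore users -->
    <add name="LDAPConnString"
         connectionString="LDAP://dc01.corp.example.local:389/OU=Sitecore Users,DC=corp,DC=example,DC=local" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <!-- Provider name "ad" is the Sitecore domain AD users log in under (ad\username);
             the same name must be registered as a domain in App_Config/Security/Domains.config -->
        <add name="ad" type="LightLDAP.SitecoreADMembershipProvider"
             connectionStringName="LDAPConnString" applicationName="sitecore"
             connectionUsername="CORP\svc-sitecore-ldap" connectionPassword="[placeholder]"
             connectionProtection="Secure" attributeMapUsername="sAMAccountName"
             minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0"
             requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
             enableSearchMethods="true" />
      </providers>
    </membership>
    <roleManager>
      <providers>
        <!-- Role provider that maps AD groups to the sitecore\Sitecore Client ... roles -->
        <add name="ad" type="LightLDAP.SitecoreADRoleProvider"
             connectionStringName="LDAPConnString" applicationName="sitecore"
             username="CORP\svc-sitecore-ldap" password="[placeholder]"
             cacheSize="2MB" />
      </providers>
    </roleManager>
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <!-- Single sign on: the browser must present the Windows identity, so anonymous access is off -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

The service-account credentials should not stay in clear text: encrypt the membership and roleManager sections with aspnet_regiis -pe before deployment. The authentication elements can only be set from web.config when applicationHost.config allows that section to be overridden at site level.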


The module installs the LDAP dll, its configuration and a few aspx pages. Once installed, the LDAP login page is available under /website/Sitecore/admin/ldaplogin.aspx. Along with that, a few more roles become available in Sitecore:

sitecore\Sitecore Client Account Managing
sitecore\Sitecore Client Authoring
sitecore\Sitecore Client Configuring
sitecore\Sitecore Client Designing
sitecore\Sitecore Client Developing
sitecore\Sitecore Client Forms Author
sitecore\Sitecore Client Maintaining
sitecore\Sitecore Client Publishing
sitecore\Sitecore Client Securing
sitecore\Sitecore Client Translating
sitecore\Sitecore Client Users

How Single Sign on works with LDAP (AD) module

Since the site uses Windows authentication, the LDAP module takes the identity of the user currently logged in to the browser and attempts to log that user in to the Sitecore client. The minimum role the user must have is Sitecore Client Users. If the user does not have the proper roles, the LDAP module raises an access denied error and redirects to the default Sitecore login page.

Each group has a different access level. For the minimum level of access, the user must be a member of Sitecore Client Users.

Brief information on each group:

Group                                     | Members (Domain - Sitecore)   | Member Of
------------------------------------------|-------------------------------|----------------------
sitecore\Sitecore Client Account Managing | Sitecore Local Administrators | Sitecore Client Users
sitecore\Sitecore Client Authoring        | Author                        | Sitecore Client Users
sitecore\Sitecore Client Configuring      | Developer                     | Sitecore Client Users
sitecore\Sitecore Client Designing        | Design                        | Sitecore Client Users
sitecore\Sitecore Client Developing       | Developer                     | Sitecore Client Users
sitecore\Sitecore Client Forms Author     | Sitecore Marketer Form Author | Sitecore Client Users
sitecore\Sitecore Client Maintaining      | Developer                     | Sitecore Client Users
sitecore\Sitecore Client Publishing       | -                             | Sitecore Client Users
sitecore\Sitecore Client Securing         | Sitecore Local Administrators | Sitecore Client Users
sitecore\Sitecore Client Translating      | -                             | Sitecore Client Users
sitecore\Sitecore Client Users            | -                             | All Other Groups

Ex: A normal content author should at least be a member of the Sitecore Client Authoring group.

Setting up the LDAP login as the default login

The default login site in Sitecore is /Sitecore/Login and the default page is Default.aspx.

The following tweak makes the LDAP login the default:

1. Rename default.aspx to default-login.aspx in the /Sitecore/login folder.
2. Copy the LDAP login page from the /Sitecore/admin folder to the /Sitecore/login folder.
3. Rename LDAPLogin.aspx to Default.aspx in the /Sitecore/Login folder.
4. Add the following JavaScript to Default.aspx (the former LDAPLogin.aspx) to redirect to the default login page when the LDAP login fails.


    <script type="text/javascript">
        // Returns the value of a query string parameter from the current URL,
        // or default_ (an empty string unless supplied) when it is absent.
        function getQuerystring(key, default_) {
            if (default_ == null) default_ = "";
            // Escape [ and ] so the key is matched literally inside the regex
            key = key.replace(/[\[]/, "\\\[").replace(/[\]]/, "\\\]");
            var regex = new RegExp("[\\?&]" + key + "=([^&#]*)");
            var qs = regex.exec(window.location.href);
            if (qs == null)
                return default_;
            else
                return qs[1];
        }
        // No sc_error in the URL: the LDAP login did not sign the user in, so
        // fall back to the renamed Sitecore login page with an access message.
        if (getQuerystring('sc_error') == '') {
            window.location = '/sitecore/login/default-login.aspx?sc_error=You do not have access to the system.';
        }
    </script>

By doing this, we make the LDAP login page the default one. Sitecore domain users can still log in using the /Sitecore/Login/Default-login.aspx URL.

This gives the user Single Sign On functionality.

Note: Sitecore admin users need not be in any of the above groups to access the Content Editor; they can access the whole system.

Access Levels of each Group (Ref: Link)

1. Everyone

Applications:
- Content Editor
- Media Library
- WebEdit
- Preview
- Carousel
- Recycle Bin
- Search
- Workbox
- Control Panel

Content Editor Commands:
- Navigate
- Review
- Versions
- View

Control Panel Commands:
- Administration
- Preferences
- Reports

2. Sitecore Client Users

Every user who wants to log in using LDAP or Single Sign On has to be a member of this group. If not, the LDAP login refuses the user with the following error:

Cannot log in: The user '<DOMAIN>\<USERNAME>' is not a member of the 'sitecore\Sitecore Client Users' role

3. Sitecore Client Authoring

This is the basic role a user needs in order to author content on the site.

Access to:
- The Home tab, all chunks and commands.
- The Review tab, Validate and Workflow chunks.
- The Publish tab, Restrictions chunk.
- The Versions tab, Versions chunk.

4. Sitecore Client Configuring

Access to:
- Change the appearance
- Configure tab in the Content Editor

5. Sitecore Client Maintaining

This role is for the Sitecore developer; it is roughly the next highest level of access after the Admin role.

Application Access:
- Template Manager
- Development Tools
- Reporting Tools
- All Applications

Content Editor Commands:
- Versions tab Reset command
- Configure tab Change Template and Edit Template
- Presentation

Control Panel Commands:
- Administration
- Database
- Globalization
- Reports
6. Sitecore Client Publishing

This role provides access to trigger publishing. It enables the Publish chunks on the Publish tab for items in the content tree.

7. Sitecore Client Account Managing

Sitecore Client Account Managing provides access to the applications used to maintain users, roles and domains.

8. Sitecore Client Designing

Sitecore Client Designing provides access to the Page Editor Design Pane features.

9. Sitecore Client Translating

Provides access to languages other than the site's default language.

Content Editor Commands:
- Review
- Versions

Control Panel:
- Reports

10. Sitecore Client Securing

Provides access to maintain users, roles and access rights.

Applications:
- Security Editor
- Security Tools

Content Editor:
- Security Tab

Control Panel:
- User Manager
- Create a new User

11. Sitecore Client Developing

The developer role needs the following roles as well:
- Sitecore Client Authoring
- Sitecore Client Maintaining
- Sitecore Client Configuring
- Sitecore Client Securing

Applications:
- Developer Center
- Debug
- Development Tools

Content Editor Commands:
- View chunk's Hidden Items, Standard Fields, and Raw Values toggles

Control Panel:
- Database

12. Sitecore Client Forms Author

This role allows the user to design web forms using the Web Forms for Marketers module.


Recommended Roles and Access Levels

1. An Author:

An author is a person who makes content changes, adds new versions, configures items (for example, sets an item's icon) and designs forms using WFM.

Roles:
a. Sitecore Client Users (base for the other roles)
b. Sitecore Client Authoring
c. Sitecore Client Translating
d. Sitecore Client Forms Author
e. Sitecore Client Configuring
f. Sitecore Client Designing (higher access, to set layouts)

2. A Security Administrator:

A security admin is the one who performs administrative tasks such as adding a new user, granting access to Sitecore items and verifying users' access levels.

Roles:
a. Sitecore Client Users (base for the other roles)
b. Sitecore Client Securing
c. Sitecore Client Account Managing

3. A Release Manager:

A release manager is the one who takes care of deployments and manages the content tree. He is the one who handles package installation and publishing.
(Facilitator, Gatekeeper, Architect, Coordinator)

Roles:
a. Sitecore Client Users (base for the other roles)
b. Sitecore Client Maintaining
c. Sitecore Client Publishing
d. Sitecore Client Configuring

4. A Developer:

A developer needs access to the developer-specific functionality in the user interface.

Roles:
a. Sitecore Client Users (base for the other roles)
b. Sitecore Client Developing
c. Sitecore Client Maintaining
d. Sitecore Client Designing
e. Sitecore Client Configuring
f. Sitecore Client Authoring
g. Sitecore Client Translating
h. Sitecore Client Forms Author
i. Sitecore Client Securing (higher access, not recommended)

Reference:

1. SDN - http://sdn.sitecore.net
2. Sitecore Security Reference - PDF