
Sitecore hardening using Azure App Authentication

With Azure App Authentication it is easy to secure your app with an identity provider. The steps to take are described on the following page:
https://docs.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-how-to-configure-active-directory-authentication .

To secure only certain URL paths, you must set "Action to take when request is not authenticated" to "Allow request (no action)", so that the per-path rules below decide what happens instead.

When you have followed the instructions above, the next step is to create an authorization.json file with the following content:

    {
      "routes": [
        {
          "path_prefix": "/",
          "policies": { "unauthenticated_action": "AllowAnonymous" }
        },
        {
          "path_prefix": "/sitecore/service",
          "policies": { "unauthenticated_action": "AllowAnonymous" }
        },
        {
          "path_prefix": "/sitecore/api",
          "policies": { "unauthenticated_action": "AllowAnonymous" }
        },
        {
          "path_prefix": "/sitecore/client",
          "policies": { "unauthenticated_action": "AllowAnonymous" }
        },
        {
          "path_prefix": "/sitecore",
          "policies": { "unauthenticated_action": "RedirectToLoginPage" }
        }
      ]
    }

Once you have uploaded the file, restart the app to activate the authentication.
More information on assigning specific access policies to specific URL paths can be found here:

URL Authorization Rules

After applying the JSON file and policies you will be asked to authenticate to an identity provider when
you try to access the path https://YOURWEBSITE/sitecore/ . All other paths remain reachable without authentication, since their unauthenticated_action is
set to AllowAnonymous.
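To see which action the rules above actually apply to a given request path, and which anonymous prefixes sit underneath the protected /sitecore prefix, here is a small audit script. It is an added example, not part of the original post or of Azure App Service; it assumes that the most specific (longest) matching path_prefix wins, that matching is case-insensitive, and that a prefix only matches on a path-segment boundary.

```python
import json

# The authorization.json from the post, reproduced inline (constructed sample input).
AUTHZ_JSON = """
{
  "routes": [
    {"path_prefix": "/", "policies": {"unauthenticated_action": "AllowAnonymous"}},
    {"path_prefix": "/sitecore/service", "policies": {"unauthenticated_action": "AllowAnonymous"}},
    {"path_prefix": "/sitecore/api", "policies": {"unauthenticated_action": "AllowAnonymous"}},
    {"path_prefix": "/sitecore/client", "policies": {"unauthenticated_action": "AllowAnonymous"}},
    {"path_prefix": "/sitecore", "policies": {"unauthenticated_action": "RedirectToLoginPage"}}
  ]
}
"""


def load_routes(text):
    """Parse authorization.json into (normalized_prefix, unauthenticated_action) pairs."""
    routes = json.loads(text)["routes"]
    return [(r["path_prefix"].rstrip("/").lower() or "/", r["policies"]["unauthenticated_action"])
            for r in routes]


def _matches(prefix, path):
    # Assumption: "/" matches everything; any other prefix must end on a segment
    # boundary, so "/sitecore/api" matches "/sitecore/api/x" but not "/sitecore/apixyz".
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def effective_action(routes, path):
    """Assumption: the longest matching path_prefix decides the action."""
    path = path.rstrip("/").lower() or "/"
    best = max((r for r in routes if _matches(r[0], path)), key=lambda r: len(r[0]))
    return best[1]


def anonymous_holes(routes, protected_prefix):
    """List AllowAnonymous prefixes nested under a prefix that requires authentication."""
    protected = protected_prefix.rstrip("/").lower() or "/"
    return sorted(p for p, action in routes
                  if action == "AllowAnonymous" and p != protected and _matches(protected, p))


if __name__ == "__main__":
    routes = load_routes(AUTHZ_JSON)
    for p in ("/", "/sitecore", "/sitecore/shell", "/sitecore/api/ssc/item"):
        print(f"{p:28} -> {effective_action(routes, p)}")
    print("anonymous under /sitecore:", anonymous_holes(routes, "/sitecore"))
```

The three nested anonymous prefixes are exactly the ones the post opens for Sitecore's own services; the audit makes that exposure explicit so it can be reviewed deliberately.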

So once you have validated your identity you will see the Sitecore login screen. At this stage you can log in with
your Sitecore user credentials. The problem from this point on, however, seems to be that some required headers have been lost.

For example, __RequestVerificationToken is not there anymore. I have opened a ticket with Sitecore to resolve this issue, since
this blocks us from implementing App Service authentication just yet. To be continued.

2 Comments

  1. Arjan Timmer

    Hi Bram,

    Any news from Sitecore yet?
    I’m struggling with the same issue here 🙂

    Best regards,
    Arjan

  2. Hi Arjan, the latest update Sitecore provided:

    ____________________________________________
    I’ve managed to find a viable solution for you. It would require some customization though.
    The idea is to create a custom login page for the “shell” site, which implements a kind of Single Sign-On scenario. Here is a sample code-behind for such page:

    using System;
    using System.Web;

    protected void Page_Load(object sender, EventArgs args)
    {
        // Name of the user already authenticated by AAD / App Service Authentication
        var userName = HttpContext.Current.User.Identity.Name;
        var startUrl = "/sitecore/shell";
        // Create the Sitecore user on first sign-in; this sample makes it an administrator
        if (!Sitecore.Security.Accounts.User.Exists(userName))
        {
            var user = Sitecore.Security.Accounts.User.FromName(userName, true);
            user.Profile.IsAdministrator = true;
            user.Profile.Save();
        }
        // Log the user in to Sitecore and send them to the Shell
        if (Sitecore.Security.Authentication.AuthenticationManager.Login(userName, true, true))
        {
            Sitecore.Web.WebUtil.Redirect(startUrl);
        }
    }

    As you see, the code just takes the name of the AAD authenticated user from HttpContext.Current.User.Identity.Name, forms a Sitecore user and logs in the user to Sitecore Shell.
    You can place such a page into any folder under Website root, e.g. to the /sitecore/login folder.
    Then just use the page path as a value of the loginPage attribute in the definition of the “shell” site:



    ……

    This approach will allow you even to avoid additional Sitecore authentication after the AAD one.
    Please note, that the above code uses administrator user – pay attention to the highlighted lines.
    You can, however, assign some specific roles instead. So please consider changing the code sample according to your needs.
    ____________________________________________

    This, however, caused the login page not to work as expected:
    "When I navigate to /sitecore I still get redirected to /sitecore/login instead of the expected aadRedirect.aspx. When navigating to sitecore/shell it works."

    Sitecore responded the following to this issue:

    ____________________________________________

    The /sitecore/login URL appeared to be hardcoded as a redirection target for the /sitecore/default.aspx page. I can suggest the following changes to completely replace the default login page:
    – rename the /sitecore/login/default.aspx page to /sitecore/login/login.aspx;
    – rename the /sitecore/login/aadredirect.aspx page to /sitecore/login/default.aspx;
    ____________________________________________

    Hope this will get you further,

    Also please be aware that Azure Active Directory is officially supported starting from Sitecore 9.0. Find more info here: https://doc.sitecore.net/sitecore_experience_platform/developing/developing_with_sitecore/federated_authentication/using_federated_authentication_with_sitecore
