
Configure OpenID Connect (OIDC)

OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It enables client applications to rely on authentication that is performed by an OpenID Connect Provider to verify the identity of a user.

Warning

Before enabling an SSO connection, we highly recommend reading about what happens when you enable SSO!

Note

To configure SSO, you must have an Organization Admin or Organization Owner role. You must also have the ability to register Sitecore Cloud Portal with your IdP and the ability to create a TXT record with your domain host.

To allow team members to log in using an OIDC identity provider, you need to:

  1. Register Sitecore Cloud Portal with your OIDC identity provider

  2. Add a new SSO connection

  3. Verify the domain

  4. Test the connection

  5. Enable the connection

Step 1: Register Sitecore Cloud Portal with your OIDC identity provider

Before you add an SSO connection, you must register Sitecore Cloud Portal with your identity provider. The process varies depending on the OpenID provider. The following are configuration guides for some common OpenID Connect identity providers:

Azure Active Directory

Google

AWS Cognito

Salesforce

Auth0

OneLogin

Okta

Step 2: Add an SSO connection in Sitecore Cloud Portal

  1. Navigate to the Sitecore Cloud Portal SSO page and click Add SSO connection.

  2. In the drop-down menu, select OpenID Connect.

  3. In the Add SSO connection dialog, enter the details for your connection, then click Save.

    Field            Description
    Domain           Domain that can be authenticated in the Identity Provider.
    Connection name  Unique name for your SSO connection.
    Connection type  Front Channel uses the OIDC protocol with response_mode=form_post and response_type=id_token. Back Channel uses response_type=code.
    Issuer URL       The URL of the discovery document of the OpenID Connect provider you want to connect with.
    Client ID        When you created your
    Scopes
    Client secret
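The connection type, issuer URL, client ID, scopes and nonce handling described in the table above, worked through as an added example (this is not Sitecore Cloud Portal code and not any provider's SDK). It derives the discovery document URL from the issuer, builds the authorization request that each connection type implies, and runs the claim checks a relying party applies to the returned ID token after verifying its signature. The issuer, client ID, redirect URI and token claims are made-up placeholders.

```python
"""Added example, not Sitecore's code: OIDC request construction and ID token
claim validation for the two connection types. All values below are assumed."""
import time
from urllib.parse import urlencode

# Assumed placeholders; in practice these come from your IdP registration.
ISSUER = "https://idp.example.com"                    # the Issuer URL field
CLIENT_ID = "portal-client-id-placeholder"            # the Client ID field
REDIRECT_URI = "https://portal.example.com/callback"  # assumed callback URI


def discovery_url(issuer: str) -> str:
    """OIDC Discovery publishes the provider metadata at a fixed path under the issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def authorization_request(authorization_endpoint, connection_type, scopes, state, nonce):
    """Build the authorization request URL for a Front Channel or Back Channel connection.

    Front Channel: response_type=id_token with response_mode=form_post, so the
    browser POSTs the ID token straight to the redirect URI (nonce is mandatory).
    Back Channel: response_type=code; the client later redeems the code at the
    token endpoint using its client secret, so no token crosses the browser.
    """
    if "openid" not in scopes:
        raise ValueError("the openid scope is required for an OIDC request")
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,  # bound to the browser session; protects against CSRF
        "nonce": nonce,  # must be echoed inside the ID token; protects against replay
    }
    if connection_type == "Front Channel":
        params["response_type"] = "id_token"
        params["response_mode"] = "form_post"
    elif connection_type == "Back Channel":
        params["response_type"] = "code"
    else:
        raise ValueError(f"unknown connection type: {connection_type}")
    return authorization_endpoint + "?" + urlencode(params)


def validate_id_token_claims(claims, expected_nonce, now=None, leeway=60):
    """Claim checks on a decoded ID token payload. They are applied only after the
    JWT signature has been verified against the provider's JWKS; a valid signature
    alone does not prove the token was issued for this client or this login.
    Returns a list of problems; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        problems.append("audience does not include this client")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        problems.append("multiple audiences but azp is not this client")
    if claims.get("exp", 0) + leeway < now:
        problems.append("token expired")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (possible replay)")
    return problems


if __name__ == "__main__":
    endpoint = "https://idp.example.com/authorize"  # normally read from the discovery document
    print(discovery_url(ISSUER))
    print(authorization_request(endpoint, "Front Channel", ["openid", "email"], "s1", "n1"))
    print(authorization_request(endpoint, "Back Channel", ["openid", "email"], "s1", "n1"))
```

The authorization endpoint is read from the discovery document in a real client; it is hard-coded here only so the block runs offline. The nonce check is what makes the Front Channel variant safe to use at all, since the ID token arrives via the user's browser rather than over a server-to-server call.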

Step 3: Verify your domain

  1. Navigate to the Sitecore Cloud Portal SSO page, and for the connection you want to verify, click Verify domain.

  2. In the Verify domain dialog, copy the TXT record, then add it to your domain's DNS record.

    Adding a TXT record to your domain host varies depending on your domain host.

    In general, you should:

    1. Sign into your domain registrar with the account and password you used to buy your domain or to manage your website.

    2. Go to the section where you can update your domain's TXT records. This is typically called: DNS settings, DNS management, or advanced settings.

    3. Create a new TXT record.

    For some examples, see Google's custom instructions for many popular domain registrars.

  3. Click Verify domain.

    Note

    Domain verification can take up to 72 hours to complete.
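Before waiting out the verification window, it helps to confirm that the TXT record is actually visible in DNS. The following is an added example, not Sitecore's tooling: it parses TXT answers in the form `dig +short TXT <domain>` prints them and checks for the expected value. Long TXT records are stored as several quoted character-strings that must be concatenated, which is a common reason a record "looks right" in the registrar's UI but fails to match. The sample answer lines and the verification value are constructed placeholders.

```python
"""Added example, not Sitecore's code: find a verification TXT record in
dig-style answer lines. The sample data and record value are made up."""
import re

# Each quoted character-string of a TXT record, with escaped quotes/backslashes allowed.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def txt_record_values(dig_output: str) -> list:
    """One TXT RR per line; each RR is one or more quoted strings that resolvers
    display separately and that must be joined to recover the full value."""
    values = []
    for line in dig_output.splitlines():
        parts = QUOTED.findall(line)
        if parts:
            joined = "".join(p.replace('\\"', '"').replace("\\\\", "\\") for p in parts)
            values.append(joined)
    return values


def domain_is_verified(dig_output: str, expected_record: str) -> bool:
    """True if the exact record copied from the Verify domain dialog is published."""
    return expected_record.strip() in txt_record_values(dig_output)


# Constructed sample of `dig +short TXT example.com` output; the second record is a
# long value that the resolver reports as two character-strings.
SAMPLE_ANSWER = '''"v=spf1 include:_spf.example.net ~all"
"example-verification=PLACEHOLDER-PART-ONE" "PLACEHOLDER-PART-TWO"
'''
EXPECTED_RECORD = "example-verification=PLACEHOLDER-PART-ONEPLACEHOLDER-PART-TWO"

if __name__ == "__main__":
    print(txt_record_values(SAMPLE_ANSWER))
    print("verified" if domain_is_verified(SAMPLE_ANSWER, EXPECTED_RECORD) else "not yet visible")
```

Query an external resolver as well as your registrar's nameservers; a record that is only visible on the authoritative servers has not propagated yet, which is the usual cause of the delay noted above.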

Step 4: Test your SSO connection

  1. After verifying your domain, in the Verify domain dialog, click Test SSO connection.

    You can also test your SSO connection by navigating to the Sitecore Cloud Portal SSO page and clicking Test for the connection you want to test.

  2. ...

Edit an SSO connection

Changing the settings of an existing SSO connection can cause it to stop working for the team members who use it. To edit an existing SSO connection:

  • ...

Delete an SSO connection

When you delete an SSO connection, team members that belong to the deleted SSO connection must reset their password and log in using the default Sitecore authentication.

To delete an SSO connection:

  • ...