
User Roles Are Being Removed Following Active Directory (AD) Login in Sitecore 10.1.3


Our website originally ran on Sitecore 10.1.1. To pick up specific hotfixes, we upgraded it to Sitecore 10.1.3. After the upgrade a serious problem appeared: when users logged in through Active Directory (AD), their Sitecore roles were removed. Because those roles granted the users their access, the affected users could not log in again afterwards.

To solve this issue, we raised a Sitecore support ticket, and Sitecore suggested the solution below:

I reproduced and fixed the issue in my local environment in the following way:

1. Install Sitecore 10.1.1.

2. Configure custom Azure AD identity provider on CM.

3. Add a Sitecore role (e.g. “sitecore\Forms Editor”) to an Azure AD user in User Manager.

4. Install Sitecore 10.1.3 rev. 009359 PRE.

5. Login using an Azure AD user.

In this case, the defined role in the 3rd step is removed.

6. Add the following section to the custom Azure AD identity provider's definition in the configuration:

<clearroleswhensignin>false</clearroleswhensignin>

7. Repeat the 3rd step.

8. Log in using an Azure AD user.

In this case, the defined role on the 7th step is not removed.

I see that your “keycloak” identity provider is defined in the “\App_Config\Include\XXXX\FederatedAuthenticationSettings.config” file.

The <clearroleswhensignin>false</clearroleswhensignin> section is missing under the following node:

<identityProvider id="keycloak" type="Sitecore.Owin.Authentication.Configuration.DefaultIdentityProvider, Sitecore.Owin.Authentication">

I see that this section is only added under the out-of-the-box “SitecoreIdentityServer” identity provider's node:

<identityProvider id="SitecoreIdentityServer" type="Sitecore.Owin.Authentication.IdentityServer.IdentityServerProvider, Sitecore.Owin.Authentication.IdentityServer" resolve="true" patch:source="Sitecore.Owin.Authentication.IdentityServer.Disabler.config">

So, to resolve the issue, please update the configuration of the “\App_Config\Include\XXXX\FederatedAuthenticationSettings.config” file as follows:

<identityProvider id="keycloak" type="Sitecore.Owin.Authentication.Configuration.DefaultIdentityProvider, Sitecore.Owin.Authentication">
  <param desc="name">$(id)</param>
  <param desc="domainManager" type="Sitecore.Abstractions.BaseDomainManager" resolve="true" />
  <caption>Log in with keycloak</caption>
  <icon>/sitecore/shell/themes/standard/Custom/24x24/msazure.png</icon>
  <domain>sitecore</domain>
  <enabled>true</enabled>
  <clearroleswhensignin>false</clearroleswhensignin>
  <transformations hint="list:AddTransformation">
    <transformation type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
      <sources hint="raw:AddSource">
        <claim name="groups" value="SitecoreAdmin" />
      </sources>
      <targets hint="raw:AddTarget">
        <claim name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" value="Sitecore\Developer" />
      </targets>
      <keepSource>true</keepSource>
    </transformation>
  </transformations>
</identityProvider>

In this case, the behavior should be the same as it was in your Sitecore 10.1.1 instance.

However, the already removed roles should be added again to the affected users.

An alternative approach is to use the “Sitecore.Owin.Authentication.dll” assembly that has version 6.0.1.0 from Sitecore 10.1.1 instead of version 6.0.11.0 in your current affected instance.

I hope this will help you as well.
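Before and after an upgrade it is worth auditing every identity provider in FederatedAuthenticationSettings.config for the missing setting, rather than the one provider that happened to break. The script below is an added example, not Sitecore's code or part of the support reply: it flags enabled providers whose `<clearroleswhensignin>` is absent or not `false`, and can add the element to a named provider. It assumes the node layout shown above and works on a constructed sample config rather than a real file.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the post's config: "keycloak" lacks
# <clearroleswhensignin>, the out-of-the-box provider has it.
SAMPLE_CONFIG = """<configuration>
  <sitecore>
    <federatedAuthentication>
      <identityProviders>
        <identityProvider id="keycloak" type="Sitecore.Owin.Authentication.Configuration.DefaultIdentityProvider, Sitecore.Owin.Authentication">
          <enabled>true</enabled>
        </identityProvider>
        <identityProvider id="SitecoreIdentityServer" type="Sitecore.Owin.Authentication.IdentityServer.IdentityServerProvider, Sitecore.Owin.Authentication.IdentityServer" resolve="true">
          <enabled>true</enabled>
          <clearroleswhensignin>false</clearroleswhensignin>
        </identityProvider>
      </identityProviders>
    </federatedAuthentication>
  </sitecore>
</configuration>"""


def providers_that_clear_roles(config_xml: str) -> dict:
    """Provider id -> raw <clearroleswhensignin> text (None when absent) for
    every enabled provider where it is missing or not "false": on 10.1.3
    those providers strip the user's Sitecore roles at login, as in the post."""
    root = ET.fromstring(config_xml)
    findings = {}
    for idp in root.iter("identityProvider"):
        # Assumption: a provider with no <enabled> element counts as enabled.
        if (idp.findtext("enabled") or "true").strip().lower() != "true":
            continue
        flag = idp.findtext("clearroleswhensignin")
        if flag is None or flag.strip().lower() != "false":
            findings[idp.get("id", "?")] = flag
    return findings


def disable_role_clearing(config_xml: str, provider_id: str) -> str:
    """Return the config with <clearroleswhensignin>false</clearroleswhensignin>
    on the named provider, adding the element when it is missing."""
    root = ET.fromstring(config_xml)
    for idp in root.iter("identityProvider"):
        if idp.get("id") == provider_id:
            flag = idp.find("clearroleswhensignin")
            if flag is None:
                flag = ET.SubElement(idp, "clearroleswhensignin")
            flag.text = "false"
            return ET.tostring(root, encoding="unicode")
    raise KeyError(f"no identityProvider with id={provider_id!r}")
```

Run `providers_that_clear_roles` on the real file's contents to list providers still affected; applying `disable_role_clearing` to each of them reproduces the fix from the support reply, though a Sitecore patch file is the cleaner way to ship the change.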
