
This topic explains how to configure mixed mode authentication with OpenID Connect and the Membership provider, that is, how an Episerver Commerce application can authenticate admins/editors and shoppers/users through different authentication components. To accomplish this, you need to

  • use OpenID Connect, through the ASP.NET OpenID Connect OWIN middleware, to sign in admins from a single- or multi-tenant environment.

  • use a built-in Membership provider to authenticate users/shoppers.

You need to follow these steps in both your front-end site and in Commerce Manager.

## About Azure Active Directory and OpenID

[Azure Active Directory (Azure AD)](🔗) is Microsoft's multi-tenant cloud-based directory and identity management service. Azure AD provides single sign-on (SSO) access to many cloud-based SaaS applications, and includes a full suite of identity management capabilities.

[OAuth](🔗) is an open standard for authorization used by Azure AD. [OpenID Connect](🔗) is built on top of OAuth and extends it. You can use [OpenID Connect](🔗) as an authentication protocol rather than just an authorization protocol.

For more information about the protocols, see [Authorize access to web applications using OpenID Connect and Azure Active Directory](🔗).

## Prerequisites

#### Create and configure an Azure Active Directory Application

  • Follow this guide as a template for creating your Azure AD Application to use with OpenID Connect: [Register your application with your Azure Active Directory tenant](🔗)

  • Update the AD Application manifest to include the admin roles of your preference: [Adding application roles in Azure AD.](🔗)

#### Configure both sites to support HTTPS

  • Follow this guide to enable HTTPS in Visual Studio: [Enable SSL in IIS Express from Visual Studio](🔗).

  • Make sure not to use system or well-known ports. See [Wikipedia Registered port](🔗) for suggestions on port numbers available.

## Configure mixed mode authentication in the front-end site 

### 1\. Disable the Role Provider

In _web.config_, disable the built-in Role provider, but leave the profile system enabled, since the edit and admin views use it for language settings. You can use another profile system on the website.

### 2\. Configure Optimizely to support claims

Enable claims on virtual roles by setting the addClaims property. Also, add the provider SynchronizingRolesSecurityEntityProvider for security entities, which is used by the set access rights dialog box, content approval, and impersonating users among other things.

Users and groups are synchronized to custom Optimizely tables in the database when a user is authenticated (see ISynchronizingUserService in the code example below). There is no background synchronization, so for a role change to take effect, the user must log in to the site again.

You can also replace virtual roles with roles defined in the manifest to delegate this control from the application to Azure. See [Adding application roles in Azure Active Directory](🔗).
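As an added example (not the page's own or Optimizely's own configuration), the _web.config_ fragments that steps 1 and 2 describe, in one place. The membership provider settings, the connection string name and the virtual role names CmsAdmins and CmsEditors are assumed typical values; the `authentication mode="None"` line assumes OWIN cookie middleware handles sign-in, so the Forms authentication module must not intercept 401 responses.

```xml
<configuration>
  <system.web>
    <!-- Step 1: the role provider is off; Membership stays on so shoppers can still log in -->
    <roleManager enabled="false" />
    <membership defaultProvider="SqlServerMembershipProvider">
      <providers>
        <clear />
        <add name="SqlServerMembershipProvider" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="EPiServerDB" applicationName="EPiServerSample" />
      </providers>
    </membership>
    <!-- Leave the existing profile element as it is: edit and admin views read language settings from it -->
    <!-- OWIN cookie middleware signs users in; Forms authentication must not redirect 401s itself -->
    <authentication mode="None" />
  </system.web>
  <episerver.framework>
    <!-- Step 2: addClaims="true" emits virtual roles as claims on the authenticated identity -->
    <virtualRoles addClaims="true">
      <providers>
        <!-- Map the Azure AD appRoles (WebAdmins, WebEditors) onto the CMS virtual roles (assumed names) -->
        <add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework"
             roles="WebAdmins, Administrators" mode="Any" />
        <add name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework"
             roles="WebEditors" mode="Any" />
      </providers>
    </virtualRoles>
    <!-- Security entities for set access rights, content approval and impersonation come from the synchronized roles -->
    <securityEntity>
      <providers>
        <add name="SynchronizingProvider"
             type="EPiServer.Security.SynchronizingRolesSecurityEntityProvider, EPiServer" />
      </providers>
    </securityEntity>
  </episerver.framework>
</configuration>
```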

### 3\. Install NuGet packages

In Visual Studio, open Package Manager and install the following packages.


Always use the _Microsoft.IdentityModel.Protocol.Extensions_ package version 1.0.2 or later; previous versions contain a critical bug that can cause threads to hang. The Katana team actively updates performance and security, but bugs are sometimes logged. Visit [the Katana team's GitHub page](🔗) to stay on top of issues that could affect your implementation.

### 4\. Configure the _Startup.cs_ class to support mixed mode authentication

To configure the OpenID Connect and Membership provider, replace the code in the startup class for OWIN middleware with the following example. The SecurityTokenValidated event is used to synchronize the user and group membership to Episerver. You can also use this event for custom logic (for example, to add custom data to the user profile).
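As an added example (not the page's own or Optimizely's own code), one way to wire both middlewares in _Startup.cs_ so that shoppers sign in through the Membership provider and editors through OpenID Connect, with the SecurityTokenValidated event doing the synchronization; the Commerce Manager startup in the section below is the same minus the shopper LoginPath. It assumes Microsoft.Owin.Security.OpenIdConnect 3.x namespaces, a /Login page backed by the Membership provider, /util/login.aspx as the editors' entry point, /episerver/ as the edit UI path, and placeholder ClientId and Authority values.

```csharp
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Threading.Tasks;
using EPiServer.Security;
using EPiServer.ServiceLocation;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Both sign-in paths (Membership for shoppers, OpenID Connect for editors) end in one cookie.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            LoginPath = new PathString("/Login") // assumed: the shoppers' Membership login page
        });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<client-id-placeholder>",
            Authority = "https://login.microsoftonline.com/<tenant-placeholder>",
            AuthenticationMode = AuthenticationMode.Passive, // runs only when challenged below
            // appRoles "value" entries arrive as role claims; keep issuer validation on for a single tenant
            TokenValidationParameters = new TokenValidationParameters { RoleClaimType = ClaimTypes.Role, ValidateIssuer = true },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = async ctx =>
                {
                    // Synchronize the user and its role claims into Episerver's own tables.
                    await ServiceLocator.Current.GetInstance<ISynchronizingUserService>()
                        .SynchronizeAsync(ctx.AuthenticationTicket.Identity);
                }
            }
        });
        app.UseStageMarker(PipelineStage.Authenticate);
        // Editors and admins start the OpenID Connect sign-in here; shoppers never reach this path.
        app.Map("/util/login.aspx", map => map.Run(ctx =>
        {
            ctx.Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/episerver/" }, OpenIdConnectAuthenticationDefaults.AuthenticationType);
            return Task.FromResult(0);
        }));
        app.Map("/util/logout.aspx", map => map.Run(ctx => { ctx.Authentication.SignOut(); return Task.FromResult(0); }));
    }
}
```

Because the middleware runs in passive mode, a shopper's request is never redirected to Azure AD; only the explicit challenge at /util/login.aspx triggers it.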

## Configure OpenID Connect in Commerce Manager


With OpenID Connect and Azure Active Directory, authentication is delegated to Azure AD, and access is limited to users holding the roles defined in the Azure AD application manifest. Because Commerce Manager is business-critical software, we recommend _not_ using mixed-mode authentication for it.

### 1\. Configure the _web.config_ file and install the same packages as above 

See steps 2 and 3 above.

### 2\. Configure the Commerce Manager Startup.cs class to use OpenID Connect

To configure OpenID Connect, replace the code in the startup class for OWIN middleware with the following example. 

## Add application roles in Azure Active Directory

By default, you need to declare application roles, such as WebEditors and WebAdmins, in the active directory application. Either the application owner (developer of the app) or the global administrator of the developer’s directory can declare roles for an application.

  1. In the [Azure portal](🔗), choose your Azure AD tenant by selecting it from the top right corner of the page (Click your name. In the dropdown, you will see **Directory**. Select the Azure AD directory where you created the AD application).

  2. Select **Azure Active Directory** extension from the left navigation panel and click **App Registrations**.

  3. Click to open the application for which you want to declare application roles.

  4. From the application page, click **Manifest** to open the inline manifest editor. From here, you can choose to download the manifest or upload a modified copy if you would rather use another editor.

  5. Locate the **appRoles** setting and insert the appRole definitions in the array. Below is an example of appRoles that declares WebAdmins and WebEditors. Modify it according to your application roles.

    You need to generate a new GUID for each role declaration.

  6. Upload the edited manifest using the inline manifest editor or save your changes if you used the inline manifest editor. For more information, see [Understanding the Azure Active Directory application manifest](🔗).
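An added example of the appRoles array that step 5 describes (not the page's own manifest excerpt). The id values are obvious placeholders and must each be replaced with a freshly generated GUID; the value field is what Azure AD puts in the token's roles claim, so it must match the role names your site maps to its virtual roles.

```json
"appRoles": [
  {
    "allowedMemberTypes": [ "User" ],
    "description": "Administrators of the Episerver site",
    "displayName": "WebAdmins",
    "id": "00000000-0000-0000-0000-00000000000a",
    "isEnabled": true,
    "value": "WebAdmins"
  },
  {
    "allowedMemberTypes": [ "User" ],
    "description": "Editors of the Episerver site",
    "displayName": "WebEditors",
    "id": "00000000-0000-0000-0000-00000000000b",
    "isEnabled": true,
    "value": "WebEditors"
  }
]
```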

### Assign users and groups to roles in the AD application

To assign users and groups to specific roles in your AD application, you need to:

  1. Navigate to the registered Azure Active Directory application which you have configured to use with OpenId Connect.

  2. On the AD application main page, click **Managed application in local directory**.

  3. In the left pane, click **User and Groups**.

  4. Click **Add User**.

  5. Select or invite a user from **Users**.

  6. From **Select Role**, select a role to assign.

  7. Click **Assign**.


If a user is assigned multiple roles, repeat this process for each role.


Known issue: If the application throws an anti-forgery token exception such as _AntiForgeryToken: A Claim of Type NameIdentifier or IdentityProvider Was Not Present on Provided ClaimsIdentity_, set AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier.