Azure Active Directory integration and roles

Aaron Macdonald asked on January 30, 2023 07:57

Hi all

We have a simple requirement for k13 AAD authentication and need some additional guidance.

The requirement is just to allow admin users to log in via AAD, and that when their k13 user is created it's assigned a role which matches the corresponding AAD user's security group.

As far as Kentico documentation on this issue, we're only aware of the following article on OOB setup, but it doesn't mention anything about role assignment.

https://devnet.kentico.com/articles/integrate-azure-active-directory-with-kentico

We've also found the following article which explains how to explicitly implement the OIDC cycle in the admin app, via which roles can be manipulated.

https://dev.to/wiredviews/kentico-cms-quick-tip-azure-active-directory-authentication-n9j

The latter is a workaround and presumably not recommended by Kentico, so we'd prefer not to take that approach if role assignment is possible OOB.

We'd appreciate any advice on the recommended way to achieve the desired result, and hopefully this can serve as a future reference for anyone attempting the same.

Correct Answer

Dmitry Bastron answered on January 30, 2023 13:37

Hi Aaron,

There isn't any OOTB solution to map roles from AAD, unfortunately. At least not that I'm aware of. In the documentation you will see this note:

The claims-based authentication implemented in Xperience handles only the authentication of users (uses only the name and email of users from the tokens), you have to configure the authorization of users (permissions and roles) in Xperience itself.

The other thing, if you look at the Global events, there is one for Authenticate where you could have mapped Roles during sign in, however, unfortunately, this event doesn't contain token details (groups in your case) from AAD.

Therefore, Sean's approach you listed in your question is perhaps the only way of dealing with this case. I don't think there is a significant risk associated with this solution for you, because the new version of Kentico will have CMS admin on .net Core anyways, therefore any custom code you will write here will only target your current site.

0 votesVote for this answer Unmark Correct answer

Recent Answers

Not Applicable answered on January 30, 2023 20:36

There is the Kentico Xperience Active Directory Import Utility. Depending on your specific needs, this may be an alternative solution. It can both import and update users and roles in Kentico.

0 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.