(This assumes the reader is already familiar with Single Sign On.)
Single sign on requires that the site is not running under anonymous authentication. In IIS, anonymous authentication must be disabled and Windows authentication (or Basic authentication) enabled. Windows authentication is what actually gives single sign on, because the browser negotiates the logged-in user's identity with IIS; Basic authentication prompts for a password and sends it Base64-encoded with every request, so use it only over HTTPS and only when Windows authentication is not an option. Apply this to the authoring (content management) instance, not to a public delivery site that anonymous visitors must be able to reach.
Single sign on comes with the Active Directory module from Sitecore; the latest version is available on SDN. The module integrates AD with the Sitecore instance and needs the LDAP path and a few provider configuration settings in web.config.
The module installs the LDAP DLL, configuration files and a few aspx pages. Once it is installed, the LDAP login page is available at /website/Sitecore/admin/ldaplogin.aspx. What an AD user may do after logging in is governed by the following Sitecore client roles:
sitecore\Sitecore Client Account Managing
sitecore\Sitecore Client Authoring
sitecore\Sitecore Client Configuring
sitecore\Sitecore Client Designing
sitecore\Sitecore Client Developing
sitecore\Sitecore Client Forms Author
sitecore\Sitecore Client Maintaining
sitecore\Sitecore Client Publishing
sitecore\Sitecore Client Securing
sitecore\Sitecore Client Translating
sitecore\Sitecore Client Users
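The IIS authentication requirement above, as an added PowerShell example (not code from the original post or from the Sitecore module). It uses the WebAdministration module that ships with IIS 7 and later; the site name SitecoreCM is an assumption, and the Windows Authentication role service must already be installed on the server.

```powershell
# Added example: switch a Sitecore site from anonymous to Windows authentication
# with the WebAdministration module and verify the result.
# 'SitecoreCM' is an assumed site name; run in an elevated PowerShell session.
Import-Module WebAdministration

$SiteName = 'SitecoreCM'
$AuthPath = 'system.webServer/security/authentication'

function Set-SiteAuthentication {
    param([string]$Site, [string]$Mode, [bool]$Enabled)
    # Writing at the server level with -Location edits the <location> element in
    # applicationHost.config. This works even though IIS locks the authentication
    # sections by default, which makes the same setting in web.config fail.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
        -Filter "$AuthPath/$Mode" -Name enabled -Value $Enabled
}

function Get-SiteAuthentication {
    param([string]$Site, [string]$Mode)
    (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
        -Filter "$AuthPath/$Mode" -Name enabled).Value
}

# Anonymous off, Windows on: the browser negotiates the logged-in user's identity
# (Kerberos or NTLM) with IIS and the LDAP module picks it up.
Set-SiteAuthentication -Site $SiteName -Mode anonymousAuthentication -Enabled $false
Set-SiteAuthentication -Site $SiteName -Mode windowsAuthentication  -Enabled $true
# Basic authentication sends the password Base64-encoded with every request,
# so keep it off unless the site is HTTPS-only and Windows auth is not possible.
Set-SiteAuthentication -Site $SiteName -Mode basicAuthentication    -Enabled $false

# Verify the effective settings and fail loudly if anonymous is still on.
$state = @{}
foreach ($mode in 'anonymousAuthentication', 'windowsAuthentication', 'basicAuthentication') {
    $state[$mode] = Get-SiteAuthentication -Site $SiteName -Mode $mode
    '{0,-24} enabled = {1}' -f $mode, $state[$mode]
}
if ($state['anonymousAuthentication'] -or -not $state['windowsAuthentication']) {
    throw "Site '$SiteName' is not configured for single sign on"
}
```

If the windowsAuthentication section is missing on a Windows Server box, the role service is not installed; `Install-WindowsFeature Web-Windows-Auth` adds it. The verification loop at the end is the check worth keeping in a build script: it reads back what IIS will actually enforce rather than trusting that the writes succeeded.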
How Single Sign On works with the LDAP (AD) module
Because the site uses Windows authentication, the LDAP module takes the identity that the browser negotiated with IIS and tries to log that user into the Sitecore client. The minimum role the user must hold is sitecore\Sitecore Client Users. If the user does not have the proper roles, the LDAP module raises an access denied error and redirects to the default Sitecore login page.
Each role grants a different level of access. The other client roles are members of Sitecore Client Users, so a user in any of them is also in Sitecore Client Users through role nesting; the recommended role sets further down still list it explicitly.
Brief information on each role:
Group | Members (roles in the sitecore domain) | Member Of
sitecore\Sitecore Client Account Managing | Sitecore Local Administrators | Sitecore Client Users
sitecore\Sitecore Client Authoring | Author | Sitecore Client Users
sitecore\Sitecore Client Configuring | Developer | Sitecore Client Users
sitecore\Sitecore Client Designing | Design | Sitecore Client Users
sitecore\Sitecore Client Developing | Developer | Sitecore Client Users
sitecore\Sitecore Client Forms Author | Sitecore Marketer Form Author | Sitecore Client Users
sitecore\Sitecore Client Maintaining | Developer | Sitecore Client Users
sitecore\Sitecore Client Publishing | - | Sitecore Client Users
sitecore\Sitecore Client Securing | Sitecore Local Administrators | Sitecore Client Users
sitecore\Sitecore Client Translating | - | Sitecore Client Users
sitecore\Sitecore Client Users | All of the client roles above (via role nesting) | -
For example, a normal content author should at least be a member of the Sitecore Client Authoring role.
Setting up the LDAP login as the default login
The default login site in Sitecore is /Sitecore/Login and its default page is Default.aspx.
The following tweak makes the LDAP login the default:
1. Rename Default.aspx to default-login.aspx in the /Sitecore/login folder.
2. Copy LDAPLogin.aspx from the /Sitecore/admin folder to the /Sitecore/login folder.
3. Rename the copied LDAPLogin.aspx to Default.aspx in the /Sitecore/login folder.
4. Add the following JavaScript to the new Default.aspx (the LDAP login page) so that a user the LDAP module could not log in is redirected to the original login page. This redirect is a convenience only: the access decision is made server side by the LDAP module's role check, so the script adds no security and must not be relied on as a control.
<script type="text/javascript">
    // Returns the value of a query string parameter, or default_ when it is absent.
    function getQuerystring(key, default_) {
        if (default_ == null) default_ = "";
        // Escape [ and ] so the key can be used inside the regular expression.
        key = key.replace(/[\[]/, "\\\[").replace(/[\]]/, "\\\]");
        var regex = new RegExp("[\\?&]" + key + "=([^&#]*)");
        var qs = regex.exec(window.location.href);
        if (qs == null)
            return default_;
        else
            return qs[1];
    }
    // When the LDAP page is shown without an sc_error parameter (the LDAP login
    // did not succeed), send the user to the original Sitecore login page with an
    // access denied message. The message is URL-encoded so it survives in the URL.
    if (getQuerystring('sc_error') == '') {
        window.location = '/sitecore/login/default-login.aspx?sc_error='
            + encodeURIComponent('You do not have access to the system.');
    }
</script>
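Steps 1 to 3 of the swap above as an added PowerShell example (not code from the original post or from Sitecore). It refuses to run twice, keeps a copy of the untouched login page outside the web root and verifies the copy; the web root path is an assumption. Step 4, the JavaScript, is still added by hand to the new Default.aspx.

```powershell
# Added example: apply steps 1 to 3 of the login swap idempotently.
# The web root is an assumption; adjust it to your instance.
$WebRoot  = 'C:\inetpub\wwwroot\SitecoreCM\Website'
$LoginDir = Join-Path $WebRoot 'sitecore\login'
$LdapPage = Join-Path $WebRoot 'sitecore\admin\LDAPLogin.aspx'
$Default  = Join-Path $LoginDir 'Default.aspx'
$Fallback = Join-Path $LoginDir 'default-login.aspx'

function Install-LdapDefaultLogin {
    # Preconditions: the AD module is installed and the swap has not run before.
    if (-not (Test-Path $LdapPage)) { throw "AD module not installed, missing $LdapPage" }
    if (-not (Test-Path $Default))  { throw "Sitecore login page missing: $Default" }
    if (Test-Path $Fallback) {
        Write-Warning "$Fallback already exists; the swap has already been applied."
        return $false
    }

    # Keep a timestamped copy of the untouched login page outside the web root
    # so it is never served and can be restored if the LDAP page misbehaves.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $env:ProgramData "SitecoreLoginBackup\Default.aspx.$stamp"
    New-Item -ItemType Directory -Force -Path (Split-Path $backup) | Out-Null
    Copy-Item -Path $Default -Destination $backup

    Rename-Item -Path $Default  -NewName 'default-login.aspx'   # step 1
    Copy-Item   -Path $LdapPage -Destination $Default           # steps 2 and 3

    # Verify that the new Default.aspx really is the LDAP page.
    if ((Get-FileHash $Default).Hash -ne (Get-FileHash $LdapPage).Hash) {
        throw 'Copy of LDAPLogin.aspx failed verification'
    }
    Write-Output "Original login page backed up to $backup"
    return $true
}

Install-LdapDefaultLogin
```

Before running it, look at the @Page directive of LDAPLogin.aspx: if it carries a CodeFile attribute, the referenced code-behind file has to travel with the page, which the three steps above do not cover.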
With this in place the LDAP login page is the default one, and users in the sitecore domain can still log in through the /Sitecore/Login/Default-login.aspx url.
This gives AD users single sign on.
Note: Sitecore administrators (users with the Administrator flag) do not need to be in any of the roles above to reach the Content Editor; they have access to the whole system.
Access levels of each group
1. Everyone
Applications:
§ Content Editor
§ Media Library
§ WebEdit
§ Preview
§ Carousel
§ Recycle Bin
§ Search
§ Workbox
§ Control Panel
Content Editor Commands
· Navigate
· Review
· Versions
· View
Control Panel Commands
· Administration
· Preferences
· Reports
2. Sitecore Client Users
Every user who logs in through LDAP or single sign on must be a member of this role. If not, the LDAP login refuses the user with:
Cannot log in: The user '<DOMAIN>\<USERNAME>' is not a member of the 'sitecore\Sitecore Client Users' role
3. Sitecore Client Authoring
This is the basic role for a user who authors content on the site.
Access to:
· The Home tab, all chunks and commands.
· The Review tab, Validate and Workflow chunks.
· The Publish tab, Restrictions chunk.
· The Versions tab, Versions chunk.
4. Sitecore Client Configuring
Access to:
· Changing an item's appearance (for example its icon)
· The Configure tab in the Content Editor
5. Sitecore Client Maintaining
This role is for the Sitecore developer. It is close to the highest level of access below the administrator flag, so grant it only to people who actually maintain the installation.
Application Access:
§ Template Manager
§ Development Tools
§ Reporting Tools
§ All Applications
Content Editor Commands
§ Versions tab Reset command
§ Configure tab Change Template and Edit Template
§ Presentation
Control Panel Commands
§ Administration
§ Database
§ Globalization
§ Reports
6. Sitecore Client Publishing
This role grants the right to trigger publishing: it enables the Publish chunk on the Publish tab of the Content Editor.
7. Sitecore Client Account Managing
Sitecore Client Account Managing provides access to applications used to maintain users, roles, and domains.
8. Sitecore Client Designing
Sitecore Client Designing provides access to the Page Editor Design Pane features.
9. Sitecore Client Translating
Provides access to edit content in languages other than the site's default language.
Content Editor Commands
§ Review
§ Versions
Control Panel
§ Reports
10. Sitecore Client Securing
Provides access to maintain users, roles and access rights.
Application
§ Security Editor
§ Security Tools
Content Editor
§ Security Tab
Control Panel
§ User Manager
§ Create a new User
11. Sitecore Client Developing
The Developing role is meant to be combined with the following roles:
§ Sitecore Client Authoring
§ Sitecore Client Maintaining
§ Sitecore Client Configuring
§ Sitecore Client Securing
Application
§ Developer Center
§ Debug
§ Development Tools
Content Editor Commands
§ View chunk’s Hidden Items, Standard Fields, and Raw Values toggles
Control Panel
§ Database
12. Sitecore Client Forms Author
This role lets a user design web forms with the Web Forms for Marketers module.
Recommended Roles and Access Levels
1. An Author:
An author is a person who makes content changes, adds new versions, configures items (for example sets an item's icon) and designs forms with WFM.
Roles:
a. Sitecore Client Users (Base to other roles.)
b. Sitecore Client Authoring
c. Sitecore Client Translating
d. Sitecore Client Forms Author
e. Sitecore Client Configuring
f. Sitecore Client Designing – (Higher access to set layouts)
2. A Security Administrator:
A security admin carries out administrative tasks such as adding a new user, granting access to Sitecore items and verifying users' access levels.
Roles:
a. Sitecore Client Users (Base to other roles.)
b. Sitecore Client Securing
c. Sitecore Client Account Managing
3. A Release manager:
A release manager takes care of deployments and manages the content tree; they handle package installation and publishing.
(Facilitator, Gatekeeper, Architect, Coordinator)
Roles:
a. Sitecore Client Users (Base to other roles.)
b. Sitecore Client Maintaining
c. Sitecore Client Publishing
d. Sitecore Client Configuring
4. A developer:
A developer needs access to the developer-specific functionality in the user interface.
Roles:
a. Sitecore Client Users (Base to other roles.)
b. Sitecore Client Developing
c. Sitecore Client Maintaining
d. Sitecore Client Designing
e. Sitecore Client Configuring
f. Sitecore Client Authoring
g. Sitecore Client Translating
h. Sitecore Client Forms Author
i. Sitecore Client Securing – (Higher Access - Not recommended)
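The minimum-role rule (a user must end up in sitecore\Sitecore Client Users, directly or through role nesting) and the recommended role sets above, turned into an added PowerShell audit example. This is not code from the original post or from Sitecore: the role nesting is modelled from the table earlier on the page, the persona baselines from the four lists above, and the user assignments at the bottom are constructed sample data. In a real audit the direct roles would come from Sitecore's Role Manager or from the AD groups the LDAP module maps in.

```powershell
# Added example: audit a user's Sitecore roles against the role table and the
# recommended role sets. Sample data is constructed, not from a real install.
$MinimumRole = 'sitecore\Sitecore Client Users'

# Role nesting: each key is a member of the roles it maps to (the "Member Of"
# column, plus the site-specific roles from the "Members" column of the table).
$RoleParents = @{
    'sitecore\Sitecore Client Account Managing' = @($MinimumRole)
    'sitecore\Sitecore Client Authoring'        = @($MinimumRole)
    'sitecore\Sitecore Client Configuring'      = @($MinimumRole)
    'sitecore\Sitecore Client Designing'        = @($MinimumRole)
    'sitecore\Sitecore Client Developing'       = @($MinimumRole)
    'sitecore\Sitecore Client Forms Author'     = @($MinimumRole)
    'sitecore\Sitecore Client Maintaining'      = @($MinimumRole)
    'sitecore\Sitecore Client Publishing'       = @($MinimumRole)
    'sitecore\Sitecore Client Securing'         = @($MinimumRole)
    'sitecore\Sitecore Client Translating'      = @($MinimumRole)
    'sitecore\Author'                           = @('sitecore\Sitecore Client Authoring')
    'sitecore\Design'                           = @('sitecore\Sitecore Client Designing')
    'sitecore\Developer'                        = @('sitecore\Sitecore Client Configuring',
                                                    'sitecore\Sitecore Client Developing',
                                                    'sitecore\Sitecore Client Maintaining')
    'sitecore\Sitecore Local Administrators'    = @('sitecore\Sitecore Client Account Managing',
                                                    'sitecore\Sitecore Client Securing')
}

# Recommended role sets from the lists above. Securing is left out of the
# developer set on purpose, since the post marks it "not recommended".
$Baselines = @{
    Author = @($MinimumRole, 'sitecore\Sitecore Client Authoring', 'sitecore\Sitecore Client Translating',
               'sitecore\Sitecore Client Forms Author', 'sitecore\Sitecore Client Configuring',
               'sitecore\Sitecore Client Designing')
    SecurityAdministrator = @($MinimumRole, 'sitecore\Sitecore Client Securing',
               'sitecore\Sitecore Client Account Managing')
    ReleaseManager = @($MinimumRole, 'sitecore\Sitecore Client Maintaining',
               'sitecore\Sitecore Client Publishing', 'sitecore\Sitecore Client Configuring')
    Developer = @($MinimumRole, 'sitecore\Sitecore Client Developing', 'sitecore\Sitecore Client Maintaining',
               'sitecore\Sitecore Client Designing', 'sitecore\Sitecore Client Configuring',
               'sitecore\Sitecore Client Authoring', 'sitecore\Sitecore Client Translating',
               'sitecore\Sitecore Client Forms Author')
}
# Roles that manage users, security or the installation itself.
$HighPrivilege = @('sitecore\Sitecore Client Securing', 'sitecore\Sitecore Client Account Managing',
                   'sitecore\Sitecore Client Maintaining')

# Expands direct roles through the nesting table (breadth-first, cycle-safe).
function Resolve-EffectiveRoles {
    param([string[]]$DirectRoles)
    $effective = [System.Collections.Generic.List[string]]::new()
    $queue = [System.Collections.Generic.Queue[string]]::new()
    foreach ($r in $DirectRoles) { $queue.Enqueue($r) }
    while ($queue.Count -gt 0) {
        $role = $queue.Dequeue()
        if ($effective -contains $role) { continue }
        $effective.Add($role)
        foreach ($parent in $RoleParents[$role]) { $queue.Enqueue($parent) }
    }
    return $effective.ToArray()
}

function Test-SitecoreRoleAssignment {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string[]]$DirectRoles,
        [Parameter(Mandatory)][ValidateSet('Author', 'SecurityAdministrator', 'ReleaseManager', 'Developer')]
        [string]$Persona
    )
    $effective = Resolve-EffectiveRoles -DirectRoles $DirectRoles
    $baseline  = $Baselines[$Persona]
    $missing   = @($baseline  | Where-Object { $effective -notcontains $_ })
    # Only report surplus client roles; site-specific roles are just containers.
    $extra     = @($effective | Where-Object { $baseline -notcontains $_ -and $_ -like 'sitecore\Sitecore Client *' })
    [pscustomobject]@{
        User           = $User
        Persona        = $Persona
        CanLogIn       = [bool]($effective -contains $MinimumRole)   # the LDAP module's minimum
        EffectiveRoles = $effective
        MissingRoles   = $missing
        ExtraRoles     = $extra
        HighPrivilege  = @($extra | Where-Object { $HighPrivilege -contains $_ })
    }
}

# Constructed sample assignments (not real accounts).
$Samples = @(
    @{ User = 'CORP\author1'; Persona = 'Author';    Roles = @('sitecore\Author') }
    @{ User = 'CORP\dev1';    Persona = 'Developer'; Roles = @('sitecore\Developer', 'sitecore\Sitecore Client Securing') }
    @{ User = 'CORP\temp1';   Persona = 'Author';    Roles = @('sitecore\Some Custom Role') }
)
foreach ($s in $Samples) {
    Test-SitecoreRoleAssignment -User $s.User -DirectRoles $s.Roles -Persona $s.Persona | Format-List
}
```

On the sample data, author1 can log in through the nested Author role but is short of the Translating, Forms Author, Configuring and Designing roles; dev1 holds the Securing role the post advises against, and it is reported under HighPrivilege; temp1 is in no role that nests into Sitecore Client Users, which is exactly the case that produces the "is not a member of the 'sitecore\Sitecore Client Users' role" error quoted above.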