Things to be mindful of when selecting an SSO solution for a Sitecore project


Today almost every website requires some form of authentication to access its content and features. With the number of web portals and services growing rapidly, Single Sign-On (SSO) authentication is needed more than ever. This post walks through the things to consider when choosing an SSO provider for a Sitecore project. Read on!

1. To begin with, create a feature matrix to assess the options: Azure AD, Azure AD B2C, Azure AD B2B, Auth0, Okta, Amazon Cognito, Sitecore Identity etc., or a custom solution. Historically, Sitecore's recommendations and documentation have been tied to the Azure AD offering. The key checkpoints are:

  • Cost;
  • Standard SSO features out-of-the-box (OOTB), such as login (including social login), registration and "my account";
  • Email confirmation / change is pretty much OOTB;
  • Email verification: a third-party service needs to be used;
  • Initial import of the existing users and login with their existing passwords;
  • Security requirements: the modern standards are provided OOTB (password encryption, secure data storage and GDPR requirements);
  • Change log: user activity is tracked OOTB, but typically there is no change log of changes made to the user records, so anything specific will require custom development;
  • Push notifications to users: custom development.

2. When choosing between Azure AD, Azure AD B2B and Azure AD B2C: Azure AD is Active Directory in the cloud, aimed at managing corporate users' access to cloud applications at an organisation level. Azure AD B2C is an authentication service built on Azure AD that provides an identity and access management platform for public-facing web and mobile applications. Therefore, Azure AD B2C is the better fit for the end visitors of a Sitecore website, and Azure AD for admin users. For Azure AD B2C, consider using the Identity Experience Framework to customise user flows rather than writing custom code.

3. Use Sitecore Federated Authentication for the front-end login and Sitecore Identity for all Sitecore (back-end) authentication.

4. Consider the use of virtual vs. persistent users in Sitecore. Virtual users have a drawback: user profile data cannot be persisted across sessions, because a virtual user's profile exists only as long as the user's session lasts.

5. A redirect / pop-up integration with an SSO provider will be easier, especially if two-factor authentication is enabled from day one, but it has some UI limitations. A direct API integration gives more UX freedom, but is a time-consuming task.

6. Agree on the user's unique identifier; it will be used for data aggregation in xDB to present an Experience Profile for a given visitor.

7. Plan the migration of existing users in advance, as you cannot always keep their existing passwords.
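As an added illustration of points 3, 4 and 6 above (example config written for this post, not from the original article or from Sitecore's shipped files): a Sitecore federated-authentication patch that maps an Azure AD B2C identity provider to the front-end site, creates persistent rather than virtual users, and carries the B2C object-id claim onto the user profile as the stable identifier to aggregate on in xDB. The provider id `AzureAdB2C`, the site name `website`, the profile property `ExternalUserId` and the object-id claim type are assumptions; the provider still needs a matching `owin.identityProviders` pipeline processor that registers the OpenID Connect middleware, which is not shown here.

```xml
<!-- Assumed patch file: App_Config/Include/Feature/Feature.Sso.AzureAdB2C.config -->
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <federatedAuthentication type="Sitecore.Owin.Authentication.Configuration.FederatedAuthenticationConfiguration, Sitecore.Owin.Authentication">
      <identityProvidersPerSites hint="list:AddIdentityProvidersPerSites">
        <!-- Front-end login for the "website" site (point 3); back-end login stays with Sitecore Identity -->
        <mapEntry name="website" type="Sitecore.Owin.Authentication.Collections.IdentityProvidersPerSitesMapEntry, Sitecore.Owin.Authentication">
          <sites hint="list"><site>website</site></sites>
          <identityProviders hint="list:AddIdentityProvider">
            <identityProvider ref="federatedAuthentication/identityProviders/identityProvider[@id='AzureAdB2C']" />
          </identityProviders>
          <externalUserBuilder type="Sitecore.Owin.Authentication.Services.DefaultExternalUserBuilder, Sitecore.Owin.Authentication">
            <!-- Point 4: true = persistent extranet user; false = virtual user whose profile is lost when the session ends -->
            <param desc="isPersistentUser">true</param>
          </externalUserBuilder>
        </mapEntry>
      </identityProvidersPerSites>
      <identityProviders hint="list:AddIdentityProvider">
        <identityProvider id="AzureAdB2C" type="Sitecore.Owin.Authentication.Configuration.DefaultIdentityProvider, Sitecore.Owin.Authentication">
          <param desc="name">$(id)</param>
          <param desc="domainManager" type="Sitecore.Abstractions.BaseDomainManager" resolve="true" />
          <caption>Log in</caption>
          <domain>extranet</domain>
          <transformations hint="list:AddTransformation">
            <!-- Stamps the idp claim so Sitecore knows which provider issued the identity -->
            <transformation name="set idp claim" ref="federatedAuthentication/sharedTransformations/setIdpClaim" />
            <!-- Point 6: copy the B2C object id (stable per user, unlike an email address) into a short claim name -->
            <transformation name="oid to ExternalUserId" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
              <sources hint="raw:AddSource"><claim name="http://schemas.microsoft.com/identity/claims/objectidentifier" /></sources>
              <targets hint="raw:AddTarget"><claim name="ExternalUserId" /></targets>
              <keepSource>true</keepSource>
            </transformation>
          </transformations>
        </identityProvider>
      </identityProviders>
      <propertyInitializer type="Sitecore.Owin.Authentication.Services.PropertyInitializer, Sitecore.Owin.Authentication">
        <maps hint="list">
          <!-- Store the stable id on the user profile (assumed custom property ExternalUserId); use this value as the xDB identifier -->
          <map name="ExternalUserId" type="Sitecore.Owin.Authentication.Services.DefaultClaimToPropertyMapper, Sitecore.Owin.Authentication">
            <data hint="raw:AddData"><source name="ExternalUserId" /><target name="ExternalUserId" /></data>
          </map>
        </maps>
      </propertyInitializer>
    </federatedAuthentication>
  </sitecore>
</configuration>
```

The `ExternalUserId` profile property has to exist on the extranet user profile template before the mapper can populate it.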
