Troubleshooting SSO and Azure AD Groups November 18, 2021
AzureSitecore
0 Comment

We’re currently in the middle of an upgrade project and one of the new requirements was to add in Azure AD for Single Sign On. This is relatively easy, given you just have to update a single config file in Identity Server (And configure AD, but that’s not my job!). You can read all about this process at Mukesh’s blog here: https://www.altudo.co/resources/blogs/azuread-setup-for-sitecore

Seriously, go read it. It’s straight to the point.

Once AD was configured, we were getting the dreaded “You do not have access to the system” message which meant Sitecore thought I was full of it. Here’s some steps I did to see where the error was (based on a blog I found here: https://viniciusdeschamps.com.br/troubleshooting-guide-to-you-do-not-have-access-to-the-system-in-sitecore-identity-server/):

  1. Validated my claims were mapped correctly: Check
  2. Validated I was part of the right AD Group: Check
  3. Made sure that the role had login rights (I added a vanilla user to it and was fine): Check

One thing that I didn’t know how to check was whether or not Azure AD was passing the right groups back to me before I was directed back to the ID Server. Then I chatted a bit with our IT Guys:

Fix it, Nerd! Technical Assistance by Pixel Lunch LLC
Not him. Maybe not him. Ok, could be him.

He suggested I “check the id token returned by oidc” and see what’s in there. Ok. What?

OIDC = OpenID Connect – RTFM here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc

So if you’re connected to Azure AD via the ID Login Page, you’ll see a traffic list like this:

That’s a lot of Redirects, boss

As you can see, there’s a lot of hand shaking going on. Anywho, click on the one called “signin-oidc” and then click the “Request” tab. You’ll see something like this:

That’s a lot of… stuff

You’re probably wondering…what in the same hell do I do with THAT? Simple, head over to https://jwt.ms and paste it in the box. Make sure you remove the “id_token: ” portion. Once you do, you should see it populate the Decoded Token tab with a whole bunch of data:

Well that makes a LOT more sense.

I was able to scroll down and see that the groups I belonged to weren’t right (they were actually missing) so I was able to get back to the AD Admin and point this out. He did some digging and viola, I then saw my groups come across in the id_token. After that, I was able to hop into Sitecore without any problem at all. Thanks IT Guy!

Peralta GIFs | Tenor