We’re currently in the middle of an upgrade project and one of the new requirements was to add in Azure AD for Single Sign On. This is relatively easy, given you just have to update a single config file in Identity Server (And configure AD, but that’s not my job!). You can read all about this process at Mukesh’s blog here: https://www.altudo.co/resources/blogs/azuread-setup-for-sitecore
Seriously, go read it. It’s straight to the point.
Once AD was configured, we were getting the dreaded “You do not have access to the system” message, which meant Sitecore thought I was full of it. Here are the steps I took to see where the error was (based on a blog I found here: https://viniciusdeschamps.com.br/troubleshooting-guide-to-you-do-not-have-access-to-the-system-in-sitecore-identity-server/):
- Validated my claims were mapped correctly: Check
- Validated I was part of the right AD Group: Check
- Made sure that the role had login rights (I added a vanilla user to it and was fine): Check
One thing that I didn’t know how to check was whether or not Azure AD was passing the right groups back to me before I was directed back to the ID Server. Then I chatted a bit with our IT Guys:
He suggested I “check the id token returned by oidc” and see what’s in there. Ok. What?
OIDC = OpenID Connect – RTFM here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
So if you’re connected to Azure AD via the ID Login Page, you’ll see a traffic list like this:
As you can see, there’s a lot of handshaking going on. Anywho, click on the one called “signin-oidc” and then click the “Request” tab. You’ll see something like this:
You’re probably wondering…what in the hell do I do with THAT? Simple, head over to https://jwt.ms and paste it in the box. Make sure you remove the “id_token: ” portion. Once you do, you should see it populate the Decoded Token tab with a whole bunch of data:
I was able to scroll down and see that the groups I belonged to weren’t right (they were actually missing), so I was able to get back to the AD Admin and point this out. He did some digging and voilà, I then saw my groups come across in the id_token. After that, I was able to hop into Sitecore without any problem at all. Thanks IT Guy!
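The same inspection can be done offline, which is handy when you would rather not paste a live token for a production tenant into a web page. The script below is an added example, not code from the original post or from Sitecore or Microsoft: it takes the `id_token: ...` line as copied from the signin-oidc request, strips the label, base64url-decodes the header and payload (the signature is deliberately not verified, since the goal is only to see which claims Azure AD put in the token), and then reports whether a `groups` claim is present. The sample tokens, group names and `kid` value are constructed for the example. It also covers one case the post does not mention: when a user belongs to more groups than Azure AD will embed, the token carries a `hasgroups` or `_claim_names` overage marker instead of the list, which looks like “missing groups” on jwt.ms as well.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs omit."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url (only used to build the sample tokens)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_id_token(raw: str) -> dict:
    """Split an id_token into its header and payload claims.

    Accepts the value as copied from the signin-oidc request body, with or
    without a leading 'id_token: ' / 'id_token=' label. The signature is NOT
    verified; this is for inspecting claims, not for trusting the token.
    """
    token = raw.strip()
    for prefix in ("id_token:", "id_token="):
        if token.startswith(prefix):
            token = token[len(prefix):].strip()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return {"header": header, "claims": claims}


def check_groups(claims: dict) -> str:
    """Say what the token tells us about group membership."""
    if "groups" in claims:
        return "groups present: " + ", ".join(claims["groups"])
    # Azure AD group overage: the list was too long to embed, so the token
    # only carries a marker and the groups must be fetched from Microsoft Graph.
    if claims.get("hasgroups") or "_claim_names" in claims:
        return "groups overage: list not embedded, query Microsoft Graph instead"
    return "no groups claim in token"


def _make_sample_token(claims: dict) -> str:
    """Build an unsigned-looking sample token (constructed; fake signature)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "EXAMPLE-KID"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed sample of the line copied from the signin-oidc request tab.
SAMPLE_WITH_GROUPS = "id_token: " + _make_sample_token({
    "iss": "https://login.microsoftonline.com/EXAMPLE-TENANT/v2.0",
    "aud": "EXAMPLE-CLIENT-ID",
    "preferred_username": "someone@example.com",
    "groups": ["sitecore-admins", "sitecore-authors"],
})

# Constructed sample of a token with no groups claim at all.
SAMPLE_NO_GROUPS = "id_token: " + _make_sample_token({
    "iss": "https://login.microsoftonline.com/EXAMPLE-TENANT/v2.0",
    "aud": "EXAMPLE-CLIENT-ID",
    "preferred_username": "someone@example.com",
})

# Constructed sample of the group overage marker.
SAMPLE_OVERAGE = "id_token: " + _make_sample_token({
    "iss": "https://login.microsoftonline.com/EXAMPLE-TENANT/v2.0",
    "aud": "EXAMPLE-CLIENT-ID",
    "hasgroups": True,
})


if __name__ == "__main__":
    for label, raw in [("with groups", SAMPLE_WITH_GROUPS),
                       ("no groups", SAMPLE_NO_GROUPS),
                       ("overage", SAMPLE_OVERAGE)]:
        decoded = decode_id_token(raw)
        print(f"{label}: alg={decoded['header']['alg']} -> {check_groups(decoded['claims'])}")
```

Drop your own copied `id_token: ...` line into `decode_id_token` to get the claims back as a dictionary; if `check_groups` reports “no groups claim”, the fix is on the Azure AD side (the app registration has to be configured to emit group claims), and if it reports overage the groups exist but have to be looked up rather than read from the token.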