Sitecore and Identity Server 3 - Roles missing for authenticated users


I am trying to integrate a federated authentication / single sign on with Sitecore using Identity Server 3. Please note that I am not using Azure Active Directory in any way.

I've been following these pages: http://blog.baslijten.com/enable-federated-authentication-and-configure-auth0-as-an-identity-provider-in-sitecore-9-0/

and

https://dhalgara.com/2018/05/01/sitecore-9-integrating-azure-ad-along-with-identity-server-3/

I believe I am close, as I'm able to get the login button to appear that takes me away to the Identity Server for authentication. I then enter a username/password, it properly authenticates, and it redirects me back to the Sitecore login page with the following error:

You do not have access to the system. If you think this is wrong, please contact the system administrator.

I confirmed that I am authenticating and that when I go to the user management screen in Sitecore, I find some users with funny names that must have been created via the login process I mentioned. They are also not a part of any roles, which is why I suspect I can't log in.

Almost all the sites mention configuring this block of XML is key:

<transformation type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
  <sources hint="raw:AddSource">
    <claim name="x" value="y" />
  </sources>
  <targets hint="raw:AddTarget">
    <claim name="something here" value="Sitecore\Developer" />
  </targets>
  <keepSource>true</keepSource>
</transformation>

But what does this really mean? I inspected my JWT and I don't have any claims coming back such as "roles" or "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", but is that even necessary to assign a developer role to my user? What should be in the X/Y values above, and what should the value of "something here" be so that my user is made a Sitecore\Developer role (or some other role that I want)?

How can I ensure that when my user is signed in, I can put them as part of a particular group?

Thank you for your assistance.

There are 1 best solutions below


If you are getting the below error, it means there is something wrong in the app configuration on Identity Server; check the configuration, it could be the Redirect URL or the Site Host name.

You do not have access to the system. If you think this is wrong, please contact the system administrator.

RECOMMENDED: Revisit your App configuration in the Identity Server / Azure AD.

The block you mentioned is basically to set the Role permission for the user. The below configuration will allow you to set the default claims for Sitecore/Developer Role.

<transformation name="Transform to Sitecore DEV Role" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
  <sources hint="raw:AddSource">
    <claim name="groups" value="<GUID>" />
  </sources>
  <targets hint="raw:AddTarget">
    <claim name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" value="Sitecore\Developer" />
    <claim name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" value="Sitecore\Author" />
    <claim name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" value="sitecore\Analytics Personalization" />
    <claim name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" value="sitecore\Analytics Maintaining" />
    <claim name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" value="sitecore\Forms Editor" />
  </targets>
  <keepSource>true</keepSource>
</transformation>

If you are seeing funny names get added to Sitecore, then try the solution recommended in the Sitecore community in the below link.

https://community.sitecore.net/developers/f/5/t/8801
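As an added illustration of what the transformation block in the question and in the answer above actually does (example code written for this page, not code from the question, the answer, or Sitecore itself), the Python script below parses such a block with the standard library XML parser and applies it to a decoded set of token claims. It models the semantics the answer describes: when the incoming identity carries every claim listed under sources, the claims listed under targets are added, and keepSource decides whether the source claims survive. Assumptions: an exact name-plus-value match is required for each source claim (an empty value is treated as "match on name only"), the GUID is a constructed placeholder standing in for the answer's <GUID>, the role claim type is the standard .NET ClaimTypes.Role URI shown in the answer, and the user in the question has no "groups" claim in the token, which is why no role is assigned.

```python
import xml.etree.ElementTree as ET

# Standard .NET role claim type, as used in the answer's target claims.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed example: the answer's block with a made-up group GUID in place of <GUID>.
# Raw string so the backslashes in the role names are kept literally.
TRANSFORMATION_XML = r"""
<transformation name="Transform to Sitecore DEV Role"
                type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
  <sources hint="raw:AddSource">
    <claim name="groups" value="00000000-0000-0000-0000-000000000001" />
  </sources>
  <targets hint="raw:AddTarget">
    <claim name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" value="Sitecore\Developer" />
    <claim name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" value="Sitecore\Author" />
    <claim name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" value="sitecore\Analytics Personalization" />
    <claim name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" value="sitecore\Analytics Maintaining" />
    <claim name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" value="sitecore\Forms Editor" />
  </targets>
  <keepSource>true</keepSource>
</transformation>
"""


def parse_transformation(xml_text):
    """Read one <transformation> block into a plain dict of sources, targets and keepSource."""
    root = ET.fromstring(xml_text)
    sources = [(c.get("name"), c.get("value") or "") for c in root.find("sources").findall("claim")]
    targets = [(c.get("name"), c.get("value") or "") for c in root.find("targets").findall("claim")]
    keep = (root.findtext("keepSource") or "true").strip().lower() == "true"
    return {"name": root.get("name"), "sources": sources, "targets": targets, "keepSource": keep}


def _source_matches(source, claims):
    """Assumption: a source claim with a value must match name and value exactly;
    a source claim with an empty value matches any claim of that name."""
    name, value = source
    return any(t == name and (value == "" or v == value) for t, v in claims)


def apply_transformation(rule, claims):
    """claims: list of (type, value) pairs decoded from the id_token / JWT.
    Returns the transformed claim list; the input list is not modified."""
    if not all(_source_matches(src, claims) for src in rule["sources"]):
        return list(claims)  # no match: nothing is added, so no Sitecore role results
    if rule["keepSource"]:
        out = list(claims)
    else:
        out = [c for c in claims if not any(c[0] == s[0] and (s[1] == "" or c[1] == s[1]) for s in rule["sources"])]
    for tgt in rule["targets"]:
        if tgt not in out:
            out.append(tgt)
    return out


def sitecore_roles(claims):
    """The Sitecore roles the transformed identity would carry (values of ROLE_CLAIM)."""
    return sorted(v for t, v in claims if t == ROLE_CLAIM)


if __name__ == "__main__":
    rule = parse_transformation(TRANSFORMATION_XML)
    # Constructed token claims: one user is in the configured group, one is not.
    member = [("sub", "alice"), ("groups", "00000000-0000-0000-0000-000000000001")]
    outsider = [("sub", "bob")]  # mirrors the question: no "groups"/role claim in the JWT
    print(rule["name"], "->", sitecore_roles(apply_transformation(rule, member)))
    print("no matching source claim ->", sitecore_roles(apply_transformation(rule, outsider)))
```

Running it shows the point behind the answer: roles are only granted when the token carries the source claim the block is waiting for. If the identity provider does not issue a claim that the sources element can match (the question's inspection of the JWT found none), the targets are never added and the user lands in Sitecore without any role, which is the "no access to the system" outcome described above. The fix is therefore on two sides: have Identity Server issue a group or role claim for the user, and make the sources element name exactly that claim and value.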