External Identity Providers

The Redakt back office supports authenticating via external identity providers. A separate NuGet package is available to add authentication for a number of popular OpenID Connect / OAuth 2.0 identity providers. Others can be added through a custom implementation if required.

The following NuGet package supports authentication for Google, LinkedIn, Facebook, Slack, Salesforce, and Azure Active Directory.

Installation

Install the package with the NuGet package manager or the Package Manager Console.

PM> Install-Package Redakt.BackOffice.OpenIdConnect

Register the authentication method services in the ConfigureServices method of your project's Startup.cs file. The example below shows how to add all available authentication methods to the back office. You should add only the ones you would like your users to authenticate with.

public void ConfigureServices(IServiceCollection services)
{
    // ... framework and other services here

    services.AddRedakt(this.Configuration, builder =>
    {
        // ... other Redakt services
        builder.AddRedaktBackOffice()
            .AddGoogleAuthentication()
            .AddLinkedInAuthentication()
            .AddFacebookAuthentication()
            .AddSlackAuthentication()
            .AddSalesforceAuthentication()
            .AddAzureADAuthentication();
    });
}

Configuration

All OpenID Connect / OAuth 2.0 authentication methods share the same base configuration. The authentication methods are configured through the appsettings.json file. The following is an example of Google authentication configuration. For other authentication methods, add a similar configuration section under the authentication method's name.

{
    "Redakt": {
        "BackOffice": {
            "Authentication": {
                "Google": {
                    "ClientId": "",
                    "ClientSecret": "",
                    "Scope": "",
                    "EnableAutoRegistration": false,
                    "AutoRegistrationUserGroups": [],
                    "AuthorizedEmailDomains": []
                }
            }
        }
    }
}

Client Id & Secret

Required. Sets the OAuth 2.0 client ID and client secret. See the respective identity provider's developer documentation for how to create an application and obtain the client ID and secret.

Enable Auto Registration

If enabled, any external account that successfully logs in and does not yet exist in the system is registered automatically as a user in Redakt CMS. This is useful if you want to allow all your organization's user accounts access to Redakt CMS by default.

Important: If you enable auto registration, you should also set authorized email domains, otherwise any person with a supported external account will have access to your system!

Auto Registration User Groups

A string array of user group names that automatically registered users will belong to. If you enable auto registration, you should set at least one user group here, otherwise the user will have no permissions (including read permissions) and will not be able to do anything in the back office.

Authorized Email Domains

If set, the back office allows login only for accounts with the specified email domains. This is an array of string values, for example [ "redaktcms.com", "mydomain.net" ]. This is useful mainly for the auto registration feature, but it will restrict known system accounts as well.
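The auto registration, user group and authorized email domain settings described above can be checked before deployment. The script below is an added example, not part of Redakt or its documentation: it audits a parsed appsettings.json for the combinations the text warns about. The "Slack" and "LinkedIn" section names, the "Editors" group, the public mail domain list and the treatment of a missing EnableAutoRegistration key as disabled are assumptions of this example.

```python
import json

# Illustrative, non-exhaustive list of consumer mail domains (assumption of this example).
PUBLIC_MAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com"}

def audit_redakt_auth(settings):
    """Return findings for every section under Redakt > BackOffice > Authentication."""
    findings = []
    providers = settings.get("Redakt", {}).get("BackOffice", {}).get("Authentication", {})
    for name, cfg in providers.items():
        # A missing EnableAutoRegistration key is treated as disabled (assumption).
        if not cfg.get("EnableAutoRegistration", False):
            continue
        domains = {d.strip().lower() for d in cfg.get("AuthorizedEmailDomains") or []}
        groups = cfg.get("AutoRegistrationUserGroups") or []
        if not domains:
            findings.append(f"{name}: auto registration is open to any external account")
        public = sorted(domains & PUBLIC_MAIL_DOMAINS)
        if public:
            findings.append(f"{name}: public mail domain authorized: {', '.join(public)}")
        if not groups:
            findings.append(f"{name}: auto-registered users get no user group")
    return findings

# Constructed sample; "Slack"/"LinkedIn" section names and "Editors" are assumed.
SAMPLE = json.loads("""
{"Redakt": {"BackOffice": {"Authentication": {
  "Google":   {"EnableAutoRegistration": true,
               "AutoRegistrationUserGroups": [], "AuthorizedEmailDomains": []},
  "Slack":    {"EnableAutoRegistration": true,
               "AutoRegistrationUserGroups": ["Editors"],
               "AuthorizedEmailDomains": ["Gmail.com", "mydomain.net"]},
  "LinkedIn": {"EnableAutoRegistration": false,
               "AutoRegistrationUserGroups": [], "AuthorizedEmailDomains": []}
}}}}
""")

if __name__ == "__main__":
    for finding in audit_redakt_auth(SAMPLE):
        print(finding)
```

Authorizing a public mail domain together with auto registration has nearly the same effect as leaving the domain list empty, which is why the script reports it separately.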