Toggle menu

Using External Authentication with iCM

iCM can be configured to allow users to log in using third party logins rather than a username and password set in iCM. This allows you to connect iCM logins to a range of technologies including ADFS, OpenID Connect and SAML2.

Beta Development

Beta

All of the functionality described below is still in beta. We'll be making improvements over the next iCM releases as we get feedback and begin to implement logins more widely. We don't recommend setting this up without talking to us first.

Overview

As well as logging in to iCM using a username and password, you can also use third party identity providers, in the same as you can for website logins. 

When you log into iCM using a third party provider, the Authentication worker first creates a website user that corresponds to that third party login (if one doesn't exist already). Your website user is placed in a site group named after the provider (the providerName in the API Server configuration), and all of the usual Linking Providers, Account and Profile Management options are available (depending on how you have configured the Authentication worker). If supported by your authentication provider, group mirroring is also possible. This is exactly the same as what happens for website logins.

Next iCM checks the Site Groups that your website user is a member of. One of those groups must be set as an alias of an iCM user group for the login to work. If there are no aliased groups, the site user will still be created, but the login will fail. iCM's access logs will have an entry for the failed login with further information.

Once an aliased group has been found, one of two things can happen:

  1. If your website user is already aliased to an iCM user, you'll be logged in as that iCM user, in exactly the same way as if you had logged in using the iCM user's username and password
  2. If your website user is not already aliased to an iCM user, iCM will create you a brand new iCM user and alias the new website and iCM users together. Your iCM user will be placed into all of the iCM groups that are aliased to website user groups that your site user is a member of

Each time you log in using a website user login, the user groups of your iCM user will be updated to match the aliased groups that the website user is a member of (ie you could be added to new iCM groups or removed from existing iCM groups).

Setup

All of the following needs to be in place for third party logins to work.

Enable Logins in Enterprise or Subsite Settings

Logins can be enabled in your iCM User Settings or in your Subsite Settings.

Enterprise

The global iCM user settings allow third party logins via the iCM enterprise URL. They can also be inherited by subsites.

  1. Navigate to iCM Settings in the System Configuration menu
  2. Open the iCM Users tab
  3. Under iCM login providers press Create
  4. Pick the login providers you'd like to use (these providers must already exist in your Authentication worker configuration)

The "Other" option lets you enter details manually if you haven't set up you API Server configuration yet - but you'll need to make sure that when you do your configuration matches what you enter here!

Subsite

At the subsite level, you can choose to use the enterprise settings, or to create logins specific to this subsite.

  1. Navigate to Subsites in the Definitions menu
  2. Double-click on your subsite
  3. Open the Settings tab
  4. Open the Login Providers tab
  5. Tick the "Use defaults" checkbox to use the enterprise providers or
  6. Press create to set up login providers specifically for this subsite

Once enabled, you'll see a new button on the iCM login screen:

iCM Login Screen

The text of this button is fixed. Pressing it will display a list of all of the configured providers:

iCM Login with External

The text of this button is "Log in with" followed by the providerDisplayName in the API Server configuration.

Aliased Groups

A website user must be a member of at least one website group aliased to an iCM Group to be able to be used as a login.  When a website user in an aliased group is used as a login, the iCM user that is logged into iCM will be placed into the aliased iCM group. That could be an existing iCM user, or it could be a brand new iCM user, created by iCM, if this is the first time the site login has been used.

Aliased Users

Once an iCM user is aliased to a website user, when that site user is used as a login, you'll be logged into iCM as that iCM user.

Existing iCM Installations

If you are setting up external authentication, and you have existing iCM users, you will (currently) have to manually alias iCM and website users together.

New Installations/New Users

If you don't already have an iCM user, the following happens.

When an external authentication provider is used for the first time, the Authentication worker will create a website user (as normal for website logins) and iCM will create a new iCM user, and alias them together. The new iCM user will have the following properties:

  • A username based on the user profile fields (in order of preference) PREFNAME, FIRSTNAME or GIVENNAMES plus the LASTNAME or FAMILYNAME
  • A randomly generated password set to expire every day (ie the iCM user isn't meant to be used to log in directly)
  • Group membership that matches the aliased groups of the website user
  • No privileges or content roots
  • An alias to the site user that was used as a login

Supported Functionality

All of the features available to website users is available on the iCM login page. This includes:

  • Linking users on login
  • Updating profile fields
  • Two-factor authentication for the iCM site user provider
Last modified on October 18, 2024

Share this page

Facebook icon Twitter icon email icon

Print

print icon