Created: 20 Jun 2025, last update: 20 Jun 2025
SSO and Sitecore XM Cloud with OpenID Connect, Microsoft Entra ID
Sitecore Cloud Portal now supports both SAML 2.0 and OpenID Connect (OIDC). Because OIDC is JSON/JWT based and the more modern of the two, unlike the older, XML-centric SAML, this post focuses on setting up OpenID Connect with Microsoft Entra ID (formerly Azure Active Directory). The official documentation covers the basics well in Configuring OpenID Connect (OIDC). That said, a few practical gotchas only surfaced once I rolled up my sleeves. Below are the lessons I wish I'd had on day one.
Empty User Name in the Portal
If Given name and Family name show as null, null in the Cloud Portal, features such as Sitecore Stream projects cannot be used fully, because they rely on a valid user name. The Portal does not let you edit those fields directly; they must come from the identity provider.

Fix
1. In the Azure Portal open Microsoft Entra ID → App registrations → the app registration you created for the Sitecore Cloud Portal (Token configuration lives on the app registration, not on the Enterprise application).
2. Go to Token configuration → Add optional claim → ID token → add given_name and family_name.
3. Save; if the portal offers to turn on the Microsoft Graph profile permission that these claims require, accept it and grant admin consent.
Check Which Claims You're Getting
Before touching the mapping, confirm which claims actually arrive by decoding the ID token. The Cloud Portal can do this for you (see Check the mapped claims of your account in the Sitecore documentation), but you can also inspect the raw token that Microsoft Entra ID returns.
To do that, capture the ID token issued by Entra ID, not by Sitecore (it is usually found in the payload of the callback request after authentication), and decode its payload. Any base64url/JSON decoder works; if you reach for an online tool such as jwt.io, remember that the token is a live credential, so prefer a local decoder for tokens from a production tenant. Decoding gives you a clear view of every claim being sent, including optional fields like given_name, family_name, groups, and others that your role mapping and login flow depend on.

Claim Mapping Isn’t Working (Groups vs. Group)
When you decode the token you will probably see a claim called groups that contains group object IDs (GUIDs), e.g.
"groups": [
"4e23c8e1-987b-4a18-b6ed-4b7f1a601234",
"bf2b19ac-..."
]
Sitecore's documentation example (see Mapping Sitecore ID token claims) uses group (singular) and the display names of the groups. Entra ID emits group object IDs by default; the display names are not present unless you add an extra claim for them.
Fix
Map the claim exactly as it appears: use groups instead of group, and reference the group object IDs (GUIDs) in your role mapping file rather than display names. After that, Sitecore resolves the roles correctly.
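The two checks above (which claims arrive, and whether the token says groups or group) are easy to script locally instead of pasting the token into a web decoder. The following is an added example, not code from the post or from Sitecore: it decodes a JWT payload without verifying the signature, audits the claims the Cloud Portal depends on, and maps group GUIDs to role names. The sample token is constructed inline with a placeholder signature, and the GUID-to-role dictionary is illustrative; the real mapping lives in your Cloud Portal role mapping file, whose schema is not reproduced here.

```python
import base64
import json

# Claims the login flow and role mapping depend on, per the sections above.
EXPECTED_CLAIMS = ("given_name", "family_name", "email", "groups")

# Illustrative group-object-ID -> role mapping. GUIDs and role names are
# constructed for this example (hypothetical, not Sitecore's mapping schema).
GROUP_TO_ROLE = {
    "4e23c8e1-987b-4a18-b6ed-4b7f1a601234": "Organization Admin",
    "9c4f0d2a-1b3e-4f6d-8a7c-2e5b1d0f9a8b": "XM Cloud Editor",
}

# Constructed ID-token payload shaped like an Entra ID v2.0 token in which the
# optional name claims were added but the directory user has no values for them.
SAMPLE_PAYLOAD = {
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "aud": "00000000-0000-0000-0000-000000000000",
    "email": "j.bluemink@customer.com",
    "given_name": None,
    "family_name": None,
    "groups": [
        "4e23c8e1-987b-4a18-b6ed-4b7f1a601234",
        "bf2b19ac-0000-0000-0000-000000000000",
    ],
}


def _b64url(segment: bytes) -> str:
    """base64url without '=' padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(segment).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """JWT segments drop '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(payload: dict) -> str:
    """Build an UNSIGNED token with a placeholder signature, only to feed the decoder."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-example"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     "placeholder-signature"])


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, payload) WITHOUT verifying the signature.

    This is a local replacement for pasting a token into a web decoder. It
    shows what the IdP sent; it does not prove the token is genuine, so never
    use it to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return (json.loads(_b64url_decode(parts[0])),
            json.loads(_b64url_decode(parts[1])))


def audit_claims(payload: dict) -> dict:
    """List present/missing expected claims and flag the common mapping mistakes."""
    report = {"present": [], "missing": [], "warnings": []}
    for name in EXPECTED_CLAIMS:
        (report["present"] if name in payload else report["missing"]).append(name)
    if "group" in payload and "groups" not in payload:
        report["warnings"].append("token carries 'group' (singular); map that name")
    if "groups" in payload and "group" not in payload:
        report["warnings"].append("token carries 'groups' (plural); map 'groups', not 'group'")
    for name in ("given_name", "family_name"):
        if name in payload and payload[name] in (None, ""):
            report["warnings"].append(f"{name} is present but null: the directory user has no value")
    return report


def resolve_roles(payload: dict, mapping: dict = GROUP_TO_ROLE) -> list[str]:
    """Turn the GUIDs in 'groups' into role names; unmapped GUIDs are ignored."""
    return [mapping[g] for g in (payload.get("groups") or []) if g in mapping]


if __name__ == "__main__":
    header, payload = decode_jwt_unverified(make_sample_token(SAMPLE_PAYLOAD))
    print("header:", header)
    print("audit:", audit_claims(payload))
    print("roles:", resolve_roles(payload))
```

For a real token, replace make_sample_token(...) with the string captured from the callback request; a claim that is absent shows up under "missing" (add it as an optional claim), while one that is present but null means the directory user lacks the attribute.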
Item Rights Missing in Pages (Bearer Transformation)
Earlier versions of the docs omitted the Bearer identityProvider transformation, which is what turns the virtual roles produced by your claim mapping into the role claims Sitecore authorizes against. Without it, users can log in but won't see their item-level permissions in Pages or other Portal apps.
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <federatedAuthentication>
      <identityProviders>
        <identityProvider id="Bearer">
          <transformations hint="list:AddTransformation">
            <!-- Copies the role claim produced by the Cloud Portal claim mapping into
                 the standard role claim Sitecore uses for authorization.
                 con_youridxxx is a placeholder for your own connection id. -->
            <transformation name="roles" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
              <sources hint="raw:AddSource">
                <claim name="con_youridxxx.xmc_role" />
              </sources>
              <targets hint="raw:AddTarget">
                <claim name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" />
              </targets>
              <keepSource>true</keepSource>
            </transformation>
          </transformations>
        </identityProvider>
      </identityProviders>
    </federatedAuthentication>
  </sitecore>
</configuration>
E-mail Address Is Invalid in Sitecore User Manager

If you need to edit a user inside the Sitecore CMS User Manager (to set a default language, assign custom roles, etc.) you may hit the error "The e-mail address is invalid." The CMS's default e-mail regex is stricter than the Cloud Portal's and even stricter than RFC 5322; addresses like j.bluemink@customer.com fail. Patch the EmailValidation setting with a more permissive pattern:
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:set="http://www.sitecore.net/xmlconfig/set/">
  <sitecore>
    <settings>
      <setting name="EmailValidation">
        <patch:attribute name="value">^[a-zA-Z0-9][a-zA-Z0-9._%+\-]*@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$</patch:attribute>
      </setting>
    </settings>
  </sitecore>
</configuration>
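Since this setting changes validation for every user on the CM instance, it is worth checking what the new pattern accepts and rejects before you deploy it. The following is an added example (not part of the post or of Sitecore) that runs the patched pattern over a constructed set of addresses and also shows one caveat: the pattern ends in $, which in .NET (and Python) also matches before a trailing newline, so a strict variant with an absolute end anchor (\z in .NET, \Z in Python) is included for comparison. The expected results are derived from the regex itself, not from a live Sitecore instance.

```python
import re

# The replacement pattern from the EmailValidation patch above. It uses no
# .NET-specific constructs, so Python's re evaluates it the same way.
PATCHED_EMAIL_PATTERN = r"^[a-zA-Z0-9][a-zA-Z0-9._%+\-]*@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$"

# Same pattern with an absolute end-of-string anchor: \Z in Python, \z in .NET.
# A bare $ also matches just before a trailing newline.
STRICT_EMAIL_PATTERN = PATCHED_EMAIL_PATTERN[:-1] + r"\Z"


def is_valid_email(address: str, pattern: str = PATCHED_EMAIL_PATTERN) -> bool:
    """Mirror Regex.IsMatch with a ^-anchored pattern: match from the start."""
    return re.match(pattern, address) is not None


# Constructed sample addresses with the result the patched pattern should give.
SAMPLE_ADDRESSES = {
    "j.bluemink@customer.com": True,        # the address from the post
    "first.last+tag@sub.example.co.uk": True,
    "ADMIN@Example.COM": True,
    ".leading-dot@example.com": False,      # local part must start alphanumeric
    "user@example": False,                  # no TLD
    "user@example.c": False,                # TLD shorter than two letters
    "user name@example.com": False,         # whitespace
    '"quoted local"@example.com': False,    # RFC 5322-valid, still rejected
    "user@xn--80ak6aa92e.xn--p1ai": False,  # punycode TLD has digits and hyphens
}


def check_addresses(samples: dict = SAMPLE_ADDRESSES,
                    pattern: str = PATCHED_EMAIL_PATTERN) -> dict:
    """Return {address: (expected, actual)} for samples that disagree with expectation."""
    return {
        addr: (expected, is_valid_email(addr, pattern))
        for addr, expected in samples.items()
        if is_valid_email(addr, pattern) != expected
    }


def trailing_newline_gap() -> tuple[bool, bool]:
    """Result of (loose $ pattern, strict \\Z pattern) on 'user@example.com\\n'."""
    addr = "user@example.com\n"
    return (is_valid_email(addr, PATCHED_EMAIL_PATTERN),
            is_valid_email(addr, STRICT_EMAIL_PATTERN))


if __name__ == "__main__":
    mismatches = check_addresses()
    print("all samples behave as expected" if not mismatches else mismatches)
    print("trailing newline accepted (loose, strict):", trailing_newline_gap())
```

The punycode case is worth noting: the pattern's [a-zA-Z]{2,} TLD class rejects internationalized domains, which may or may not matter for your user base. If you want the strict anchor in the Sitecore patch, replace the trailing $ with \z in the .NET pattern.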
Can I Disable SSO After Enabling It?
No. There is no off switch; the only option is to delete the SSO connection.
Can I Enable SSO Only for a Test Environment?
Not per environment: SSO is enabled at the organization level and is tied to one or more e-mail domains, so it applies to every user in those domains. Use the Test button to verify the connection before you enable it.