Azure Entra ID SSO – Setting up Sitecore Cloud Portal
Author: Matthew Lam
Introduction
Now that the Azure Entra ID side is complete, it’s time to bring Sitecore Cloud Portal into the loop.
This article focuses on the Cloud Portal side of the SAML setup — uploading the IdP metadata, creating the SSO connection, mapping incoming claims (like groups) into target claims Cloud Portal adds to tokens, and running the first authentication tests.
Before you begin, make sure you’ve already collected:
- The Federation Metadata XML exported from Azure: /sso/cloudportal-saml-[ENV].xml
- A list of Azure Group Object IDs and test users from your Preparation Checklist
This is the foundation step for SSO across Sitecore services; the same connection will later drive role propagation into XM Cloud.
1. Add a New SSO Connection in Cloud Portal
- Sign in to Sitecore Cloud Portal as an organisation or cloud administrator.
- Navigate to Admin → SSO.
- Click Add SSO Connection → SAML.
- Name the connection by environment: Azure-SAML-DEV, Azure-SAML-UAT, Azure-SAML-PROD
- Add allowed email domains (e.g., yourcompany.com) so only trusted corporate accounts use SSO.
Pro Tip: Keep your connection names consistent across environments — it simplifies configuration, logging, and certificate management.
2. Upload Federation Metadata
- Choose Upload IdP Metadata.
- Select your exported XML: [Cloud Portal Metadata File].
- Save.
Cloud Portal parses and displays the IdP Issuer, SSO URL, and Certificate.
Double-check these against Azure’s Enterprise Application → Single sign-on → SAML pane to confirm they match.
If you see an error parsing the XML, re-download the metadata from Azure — older cached versions often contain outdated certificates.
3. Claims Mapping for Role Propagation
Cloud Portal can transform IdP claims into new claims attached to the issued Sitecore access token.
This is where you bridge Azure group membership to Sitecore roles by generating an xmc_role claim.
3.1 Design your mapping
Create a mapping table per environment:
| Azure Group (Object ID) | Target Claim Name | Target Claim Values (Array) |
|---|---|---|
| [Entra ID GUID] | xmc_role | ["sitecore\\Administrator"] |
| [Entra ID GUID] | xmc_role | ["sitecore\\Author"] |
| [Entra ID GUID] | xmc_role | ["sitecore\\Sitecore Client Publishing"] |
Why xmc_role?
The target claim name is arbitrary; xmc_role is a common convention because it is later referenced in XM Cloud role mappings.
Cloud Portal automatically prefixes it with your SSO Connection ID during token issuance, e.g. xmc-connection-12345.xmc_role.
3.2 Configure mapping in Cloud Portal UI
- Go to Claims Mapping in your SSO connection.
- Click Add Mapping.
- Add a Source Claim:
  - Name: groups
  - Value (Regex): match the group Object ID (e.g., ^00000001-0001-0001-0001-000000000001$)
- Add a Target Claim:
  - Name: xmc_role
  - Values: sitecore\\Administrator
- Save the mapping and repeat for each group/role.
3.3 JSON representation (optional via API)
If you prefer to define mappings via JSON configuration (for automation or documentation), each mapping pairs one group Object ID regex with one role; the two Object IDs below are placeholders and must differ, since each role comes from a different group:
    {
      "claimsMapping": [
        {
          "sourceClaims": [
            { "name": "groups", "value": "^00000001-0001-0001-0001-000000000001$" }
          ],
          "targetClaims": [
            { "name": "xmc_role", "value": "sitecore\\Administrator" }
          ]
        },
        {
          "sourceClaims": [
            { "name": "groups", "value": "^00000002-0002-0002-0002-000000000002$" }
          ],
          "targetClaims": [
            { "name": "xmc_role", "value": "sitecore\\Author" }
          ]
        }
      ]
    }
Role Mapping Pro Tip: Claims Mapping in Cloud Portal — you add source claims (from the IdP) and target claims (added by Cloud Portal to ID/access tokens). Target claim names are arbitrary (e.g., xmc_role). Source claim values can use regex; values must be strings or arrays; up to 20 source claims per mapping; and target claim names are prefixed with the SSO connection ID at issue time.
Official documentation:
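To see how the mapping table in 3.1, the UI steps in 3.2 and the JSON in 3.3 behave for a given user before you save them, here is an added example that simulates the mapping rules as this article describes them (regex on source claim values, string or array values, a 20-source-claim limit, connection-ID prefix on the target name). It is not Cloud Portal's own code, and the exact semantics it assumes, stated in the docstring, are an assumption: a mapping fires when every source claim matches, and values for the same target name are merged into one array. The group Object IDs are placeholders.

```python
import re

# Constructed mapping in the JSON shape shown above. The group Object IDs are placeholders,
# not real Entra ID groups; replace them with the values from your Preparation Checklist.
CLAIMS_MAPPING = [
    {"sourceClaims": [{"name": "groups", "value": r"^00000001-0001-0001-0001-000000000001$"}],
     "targetClaims": [{"name": "xmc_role", "value": "sitecore\\Administrator"}]},
    {"sourceClaims": [{"name": "groups", "value": r"^00000002-0002-0002-0002-000000000002$"}],
     "targetClaims": [{"name": "xmc_role", "value": "sitecore\\Author"}]},
    {"sourceClaims": [{"name": "groups", "value": r"^00000002-0002-0002-0002-000000000002$"}],
     "targetClaims": [{"name": "xmc_role", "value": "sitecore\\Sitecore Client Publishing"}]},
]

MAX_SOURCE_CLAIMS = 20  # per-mapping limit quoted in the Role Mapping Pro Tip above


def validate_mapping(mapping: list) -> list:
    """Static checks a mapping should pass before it is saved; returns human-readable problems."""
    problems = []
    for i, m in enumerate(mapping):
        if len(m["sourceClaims"]) > MAX_SOURCE_CLAIMS:
            problems.append(f"mapping {i}: more than {MAX_SOURCE_CLAIMS} source claims")
        for sc in m["sourceClaims"]:
            try:
                re.compile(sc["value"])
            except re.error as exc:
                problems.append(f"mapping {i}: bad regex {sc['value']!r}: {exc}")
                continue
            # An unanchored pattern is the "regex too loose" failure: it can match more groups than intended.
            if not (sc["value"].startswith("^") and sc["value"].endswith("$")):
                problems.append(f"mapping {i}: regex {sc['value']!r} is unanchored and may match unintended groups")
    # Several target claim names is the "duplicate or conflicting roles" symptom from the troubleshooting table.
    names = {tc["name"] for m in mapping for tc in m["targetClaims"]}
    if len(names) > 1:
        problems.append(f"several target claim names {sorted(names)}; use one name with multiple values")
    return problems


def _as_string_list(value) -> list:
    """Cloud Portal accepts a string or an array of strings; anything else is a claim error."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return value
    raise ValueError(f"source claim value must be a string or array of strings, got {value!r}")


def apply_claims_mapping(idp_claims: dict, mapping: list, connection_id: str) -> dict:
    """Simulate the target claims added to the token for a user with these IdP claims.

    Assumed semantics (not taken from Cloud Portal documentation): a mapping fires when every one of
    its source claims has at least one value matching the regex; target values for the same claim
    name are merged into one de-duplicated array; the name is prefixed with the SSO connection ID.
    """
    issued = {}
    for m in mapping:
        fired = True
        for sc in m["sourceClaims"]:
            values = _as_string_list(idp_claims.get(sc["name"], []))
            if not any(re.search(sc["value"], v) for v in values):
                fired = False
                break
        if not fired:
            continue
        for tc in m["targetClaims"]:
            bucket = issued.setdefault(f"{connection_id}.{tc['name']}", [])
            if tc["value"] not in bucket:
                bucket.append(tc["value"])
    return issued


if __name__ == "__main__":
    print(validate_mapping(CLAIMS_MAPPING))
    # Constructed test users: the first is in the "administrator" group, the second in the "author" group.
    for groups in (["00000001-0001-0001-0001-000000000001"], ["00000002-0002-0002-0002-000000000002"], []):
        print(groups, "->", apply_claims_mapping({"groups": groups}, CLAIMS_MAPPING, "xmc-connection-12345"))
```

Running it shows the shape you should later see in the decoded token: one prefixed claim name with an array of role values, an empty result for a user in none of the mapped groups, and a `ValueError` if the groups claim arrives as something other than a string or array of strings.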
4. Testing SSO and Token Claims
Once mapping is saved:
- Sign out of Cloud Portal.
- Sign in again — it should redirect to Azure Entra ID.
- Use your test accounts: admin-test@yourcompany.com, editor-test@yourcompany.com
Confirm:
- The login flow completes successfully.
- The token now includes your prefixed target claim: "xmc-connection-12345.xmc_role": ["sitecore\\Administrator"]
Hot Tip – Token Inspection: Cloud Portal doesn’t always show the full token. To verify claims, copy the Bearer token from your browser’s Network tab (Authorization: Bearer ...) and paste it into jwt.ms for decoding. Sometimes the token appears in the UI under “System Information” — otherwise you must capture it from the network traffic.
5. Troubleshooting Role Mapping
| Symptom | Likely Cause | How to Fix |
|---|---|---|
| Login works, but no roles appear in XM Cloud | Wrong or missing target claim prefix | Use the exact prefixed name (e.g., xmc-connection-12345.xmc_role) in XM Cloud. |
| Cloud Portal shows claim warning | Source claim is not a string/array | Azure must emit Object IDs as strings. |
| Only some users receive roles | Regex too restrictive | Loosen the expression or duplicate entries for each matching group. |
| Duplicate or conflicting roles | Multiple target claim names | Use one target claim name (xmc_role) with multiple role values to avoid ambiguity. |
| Domain conflict when adding connection | Domain already mapped to another SSO | Each domain can belong to only one SSO connection. |
| Metadata expired | Old certificate or outdated XML | Re-upload current metadata from Azure. |
| Overlapping mappings / multiple target claims | Several mappings fire on the same source claim | Keep a single target claim name (e.g., xmc_role) and define multiple roles in the same array. |
| Token inspection in UI | Claims not visible | Use jwt.ms to decode the Bearer token from browser traffic. |
Validate
By this stage, you should have:
- Working SAML trust between Azure Entra ID and Sitecore Cloud Portal
- Valid token inspection showing your xmc_role claim
- A functional base for role propagation into XM Cloud
Summary
You’ve:
- Created a SAML connection in Cloud Portal
- Uploaded Azure metadata
- Configured claims mapping with target xmc_role claims
- Tested SSO and verified the token
- Prepared for downstream XM Cloud role mapping
In the next article, we’ll walk through how to set up Content Hub, configure the SAML connection there, and conduct validation checks.
