Sitecore Setup

Connection to the Sitecore ItemService REST API

The Sitecore connector connects to the Sitecore server via the ItemService REST API of Sitecore in order to retrieve content data from Sitecore. By default, Sitecore Security Policies restrict access to the REST API to requests that originate from the Sitecore Server.

If the Sitecore connector runs on a different server, the Security Policies have to be adjusted. This is done by changing the value of Sitecore.Services.SecurityPolicy in the Sitecore.Services.Client.config file. This configuration file is located in the directory Website\App_Config\Include of the Sitecore installation.

The possible values are:

  1. Sitecore.Services.Infrastructure.Web.Http.Security.ServicesOffPolicy: This policy denies access to the ItemServices.

  2. Sitecore.Services.Infrastructure.Web.Http.Security.ServicesLocalOnlyPolicy: This policy denies access to the ItemServices from requests originating from remote clients. This is the default value.

  3. Sitecore.Services.Infrastructure.Web.Http.Security.ServicesOnPolicy: This policy allows access to the ItemServices. This is the value that is necessary if the connector is installed on a remote server.

Refer to the Sitecore documentation for details about Sitecore Security Policies.
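The policy change as an added, runnable example (not part of the connector documentation): a PowerShell script, run on the Sitecore server, that drops a Sitecore patch file into App_Config\Include instead of editing the shipped Sitecore.Services.Client.config, then reads the patch back. The web root path and patch file name are placeholders, and the ", Sitecore.Services.Infrastructure" assembly suffix is assumed to match the value form used in your installation's Sitecore.Services.Client.config; compare before applying.

```powershell
# Added example, not from the connector documentation.
# Switches the ItemService security policy to ServicesOnPolicy via a patch file.
# Assumptions: $webRoot and the patch file name are placeholders; the assembly
# suffix in $policy mirrors the shipped Sitecore.Services.Client.config.

$webRoot   = 'C:\inetpub\wwwroot\sitecore\Website'   # placeholder: your Sitecore web root
$include   = Join-Path $webRoot 'App_Config\Include'
$patchFile = Join-Path $include 'zzz.Connector.ItemService.config'   # placeholder name

# Sitecore merges Include\*.config alphabetically; the zzz. prefix makes this
# patch apply after Sitecore.Services.Client.config, so its value wins.
$policy = 'Sitecore.Services.Infrastructure.Web.Http.Security.ServicesOnPolicy, Sitecore.Services.Infrastructure'

@"
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <settings>
      <!-- Shipped default is ServicesLocalOnlyPolicy: only requests originating
           on the Sitecore server itself reach the ItemService. ServicesOnPolicy
           is needed only when the connector runs on a remote host. -->
      <setting name="Sitecore.Services.SecurityPolicy">
        <patch:attribute name="value">$policy</patch:attribute>
      </setting>
    </settings>
  </sitecore>
</configuration>
"@ | Set-Content -Path $patchFile -Encoding UTF8

# Read the patch back and confirm it parses and carries the intended value.
[xml]$patch = Get-Content -Path $patchFile -Raw
$written = $patch.configuration.sitecore.settings.setting.'patch:attribute'.'#text'
if ($written -ne $policy) { throw "Patch file does not contain the expected policy value" }
"Patch written: $patchFile"

# Show the shipped default for comparison (unchanged by this script).
[xml]$shipped = Get-Content -Path (Join-Path $include 'Sitecore.Services.Client.config') -Raw
$shipped.configuration.sitecore.settings.setting |
    Where-Object { $_.name -eq 'Sitecore.Services.SecurityPolicy' } |
    Select-Object name, value
```

ServicesOnPolicy lifts the "local only" restriction for every client that can reach the site, not just the connector host; the ItemService still authenticates callers, but once this patch is in place it is worth limiting which addresses can reach the ItemService at the web server or firewall level and giving the connector's Sitecore account only read access to the content it needs. The merged, effective setting can be checked after an application pool recycle in the Sitecore admin configuration view rather than in the shipped file.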

Connection to Microsoft Azure

The Sitecore connector does not retrieve principal information from Sitecore directly. Instead, it is assumed that the Sitecore instance uses federated authentication with a Microsoft Azure AD identity provider. Thus, the connector retrieves user and group information from Azure AD. This requires setting up the connection to Azure AD.

Execute the following steps:

  • Create a self-signed certificate. Ensure that you have the certificate information readily available for the configuration process. Note the location of the certificate file and the certificate password, as both are needed later in the connector configuration.

  • Register an Azure application in the Azure Portal:

    1. Visit the Azure Portal and log in as a tenant administrator.

    2. Go to App registrations.

    3. Register an application and follow the instructions. Supported account types should be Accounts in this organizational directory only. A redirect URL is neither needed nor supported.

    4. Configure the following Application API permissions for Microsoft Graph (see API Permissions for further explanation):

      • Group.Read.All

      • User.Read.All

    5. Grant admin consent for your tenant.

    6. Go to Certificates & secrets and upload a certificate. Note the location of the certificate file and the certificate password, as both are needed later in the connector configuration.

    7. Use the Application (client) ID and Directory (tenant) ID from the overview tab to configure the connector.
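The same setup carried out end to end with the Microsoft Graph PowerShell SDK, as an added example that is not part of the connector documentation: it creates the self-signed certificate, registers a single-tenant application with only the two application permissions listed above, uploads the certificate's public key, grants admin consent by assigning the app roles to the application's service principal, and prints the Application (client) ID and Directory (tenant) ID. The application display name, certificate paths and PFX password are placeholders; the Microsoft Graph app ID 00000003-0000-0000-c000-000000000000 is the well-known value for the Graph resource.

```powershell
# Added example, not from the connector documentation.
# Requires the Microsoft.Graph module (Install-Module Microsoft.Graph) and a
# tenant administrator. Placeholders: $appName, $cerPath, $pfxPath.
Import-Module Microsoft.Graph.Applications

$appName = 'sitecore-connector'                      # placeholder display name
$cerPath = 'C:\certs\sitecore-connector.cer'         # placeholder: public cert for Azure
$pfxPath = 'C:\certs\sitecore-connector.pfx'         # placeholder: private cert for the connector
$pfxPass = Read-Host -AsSecureString 'PFX password'  # prompted, never stored in the script

# 1. Self-signed certificate. The .cer goes to Azure, the .pfx (plus password)
#    to the connector configuration; a one-year lifetime forces rotation.
$cert = New-SelfSignedCertificate -Subject "CN=$appName" -CertStoreLocation 'Cert:\CurrentUser\My' `
            -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -NotAfter (Get-Date).AddYears(1)
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null

# 2. Sign in with just the rights needed to register an app and grant consent.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

# 3. Resolve the two application (Role) permissions by name from the Microsoft
#    Graph service principal instead of hard-coding their GUIDs.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$wanted  = @('Group.Read.All', 'User.Read.All')
$roles   = $graphSp.AppRoles | Where-Object {
    $_.Value -in $wanted -and $_.AllowedMemberTypes -contains 'Application'
}
if (@($roles).Count -ne $wanted.Count) { throw "Could not resolve all required Graph app roles" }

# 4. Register the application: this tenant only, no redirect URI, and the
#    certificate as its only credential (no client secret).
$requiredAccess = @{
    ResourceAppId  = $graphSp.AppId
    ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
}
$keyCredential = @{
    Type        = 'AsymmetricX509Cert'
    Usage       = 'Verify'
    Key         = $cert.RawData
    DisplayName = "CN=$appName"
}
$app = New-MgApplication -DisplayName $appName -SignInAudience 'AzureADMyOrg' `
           -RequiredResourceAccess $requiredAccess -KeyCredentials @($keyCredential)

# 5. Admin consent: assign each app role to the application's own service
#    principal. This is what the portal's "Grant admin consent" button does.
$sp = New-MgServicePrincipal -AppId $app.AppId
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# 6. The values the connector configuration asks for.
[pscustomobject]@{
    ApplicationClientId = $app.AppId
    DirectoryTenantId   = (Get-MgContext).TenantId
    CertificateFile     = $pfxPath
}
```

The script grants exactly the two read permissions the connector needs and nothing else; if a later review of the app registration shows additional permissions, they were added outside this setup. Because consent is expressed as app role assignments on the service principal, removing an assignment (or the service principal) revokes the connector's access without touching the certificate.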

API Permissions

The following Application API permissions are required by the connector:

Permission Name   Description

Group.Read.All    Permission to read Azure AD groups. Used in the principal synchronization to list all Azure AD groups and their members.

User.Read.All     Permission to read Azure AD users. Used in the principal synchronization to list all Azure AD users.