Set up site authentication

Deciding how users authenticate when they visit is a core customization in any Power Pages site. If you enforce authentication, users authenticate through an identity provider.

Power Pages includes several built-in OAuth 2.0 identity providers, so users can authenticate with a Microsoft, LinkedIn, Facebook, Google, or Twitter account. A website can have only one instance of an OAuth 2.0 identity provider at a time.

You can add SAML 2.0, OpenID Connect, and WS Federation identity providers if you need them.

Power Pages lets makers and admins set up user authentication easily. After you select an identity provider, prompts in the app guide you through the remaining settings.

To set up user authentication for your site:

  1. Select general authentication settings.
  2. Enter the settings for a specific identity provider.

Note

Changes to your site's authentication settings can take a few minutes to be reflected on the site. To see the changes immediately, restart the site in the admin center.

Select general authentication settings

Some authentication settings don't depend on the identity provider you choose. They apply generally to your website's authentication method.

  1. Sign in to Power Pages.

  2. Create a site or edit an existing site.

  3. In the left panel, select Security.

  4. Under Manage, select Identity providers.

  5. Select Authentication settings.

  6. Select the general authentication settings you need, then select Save.

Next, enter the specific settings for your identity provider.

General settings

Select the following general authentication settings:

  • External login: External authentication is provided by the ASP.NET Identity API. Third-party identity providers manage account credentials and passwords.

    • On: To sign up for access, users select an external identity to register with the website. After it's registered, an external identity has access to the same features as a local account. Learn how to manage external accounts.
    • Off: Users can't register or sign in with an external account.
  • Open registration: Controls the sign-up form for creating a local user account.

    • On: The sign-up form allows any anonymous user to visit the website and create a user account.
    • Off: The sign-up form is disabled and hidden.
  • Require unique email: Specifies if users must provide a unique email address when signing up.

    • On: A sign-up attempt might fail if a user provides an email address that already exists in a contact record.
    • Off: A new user can sign up with a duplicated email address.
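The three toggles above can be reviewed outside the app once a site's settings are exported. The following is an added example, not code from the Power Pages documentation: it assumes the toggles are stored as site settings under the names shown (confirm them against your own site), it runs on a constructed sample export, and the severity labels are this example's own.

```python
# Assumed site setting names for the three general toggles; verify in your site.
OPEN_REG = "Authentication/Registration/OpenRegistrationEnabled"
EXTERNAL = "Authentication/Registration/ExternalLoginEnabled"
UNIQUE_EMAIL = "Authentication/UserManager/UserValidator/RequireUniqueEmail"

def parse_bool(raw):
    """Return True/False for a stored string value, or None if missing or unparseable."""
    if raw is None:
        return None
    text = str(raw).strip().lower()
    if text in ("true", "1"):
        return True
    if text in ("false", "0"):
        return False
    return None

def audit(records):
    """records: iterable of {'name', 'value'} dicts. Returns a list of (severity, message)."""
    # Names are matched case-insensitively; on duplicates the last record wins.
    values = {r["name"].strip().lower(): r.get("value") for r in records}
    state = {k: parse_bool(values.get(k.lower())) for k in (OPEN_REG, EXTERNAL, UNIQUE_EMAIL)}
    findings = []
    for key, val in state.items():
        if val is None:  # do not guess a default; send the reviewer to the UI
            findings.append(("review", f"{key} is missing or not a boolean"))
    if state[OPEN_REG]:
        findings.append(("medium", "Open registration is On: any anonymous visitor can create a local account"))
    if state[UNIQUE_EMAIL] is False:
        findings.append(("medium", "Require unique email is Off: duplicated email addresses are accepted"))
    if state[OPEN_REG] and state[UNIQUE_EMAIL] is False:
        findings.append(("high", "Anonymous sign-ups can reuse an email that already exists on a contact"))
    if state[OPEN_REG] is False and state[EXTERNAL] is False:
        findings.append(("info", "Sign-up form is hidden and external accounts can't register or sign in"))
    return findings

# Constructed sample exports (not taken from a real site).
PERMISSIVE = [
    {"name": OPEN_REG, "value": "True"},
    {"name": EXTERNAL, "value": "true"},
    {"name": UNIQUE_EMAIL, "value": "false"},
]
LOCKED_DOWN = [
    {"name": OPEN_REG, "value": "false"},
    {"name": EXTERNAL, "value": "false"},
    {"name": UNIQUE_EMAIL, "value": "true"},
]

if __name__ == "__main__":
    for severity, message in audit(PERMISSIVE):
        print(f"[{severity}] {message}")
```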

Set up specific identity providers

Each identity provider has specific settings that you need to enter.

Note

If you use or add a custom domain name or change your site's base URL, you must set up your identity provider to use the correct reply URL.

  1. On your Power Pages site, select Security > Identity providers.

    The list shows all available identity providers.

  2. To set up an identity provider that appears in the list, select Configure.

    If the provider you want isn't listed, add it.

  3. Keep the provider name as it is or change it if needed.

    The provider name appears on the button users select for their identity provider on the sign-in page.

  4. Select Next.

  5. For the remaining steps, find the provider in the common identity providers table and select the documentation link.

Add an identity provider

If the identity provider you want to use doesn't appear in the list, you can add it.

  1. In your Power Pages site, select Security > Identity providers.

  2. Select + New provider.

  3. In the Select login provider list, select Other.

  4. In the Protocol list, select the authentication protocol the provider uses.

  5. Enter the provider name as it appears on your site's sign-in page.

  6. Select Next.

  7. For the remaining steps, select Learn more on the configuration page to open the relevant documentation link.

  8. Select Confirm.

Edit an identity provider

  1. In your Power Pages site, select Security > Identity providers.

  2. Next to the identity provider name, select More Commands > Edit configuration.

  3. Change the settings based on the provider's documentation.

  4. Select Save.

Note

You can't change the configuration of the Local sign in and Microsoft Entra providers here. Use site settings instead.

Delete an identity provider

When you delete an identity provider, only its configuration is deleted. The provider is still available for future use with a new configuration. For example, if you delete the LinkedIn identity provider, your LinkedIn app and app configuration stay intact. Similarly, if you delete an Azure AD B2C provider, only the configuration is deleted, and the Azure tenant configuration for this provider doesn't change.

  1. In your Power Pages site, select Security > Identity providers.

  2. To the right of the identity provider name, select More Commands > Delete.

Set a default identity provider

Set any configured identity provider as the default. When you set an identity provider as the default, users who sign in to the website aren't redirected to the sign-in page. Instead, they sign in using the selected provider.

You can only set a configured identity provider as the default.

Important

When you set an identity provider as the default, users can't choose any other identity provider.

  1. In your Power Pages site, select Security > Identity providers.

  2. To the right of the identity provider name, select More Commands > Set as default.

To remove the default and let users select a configured identity provider when they sign in, select Remove as default.

Prevent the "Trouble signing you in" error if you recreate your site

If you delete and recreate your Power Pages site, users might receive the following error when they try to sign in:

Sorry, but we're having trouble signing you in. AADSTS700016: Application with identifier '<your site URL>' was not found in the directory 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

Make sure you configure the identity provider correctly after recreating your site.