
Sitecore Non-admin users able to access Powershell ISE window

Open abamboria opened this issue 5 years ago • 9 comments

I created a custom role using a PowerShell script to give non-admin users access to the PowerShell ISE, and assigned this custom role to Sitecore and Corporate users. Corporate users are Azure AD users.

The script works fine when I assign the custom role via Sitecore Role Manager for Sitecore and Corporate users, but when I assign the custom role via the Azure Portal, the user gets logged out of Sitecore when we click the PowerShell ISE button on the launchpad.

Sitecore users (e.g. sitecore/testUser and corporate/testUser):

  1. Here I assigned the custom role to Sitecore and Corporate users from Sitecore Role Manager.

  2. After assigning the custom role to Sitecore users, I am able to log in, and when I click the PowerShell ISE button on the launchpad, the user is able to access the PowerShell ISE.

Azure AD users (e.g. corporate/testUser):

  1. I assigned the custom role to Azure AD users from the Azure portal.

  2. After assigning the custom role to Azure AD users, I am able to log in, but when I click the PowerShell ISE button on the launchpad, the user gets logged out of Sitecore. This is the issue which I am facing for Azure AD users.

Please find below the steps which I followed to assign the custom role to Corporate users from the Azure portal:

  1. Created a new Azure AD group, possibly with the same name as the role.
  2. The object ID of this new Azure AD group, created in step #1, needs to be mapped on the identity server.
  3. Run the updated PowerShell script in Sitecore.
  4. Add the user (test/testuser) to the group created in #1.
  5. Log in and test.

abamboria avatar May 11 '20 10:05 abamboria

What version of SPE?

For Sitecore 9.1 and newer there is a patch typically required for use with Sitecore Identity Server.

michaellwest avatar May 11 '20 12:05 michaellwest

SPE version: Sitecore PowerShell Extensions 5.0.0.42513

Did you attach the patch file?

abamboria avatar May 11 '20 13:05 abamboria

No, but you can try this.

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/" xmlns:security="http://www.sitecore.net/xmlconfig/security/">
  <sitecore role:require="Standalone or ContentManagement" security:require="Sitecore">
    <pipelines>
      <owin.cookieAuthentication.validateIdentity>
        <processor type="Sitecore.Owin.Authentication.Pipelines.CookieAuthentication.ValidateIdentity.ValidateSiteNeutralPaths, Sitecore.Owin.Authentication">
          <siteNeutralPaths hint="list">
            <!-- This entry corrects the infinite loop of ExecuteCommand in the SPE Console -->
            <path hint="spe">/sitecore%20modules/PowerShell</path>
          </siteNeutralPaths>
        </processor>
      </owin.cookieAuthentication.validateIdentity>
    </pipelines>
  </sitecore>
</configuration>

michaellwest avatar May 11 '20 13:05 michaellwest
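
One way to confirm that the patch in the comment above actually reached the merged configuration, as an added example that is not part of the thread or of SPE. It assumes the merged config has been saved as XML (for example from /sitecore/admin/showconfig.aspx); the function names, the sample XML and the case-insensitive, trailing-slash-tolerant comparison are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

PIPELINE = "owin.cookieAuthentication.validateIdentity"
PROCESSOR = ("Sitecore.Owin.Authentication.Pipelines.CookieAuthentication."
             "ValidateIdentity.ValidateSiteNeutralPaths")
SPE_PATH = "/sitecore%20modules/PowerShell"  # value from the patch above

def normalize(path):
    """Decode %XX escapes, trim, drop a trailing slash and lowercase (assumed comparison rule)."""
    return unquote(path.strip()).rstrip("/").lower()

def site_neutral_paths(config_xml):
    """Return the normalized <path> entries of the ValidateSiteNeutralPaths processor."""
    found = []
    for pipeline in ET.fromstring(config_xml).iter(PIPELINE):
        for proc in pipeline.iter("processor"):
            # The type attribute is "Namespace.Class, Assembly"; compare the class only.
            if proc.get("type", "").split(",")[0].strip() != PROCESSOR:
                continue
            for entry in proc.findall("./siteNeutralPaths/path"):
                if entry.text and entry.text.strip():
                    found.append(normalize(entry.text))
    return found

def spe_path_is_site_neutral(config_xml):
    """True when the SPE path from the patch is present in the given configuration."""
    return normalize(SPE_PATH) in site_neutral_paths(config_xml)

def _sample(path):
    # Constructed sample of merged configuration, not taken from a real instance.
    return f"""<sitecore><pipelines><{PIPELINE}>
      <processor type="{PROCESSOR}, Sitecore.Owin.Authentication">
        <siteNeutralPaths hint="list"><path hint="x">{path}</path></siteNeutralPaths>
      </processor></{PIPELINE}></pipelines></sitecore>"""

PATCHED = _sample("/sitecore%20modules/PowerShell")
UNENCODED = _sample("/sitecore modules/powershell/")
UNPATCHED = _sample("/constructed/other/path")

if __name__ == "__main__":
    for name, xml in [("patched", PATCHED), ("unencoded", UNENCODED),
                      ("unpatched", UNPATCHED)]:
        print(name, site_neutral_paths(xml), spe_path_is_site_neutral(xml))
```

A False result on a 9.1+ instance behind Identity Server means the patch file was not loaded or was filtered out by its `role:require` / `security:require` conditions.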

What version of Sitecore are you using?

michaellwest avatar May 11 '20 13:05 michaellwest

Sitecore 9.1 (update-1)

abamboria avatar May 11 '20 13:05 abamboria

I'm not sure if the patch will fix the issue you reported, but it is typically required for 9.1+ when Identity Server is used. There is currently no Azure-specific code included with SPE.

michaellwest avatar May 11 '20 13:05 michaellwest

Let me try; I will update you with the result. Thanks for the help.

abamboria avatar May 11 '20 13:05 abamboria

I already have the same configuration setup on my side, but it is not working for me. I found a similar question on GitHub but didn't find any comments on it. Please see the link below.

https://github.com/SitecorePowerShell/Console/issues/1150

abamboria avatar May 12 '20 12:05 abamboria

When this happens, does SPE log a message to one of the log files which might give a clue?

When the forms open there is a call to the Sitecore SecurityHelper to check if access is allowed. Perhaps that causes the redirect.

michaellwest avatar May 12 '20 12:05 michaellwest