Authentication Touchpoints

By Optimizely Education
Published: Mar 10, 2026
Rating 1 star 2 stars 3 stars 4 stars 5 stars

Average rating: 0 No reviews

Outline

At a glance

Division of labor: Developers wire the OIDC-based identity flow, while administrators manage users, groups, and content-tree permissions.
Stateless scaling: Delegating authentication to Opti ID keeps the application tier cleaner and more scalable across DXP nodes.
Virtual role abstraction: Configuration-based role mapping lets the code stay stable even when the organization chart does not.
Defense in depth: Strong implementations add programmatic authorization checks instead of relying only on configuration and hope.

In an enterprise Optimizely CMS 13 (PaaS) ecosystem, security is not a standalone feature but a coordinated effort between application architecture and platform operations. As solutions scale to global teams, managing user records in a local database becomes both a maintenance burden and a security liability. CMS 13 addresses this through a layered model where developers wire the identity infrastructure using OpenID Connect (OIDC) and .NET middleware, while administrators manage the real-world lifecycle of users and their permissions.

Understanding where the developer’s technical responsibility ends and the administrator’s operational domain begins is essential for building a professional DXP solution that remains secure, resilient, and manageable at scale.

1. The Developer’s Config: Engineering the Identity Handshake

The developer’s primary role begins inside the ASP.NET Core request pipeline. In CMS 13, you are responsible for the technical handshake that verifies identity before business logic is ever reached. This process is standardized around Opti ID, Optimizely’s identity broker for connecting corporate identity systems with the broader DXP stack.

1.1 Technical Foundation: Registering the Identity Engine

To enable modern authentication in a CMS 13 PaaS solution, developers replace legacy membership approaches with the EPiServer.OptimizelyIdentity package. This delegates trust to the OIDC authority and allows web application instances to remain stateless and performant. Every authentication attempt is validated against Opti ID before the request enters application-specific code.

public void ConfigureServices(IServiceCollection services)
{
    // The definitive registration of the Opti ID handler.
    // Setting useAsDefault: true ensures that all unauthorized attempts 
    // are automatically redirected to the centralized corporate login.
    services.AddOptimizelyIdentity(useAsDefault: true);

    services.AddCms();
}

1.2 The Abstraction Layer: Mapping Virtual Roles

One of the most important technical artifacts in the authorization chain is the virtual role. Virtual roles provide an abstraction layer that maps external claims from Opti ID, Microsoft Entra ID, or other enterprise identity providers into CMS-understood permission groups without creating brittle, manual identity records in local CMS tables.

Technical implementation in appsettings.json: Rather than hardcoding checks for user emails or specific usernames, developers configure functional mappings. The application inspects claims in the incoming OIDC token and projects them into CMS permission groups.

{
  "EPiServer": {
    "Cms": {
      "MappedRoles": {
        "Items": {
          "CmsAdmins": {
            "MappedRoles": [ "DXP_Platform_Admins", "Global_Site_Architects" ]
          },
          "FinanceContentAuthors": {
            "MappedRoles": [ "Corporate_Finance_Group" ]
          }
        }
      }
    }
  }
}

Architectural Decoupling

By defining functional buckets in configuration, the developer keeps the codebase stable. If the Finance team grows from 10 people to 1,000, the code does not change; the administrator simply adjusts membership in the identity provider.

2. The Administrator’s Domain: Operational Lifecycle Management

Once the developer has deployed the solution and defined the virtual role structure, daily governance shifts to the platform administrator. Their work happens primarily in the SaaS administration tools provided by Optimizely and in the CMS administration interface.

2.1 User and Role Orchestration

In a professional PaaS environment, administrators manage the human side of the security model:

Onboarding: Inviting users such as user@organization.com through the Opti ID Admin Center.
Identity alignment: Ensuring enterprise SSO groups are mirrored or connected correctly.
Assignment: Mapping real users or groups to the claims and roles expected by the application.

2.2 Granular Authorization: ACLs in the Site Tree

In the CMS > Admin > Access Rights area, administrators map the virtual roles defined by developers to specific parts of the content tree. For example, they may grant the FinanceContentAuthors role write access to the /investor-relations branch while restricting it to read-only access elsewhere. This tree-level control defines the operational boundaries of editorial teams.

3. Programmatic Authorization Logic

For a mature implementation, authorization does not stop at configuration. Developers should also implement code-level protections for custom admin tools, scheduled jobs, internal data surfaces, or sensitive front-end components.

3.1 The Principal Pattern

Never check for specific usernames or hardcoded email addresses in C#. That creates a fragile system that breaks the moment people leave, change departments, or get renamed in a directory. Instead, check for a role or functional claim on the authenticated principal. This keeps authorization logic aligned with the abstraction layer defined in configuration.

public class InternalDataComponent : ViewComponent
{
    public IViewComponentResult Invoke()
    {
        // Check for the Virtual Role mapped in appsettings.json
        // This decouples the view logic from actual user IDs.
        if (User.IsInRole("FinanceContentAuthors"))
        {
            return View("SecretStats");
        }
        
        // Return an empty result for unauthorized staff
        return Content(string.Empty);
    }
}

Conclusion

Security in Optimizely CMS 13 PaaS is best understood as a handshake between architecture and operations. Developers build the identity and authorization framework through OIDC handlers, virtual role mappings, and claims-based logic. Administrators then operate that framework through user onboarding, group assignment, and tree-level ACL management. By using virtual roles as the abstraction layer between corporate identity providers and CMS permissions, teams keep the codebase stable while allowing operational security to evolve with the organization. That separation is not just tidy architecture; it is what makes enterprise-scale governance sustainable.