I'm trying to set up Azure Single Sign-On for my Sitefinity site. This requires changing/setting some settings, and also adding new elements. I can get it working manually, but because of the build pipeline, it gets overwritten every time there's a code update.
I had the following code in my web.config:
<!-- Sitefinity SSO -->
<add key="sf-env:authenticationConfig/securityTokenServiceSettings/authenticationProviders/OpenIDConnect:enabled" value="true" />
<add key="sf-env:authenticationConfig/securityTokenServiceSettings/authenticationProviders/OpenIDConnect:clientId" value="<redacted>" />
<add key="sf-env:authenticationConfig/securityTokenServiceSettings/authenticationProviders/OpenIDConnect:scope" value="openid profile email" />
<add key="sf-env:authenticationConfig/securityTokenServiceSettings/authenticationProviders/OpenIDConnect:authority" value="/<redacted>/v2.0/" />
<add key="sf-env:authenticationConfig/securityTokenServiceSettings/authenticationProviders/OpenIDConnect:redirectUri" value="https://<redacted>/Sitefinity/Authenticate/OpenID/signin-custom" />
<add key="sf-env:authenticationConfig/securityTokenServiceSettings/authenticationProviders/OpenIDConnect:postLogoutRedirectUri" value="<redacted>" />
<add key="sf-env:authenticationConfig/securityTokenServiceSettings/authenticationProviders/OpenIDConnect:title" value="Single Sign-On" />
<add key="sf-env:authenticationConfig/securityTokenServiceSettings/authenticationProviders/OpenIDConnect:requireEmail" value="false" />
<!-- Sitefinity SSO groups -->
<add key="sf-env:authenticationConfig/securityTokenServiceSettings/identityServerSettings/scopes/groups:name" value="groups" />
<add key="sf-env:authenticationConfig/securityTokenServiceSettings/identityServerSettings/scopes/groups:displayName" value="Azure AD Groups" />
<add key="sf-env:authenticationConfig/securityTokenServiceSettings/identityServerSettings/scopes/groups:claims" value="roles" />
<add key="sf-env:authenticationConfig/securityTokenServiceSettings/identityServerSettings/scopes/groups:scopeType" value="Identity" />
<add key="sf-env:authenticationConfig/relyingPartySettings:additionalScopes" value="groups" />
<add key="sf-env:authenticationConfig/securityTokenServiceSettings/identityServerSettings/identityServerClients/sitefinity:allowedScopes" value="openid profile rememberMe groups" />
<add key="sf-env:authenticationConfig/relyingPartySettings/claimsToRolesMappings/DEV Administrators:name" value="DEV Administrators" />
<add key="sf-env:authenticationConfig/relyingPartySettings/claimsToRolesMappings/DEV Administrators:claimType" value="roles" />
<add key="sf-env:authenticationConfig/relyingPartySettings/claimsToRolesMappings/DEV Administrators:claimValue" value="<redacted>" />
<add key="sf-env:authenticationConfig/relyingPartySettings/claimsToRolesMappings/DEV Administrators:mappedRoles" value="BackendUsers, Administrators" />
But when Sitefinity tries to start, it throws an error on
<add key="sf-env:authenticationConfig/securityTokenServiceSettings/identityServerSettings/scopes/groups:name" value="groups" />, saying that the ".../identityServerSettings/scopes/groups" element doesn't exist.
(yes, I know it doesn't, I'm trying to add it!)
So - how do I add the element?