Create a recycling bin for logging and restoring deleted documents
Official(made by Sanity team)
Help you editors restore deleted documents in a dataset using a webhook and a singleton bin document type.
Last updated December 12, 2023
Set up SSO authentication with SAML and Azure
Configure and enable SSO authentication in your Sanity instance using the SAML protocol and Microsoft Azure AD as an identity provider (IdP.)
During the setup and configuration process, it's a good idea to keep two windows side by side:
- One with Sanity Manage.
- The other with the configuration settings of the IdP; in this case, Azure.
Go to Sanity Manage and select the organization you want to enable SSO for.
To navigate to the service provider configuration inside Sanity Manage:
- In the organization you intend to add SSO to, go to Settings → SAML SSO.
- If no SAML SSO provider exists, click Open SAML SSO configuration and proceed to create and configure a SAML SSO provider.
To navigate to the identity provider configuration in Azure:
- Log into Azure.
- Go to Azure Active Directory.
- On the sidebar, go to Enterprise applications.
In Enterprise applications:
- Select an existing SAML application or create a new enterprise application.
If you create a new application, you can also integrate any other applications not available in the gallery. - Go to Set up single sign on, and then choose the SAML sign-on method to use.
If you're keeping two browser tabs or windows open side by side, now you should have one on the configuration screen inside Sanity Manage, and the other on the configuration screen in Azure.
- In Azure, edit the Basic SAML Configuration form.
- Add an Identifier (Entity ID) to the basic SAML configuration.
Inside Sanity Manage, this ID corresponds to the Sanity entity ID. - Add a Reply URL (Assertion Consumer Service URL).
Inside Sanity Manage, this URL corresponds to the Sanity callback URL. - Click Save.
- In Azure, edit the Attributes & Claims form.
- Edit the Unique User Identifier (Name ID) claim, and change the Name identifier format to Persistent.
- Click Save.
Now, configure Azure to send the claims that Sanity requires in the expected form.
The claims (attributes) that Sanity expects are listed inside Sanity Manage:
For each claim:
- Ensure the claim Name matches the attribute name in the table above.
- Ensure the Namespace is deleted.
- Ensure the Name format is set to Unspecified.
- Ensure the Source attribute is mapped correctly. This varies, and it depends on the specific Azure Active Directory configuration.
Once all claims have been added:
Sanity requires user.firstName and user.surname. The mapping in the example replaces both fields with user.displayname.
Enterprise customers can map user identity provider roles to service provider roles. For example, users with an Azure example-azure-user-role role are mapped to the Sanity viewer role when they log in.
- To support the mapping functionality, you must configure the identity provider to send the groups of the user.
- To do so, Sanity Manage expects a
groupsclaim with the format set tounspecified.
In Azure, add a new group claim:
Select the groups that you want Azure to send to Sanity, and assign the group claim a descriptive name:
Once you're done, save the changes.
In Azure, browse to the Set up {application name} block:
Get the Azure URLs for login and authentication, and add them to the Your Identity Provider details configuration section inside Sanity Manage:
In this scenario:
- Azure Login URL maps to Sanity Identity Provider Single Sign-On URL.
- Azure Azure AD Identifier maps to Sanity Identity Provider issuer.
In the SAML specification, InResponseTo is defined as
The ID of a SAML protocol message in response to which an attesting entity can present the assertion.
This setting is identity provider-specific. Azure doesn’t support it. Therefore, ensure that Enable InResponseTo is deselected/disabled.
The Signed SAML Assertion option notifies the Sanity instance that the identity provider is configured to use the signing certificate found in the Sanity service provider details section.
This is an optional step configured in Verification certificates:
Unless you have already uploaded the certificate, leave the Want assertion signed deselected under Signed SAML Assertion.
To get an X.509 certificate:
- Go to SAML Certificates and click Edit.
- Download the certificate as PEM certificate download.
- Open the downloaded certificate file with any text editor, and copy-paste the certificate content into Sanity Manage.
Ensure you save all changes inside Sanity Manage and in Azure.
Sanity – build remarkable experiences at scale
Sanity Composable Content Cloud is the headless CMS that gives you (and your team) a content backend to drive websites and applications with modern tooling. It offers a real-time editing environment for content creators that’s easy to configure but designed to be customized with JavaScript and React when needed. With the hosted document store, you query content freely and easily integrate with any framework or data source to distribute and enrich content.
Sanity scales from weekend projects to enterprise needs and is used by companies like Puma, AT&T, Burger King, Tata, and Figma.
Other guides by authors
Dynamic folder structure using the currentUser and workflow states
In this guide you will learn how to setup such a listener-based structure and also how to combine the results with the workflow plugin metadata.
Saskia Bobinska
Use Comments for authors and editors
Streamline your editorial workflow: use comments to manage asynchronous collaborative reviews in the studio.
Marco Spinello
Enable Comments inside Sanity Studio
Set up comments so that they’re available in the studio to authors and editors.
Marco Spinello