Let’s imagine that you need to secure your whole site, or only your Content Management instance, so that there is no anonymous access. As an old-school Sitecore guy I thought about the site settings requireLogin set to true and loginPage set to /sitecore/login.
From old Sitecore Developer Network
This changes with Sitecore 9.1 and Identity Server. A must-read article, Understanding Sitecore authentication behavior changes, says that the new format is /identity/login/{your_sxa_site_name}/SitecoreIdentityServer.
My first attempt: adding the loginPage and requireLogin settings into the Other Properties section in SXA Site Manager. Settings added, published, and I failed dramatically. I got into some infinite loop, unable to log into Sitecore and revert my changes. Remember that SXA Site Manager settings are deployed to web.
The missing part is to configure Sitecore Identity Server to be recognized as the identity provider for your SXA site. As mentioned in the article, there are a few predefined mappings. They are defined in the “\App_Config\Sitecore\Owin.Authentication\Sitecore.Owin.Authentication.config” file.
You might create a configuration patch to either assign SitecoreIdentityServer to one of the existing mappings or create a new one, for example:
<mapEntry name="some meaningful mapping name" type="Sitecore.Owin.Authentication.Collections.IdentityProvidersPerSitesMapEntry, Sitecore.Owin.Authentication">
  <sites hint="list">
    <site>{your SXA site name}</site>
    <site>{your another SXA Site name}</site>
  </sites>
  <identityProviders hint="list:AddIdentityProvider">
    <identityProvider ref="federatedAuthentication/identityProviders/identityProvider[@id='SitecoreIdentityServer']" id="SitecoreIdentityServer" />
  </identityProviders>
</mapEntry>
In my case, I wanted to restrict access only to the Content Management server, and I leveraged the SXA multisite feature (Manage multiple sites with the SXA Site Manager).
I had a site definition only for my PROD CM server, where I set those two new settings.
The value for each Sitecore instance can be set in the Sitecore.XA.SitesToResolveAfterSxa.config file.
If you are adding more than one site you may run into this error on the login page: Sorry, there was an error : unauthorized_client
You need to add every site URL from which visitors will need to authenticate. On the Identity Server, modify the file <SIServer>\Config\production\Sitecore.IdentityServer.Host.xml by adding all of them as Allowed Cors Origins URLs:
<?xml version="1.0" encoding="utf-8" ?>
<Settings>
  <Sitecore>
    <IdentityServer>
      <CertificateThumbprint>XXXXXXXXXXXXXX</CertificateThumbprint>
      <CertificateStoreLocation>LocalMachine</CertificateStoreLocation>
      <CertificateStoreName>My</CertificateStoreName>
      <SitecoreMembershipOptions>
        <ConnectionString>Data Source=.;Initial Catalog=xxx-local_Core;User ID=coreuser;Password=xxx</ConnectionString>
      </SitecoreMembershipOptions>
      <AccountOptions>
        <PasswordRecoveryUrl>http://xxx-local.sc/sitecore/login?rc=1</PasswordRecoveryUrl>
      </AccountOptions>
      <Clients>
        <DefaultClient>
          <AllowedCorsOrigins>
            <AllowedCorsOriginsGroup1>http://first-site-url</AllowedCorsOriginsGroup1>
            <AllowedCorsOriginsGroup2>http://second-site-url</AllowedCorsOriginsGroup2>
          </AllowedCorsOrigins>
        </DefaultClient>
        <PasswordClient>
          <ClientSecrets>
            <ClientSecret1>Password1</ClientSecret1>
          </ClientSecrets>
        </PasswordClient>
      </Clients>
    </IdentityServer>
  </Sitecore>
</Settings>
Note: it is also possible to define the AllowedCorsOrigins as a single pipe-separated value.
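A quick way to catch the unauthorized_client problem before deploying is to compare the origins configured in Sitecore.IdentityServer.Host.xml against the list of site URLs that have to log in. The script below is an added example written for this post, not part of Sitecore or Identity Server; the XML it parses is a constructed sample in the same shape as the Host.xml above (both the one-origin-per-element form and the pipe-separated form), and the site list is invented. It reports required origins that are missing, entries that are not bare origins (a browser's Origin header carries only scheme, host and port, so an entry with a trailing slash or path will not match it), and origins that are still plain http.

```python
"""Check Identity Server AllowedCorsOrigins against the site URLs that must authenticate.

Added example; the XML below is a constructed sample, not a real server's file.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample mirroring the Host.xml layout from the post.
# Group2 uses the pipe-separated form; Group3 deliberately carries a trailing slash.
SAMPLE_HOST_XML = """<?xml version="1.0" encoding="utf-8" ?>
<Settings>
  <Sitecore>
    <IdentityServer>
      <Clients>
        <DefaultClient>
          <AllowedCorsOrigins>
            <AllowedCorsOriginsGroup1>https://cm.example.test</AllowedCorsOriginsGroup1>
            <AllowedCorsOriginsGroup2>https://site-a.example.test|http://site-b.example.test</AllowedCorsOriginsGroup2>
            <AllowedCorsOriginsGroup3>https://site-d.example.test/</AllowedCorsOriginsGroup3>
          </AllowedCorsOrigins>
        </DefaultClient>
      </Clients>
    </IdentityServer>
  </Sitecore>
</Settings>
"""

# Constructed list of site URLs whose visitors must log in through Identity Server.
REQUIRED_SITE_URLS = [
    "https://cm.example.test",
    "https://site-a.example.test",
    "https://site-c.example.test",
]


def allowed_cors_origins(host_xml):
    """Return every raw origin listed under DefaultClient/AllowedCorsOrigins.

    Each child element holds either one origin or several separated by '|'.
    """
    root = ET.fromstring(host_xml)
    node = root.find("./Sitecore/IdentityServer/Clients/DefaultClient/AllowedCorsOrigins")
    if node is None:
        return []
    origins = []
    for child in node:
        for raw in (child.text or "").split("|"):
            raw = raw.strip()
            if raw:
                origins.append(raw)
    return origins


def normalize_origin(value):
    """Reduce a URL to lowercase scheme://host[:port]; reject anything that is not a bare origin."""
    parts = urlsplit(value.strip())
    if not parts.scheme or not parts.netloc:
        raise ValueError("not an absolute URL: %r" % value)
    if parts.path or parts.query or parts.fragment:
        # An Origin header never has a path, so such an entry would not match.
        raise ValueError("origin must not carry a path: %r" % value)
    return "%s://%s" % (parts.scheme.lower(), parts.netloc.lower())


def check_origins(host_xml, required_site_urls):
    """Compare configured origins with the site URLs that need to authenticate.

    Returns a dict with three sorted lists:
      missing   - required origins absent from the config (these produce unauthorized_client)
      malformed - configured entries that are not bare origins
      insecure  - configured origins using plain http
    """
    configured, malformed, insecure = set(), [], []
    for raw in allowed_cors_origins(host_xml):
        try:
            origin = normalize_origin(raw)
        except ValueError:
            malformed.append(raw)
            continue
        configured.add(origin)
        if origin.startswith("http://"):
            insecure.append(origin)
    required = {normalize_origin(url) for url in required_site_urls}
    return {
        "missing": sorted(required - configured),
        "malformed": sorted(malformed),
        "insecure": sorted(insecure),
    }


if __name__ == "__main__":
    for key, values in check_origins(SAMPLE_HOST_XML, REQUIRED_SITE_URLS).items():
        print("%-9s %s" % (key + ":", ", ".join(values) or "-"))
```

Run it against the real Host.xml by reading the file into host_xml and passing the hostnames of every site that has requireLogin set; an empty missing list means the CORS side is covered, and anything under malformed is worth fixing before you chase the error elsewhere.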