Configuring Single Sign-On in SDL Knowledge Center (SSO)?

Hi,

I am configuring the SSO configuration of Content Delivery and Content Manager.

I am following the SDL docs, but I am finding it hard to understand the LiveContentGroup.xml file.

How do I create a user that can be authenticated by both CD and CM? I am finding this step very hard to understand.

Thanks

Regards,

Mark Arum

  • Hi,

    The topic "Configuring SSO in LiveContentGroups.xml" explains how to map the attributes/claims of an incoming token to the Content Delivery authorization. I'm assuming that you can log in, so you don't have issues with token validation, which is discussed in different topics.

    There are two sides to understanding this process.

    • Knowing how to map to Content Delivery users and groups, you set your requirements from the Security Token Service.
    • Knowing what your incoming token contains allows you to make the possible configuration to control the authorization on Content Delivery.

    As mentioned, ISHSTS is a Security Token Service built on top of the Thinktecture identity server, consuming the Content Manager user repository. What is interesting for you is that it comes pre-configured to generate tokens with claims and attributes that are the best for both the Content Manager and Content Delivery. The configuration is available in c:\InfoShare\ISH\Web\InfoShareSTS\Configuration\infoShareSTS.config.

    <rule name="Content Delivery" rpNameRegEx="^(LC)">
      <transformations>
        <transformation claimType="schemas.microsoft.com/.../role"
                        ishFieldName="FISHUSERROLES"
                        ishFieldLevel="none"
                        ishFieldValueType="element"
                        />
        <transformation claimType="schemas.xmlsoap.org/.../emailaddress"
                        ishFieldName="FISHEMAIL"
                        ishFieldLevel="none"
                        ishFieldValueType="value"
                        />
        <transformation claimType="schemas.xmlsoap.org/.../displayname"
                        ishFieldName="FISHUSERDISPLAYNAME"
                        ishFieldLevel="none"
                        ishFieldValueType="value"
                        />
      </transformations>
    </rule>

    Content Delivery's product code is LC, and you have to make sure you create relying parties for Content Delivery that start with LC. For those on Knowledge Center 2016 and higher, I would advise using the ISHDeploy PowerShell automation module. For what we are discussing, there is a very nice tutorial on how to add relying parties that are guaranteed to work without you knowing all the internal details.

    For example:

    $name = "Content Delivery"
    $realm = "https://review.lc.example.com/"
    # Add relying party
    Set-ISHSTSRelyingParty -ISHDeployment $deploymentName -Name $name -Realm $realm -LC

    Adding a relying party like this guarantees that the token will contain the information described in the token, so you don't have to worry about how the token is generated.
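The rule above only applies to relying parties whose name matches rpNameRegEx, so a relying party that does not start with "LC" never gets the role, email and display-name claims mapped, and Content Delivery authorization then has nothing to work with. The following script is an added example, not part of the original answer or of the ISHDeploy/ISHSTS products: it parses a constructed copy of the rule (the claim type URIs are kept abbreviated with "..." exactly as in the post and are placeholders), reports which rules a given relying-party name would trigger, and lists which of the mapped claim types are missing from a token you have captured. Function names and the sample token are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the infoShareSTS.config rule quoted in the
# post, wrapped in a <rules> root so it parses stand-alone. The "..." in the
# claimType values are placeholders, not real URIs.
STS_RULES_XML = """<rules>
  <rule name="Content Delivery" rpNameRegEx="^(LC)">
    <transformations>
      <transformation claimType="schemas.microsoft.com/.../role"
                      ishFieldName="FISHUSERROLES"
                      ishFieldLevel="none"
                      ishFieldValueType="element"/>
      <transformation claimType="schemas.xmlsoap.org/.../emailaddress"
                      ishFieldName="FISHEMAIL"
                      ishFieldLevel="none"
                      ishFieldValueType="value"/>
      <transformation claimType="schemas.xmlsoap.org/.../displayname"
                      ishFieldName="FISHUSERDISPLAYNAME"
                      ishFieldLevel="none"
                      ishFieldValueType="value"/>
    </transformations>
  </rule>
</rules>"""


def load_rules(xml_text):
    """Parse every <rule> into its name, compiled rpNameRegEx and the
    claimType -> ishFieldName mapping of its transformations."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        fields = {t.get("claimType"): t.get("ishFieldName")
                  for t in rule.iter("transformation")}
        rules.append({
            "name": rule.get("name"),
            "pattern": re.compile(rule.get("rpNameRegEx")),
            "fields": fields,
        })
    return rules


def matching_rules(rules, rp_name):
    """Names of the rules whose rpNameRegEx matches this relying party.
    The regex is applied with search(), so "^(LC)" anchors to the start and
    is case-sensitive, as a .NET Regex without options would be."""
    return [r["name"] for r in rules if r["pattern"].search(rp_name)]


def expected_claim_types(rules, rp_name):
    """All claim types the matching rules would put into the token."""
    expected = set()
    for r in rules:
        if r["pattern"].search(rp_name):
            expected.update(r["fields"])
    return expected


def missing_claims(rules, rp_name, token_claims):
    """Claim types the rules promise for this relying party that a captured
    token (mapping claimType -> value) does not actually contain."""
    return expected_claim_types(rules, rp_name) - set(token_claims)


if __name__ == "__main__":
    rules = load_rules(STS_RULES_XML)
    # Constructed token: role and email present, display name missing.
    token = {"schemas.microsoft.com/.../role": "Author",
             "schemas.xmlsoap.org/.../emailaddress": "user@example.com"}
    for rp in ("LC Review", "Content Delivery"):
        print(rp, "->", matching_rules(rules, rp),
              "missing:", sorted(missing_claims(rules, rp, token)))
```

Run it against the rule as it exists in your own infoShareSTS.config and the relying-party names you configured: an empty list from `matching_rules` for a Content Delivery relying party means the name does not start with "LC" and the mapping will not be applied at all.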

  • Hi Alex, I expect that in your example the value for $deploymentName is the default value, e.g.
    $deploymentName = "InfoShare"
    Correct?