Content Manager Security Token Service requirements

Required identifiers and certificates for a Security Token Service configuration applicable to Content Manager.

Profiles

Content Manager relies on both the Passive profile and the Active profile to do Federated Authentication: the ISHCM web applications use the Passive profile (browser redirects), and the ISHWS SOAP web services use the Active profile (WS-Trust token requests).

Service name: ISHCM
Profile: Passive profile
Remarks: Refers to the web applications. Token encryption is optional.

Service name: ISHWS
Profile: Active profile
Remarks: Refers to the SOAP-based web services implementing the WS-Trust protocol. Token encryption is mandatory.

Identifiers and encryption certificates

For each service, Content Manager expects the following combination of identifiers and encryption certificate to be configured on the Security Token Service. In the identifiers below, example.com stands for the host name of the Content Manager deployment; the Security Token Service compares identifiers as-is, so the host name, path and trailing slash must match the URLs the clients actually use.

Service: ISHCM
Encryption certificate: none (tokens for the web applications may be issued unencrypted).
Identifier: https://example.com/ISHCM/
Service: ISHWS
Encryption certificate: the public key of the certificate referenced through the servicecertificatethumbprint input parameter. The Security Token Service encrypts tokens issued for ISHWS to this certificate; only the Content Manager web services host, which holds the matching private key, can decrypt them, so only the public certificate is handed to the Security Token Service and the private key stays on the Content Manager server.
Identifiers:
  • https://example.com/ISHWS/
  • https://example.com/ISHWS/Wcf/API25/Application.svc
  • https://example.com/ISHWS/Wcf/API25/Baseline.svc
  • https://example.com/ISHWS/Wcf/API25/DocumentObj.svc
  • https://example.com/ISHWS/Wcf/API25/EDT.svc
  • https://example.com/ISHWS/Wcf/API25/EventMonitor.svc
  • https://example.com/ISHWS/Wcf/API25/Folder.svc
  • https://example.com/ISHWS/Wcf/API25/ListOfValues.svc
  • https://example.com/ISHWS/Wcf/API25/MetadataBinding.svc
  • https://example.com/ISHWS/Wcf/API25/OutputFormat.svc
  • https://example.com/ISHWS/Wcf/API25/PublicationOutput.svc
  • https://example.com/ISHWS/Wcf/API25/Search.svc
  • https://example.com/ISHWS/Wcf/API25/Settings.svc
  • https://example.com/ISHWS/Wcf/API25/TranslationJob.svc
  • https://example.com/ISHWS/Wcf/API25/TranslationTemplate.svc
  • https://example.com/ISHWS/Wcf/API25/User.svc
  • https://example.com/ISHWS/Wcf/API25/UserGroup.svc
  • https://example.com/ISHWS/Wcf/API25/UserRole.svc
  • https://example.com/ISHWS/Wcf/API20/Application.svc
  • https://example.com/ISHWS/Wcf/API20/DocumentObj.svc
  • https://example.com/ISHWS/Wcf/API20/EDT.svc
  • https://example.com/ISHWS/Wcf/API20/EventMonitor.svc
  • https://example.com/ISHWS/Wcf/API20/Folder.svc
  • https://example.com/ISHWS/Wcf/API20/MetaDataAssist.svc
  • https://example.com/ISHWS/Wcf/API20/OutputFormat.svc
  • https://example.com/ISHWS/Wcf/API20/Publication.svc
  • https://example.com/ISHWS/Wcf/API20/PublicationOutput.svc
  • https://example.com/ISHWS/Wcf/API20/Reports.svc
  • https://example.com/ISHWS/Wcf/API20/Search.svc
  • https://example.com/ISHWS/Wcf/API20/Settings.svc
  • https://example.com/ISHWS/Wcf/API20/Workflow.svc
  • https://example.com/ISHWS/Wcf/API/Application.svc
  • https://example.com/ISHWS/Wcf/API/ConditionManagement.svc

Claims in the token

Content Manager maps an incoming token to a user in the users repository by the user's External ID.

The mapping uses the token attribute whose claim type is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.

For a token to be usable by Content Manager, the value of that name claim (the token's subject name) must match the External ID of a user in the Content Manager users repository; a token whose name claim is missing or matches no External ID does not authenticate anyone, regardless of which Security Token Service signed it.

Token claims example

For a user that can be identified as user@company.com, the External ID in the users repository is expected to be user@company.com.

A valid incoming token must have at least the following attributes defined in it:

<saml:AttributeStatement>
	<saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
		<saml:AttributeValue>user@company.com</saml:AttributeValue>
	</saml:Attribute>
</saml:AttributeStatement>
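The mapping rule above, carried out in code as an added example (this is not Content Manager's own code). It extracts the attribute whose claim type is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name and looks its value up as the External ID in a constructed in-memory users repository. It goes slightly beyond the page: besides the SAML 1.1 form shown above (AttributeName plus AttributeNamespace), it also accepts the SAML 2.0 form, where the Name attribute carries the full claim type URI. The sample tokens are constructed attribute statements, not issued tokens; token signature, expiry and audience checks are assumed to have been done by the federation layer before this mapping runs, and the exact, case-sensitive External ID comparison is an assumption of the example.

```python
"""Map an incoming SAML token to a Content Manager user by the name claim.

Added example, not Content Manager's own code. Signature, lifetime and
audience validation are assumed to happen before this mapping is applied.
"""
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

CLAIM_NAMESPACE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
NAME_CLAIM_TYPE = CLAIM_NAMESPACE + "/name"

SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"   # namespace used by SAML 1.1
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for the users repository: External ID -> user name.
USERS_BY_EXTERNAL_ID: Dict[str, str] = {
    "user@company.com": "user",
    "admin@company.com": "admin",
}


def _values(attr: ET.Element, ns: str) -> List[str]:
    """Non-empty, whitespace-trimmed AttributeValue texts of one Attribute."""
    return [
        v.text.strip()
        for v in attr.findall(f"{{{ns}}}AttributeValue")
        if v.text and v.text.strip()
    ]


def name_claim_values(token_xml: str) -> List[str]:
    """Return every value carried under the name claim type.

    SAML 1.1 splits the claim type into AttributeNamespace and AttributeName
    (the form the documentation shows); SAML 2.0 puts the whole claim type
    URI in the Name attribute. Both are handled so the result does not depend
    on which assertion version the Security Token Service issues.
    """
    root = ET.fromstring(token_xml)
    values: List[str] = []
    for attr in root.iter(f"{{{SAML11}}}Attribute"):
        claim_type = (
            attr.get("AttributeNamespace", "").rstrip("/")
            + "/" + attr.get("AttributeName", "")
        )
        if claim_type == NAME_CLAIM_TYPE:
            values.extend(_values(attr, SAML11))
    for attr in root.iter(f"{{{SAML20}}}Attribute"):
        if attr.get("Name") == NAME_CLAIM_TYPE:
            values.extend(_values(attr, SAML20))
    return values


def map_token_to_user(token_xml: str, repository: Dict[str, str]) -> Optional[str]:
    """Resolve the token to a user name, or None when it cannot be mapped.

    Exactly one name value is required: none means the Security Token Service
    did not issue the claim; more than one is ambiguous and is rejected rather
    than guessed. The lookup is an exact, case-sensitive match on External ID
    (an assumption of this example, not a documented product rule).
    """
    values = name_claim_values(token_xml)
    if len(values) != 1:
        return None
    return repository.get(values[0])


# Constructed sample attribute statements (not real issued tokens).
TOKEN_SAML11 = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
    <saml:AttributeValue>user@company.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

TOKEN_SAML20 = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <saml2:AttributeValue>admin@company.com</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

# Same value, but under the emailaddress claim type: does not map.
TOKEN_WRONG_CLAIM = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
    <saml:AttributeValue>user@company.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Correct claim type, but no user with that External ID: does not map.
TOKEN_UNKNOWN_USER = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
    <saml:AttributeValue>nobody@company.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


if __name__ == "__main__":
    for label, token in (("SAML 1.1", TOKEN_SAML11), ("SAML 2.0", TOKEN_SAML20),
                         ("wrong claim", TOKEN_WRONG_CLAIM), ("unknown user", TOKEN_UNKNOWN_USER)):
        print(f"{label}: {map_token_to_user(token, USERS_BY_EXTERNAL_ID)}")
```

The two failure tokens are the cases that turn up most often when a federation setup is being debugged: the Security Token Service issuing the user's e-mail address under the emailaddress claim type instead of the name claim type, and an External ID in the users repository that does not match the value the Security Token Service actually sends. Both look like a valid token on the wire yet map to no user.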