Content Manager Security Token Service requirements
Required identifiers and certificates for a Security Token Service configuration applicable to Content Manager.
Profiles
Content Manager relies on both the Passive profile and the Active profile to perform federated authentication.
| Content Manager service name | Profile | Remarks |
|---|---|---|
| ISHCM | Passive profile | Refers to web applications. Token encryption is optional. |
| ISHWS | Active profile | Refers to SOAP-based web services implementing the WS-Trust protocol. Token encryption is mandatory. |
Identifiers and encryption certificates
For each service, Content Manager expects the following combination of identifiers and encryption certificate to be configured on the Security Token Service.
- Service: ISHCM
  - No encryption certificate.
- Service: ISHWS
  - The encryption certificate is the public key of the certificate referenced through the `servicecertificatethumbprint` input parameter.
Claims in the token
Content Manager maps an incoming token to a user in the users repository by the external identifier.
The mapping is done through the token's attribute matching the claim type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.
For a token to be useful for Content Manager, the token's subject name should match a user in the Content Manager users repository.
Token claims example
For a user that can be identified as user@company.com, the External ID in the users repository is expected to be user@company.com.
A valid incoming token must have at least the following attributes defined in it:
```xml
<saml:AttributeStatement>
  <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
    <saml:AttributeValue>user@company.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
```
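The mapping described above, as an added example that is not Content Manager's own code: it extracts the `name` claim from a SAML attribute statement by matching both the attribute name and the claims namespace, then looks the value up as an External ID in a constructed users repository. It assumes the `saml` prefix is bound to the SAML 1.x assertion namespace `urn:oasis:names:tc:SAML:1.0:assertion` (the page's fragment omits the declaration), and it fails closed when the claim is missing, empty, or carries more than one value.

```python
"""Map the identity 'name' claim of a SAML attribute statement to a user by External ID.
Added example; not Content Manager's own code."""
import xml.etree.ElementTree as ET

# Assumed namespace binding for the saml: prefix (SAML 1.x assertions).
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Claim type used by Content Manager for the subject name (from the page).
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
CLAIM_NAME = "name"

# Constructed sample token fragment with the same shape as the page's example.
SAMPLE_TOKEN = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Attribute AttributeName="name"
                  AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
    <saml:AttributeValue>user@company.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed users repository: External ID -> internal user name.
USERS = {"user@company.com": "cm-user-1"}


def extract_name_claim(statement_xml):
    """Return the single value of the identity 'name' claim, or None when absent or ambiguous."""
    root = ET.fromstring(statement_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        # Both the attribute name and its namespace must match the expected claim type.
        if attr.get("AttributeName") == CLAIM_NAME and attr.get("AttributeNamespace") == CLAIMS_NS:
            for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                text = (value.text or "").strip()
                if text:
                    values.append(text)
    # Exactly one non-empty value is usable as a subject name; anything else is rejected.
    return values[0] if len(values) == 1 else None


def map_token_to_user(statement_xml, users=USERS):
    """Return the repository user whose External ID equals the token's subject name, or None."""
    external_id = extract_name_claim(statement_xml)
    if external_id is None:
        return None
    return users.get(external_id)


if __name__ == "__main__":
    print(map_token_to_user(SAMPLE_TOKEN))
```

Matching on the claim namespace as well as the attribute name matters: an attribute named `name` in a different namespace is a different claim and must not be accepted as the subject name.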