Content Manager Security Token Service Requirements
Required Identifiers and certificates for a Security Token Service configuration applicable to Content Manager.
Profiles
Content Manager relies on both the Passive profile and the Active profile for federated authentication.
| Content Manager service name | Profile | Remarks |
|---|---|---|
| ISHCM | Passive profile | Refers to web applications. Token encryption is optional. |
| ISHWS | Active profile | Refers to SOAP-based web services implementing the WS-Trust protocol. Token encryption is mandatory. |
Identifiers and encryption certificates
For each service Content Manager expects the following combination of identifiers and encryption certificate to be configured on a Security Token Service.
| Content Manager service name | Identifiers | Encryption certificate |
|---|---|---|
| ISHCM | | None |
| ISHWS | | The public key of the certificate referenced through the `servicecertificatethumbprint` input parameter. |
Claims in the token
Content Manager maps an incoming token to a user in the users repository by the user's External ID.
The mapping uses the token attribute whose claim type is `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`.
For a token to be useful for Content Manager, the token's subject name should match a user in the Content Manager users repository.
Token claims example
For a user that can be identified as user@company.com, the External ID in the users repository is expected to be user@company.com.
A valid incoming token must have at least the following attributes defined in it:
```xml
<saml:AttributeStatement>
  <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
    <saml:AttributeValue>user@company.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
```
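The following is an added example, not code from Content Manager or its vendor, showing the mapping step described above: the `name` claim is extracted from an assertion fragment like the one just shown and looked up as an External ID in a constructed user repository. It assumes a SAML 1.1 assertion (the `AttributeName`/`AttributeNamespace` form used in the example, namespace `urn:oasis:names:tc:SAML:1.0:assertion`), an exact string match on the External ID, and that the assertion's signature has already been verified before this code runs; the user repository, the function names and the sample token are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: SAML 1.1 assertion namespace, matching the AttributeName/AttributeNamespace
# form of the page's example.
SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Claim type the page states Content Manager maps to the user's External ID.
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed sample user repository: External ID -> display name (not real data).
USERS = {
    "user@company.com": "User One",
    "admin@company.com": "Admin User",
}

# Constructed sample assertion fragment, modelled on the page's token example.
SAMPLE_TOKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>user@company.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def claim_values(assertion_xml, claim_type):
    """Return every AttributeValue whose AttributeNamespace + "/" + AttributeName
    equals claim_type. Only call this on an assertion whose signature has
    already been verified; this function does no cryptographic checks."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML11_NS}
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", ns):
        namespace = attr.get("AttributeNamespace", "").rstrip("/")
        ctype = namespace + "/" + attr.get("AttributeName", "")
        if ctype == claim_type:
            values.extend((v.text or "").strip()
                          for v in attr.iterfind("saml:AttributeValue", ns))
    return values


def map_token_to_user(assertion_xml, users=USERS):
    """Resolve the assertion to a user by External ID (exact match).
    Returns the user's display name, or None when the name claim is
    missing, multi-valued (refuse to guess which value to trust), or
    does not match any user in the repository."""
    names = claim_values(assertion_xml, NAME_CLAIM)
    if len(names) != 1:
        return None
    return users.get(names[0])


if __name__ == "__main__":
    print(map_token_to_user(SAMPLE_TOKEN))  # User One
```

A token whose `name` claim is absent, carries several values, or names an External ID not present in the repository resolves to `None`, which is the outcome to log and reject rather than fall back on another attribute.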