Configure the integration with a Security Token Service
Before you begin
To configure this file, you need to gather and prepare the following values:
- The WS Federation endpoint. The value is provided by the owner of the target STS. Some examples:
  - For ADFS the typical endpoint is https://adfs.example.com/adfs/ls/.
  - For ISHSTS the typical endpoint is https://example.com/ISHSTS/issue/wsfed.
- A Java key store file with the STS's token signing certificate. The public key of the token signing certificate is provided by the owner of the target STS.
- The subject name of the token signing certificate. The value is provided by the owner of the target STS.
For example, the owner of the STS has provided a token.signing.cer certificate.
Procedure
- Prepare a Java key store file containing the token.signing.cer.
  - Choose a location and a name for the key store file, for example INSTALL_PATH\token.signing.jks.
  - Using Java's keytool, import the token.signing.cer into a new Java key store file.
    For Windows the command is
    keytool -import -keystore INSTALL_PATH\token.signing.jks -alias mystscert -trustcacerts -file token.signing.cer -noprompt -storepass password
    For Linux the command is
    keytool -import -keystore INSTALL_PATH/token.signing.jks -alias mystscert -trustcacerts -file token.signing.cer -noprompt -storepass password
    where INSTALL_PATH is the Content Delivery installation path and password is the password for the key store.
- From the Content Delivery installation folder, open \webapp\WEB-INF\LiveContentSSO.xml.
- Make sure the name in the contextConfig node matches the Web App Context from the installation. The default is ContentDelivery.
- Set the audienceItem to the Content Delivery URL. You can add additional entries if necessary.
- Add an issuer element in the trustedIssuers to accept the token signing certificate. Use a regular expression based on the subject name of the certificate.
  Note: Every issuer element defines a subject attribute that is a regular expression to match the signing certificate's subject name for an incoming token. You can add multiple issuers to be trusted by Content Delivery. For every STS you need to import its token signing certificate into the token.signing.jks key store. Keep the expression as specific as the subject name allows: a very broad pattern such as CN=.* accepts a token signed by any certificate that chains to the key store, not only the STS's own signing certificate.
  <issuer subject="CN=.*TokenSigningSubjectName.*" certificateValidation="ChainTrust" name="NameOfSTS" />
  where TokenSigningSubjectName is the subject name of the token signing certificate and NameOfSTS the name of the STS. The NameOfSTS has no functional purpose but helps annotate the entry.
- Add an issuer element in the protocol to provide the WS Federation endpoint from the Security Token Service.
  For ISHSTS it looks like this:
  <issuer>https://example.com/ISHSTS/issue/wsfed</issuer>
  For ADFS it looks like this:
  <issuer>https://adfs.example.com/adfs/ls/</issuer>
- Add a keyStore element in the trustManager to enable the ChainTrust validation.
  The keyStore element is a reference to a Java key store. Use the one containing the token signing certificate that you created in the first step.
  <!--Windows-->
  <keyStore file="INSTALL_PATH\token.signing.jks" password="password" type="JKS" />
  <!--Linux-->
  <keyStore file="INSTALL_PATH/token.signing.jks" password="password" type="JKS" />
  where INSTALL_PATH is the Content Delivery installation path and password is the password for the key store.
Example of LiveContentSSO.xml content
This example applies to ADFS. For an ISHSTS application, follow the recommendations provided at the start of this task.
<FedizConfig>
  <contextConfig name="/ContentDelivery">
    <audienceUris>
      <audienceItem>https://example.com/ContentDelivery/</audienceItem>
    </audienceUris>
    <certificateStores>
      <trustManager>
        <keyStore file="C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\LiveContentSTS\token.signing.jks" password="password" type="JKS" />
      </trustManager>
    </certificateStores>
    <trustedIssuers>
      <issuer subject="CN=TokenSigningSubjectName.*" certificateValidation="ChainTrust" name="STS" />
    </trustedIssuers>
    <maximumClockSkew>1000</maximumClockSkew>
    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="federationProtocolType" version="1.0.0">
      <issuer>https://adfs.example.com/adfs/ls/</issuer>
      <roleDelimiter>,</roleDelimiter>
      <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
      <freshness>10000</freshness>
      <claimTypesRequested>
        <claimType type="a particular claim type" optional="true" />
      </claimTypesRequested>
    </protocol>
  </contextConfig>
</FedizConfig>
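The steps above leave three values that have to agree with each other before a token is accepted: the issuer subject regular expression must match the STS certificate's subject name, the protocol issuer must be the STS's WS Federation endpoint, and the trustManager must point at the key store that holds the signing certificate. The following Python script is an added check, not part of the product or its documentation: it parses a LiveContentSSO.xml, confirms that each trustedIssuers/issuer subject expression matches the subject name printed for the imported certificate, flags an expression that would also match an unrelated certificate, and checks that the audience and endpoint values are https URLs. The sample configuration, the certificate subject and the unrelated subject are constructed placeholders, and the script assumes that the subject attribute is applied as a full-string regular expression match (which is why the documented patterns end in .*).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a LiveContentSSO.xml (illustrative values, not the
# product's shipped file). Endpoint, paths and subject names are placeholders.
SAMPLE_CONFIG = """<FedizConfig>
  <contextConfig name="/ContentDelivery">
    <audienceUris>
      <audienceItem>https://example.com/ContentDelivery/</audienceItem>
    </audienceUris>
    <certificateStores>
      <trustManager>
        <keyStore file="INSTALL_PATH/token.signing.jks" password="password" type="JKS" />
      </trustManager>
    </certificateStores>
    <trustedIssuers>
      <issuer subject="CN=.*TokenSigningSubjectName.*" certificateValidation="ChainTrust" name="ADFS" />
    </trustedIssuers>
    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="federationProtocolType" version="1.0.0">
      <issuer>https://adfs.example.com/adfs/ls/</issuer>
    </protocol>
  </contextConfig>
</FedizConfig>"""

# Constructed subject DN of the STS token signing certificate, as keytool -list -v
# would print it for the imported token.signing.cer (placeholder value).
SAMPLE_CERT_SUBJECT = "CN=ADFS Signing - TokenSigningSubjectName, O=Example Corp, C=US"

# Constructed subject of an unrelated certificate, used to probe whether an
# issuer expression is broader than the STS's own signing certificate.
UNRELATED_SUBJECT = "CN=Some Other Certificate, O=Unrelated Org, C=US"


def trusted_issuers(config_xml):
    """Return (name, subject regex, certificateValidation) for each trustedIssuers/issuer."""
    root = ET.fromstring(config_xml)
    return [
        (el.get("name"), el.get("subject"), el.get("certificateValidation"))
        for el in root.findall(".//trustedIssuers/issuer")
    ]


def subject_matches(pattern, subject):
    """Assumption: the subject attribute is matched against the whole certificate
    subject DN, which is why documented patterns end in '.*'; re.fullmatch mirrors that."""
    return re.fullmatch(pattern, subject) is not None


def check_config(config_xml, cert_subject):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(config_xml)

    # audienceItem must be the https URL of Content Delivery
    for item in root.findall(".//audienceUris/audienceItem"):
        if not (item.text or "").startswith("https://"):
            findings.append(f"audienceItem is not an https URL: {item.text!r}")

    issuers = trusted_issuers(config_xml)
    if not issuers:
        findings.append("no trustedIssuers/issuer element: every incoming token would be rejected")
    for name, pattern, validation in issuers:
        if validation != "ChainTrust":
            findings.append(f"issuer {name}: certificateValidation is {validation!r}, expected ChainTrust")
        if pattern is None:
            findings.append(f"issuer {name}: missing subject attribute")
            continue
        # the expression must accept the real signing certificate ...
        if not subject_matches(pattern, cert_subject):
            findings.append(f"issuer {name}: subject regex {pattern!r} does not match the STS certificate subject")
        # ... and should not accept an unrelated certificate that merely chains to the key store
        if subject_matches(pattern, UNRELATED_SUBJECT):
            findings.append(f"issuer {name}: subject regex {pattern!r} also matches an unrelated certificate subject")

    endpoint = root.find(".//protocol/issuer")
    if endpoint is None or not (endpoint.text or "").startswith("https://"):
        findings.append("protocol/issuer is missing or not an https WS Federation endpoint")

    if root.find(".//trustManager/keyStore") is None:
        findings.append("trustManager/keyStore is missing: ChainTrust has no key store to chain to")

    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG, SAMPLE_CERT_SUBJECT) or ["configuration checks passed"]:
        print(finding)
```

Run the script against the real file by reading it instead of SAMPLE_CONFIG and pasting the subject line that keytool -list -v prints for the mystscert alias; a finding about an unrelated subject means the issuer expression should be narrowed before the configuration goes live.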