Configuring ADFS STS to Recognize SDL LiveContent Reach
When using ADFS STS as the secure token service, you must specify SDL LiveContent Reach as a relying party.
Procedure
- Log on to the ADFS server using the STS credentials for an administrative user.
- Click Start > Administrative Tools > AD FS 2.0 Management to start the AD FS 2.0 Management Console.
- Under Trust Relationships, click Relying Party Trusts.
- In the right pane, click Add Relying Party Trust.
The Add Relying Party Trust Wizard starts.
- Click Start.
- On the Select Data Source page, select Enter data about the relying party manually and then click Next.
Note: Unless specified otherwise, clicking Next is an assumed step to proceed for all subsequent steps.
- On the Specify Display Name page specify a name under Display name (for example, Reach), and then specify any additional notes to describe the application (for example, it might be helpful to specify the server name and IP address).
For configuration-driven claim set generation, specify one of the following application names:
- Architect
- Reach
- Enrich
- On the Choose Profile page, select AD FS 2.0 profile.
- On the Configure Certificate page, do not specify an optional token encryption certificate.
- On the Configure URL page:
- Select Enable support for the WS-Federation Passive protocol.
- Under Relying party WS-Federation Passive protocol URL, specify the URL of the SDL LiveContent Reach web application.
For example:
https://machinename.domain.company.com:8843/LiveContentAppName/
Note: In this example:
- The secure https:// protocol is required.
- 8843 is the port number specified for the SDL LiveContent Reach web application.
- The trailing forward slash is required in the URL.
- On the Configure Identifiers page, do not provide any additional relying party trust identifier strings.
- On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party.
- On the Ready to Add Trust page, confirm your selections by exploring the tabs, and then click Next to add the relying party trust to the AD FS configuration database.
- On the Finish page, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and then click Close.
A dialog box for editing the claim rules for the SDL LiveContent Reach product appears.
Note: If you specified some other name for the relying party trust, that name appears in the dialog box title instead.
- On the Issuance Transform Rules tab, click Add Rule.
The Add Transform Claim Rule Wizard opens.
- On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims from the list.
Note: Unless specified otherwise, clicking Next is an assumed step to proceed for all subsequent steps.
- On the Configure Claim Rule page, specify these settings:
- Claim rule name
- Specify a descriptive name (for example, Mappings for SDL LiveContent Reach).
- Attribute store
- Select Active Directory from the list.
- Mapping of LDAP attributes to outgoing claim types
- Specify these mappings:
  LDAP attribute        Outgoing claim type
  Department            Department
  E-Mail-Addresses      E-Mail Address
  Given-Name            Given Name
  Surname               Surname
  Title                 Role
  User-Principal-Name   Name ID
- If the outgoing claim type is not included in the list, you can specify it manually. For example, if the Department claim type was not included in the list:
- In the left pane of the AD FS 2.0 Management Console, click Service > Claim Descriptions.
- In the right pane, click Add claim description.
- Specify these values and selections:
- Display name: Department
- Claim identifier: https://schemas.xmlsoap.org/ws/2005/05/identity/claims/department
- Select both Publish this claim items.
- Click Apply, and then click OK.
The claim is now included in the list.
- Click Finish and Apply to apply the claim rule changes, and then click OK to exit the wizard.
- Import the SSL certificate file for the new SDL LiveContent Reach relying party trust.
- In the Relying Party Trusts list, select the SDL LiveContent Reach relying party trust you just created.
- In the Actions pane on the right, click Properties.
- On the Signature tab, click Add.
The Select a Request Signature Verification Certificate dialog box appears.
- Find the SSL certificate file for the SDL LiveContent Reach application and click Open to load that certificate for the new SDL LiveContent Reach relying party trust.
This is the signed certificate file you obtained from the Certificate Authority for the SDL LiveContent Reach application server. For example, c:\signedTomcatCert.cer (/usr/signedTomcatCert.cer on Linux).
The certificate file is imported into ADFS STS.
- Click Apply, and then click OK.
- Verify that the Secure Hash Algorithm setting in AD FS 2.0 Management Console matches the Signature Hash Algorithm setting in the certificate properties.
- In the Relying Party Trusts list, select the SDL LiveContent Reach relying party trust you just created.
- In the Actions pane on the right, click Properties.
- On the Advanced tab, check the setting for the Secure Hash Algorithm (typically, SHA-1 or SHA-256).
- On the Signature tab, click the certificate for the relying party trust and then click View.
- On the Details tab, check the setting for the Signature Hash Algorithm.
Verify that this Signature Hash Algorithm setting matches that of the Secure Hash Algorithm you checked on the Advanced tab.
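The wizard steps above, expressed as an added PowerShell example for the ADFS 2.0 snap-in (this is not part of the SDL documentation); it shows the claim rule language that the Send LDAP Attributes as Claims template generates for the mapping table, and scripts the final hash-algorithm check. The certificate path, the trust name Reach and the URL reuse the page's placeholders and are assumptions; run it on the ADFS server as an administrator.

```powershell
# Added example, not SDL's own code. Assumes the ADFS 2.0 PowerShell snap-in and an admin session on the ADFS server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$appUrl   = "https://machinename.domain.company.com:8843/LiveContentAppName/"  # placeholder from the page; trailing slash required
$certPath = "C:\signedTomcatCert.cer"                                          # assumed path of the CA-signed application certificate

# 1. Department is not an offered claim type by default; publish it before a rule references it.
$deptClaim = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/department"
if (-not (Get-ADFSClaimDescription | Where-Object { $_.ClaimType -eq $deptClaim })) {
    Add-ADFSClaimDescription -Name "Department" -ClaimType $deptClaim -IsOffered $true -IsAccepted $true
}

# 2. Claim rule language for the LDAP-to-claim mapping table: the attributes in the query
#    map, in order, to the claim types listed in 'types'.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Mappings for SDL LiveContent Reach"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("$deptClaim",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
          query = ";department,mail,givenName,sn,title,userPrincipalName;{0}", param = c.Value);
"@

# 3. Equivalent of "Permit all users to access this relying party".
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# 4. Create the trust: WS-Federation passive endpoint, no token encryption certificate,
#    and the application's signed certificate as the request signature verification certificate.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
Add-ADFSRelyingPartyTrust -Name "Reach" -Identifier $appUrl -WSFedEndpoint $appUrl `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules `
    -RequestSigningCertificate $signingCert

# 5. The page's final check: the trust's Secure Hash Algorithm must match the certificate's
#    Signature Hash Algorithm, otherwise signed requests from the application are rejected.
$rp       = Get-ADFSRelyingPartyTrust -Name "Reach"
$certAlg  = $signingCert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
$expected = if ($certAlg -match "sha256") { "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" }
            else                           { "http://www.w3.org/2000/09/xmldsig#rsa-sha1" }
if ($rp.SignatureAlgorithm -ne $expected) {
    Write-Warning "Trust uses $($rp.SignatureAlgorithm) but the certificate is $certAlg; aligning the trust setting."
    Set-ADFSRelyingPartyTrust -TargetName "Reach" -SignatureAlgorithm $expected
}
```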