Configuring ADFS STS to Recognize SDL LiveContent Reach

When using ADFS STS as the secure token service, you must specify SDL LiveContent Reach as a relying party.

Procedure

  1. Log on to the ADFS server using the STS credentials for an administrative user.
  2. Click Start > Administrative Tools > AD FS 2.0 Management to start the AD FS 2.0 Management Console.
  3. Under Trust Relationships, click Relying Party Trusts.
  4. In the right pane, click Add Relying Party Trust.

    The Add Relying Party Trust Wizard starts.

  5. Click Start.
  6. On the Select Data Source page, select Enter data about the relying party manually and then click Next.
  7. On the Specify Display Name page specify a name under Display name (for example, Reach), and then specify any additional notes to describe the application (for example, it might be helpful to specify the server name and IP address).
    For configuration-driven claim set generation, specify one of the following application names:
    • Architect
    • Reach
    • Enrich
  8. On the Choose Profile page, select AD FS 2.0 profile.
  9. On the Configure Certificate page, do not specify an optional token encryption certificate.
  10. On the Configure URL page:
    1. Select Enable support for the WS-Federation Passive protocol.
    2. Under Relying party WS-Federation Passive protocol URL, specify the URL of the SDL LiveContent Reach web application.

      For example:

      https://machinename.domain.company.com:8843/LiveContentAppName/

  11. On the Configure Identifiers page, do not provide any additional relying party trust identifier strings.
  12. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party.
  13. On the Ready to Add Trust page, confirm your selections by exploring the tabs, and then click Next to add the relying party trust to the AD FS configuration database.
  14. On the Finish page, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and then click Close.
    A dialog box for editing the claim rules for the SDL LiveContent Reach product appears.
  15. On the Issuance Transform Rules tab, click Add Rule.

    The Add Transform Claim Rule Wizard opens.

  16. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims from the list.
  17. On the Configure Claim Rule page, specify these settings:
    Claim rule name
    Specify a descriptive name (for example, Mappings for SDL LiveContent Reach).
    Attribute store
    Select Active Directory from the list.
    Mapping of LDAP attributes to outgoing claim types
    Specify these mappings:
    LDAP attribute          Outgoing claim type
    Department              Department
    E-Mail-Addresses        E-Mail Address
    Given-Name              Given Name
    Surname                 Surname
    Title                   Role
    User-Principal-Name     Name ID
  18. If the outgoing claim type is not included in the list, you can specify it manually. For example, if the Department claim type was not included in the list:
    1. In the left pane of the AD FS 2.0 Management Console, click Service > Claim Descriptions.
    2. In the right pane, click Add claim description.
    3. Specify these values and selections:
      • Display name: Department
      • Claim identifier: https://schemas.xmlsoap.org/ws/2005/05/identity/claims/department
      • Select both Publish this claim items.
    4. Click Apply, and then click OK.

      The claim is now included in the list.

  19. Click Finish and Apply to apply the claim rule changes, and then click OK to exit the wizard.
  20. Import the SSL certificate file for the new SDL LiveContent Reach relying party trust.
    1. In the Relying Party Trusts list, select the SDL LiveContent Reach relying party trust you just created.
    2. In the Actions pane on the right, click Properties.
    3. On the Signature tab, click Add.
      The Select a Request Signature Verification Certificate dialog box appears.
    4. Find the SSL certificate file for the SDL LiveContent Reach application and click Open to load that certificate for the new SDL LiveContent Reach relying party trust.

      This is the signed certificate file you obtained from the Certificate Authority for the SDL LiveContent Reach application server. For example, c:\signedTomcatCert.cer (/usr/signedTomcatCert.cer on Linux).

      The certificate file is imported into ADFS STS.

    5. Click Apply, and then click OK.
  21. Verify that the Secure Hash Algorithm setting in AD FS 2.0 Management Console matches the Signature Hash Algorithm setting in the certificate properties.
    1. In the Relying Party Trusts list, select the SDL LiveContent Reach relying party trust you just created.
    2. In the Actions pane on the right, click Properties.
    3. On the Advanced tab, check the setting for the Secure Hash Algorithm (typically, SHA-1 or SHA-256).
    4. On the Signature tab, click the certificate for the relying party trust and then click View.
    5. On the Details tab, check the setting for the Signature Hash Algorithm.

      Verify that this Signature Hash Algorithm setting matches that of the Secure Hash Algorithm you checked on the Advanced tab.
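The same relying party trust, claim rule and hash-algorithm check, as an added PowerShell example that is not part of the SDL documentation. It assumes the ADFS cmdlets are available (Add-PSSnapin on AD FS 2.0, Import-Module on later versions), uses placeholder values for the host name, display name and certificate path, and uses the standard ADFS claim identifiers for every claim except Department, which uses the identifier given in step 18.

```powershell
# Added example: scripted equivalent of the wizard steps above (not SDL's own code).
# AD FS 2.0 uses the snap-in; Windows Server 2012 and later use the ADFS module.
if (-not (Get-Command Add-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    Import-Module ADFS -ErrorAction SilentlyContinue
}

$rpName   = "Reach"                                                            # step 7, placeholder name
$rpUrl    = "https://machinename.domain.company.com:8843/LiveContentAppName/"  # step 10, placeholder host
$certPath = "C:\signedTomcatCert.cer"                                          # step 20, placeholder path

# Step 17 as claim rule language: one "Send LDAP Attributes as Claims" rule that reads
# department, mail, givenName, sn, title and userPrincipalName from Active Directory.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Mappings for SDL LiveContent Reach"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("https://schemas.xmlsoap.org/ws/2005/05/identity/claims/department",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
          query = ";department,mail,givenName,sn,title,userPrincipalName;{0}", param = c.Value);
'@

# Step 12: "Permit all users to access this relying party".
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 20: the CA-signed application certificate becomes the request signature verification certificate.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# Steps 10 and 11: the WS-Federation passive URL is also the only identifier.
Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $rpUrl -WSFedEndpoint $rpUrl `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules `
    -RequestSigningCertificate $signingCert -Notes "SDL LiveContent Reach on machinename (placeholder)"

# Step 21: the trust's Secure Hash Algorithm must match the certificate's Signature Hash Algorithm,
# otherwise signed sign-in requests from the application are rejected.
$rp        = Get-AdfsRelyingPartyTrust -Name $rpName
$certHash  = $rp.RequestSigningCertificate[0].SignatureAlgorithm.FriendlyName   # sha256RSA or sha1RSA
$trustHash = if ($rp.SignatureAlgorithm -like "*rsa-sha256") { "sha256RSA" } else { "sha1RSA" }
if ($certHash -ne $trustHash) {
    $alg = if ($certHash -eq "sha256RSA") { "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" }
           else                            { "http://www.w3.org/2000/09/xmldsig#rsa-sha1" }
    Set-AdfsRelyingPartyTrust -TargetName $rpName -SignatureAlgorithm $alg
}
```

The final block performs the check from step 21 and aligns the trust setting with the certificate; if your certificate is signed with an algorithm other than SHA-1 or SHA-256, handle it explicitly rather than relying on the fallback.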