Specifying application information in LiveContentSSO.xml
As part of configuring Single Sign-On (SSO), specify SDL LiveContent Reach application information in the LiveContentSSO.xml file in the WEB-INF folder in the SDL LiveContent Reach Web application installation.
Procedure

- Open the LiveContentSSO.xml file for Windows or Linux in a text editor:
  - Windows: SDLLiveContentReachHome\webapps\WEB-INF\LiveContentSSO.xml
  - Linux: SDLLiveContentReachHome/webapps/WEB-INF/LiveContentSSO.xml
- Modify the <audienceItem> element content to specify the web address for SDL LiveContent Reach. The web address should be of this format:
  <audienceItem>https://domain.name:port/context/</audienceItem>
  For example:
  <audienceItem>https://mycompanyname.com:8910/LiveContent/</audienceItem>
- Modify the <keyStore> element content to specify the location of the keystore file you copied into the Apache Tomcat web application server and the keystore password. For example:
  On Windows:
  <keyStore file="conf\tomcat_keystore.jks" password="*****" type="JKS" />
  On Linux:
  <keyStore file="/usr/conf/tomcat_keystore.jks" password="*****" type="JKS" />
  where ***** is the keystore password.
  Note: The keystore file location is specified relative to the Apache Tomcat installation directory on the web server.
- Extract the Subject information from the Security Token Service (STS) token signing certificate file c:\sts_signing_cert.cer (/usr/sts_signing_cert.cer on Linux) that you obtained from the STS provider:
  - Open the token signing certificate c:\sts_signing_cert.cer (/usr/sts_signing_cert.cer on Linux) in the Certificate Manager application (certmgr.exe).
    Note: Typically, double-clicking the certificate file in Windows Explorer opens that file in Certificate Manager.
  - On the Details tab, under Field, click Subject.
  - Copy the text that appears in the text box below the Field/Value display.
    Note: You will paste this text into the subject field of the <issuer> element in the next step.
- Under the <trustedIssuers> element, modify the <issuer> element to specify the Subject information obtained from the STS (Security Token Service).
  Note: Even though the Certificate Manager inserts spaces around the equal sign (for example, "CN = ADFS Signing - somename.company.development"), the subject field under the issuer element does not allow spaces around any equal sign.
  For example, the subject field might be specified as shown below:
  - For ADFS STS:
    <issuer subject=".*CN=ADFS Signing - somename.company.development.*" certificateValidation="ChainTrust" name="DoubleItSTSIssuer" />
  - For SDL LiveContent Architect STS (InfoShareSTS):
    <issuer subject=".*CN=servername.domainname.companyname.corp.*" certificateValidation="ChainTrust" name="InfoShareSTS" />
  To set the subject field:
  - Uncomment the entire <issuer> element.
  - Paste the text you copied from the token signing certificate file in the preceding step into the subject field. For example:
    <issuer subject="CN = MECPSUSP01.global.sdl.corp" certificateValidation="ChainTrust" name="InfoShareSTS" />
  - Delete the whitespace before and after the equals sign. For example:
    <issuer subject="CN=MECPSUSP01.global.sdl.corp" certificateValidation="ChainTrust" name="InfoShareSTS" />
  - Add .* before and .* after. For example:
    <issuer subject=".*CN=MECPSUSP01.global.sdl.corp.*" certificateValidation="ChainTrust" name="InfoShareSTS" />
- The recommended default value for the <maximumClockSkew> element is 300 (seconds), or five minutes.
- Under the <protocol> element, modify the <issuer> element to specify the web address for the STS service. For example:
  - For ADFS STS:
    <issuer>https://servername.domainname.companyname.corp/adfs/ls/</issuer>
  - For SDL LiveContent Architect STS (InfoShareSTS):
    <issuer>https://servername.domainname.companyname.corp/InfoShareSTS/issue/wsfed</issuer>
  Note: When modifying the <protocol> element, consider these issues:
  - The schemas and content for the <protocol> element and the content of its child node <roleURI> as delivered are compatible with ADFS STS and SDL LiveContent Architect STS (InfoShareSTS). However, if you choose a different STS service that relies on different schemas, you might be required to customize those elements.
  - Changing the value of the <freshness> element has no effect on the implementation or product behavior at this time. SDL LiveContent Reach does not yet support this functionality.
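As an added example (not part of this documentation and not SDL's own code), the Python script below does two things the procedure above asks the administrator to get right by hand. It turns the Subject text copied from Certificate Manager into the <issuer> subject value from the trusted-issuers step (whitespace around every "=" removed, .* added before and after), and it runs a few sanity checks over a LiveContentSSO.xml file: https audience and STS addresses, a keystore password still set to the ***** placeholder, the form of the issuer subject, and a maximumClockSkew above the recommended 300 seconds. The element names are the ones on this page; the root element name, the nesting of the sample file, the sample values, and the assumption that the product applies the subject pattern as a whole-string regular expression are all constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample file. Element names follow the LiveContentSSO.xml
# procedure; the root element name and nesting are assumptions for this example.
GOOD_XML = """<LiveContentSSO>
  <audienceItem>https://mycompanyname.com:8910/LiveContent/</audienceItem>
  <keyStore file="conf/tomcat_keystore.jks" password="example-password" type="JKS" />
  <trustedIssuers>
    <issuer subject=".*CN=MECPSUSP01.global.sdl.corp.*"
            certificateValidation="ChainTrust" name="InfoShareSTS" />
  </trustedIssuers>
  <maximumClockSkew>300</maximumClockSkew>
  <protocol>
    <issuer>https://servername.domainname.companyname.corp/InfoShareSTS/issue/wsfed</issuer>
  </protocol>
</LiveContentSSO>
"""

# The same file with the mistakes the procedure warns about: subject pasted
# straight from Certificate Manager, placeholder password, oversized clock skew.
BAD_XML = (
    GOOD_XML
    .replace(".*CN=MECPSUSP01.global.sdl.corp.*", "CN = MECPSUSP01.global.sdl.corp")
    .replace('password="example-password"', 'password="*****"')
    .replace("<maximumClockSkew>300<", "<maximumClockSkew>900<")
)


def subject_pattern_from_certmgr(certmgr_text, escape=False):
    """Build the <issuer subject="..."> value from the Subject text copied out of
    Certificate Manager: drop whitespace around every '=' (the attribute does not
    accept it) and bracket the DN with '.*'. With escape=True the DN is
    regex-escaped so that '.' in a host name matches only a literal dot."""
    dn = re.sub(r"\s*=\s*", "=", certmgr_text.strip())
    if escape:
        dn = re.escape(dn)
    return f".*{dn}.*"


def issuer_matches(subject_pattern, cert_subject):
    """Would this subject pattern accept the given certificate subject?
    Assumption: the product applies the pattern as a whole-string regex."""
    return re.fullmatch(subject_pattern, cert_subject) is not None


def lint_sso_config(xml_text):
    """Return a list of findings for the settings configured in the procedure."""
    findings = []
    root = ET.fromstring(xml_text)

    audience = root.findtext("audienceItem", "").strip()
    if not audience.startswith("https://"):
        findings.append("audienceItem must be an https:// address")
    if not audience.endswith("/"):
        findings.append("audienceItem should end with the context path and a trailing slash")

    keystore = root.find("keyStore")
    if keystore is None:
        findings.append("keyStore element missing")
    else:
        password = keystore.get("password", "")
        if not password or set(password) == {"*"}:
            findings.append("keyStore password is empty or still the ***** placeholder")
        if keystore.get("type") != "JKS":
            findings.append("keyStore type should be JKS")

    issuers = root.findall("trustedIssuers/issuer")
    if not issuers:
        findings.append("no <issuer> under <trustedIssuers>: is it still commented out?")
    for issuer in issuers:
        name = issuer.get("name", "?")
        subject = issuer.get("subject", "")
        if re.search(r"\s=|=\s", subject):
            findings.append(f"issuer {name}: spaces around '=' in subject; it will never match")
        if not (subject.startswith(".*") and subject.endswith(".*")):
            findings.append(f"issuer {name}: subject should have .* before and after")
        try:
            re.compile(subject)
        except re.error:
            findings.append(f"issuer {name}: subject is not a valid regular expression")

    skew = (root.findtext("maximumClockSkew") or "").strip()
    if not skew.isdigit():
        findings.append("maximumClockSkew missing or not an integer number of seconds")
    elif int(skew) > 300:
        findings.append(f"maximumClockSkew {skew}s exceeds the recommended 300s")

    sts = root.findtext("protocol/issuer", "").strip()
    if not sts.startswith("https://"):
        findings.append("protocol/issuer (STS address) must be an https:// address")
    return findings


if __name__ == "__main__":
    print(subject_pattern_from_certmgr("CN = MECPSUSP01.global.sdl.corp"))
    for label, doc in (("good", GOOD_XML), ("bad", BAD_XML)):
        print(label, lint_sso_config(doc) or "no findings")
```

The pattern the procedure produces treats every "." in the host name as a regular-expression wildcard, which is why the helper offers escape=True for a stricter check; run the script against your own file by passing its contents to lint_sso_config before restarting Tomcat.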