Configuring hosted systems to use a customer's ADFS
This information is needed when you have on-premises ADFS and you want to use SDL Tridion Docs installations deployed on SDL hosted servers outside your network.
About this task
All client tools (web client, PM, and so on) running from the customer's network have access to both ADFS and SDL Tridion Docs. The ADFS system is trusted by the SDL Tridion Docs products through certificate thumbprint configuration. However, flows running on the server also need access to the configured ADFS. This is the same situation as accessing an intranet site from outside the customer's network and authenticating with Windows authentication without being part of the domain.
Elements where this problem exists are:
- ISHCM to ISHWS identity delegation
- TranslationOrganizer
- Publish to a delivery platform
- SynchronizeToLiveContent
Solution:
Redirect all server-side active authentication flows through ISHSTS. This allows the system to work without depending on the customer's ADFS, and it does not require network access from the hosted domain to the customer's intranet.
The following information assumes that a normal ADFS installation was executed. In this case the embedded ISHSTS, although not active, is also configured for Windows Authentication.
To make things simpler in the following steps, example data, shown below, is used for the Thumbprint and the wsTrustEndpoint.
- Values related to the customer's ADFS are hosted in adfs.example.com (where adfs refers to an example server related to ADFS):
  - Thumbprint of the ADFS token signing certificate: 04F6EB2AA0873A9E38ED66A234D56CF83C2799A4
  - wsTrustEndpoint of the ADFS: https://adfs.example.com/adfs/services/trust/13/windowsmixed
  - issueractorusername: CustomerDomain\User
- Values related to the internal ISHSTS that is installed:
  - Thumbprint of the ISHSTS token signing certificate: E29E9CDD03CB20665230E38A058A68D6A4A52ABF
  - wsTrustEndpoint of ISHSTS: https://ish.example.com/ISHSTS/issue/wstrust/mixed/username (where ish refers to an example server dedicated to Content Manager)
  - The actor credentials will have to match a user in the repository, e.g. the ServiceUser.
ISHSTS
Switch ISHSTS from windows authentication mode to the username/password one.
- Delete the file App_Data\IdentityServerConfiguration-2.2.sdf if it exists.
- In Configuration\ISHSTS.config, modify the value of authenticationType from Windows to UsernamePassword.
- Also change the value of actorUsername to a username found in the user repository, e.g. ServiceUser.
Configure ISHSTS to allow identity delegation from issuers other than itself.
To add the above ADFS as a trusted issuer for delegation, modify the Web.config file by following the steps below.
- Enable the addActAsTrustedIssuer behavior extension
- Add an addActAsTrustedIssuer behavior referencing the ADFS token signing certificate thumbprint
<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="">
        <serviceDebug includeExceptionDetailInFaults="false" />
        <!--Uncomment to enable ISHSTS to provide identity delegation for tokens issued by other sts-->
        <!--Add as many elements as the additional STS you want to support-->
        <addActAsTrustedIssuer thumbprint="04F6EB2AA0873A9E38ED66A234D56CF83C2799A4" issuer="ADFS"/>
      </behavior>
    </serviceBehaviors>
    <endpointBehaviors>
      <behavior name="">
        <setRequestIDEndpoint />
        <!--<timerEndpoint/>-->
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" minFreeMemoryPercentageToActivateService="0" />
  <extensions>
    <behaviorExtensions>
      <!--Uncomment to enable infoshare sts to provide identity delegation for tokens issued by other sts-->
      <add name="addActAsTrustedIssuer" type="Thinktecture.IdentityServer.InfoShare.Wcf.Extensions.AddActAsTrustedIssuerBehaviorExtension, Thinktecture.IdentityServer.InfoShare"/>
      <add name="setRequestIDEndpoint" type="Trisoft.Utilities.Logging.Wcf.Extensions.SetRequestIDEndpointBehaviorExtension, Trisoft.Utilities.Logging" />
      <add name="timerEndpoint" type="Trisoft.Utilities.Logging.Wcf.Extensions.TimerEndpointBehaviorExtension, Trisoft.Utilities.Logging" />
      <add name="timerInvoker" type="Trisoft.Utilities.Logging.Wcf.Extensions.TimerInvokerBehaviorExtension, Trisoft.Utilities.Logging" />
    </behaviorExtensions>
  </extensions>
  <diagnostics>
    <messageLogging logMessagesAtTransportLevel="true" logEntireMessage="true" logMalformedMessages="true" />
  </diagnostics>
</system.serviceModel>
ISHWS
You must configure ISHWS to accept tokens from an additional STS besides the ADFS configured by the installation. To add the local ISHSTS as a valid token issuer, modify the Web.config file by following the steps below.
- Add a trusted issuer referencing the ISHSTS token signing certificate thumbprint
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
  <trustedIssuers>
    <add thumbprint="04F6EB2AA0873A9E38ED66A234D56CF83C2799A4" name="Issuer"/>
    <add thumbprint="E29E9CDD03CB20665230E38A058A68D6A4A52ABF" name="ISHSTS"/>
  </trustedIssuers>
</issuerNameRegistry>
ISHCM
You must configure ISHCM to accept tokens from an additional STS besides the ADFS configured by the installation, and to obtain its own actor token from ISHSTS instead of from ADFS. To add the local ISHSTS as a valid token issuer, modify the Web.config file by following the steps below.
- Add a trusted issuer referencing the ISHSTS token signing certificate thumbprint
- Replace the issuer and actor configuration that points at the ADFS endpoint (WindowsMixed) with the ISHSTS endpoint (UserNameMixed) and the credentials of the repository user used as actor, e.g. ServiceUser
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
  <trustedIssuers>
    <add thumbprint="04F6EB2AA0873A9E38ED66A234D56CF83C2799A4" name="Issuer"/>
    <add thumbprint="E29E9CDD03CB20665230E38A058A68D6A4A52ABF" name="ISHSTS"/>
  </trustedIssuers>
</issuerNameRegistry>
<!-- Issuer and actor as configured by the installation: ADFS over WindowsMixed -->
<issuer>
  <uri>https://adfs.example.com/adfs/services/trust/13/windowsmixed</uri>
  <bindingtype>WindowsMixed</bindingtype>
  <serverappliesto>https://ish.example.com/ISHWS/</serverappliesto>
  <websiteappliesto>https://ish.example.com/ISHCM/</websiteappliesto>
</issuer>
<actor>
  <credentials>
    <username>CustomerDomain\User</username>
    <password/>
  </credentials>
</actor>
<!-- Replacement: ISHSTS over UserNameMixed, with the repository ServiceUser as actor (example values) -->
<issuer>
  <uri>https://ish.example.com/ISHSTS/issue/wstrust/mixed/username</uri>
  <bindingtype>UserNameMixed</bindingtype>
  <serverappliesto>https://ish.example.com/ISHWS/</serverappliesto>
  <websiteappliesto>https://ish.example.com/ISHCM/</websiteappliesto>
</issuer>
<actor>
  <credentials>
    <username>ServiceUser</username>
    <password>ServiceUser</password>
  </credentials>
</actor>
TranslationOrganizer, Publish and SynchronizeToLiveContent
You must configure TranslationOrganizer, Publish and SynchronizeToLiveContent to use the ISHSTS for authentication instead of the configured ADFS. Modify the following files, which sit next to the corresponding executable or script:
- TranslationOrganizer.exe.config
- FeedSDLLiveContent.ps1.config
- SynchronizeToLiveContent.ps1.config
<!-- Issuer as configured by the installation: ADFS over WindowsMixed -->
<issuer wsTrustBindingType="WindowsMixed" wsTrustEndpoint="https://adfs.example.com/adfs/services/trust/13/windowsmixed" />
<!-- Replacement: ISHSTS over UserNameMixed -->
<issuer wsTrustBindingType="UserNameMixed" wsTrustEndpoint="https://ish.example.com/ISHSTS/issue/wstrust/mixed/username" />
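The trust chain configured in the sections above spans three places: ISHSTS must accept ADFS tokens for delegation, ISHWS must trust tokens signed by ISHSTS, and ISHCM must request its actor token from the ISHSTS endpoint rather than from ADFS. The following added Python script (not part of the product or of this guide) checks constructed copies of those fragments for the mistakes that most often break the chain: a thumbprint that is not 40 plain hex characters, a thumbprint missing from a trusted-issuer list, and a UserNameMixed issuer URI that still points at the ADFS host. It assumes the example host names and thumbprints used on this page.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

HEX40 = re.compile(r"^[0-9A-F]{40}$")  # a clean SHA-1 thumbprint as WIF expects it

# Constructed Web.config fragments mirroring the example values on this page.
ISHSTS_CFG = """<behavior name="">
  <addActAsTrustedIssuer thumbprint="04F6EB2AA0873A9E38ED66A234D56CF83C2799A4" issuer="ADFS"/>
</behavior>"""
ISHWS_CFG = """<trustedIssuers>
  <add thumbprint="04F6EB2AA0873A9E38ED66A234D56CF83C2799A4" name="Issuer"/>
  <add thumbprint="E29E9CDD03CB20665230E38A058A68D6A4A52ABF" name="ISHSTS"/>
</trustedIssuers>"""
ISHCM_ISSUER = """<issuer>
  <uri>https://ish.example.com/ISHSTS/issue/wstrust/mixed/username</uri>
  <bindingtype>UserNameMixed</bindingtype>
</issuer>"""

def thumbprints(xml_text, tag):
    """Thumbprint attributes of all <tag> elements, taken exactly as written."""
    return [e.get("thumbprint", "") for e in ET.fromstring(xml_text).iter(tag)]

def check_chain(adfs_tp, ishsts_tp, ishsts_host, ishsts_cfg, ishws_cfg, ishcm_issuer):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    for label, tp in (("ADFS", adfs_tp), ("ISHSTS", ishsts_tp)):
        # Stray spaces or an invisible leading character copied from certmgr break trust.
        if not HEX40.match(tp):
            findings.append(f"{label} thumbprint is not 40 plain hex characters: {tp!r}")
    # Hop 1: ISHSTS must accept ADFS-issued tokens for ActAs delegation.
    if adfs_tp not in thumbprints(ishsts_cfg, "addActAsTrustedIssuer"):
        findings.append("ISHSTS: ADFS thumbprint missing from addActAsTrustedIssuer")
    # Hop 2: ISHWS must trust tokens signed by ISHSTS as well as by ADFS.
    trusted = thumbprints(ishws_cfg, "add")
    for label, tp in (("ADFS", adfs_tp), ("ISHSTS", ishsts_tp)):
        if tp not in trusted:
            findings.append(f"ISHWS: {label} thumbprint missing from trustedIssuers")
    # Hop 3: the UserNameMixed issuer ISHCM uses must be the ISHSTS on the CM host.
    issuer = ET.fromstring(ishcm_issuer)
    uri, binding = issuer.findtext("uri", ""), issuer.findtext("bindingtype", "")
    if binding != "UserNameMixed":
        findings.append(f"ISHCM: issuer bindingtype is {binding!r}, expected UserNameMixed")
    if urlparse(uri).hostname != ishsts_host or "/ISHSTS/" not in uri:
        findings.append(f"ISHCM: issuer uri {uri} does not point at ISHSTS on {ishsts_host}")
    return findings
```

Run `check_chain` with the thumbprints, the ISHSTS host and the three fragments read from the real Web.config files; an empty result means the hops agree with each other, and each finding names the file and value to correct.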