Configure the integration with a Security Token Service.
Before you begin
To configure the LiveContentSSO.xml file you need to gather and prepare the following values:
- The WS Federation endpoint. The value is provided by the owner of the target STS. Some examples:
- For ADFS the typical endpoint is https://adfs.example.com/adfs/ls/.
- For ISHSTS the typical endpoint is https://example.com/ISHSTS/issue/wsfed.
- A Java key store file with the STS's token signing certificate. The public key of the token signing certificate is provided by the owner of the target STS.
- The subject name of the token signing certificate. The value is provided by the owner of the target STS.
For example the owner of the STS has provided a token.signing.cer certificate.
Procedure
- Prepare a Java key store file containing the token.signing.cer.
- Choose a location and a name for the key store file. For example in INSTALL_PATH\token.signing.jks.
- Using Java's keytool, import the token.signing.cer into a new Java key store file.
For Windows the command is
keytool -import -keystore INSTALL_PATH\token.signing.jks -alias mystscert -trustcacerts -file token.signing.cer -noprompt -storepass password
For Linux the command is
keytool -import -keystore INSTALL_PATH/token.signing.jks -alias mystscert -trustcacerts -file token.signing.cer -noprompt -storepass password
where INSTALL_PATH is the Collaborative Review installation path and password is the password for the key store.
- From the Collaborative Review installation folder, open \webapp\WEB-INF\LiveContentSSO.xml.
- Make sure the name in the contextConfig node matches the Web App Context from the installation. The default is ContentDelivery.
- Set the audienceItem to the Collaborative Review URL. You can add additional entries if necessary.
- Add an issuer element in the trustedIssuers to accept the token signing certificate. Use a regular expression based on the subject name of the certificate.
Note: Every issuer element defines a subject attribute that is a regular expression matched against the signing certificate's subject name of an incoming token. You can add multiple issuers to be trusted by Collaborative Review. For every STS you need to import its token signing certificate into the token.signing.jks key store.
<issuer subject="CN=.*TokenSigningSubjectName.*" certificateValidation="ChainTrust" name="NameOfSTS" />
where TokenSigningSubjectName is the subject name of the token signing certificate and NameOfSTS is the name of the STS. The NameOfSTS has no functional purpose but helps annotate the entry.
- Add an issuer element in the protocol to provide the WS Federation endpoint of the Security Token Service.
For ISHSTS it looks like this:
<issuer>https://example.com/ISHSTS/issue/wsfed</issuer>
For ADFS it looks like this:
<issuer>https://adfs.example.com/adfs/ls/</issuer>
- Add a keyStore element in the trustManager to enable the ChainTrust validation.
The keyStore element is a reference to a Java key store. Use the one containing the token signing certificate, INSTALL_PATH\conf\token.signing.jks.
<!--Windows-->
<keyStore file="INSTALL_PATH\token.signing.jks" password="password" type="JKS" />
<!--Linux-->
<keyStore file="INSTALL_PATH/token.signing.jks" password="password" type="JKS" />
where INSTALL_PATH is the Collaborative Review installation path and password is the password for the key store.
Example of LiveContentSSO.xml content
This example applies to ADFS. For an ISHSTS application, follow the recommendations provided at the start of this task.
<FedizConfig>
<contextConfig name="/ContentDelivery">
<audienceUris>
<audienceItem>https://example.com/ContentDelivery/</audienceItem>
</audienceUris>
<certificateStores>
<trustManager>
<keyStore file="C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\LiveContentSTS\token.signing.jks" password="password" type="JKS" />
</trustManager>
</certificateStores>
<trustedIssuers>
<issuer subject="CN=TokenSigningSubjectName.*" certificateValidation="ChainTrust" name="STS" />
</trustedIssuers>
<maximumClockSkew>1000</maximumClockSkew>
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="federationProtocolType" version="1.0.0">
<issuer>https://example.com/ISHSTS/issue/wsfed</issuer>
<roleDelimiter>,</roleDelimiter>
<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
<freshness>10000</freshness>
<claimTypesRequested>
<claimType type="a particular claim type" optional="true" />
</claimTypesRequested>
</protocol>
</contextConfig>
</FedizConfig>
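The trustedIssuers step above relies on the subject regular expression being tight enough to accept only the intended token signing certificate. The following added check script (not part of Collaborative Review or Fediz) reads a LiveContentSSO.xml, reports which issuer entries a given certificate subject would match, and flags entries whose regex accepts an unrelated subject. It assumes the regex is applied to the whole subject name, as Java's String.matches does; the config text and the certificate subjects are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample LiveContentSSO.xml in the shape shown on this page; the
# second issuer is deliberately too broad to show what the check reports.
SAMPLE_CONFIG = """<FedizConfig>
  <contextConfig name="/ContentDelivery">
    <audienceUris>
      <audienceItem>https://example.com/ContentDelivery/</audienceItem>
    </audienceUris>
    <trustedIssuers>
      <issuer subject="CN=TokenSigningSubjectName.*" certificateValidation="ChainTrust" name="STS" />
      <issuer subject="CN=.*" certificateValidation="ChainTrust" name="TooBroad" />
    </trustedIssuers>
    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="federationProtocolType" version="1.0.0">
      <issuer>https://adfs.example.com/adfs/ls/</issuer>
    </protocol>
  </contextConfig>
</FedizConfig>"""

# A subject that no legitimate STS certificate should carry (constructed).
UNRELATED_SUBJECT = "CN=unrelated-subject, O=Other"


def load_issuers(xml_text):
    """Return trustedIssuers entries as (name, subject regex, validation) tuples.
    The protocol <issuer> carries no subject attribute and is skipped."""
    root = ET.fromstring(xml_text)
    return [(i.get("name"), i.get("subject"), i.get("certificateValidation"))
            for i in root.iter("issuer") if i.get("subject") is not None]


def matching_issuers(xml_text, cert_subject):
    """Names of issuer entries whose regex accepts the certificate subject.
    Assumes a whole-string match, like Java's String.matches (assumption)."""
    return [name for name, pattern, _ in load_issuers(xml_text)
            if re.fullmatch(pattern, cert_subject)]


def overly_broad_issuers(xml_text):
    """Names of issuer entries that would also accept an unrelated subject."""
    return matching_issuers(xml_text, UNRELATED_SUBJECT)


def audience_uris(xml_text):
    """The audienceItem values; these should be the Collaborative Review URLs."""
    return [a.text for a in ET.fromstring(xml_text).iter("audienceItem")]


def wsfed_endpoint(xml_text):
    """The WS Federation endpoint configured in the protocol element."""
    return ET.fromstring(xml_text).find(".//protocol/issuer").text
```

Running `overly_broad_issuers` against a real LiveContentSSO.xml before deployment shows whether any trusted issuer pattern would accept a certificate that is not the STS's token signing certificate.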