Documentation Center

Configuring SSO in LiveContentSSO.xml

Configure the integration with a Security Token Service.

Before you begin

To configure this file you need to gather and prepare the following values:

  • The WS Federation endpoint. The value is provided by the owner of the target STS. Some examples:
    • For ADFS the typical endpoint is https://adfs.example.com/adfs/ls/.
    • For ISHSTS the typical endpoint is https://example.com/ISHSTS/issue/wsfed.
  • A Java key store file containing the STS's token signing certificate. The certificate (the public key only, never the private key) is provided by the owner of the target STS.
  • The subject name of the token signing certificate. The value is provided by the owner of the target STS.

In the steps below, the owner of the STS has provided a certificate file named token.signing.cer.

Procedure

  1. Prepare a Java key store file containing the token.signing.cer.
    1. Choose a location and a name for the key store file. For example in INSTALL_PATH\token.signing.jks.
    2. Using Java's keytool, import the token.signing.cer into a new Java key store file.
      For Windows the command is
      keytool -import -keystore INSTALL_PATH\token.signing.jks -alias mystscert -trustcacerts -file token.signing.cer -noprompt -storepass password
      For Linux the command is
      keytool -import -keystore INSTALL_PATH/token.signing.jks -alias mystscert -trustcacerts -file token.signing.cer -noprompt -storepass password
      where INSTALL_PATH is the Collaborative Review installation path and password is the password for the key store.
  2. From the Collaborative Review installation folder, open \webapp\WEB-INF\LiveContentSSO.xml.
  3. Make sure the name attribute of the contextConfig node matches the Web App Context from the installation, written as a context path with a leading slash.
    The default is ContentDelivery, which appears in the file as /ContentDelivery.
  4. Set the audienceItem to the Collaborative Review URL.
    You can add additional entries if the application is reached under more than one URL. A token whose audience matches none of the entries is rejected.
  5. Add an issuer element in the trustedIssuers node to accept the token signing certificate. Use a regular expression based on the subject name of the certificate.
    <issuer subject="CN=.*TokenSigningSubjectName.*" certificateValidation="ChainTrust" name="NameOfSTS" />
    where TokenSigningSubjectName is the subject name of the token signing certificate and NameOfSTS is the name of the STS. The NameOfSTS has no functional purpose but helps annotate the entry.
    The subject value is a Java regular expression that must match the entire subject DN of the certificate that signed the token, not just a part of it, which is why the leading and trailing .* are there. Keep the pattern as specific as the subject allows and escape literal dots in host names: with ChainTrust, every certificate that chains to a certificate in the key store passes chain validation, and this pattern is the only remaining check that the token came from the STS.
  6. Add an issuer element in the protocol node to provide the WS Federation endpoint from the Security Token Service.
    For ISHSTS it looks like this
    <issuer>https://example.com/ISHSTS/issue/wsfed</issuer>
    For ADFS it looks like this
    <issuer>https://adfs.example.com/adfs/ls/</issuer>
  7. Add a keyStore element in the trustManager node to enable the ChainTrust validation.
    The keyStore element references the Java key store containing the token signing certificate, INSTALL_PATH\token.signing.jks from step 1.
    <!--Windows-->
    <keyStore file="INSTALL_PATH\token.signing.jks" password="password" type="JKS" />
    <!--Linux-->
    <keyStore file="INSTALL_PATH/token.signing.jks" password="password" type="JKS" />
    where INSTALL_PATH is the Collaborative Review installation path and password is the password for the key store.

Example of LiveContentSSO.xml content

This example applies to ADFS. For an ISHSTS application, follow the recommendations provided at the start of this task.

<FedizConfig>
	<contextConfig name="/ContentDelivery">
		<audienceUris>
			<audienceItem>https://example.com/ContentDelivery/</audienceItem>
		</audienceUris>
		<certificateStores>
			<trustManager>
				<keyStore file="C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\LiveContentSTS\token.signing.jks" password="password" type="JKS" />
			</trustManager>
		</certificateStores>
		<trustedIssuers>
			<issuer subject="CN=TokenSigningSubjectName.*" certificateValidation="ChainTrust" name="STS" />
		</trustedIssuers>
		<maximumClockSkew>1000</maximumClockSkew>
		<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
			xsi:type="federationProtocolType" version="1.0.0">
			<issuer>https://adfs.example.com/adfs/ls/</issuer>
			<roleDelimiter>,</roleDelimiter>
			<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
			<freshness>10000</freshness>
			<claimTypesRequested>
				<claimType type="a particular claim type" optional="true" />
			</claimTypesRequested>
		</protocol>
	</contextConfig>
</FedizConfig>
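The configuration above, checked with an added Python script before it goes live. This script is not part of the product or of Apache Fediz; it assumes the element names used in the example and approximates how Fediz applies the trusted issuer subject: as a Java regular expression that must match the entire subject DN of the token signing certificate, with Python's re.fullmatch standing in for Java's String.matches. The configuration sample and the subject DNs inside it are constructed for illustration.

```python
# Added example, not part of the product or of Apache Fediz: a pre-deployment
# check for LiveContentSSO.xml. Assumes the element names shown on this page and
# approximates Fediz's handling of the issuer 'subject' attribute, which is a
# Java regular expression that must match the whole subject DN (RFC 2253 form)
# of the token-signing certificate; re.fullmatch stands in for String.matches.
import re
import xml.etree.ElementTree as ET

# Constructed sample: the ADFS configuration from this page, trimmed to the
# elements the checks below look at.
SAMPLE_CONFIG = """<FedizConfig>
  <contextConfig name="/ContentDelivery">
    <audienceUris>
      <audienceItem>https://example.com/ContentDelivery/</audienceItem>
    </audienceUris>
    <certificateStores>
      <trustManager>
        <keyStore file="INSTALL_PATH/token.signing.jks" password="password" type="JKS" />
      </trustManager>
    </certificateStores>
    <trustedIssuers>
      <issuer subject="CN=.*TokenSigningSubjectName.*" certificateValidation="ChainTrust" name="STS" />
    </trustedIssuers>
    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="federationProtocolType" version="1.0.0">
      <issuer>https://adfs.example.com/adfs/ls/</issuer>
    </protocol>
  </contextConfig>
</FedizConfig>"""


def load_context(xml_text):
    """Return the contextConfig element of a Fediz configuration document."""
    ctx = ET.fromstring(xml_text).find("contextConfig")
    if ctx is None:
        raise ValueError("no contextConfig element found")
    return ctx


def subject_patterns(ctx):
    """(name, subject-regex) for every trusted issuer in the context."""
    return [(i.get("name", ""), i.get("subject", ""))
            for i in ctx.findall("trustedIssuers/issuer")]


def subject_matches(pattern, subject_dn):
    """True if the configured pattern accepts this certificate subject DN.

    Fediz requires the regex to match the entire DN, not a substring, which is
    why the page's pattern carries .* on both sides of the fixed text.
    """
    return re.fullmatch(pattern, subject_dn) is not None


def accepted_subjects(pattern, candidate_dns):
    """The subset of candidate DNs the pattern would let through."""
    return [dn for dn in candidate_dns if subject_matches(pattern, dn)]


def exact_subject_pattern(subject_dn):
    """A pattern accepting exactly one DN: dots and other metacharacters escaped."""
    return re.escape(subject_dn)


def lint_context(ctx):
    """Findings a reviewer would raise before this file goes live."""
    findings = []
    if not ctx.get("name", "").startswith("/"):
        findings.append("contextConfig name should be the context path, e.g. /ContentDelivery")
    for item in ctx.findall("audienceUris/audienceItem"):
        if not (item.text or "").startswith("https://"):
            findings.append("audienceItem is not an https URL: %s" % item.text)
    endpoint = ctx.find("protocol/issuer")
    if endpoint is None or not (endpoint.text or "").startswith("https://"):
        findings.append("protocol issuer (WS-Federation endpoint) is missing or not https")
    if ctx.find("certificateStores/trustManager/keyStore") is None:
        findings.append("no trustManager keyStore, so ChainTrust has nothing to chain to")
    for name, pattern in subject_patterns(ctx):
        if not pattern:
            findings.append("issuer %r has no subject pattern" % name)
        elif ".*" in pattern:
            findings.append("issuer %r pattern %r accepts more than one DN; confirm that is intended"
                            % (name, pattern))
    return findings


if __name__ == "__main__":
    ctx = load_context(SAMPLE_CONFIG)
    # Constructed DNs: the genuine signing certificate plus two look-alikes that
    # would also pass ChainTrust if their issuing CA were in the key store.
    dns = ["CN=TokenSigningSubjectName",
           "CN=anything-TokenSigningSubjectName-else",
           "CN=attacker,OU=TokenSigningSubjectName"]
    for name, pattern in subject_patterns(ctx):
        print(name, repr(pattern), "accepts", accepted_subjects(pattern, dns))
    tight = exact_subject_pattern(dns[0])
    print("tightened", repr(tight), "accepts", accepted_subjects(tight, dns))
    for finding in lint_context(ctx):
        print("finding:", finding)
```

Read the real subject DN from the certificate with keytool -printcert -file token.signing.cer (the Owner line) before composing the pattern. Note that keytool prints the DN with a space after each comma, while the RFC 2253 form Fediz compares against has none, so a pattern written for a multi-attribute subject should tolerate the latter. Prefer the tightest pattern the subject allows: the run above shows the page's .* pattern also accepting the two look-alike DNs, whereas the escaped exact pattern accepts only the genuine one.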