Establishing a trust for Collaborative Review

Establish a trust for Collaborative Review with a Security Token Service.

For Collaborative Review to integrate with a Security Token Service (STS), a trust for Collaborative Review must first be established on the STS.

To do this you need the identifier of Collaborative Review, which is its URL, e.g. https://example.com/LC/. The STS places this identifier in the audience restriction of every token it issues for Collaborative Review, so it must match the URL Collaborative Review is deployed at exactly; a token whose audience differs fails the audience check and is not accepted.

The Security Token Service generates tokens that Collaborative Review processes. For a token to be valid and useful, the following conditions must be met:

  • The token format must be SAML 1.1 (token type urn:oasis:names:tc:SAML:1.0:assertion). For example, the generated token must contain the element
    <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
  • The token must carry the set of claims that drive Collaborative Review authorization (listed in the table below).

The generated token's attribute composition must be as follows:

Name             Claim type                                                          Required
Name identifier  (carried in the assertion's saml:NameIdentifier subject element)    Yes
Given name       http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname     Yes
Surname          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname       Yes
Email address    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress  Yes
Role             http://schemas.microsoft.com/ws/2008/06/identity/claims/role        No
Group            http://schemas.xmlsoap.org/claims/group                             No
Display name     http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname   No
Department       http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department    No

In the token each claim is a saml:Attribute, and its claim type is the AttributeNamespace followed by "/" and the AttributeName: AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" with AttributeName="surname" yields the surname claim type listed above. Optional claims may be left out, but every claim marked Required must be present with a non-empty value.

Here is an example token with private information redacted:

<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
	<t:Lifetime>
		<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2015-11-05T09:55:42.162Z</wsu:Created>
		<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2015-11-05T10:55:42.162Z</wsu:Expires>
	</t:Lifetime>
	<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
		<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
			<wsa:Address>https://example.com/LiveContent/</wsa:Address>
		</wsa:EndpointReference>
	</wsp:AppliesTo>
	<t:RequestedSecurityToken>
		<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_2609f1cf-a664-49eb-bffd-68ab598724e9" Issuer="redacted" IssueInstant="2015-11-05T09:55:42.169Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
			<saml:Conditions NotBefore="2015-11-05T09:55:42.162Z" NotOnOrAfter="2015-11-05T10:55:42.162Z">
				<saml:AudienceRestrictionCondition>
					<saml:Audience>https://example.com/LiveContent/</saml:Audience>
				</saml:AudienceRestrictionCondition>
			</saml:Conditions>
			<saml:AttributeStatement>
				<saml:Subject>
					<saml:NameIdentifier>user@example.com</saml:NameIdentifier>
					<saml:SubjectConfirmation>
						<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
					</saml:SubjectConfirmation>
				</saml:Subject>
				<saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
					<saml:AttributeValue>user@example.com</saml:AttributeValue>
				</saml:Attribute>
				<saml:Attribute AttributeName="givenname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
					<saml:AttributeValue>redacted</saml:AttributeValue>
				</saml:Attribute>
				<saml:Attribute AttributeName="surname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
					<saml:AttributeValue>redacted</saml:AttributeValue>
				</saml:Attribute>
				<saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
					<saml:AttributeValue>redacted</saml:AttributeValue>
				</saml:Attribute>
				<saml:Attribute AttributeName="group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
					<saml:AttributeValue>redacted</saml:AttributeValue>
				</saml:Attribute>
				<saml:Attribute AttributeName="displayname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
					<saml:AttributeValue>redacted</saml:AttributeValue>
				</saml:Attribute>
				<saml:Attribute AttributeName="department" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
					<saml:AttributeValue>redacted</saml:AttributeValue>
				</saml:Attribute>
			</saml:AttributeStatement>
			<saml:AuthenticationStatement AuthenticationMethod="urn:federation:authentication:windows" AuthenticationInstant="2015-11-05T09:55:42.106Z">
				<saml:Subject>
					<saml:NameIdentifier>user@example.com</saml:NameIdentifier>
					<saml:SubjectConfirmation>
						<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
					</saml:SubjectConfirmation>
				</saml:Subject>
			</saml:AuthenticationStatement>
			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:SignedInfo>
					<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
					<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
					<ds:Reference URI="#_2609f1cf-a664-49eb-bffd-68ab598724e9">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
						<ds:DigestValue>redacted</ds:DigestValue>
					</ds:Reference>
				</ds:SignedInfo>
				<ds:SignatureValue>redacted</ds:SignatureValue>
				<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
					<X509Data>
						<X509Certificate>redacted</X509Certificate>
					</X509Data>
				</KeyInfo>
			</ds:Signature>
		</saml:Assertion>
	</t:RequestedSecurityToken>
	<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
	<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
	<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>
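As an added example (not part of this documentation and not Collaborative Review's own code), the following Python script applies the conditions listed above to a RequestSecurityTokenResponse: the SAML 1.1 token type and assertion version, an audience equal to the Collaborative Review identifier (the page's https://example.com/LC/ is assumed), the validity window, the required claims from the table, and the presence of a signature that references the assertion. It does not verify the signature cryptographically; that remains the job of the relying party, which holds the STS certificate. The sample token it parses is constructed for this example with placeholder values, and the function and constant names are the example's own.

```python
"""Added example (not Collaborative Review documentation or product code): apply the
conditions listed on this page to a RequestSecurityTokenResponse.  Signature verification
is left to the relying-party token handler that holds the STS certificate; this only checks
that a signature is present and references the assertion.  SAMPLE_TOKEN is constructed."""
import xml.etree.ElementTree as ET  # production: defusedxml, to harden against DTD/entity tricks
from datetime import datetime

NS = {"t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML11_TOKEN_TYPE = "urn:oasis:names:tc:SAML:1.0:assertion"
IDENTITY = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
# "Required = Yes" rows of the claim table; the name identifier is checked separately because
# it travels in saml:Subject/saml:NameIdentifier rather than as a saml:Attribute.
REQUIRED_CLAIMS = (IDENTITY + "/givenname", IDENTITY + "/surname", IDENTITY + "/emailaddress")


def claims_from_assertion(assertion):
    """Claim type = AttributeNamespace + "/" + AttributeName, which is how the table's
    claim types map onto the token's saml:Attribute elements."""
    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        ctype = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")
        claims.setdefault(ctype, []).extend(v.text or "" for v in attr.findall("saml:AttributeValue", NS))
    return claims


def claims_from_token(rstr_xml):
    """Claims of the assertion carried inside a RequestSecurityTokenResponse."""
    assertion = ET.fromstring(rstr_xml).find("t:RequestedSecurityToken/saml:Assertion", NS)
    return claims_from_assertion(assertion) if assertion is not None else {}


def _ts(value):
    """SAML timestamps are UTC with a trailing Z; make them aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_token(rstr_xml, expected_audience, now_iso):
    """Return the conditions the token fails; an empty list means it passes all of them."""
    problems, root, now = [], ET.fromstring(rstr_xml), _ts(now_iso)
    token_type = root.findtext("t:TokenType", namespaces=NS)
    if token_type != SAML11_TOKEN_TYPE:
        problems.append("TokenType %r is not %s" % (token_type, SAML11_TOKEN_TYPE))
    assertion = root.find("t:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        return problems + ["no SAML 1.x assertion in RequestedSecurityToken"]
    if (assertion.get("MajorVersion"), assertion.get("MinorVersion")) != ("1", "1"):
        problems.append("assertion is not SAML 1.1")
    # The audience must be exactly the Collaborative Review identifier registered on the STS.
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience %r does not include %s" % (audiences, expected_audience))
    cond = assertion.find("saml:Conditions", NS)
    try:
        in_window = _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))
    except (AttributeError, ValueError):  # no Conditions, or a missing/malformed timestamp
        in_window = False
    if not in_window:
        problems.append("token is outside its validity window (or has none)")
    if not assertion.findtext("saml:AttributeStatement/saml:Subject/saml:NameIdentifier", namespaces=NS):
        problems.append("missing name identifier")
    claims = claims_from_assertion(assertion)
    for ctype in REQUIRED_CLAIMS:
        if not any(claims.get(ctype, [])):
            problems.append("missing required claim " + ctype)
    # Presence check only: the ds:Reference must point at this assertion's AssertionID.
    # Digest, SignatureValue and certificate trust are the RP token handler's job.
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (assertion.get("AssertionID") or ""):
        problems.append("assertion is unsigned or the signature does not reference it")
    return problems


# Constructed sample shaped like the page's example; the values are placeholders, not real data.
SAMPLE_TOKEN = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <t:RequestedSecurityToken>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1" Issuer="sts.example.com"
      IssueInstant="2015-11-05T09:55:42.169Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
   <saml:Conditions NotBefore="2015-11-05T09:55:42.162Z" NotOnOrAfter="2015-11-05T10:55:42.162Z">
    <saml:AudienceRestrictionCondition><saml:Audience>https://example.com/LC/</saml:Audience></saml:AudienceRestrictionCondition>
   </saml:Conditions>
   <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>user@example.com</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="surname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims"><saml:AttributeValue>Reviewer</saml:AttributeValue></saml:Attribute>
   </saml:AttributeStatement>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
 </t:RequestedSecurityToken>
 <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
</t:RequestSecurityTokenResponse>"""

if __name__ == "__main__":
    print(check_token(SAMPLE_TOKEN, "https://example.com/LC/", "2015-11-05T10:00:00Z") or "token OK")
```

Run it directly to check the embedded sample, or call check_token with a captured RequestSecurityTokenResponse; an empty result means every listed condition holds. Claim types are derived as AttributeNamespace + "/" + AttributeName, so an attribute whose namespace already ends in the claim name would produce a type the table does not list and would be reported as missing.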