
Configuring hosted systems to use a customer's ADFS

This information is needed when you have an on-premises ADFS and you want to use SDL Tridion Docs installations deployed on SDL hosted servers outside your network.

About this task

All client tools (web client, PM, and so on) running from the customer's network have access to both ADFS and SDL Tridion Docs. The ADFS system is trusted by the SDL Tridion Docs products through certificate thumbprint configuration. However, flows running on the server also need access to the configured ADFS. This is the situation where you would access an intranet site from outside the customer's network and authenticate with Windows authentication without being part of the domain.

Elements where this problem exists are:

  • ISHCM to ISHWS identity delegation
  • TranslationOrganizer
  • Publish to a delivery platform
  • SynchronizeToLiveContent

Solution:

Redirect all server-side active authentication flows through ISHSTS. This allows the system to work without depending on the customer's ADFS and without requiring network access from the hosted domain to the customer's intranet.

The following information assumes that a normal ADFS installation was executed. In this case the embedded ISHSTS, although not active, is also configured for Windows Authentication.

To keep the following steps simple, the example data shown below is used for the Thumbprint and the wsTrustEndpoint.

  • Values related to the customer's ADFS are hosted on adfs.example.com (where adfs refers to an example server related to ADFS):
    • Thumbprint of the ADFS token signing certificate: 04F6EB2AA0873A9E38ED66A234D56CF83C2799A4
    • wsTrustEndpoint of the ADFS: https://adfs.example.com/adfs/services/trust/13/windowsmixed
    • issueractorusername: CustomerDomain\User
  • Values related to the internal ISHSTS that is installed:
    • Thumbprint of the ISHSTS token signing certificate: E29E9CDD03CB20665230E38A058A68D6A4A52ABF
    • wsTrustEndpoint of ISHSTS: https://ish.example.com/ISHSTS/issue/wstrust/mixed/username (where ish refers to an example server dedicated to Content Manager)
    • The actor credentials must match a user in the repository, e.g. the ServiceUser.

ISHSTS

Switch ISHSTS from Windows authentication mode to username/password mode.

  1. Delete the file App_Data\IdentityServerConfiguration-2.2.sdf if it exists.
  2. In Configuration\ISHSTS.config, change the value of authenticationType from Windows to UsernamePassword.
  3. Also change the value of actorUsername to a username found in the user repository, e.g. ServiceUser.

Configure ISHSTS to allow identity delegation from issuers other than itself.

To add the above ADFS as a trusted issuer for delegation, modify the Web.config file by following the steps below.

  1. Enable the addActAsTrustedIssuer behavior extension.
  2. Add an addActAsTrustedIssuer behavior referencing the ADFS token signing certificate thumbprint.

The expected outcome of the serviceModel section is:

<system.serviceModel>
	<behaviors>
		<serviceBehaviors>
			<behavior name="">
				<serviceDebug includeExceptionDetailInFaults="false" />
				<!--Uncomment to enable ISHSTS to provide identity delegation for tokens issued by other sts-->
				<!--Add as many elements as the additional STS you want to support-->
				<addActAsTrustedIssuer thumbprint="04F6EB2AA0873A9E38ED66A234D56CF83C2799A4" issuer="ADFS"/>
			</behavior>
		</serviceBehaviors>
		<endpointBehaviors>
			<behavior name="">
				<setRequestIDEndpoint />
				<!--<timerEndpoint/>-->
			</behavior>
		</endpointBehaviors>
	</behaviors>
	<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" minFreeMemoryPercentageToActivateService="0" />
	<extensions>
		<behaviorExtensions>
			<!--Uncomment to enable infoshare sts to provide identity delegation for tokens issued by other sts-->
			<add name="addActAsTrustedIssuer" type="Thinktecture.IdentityServer.InfoShare.Wcf.Extensions.AddActAsTrustedIssuerBehaviorExtension, Thinktecture.IdentityServer.InfoShare"/>
			<add name="setRequestIDEndpoint" type="Trisoft.Utilities.Logging.Wcf.Extensions.SetRequestIDEndpointBehaviorExtension, Trisoft.Utilities.Logging" />
			<add name="timerEndpoint" type="Trisoft.Utilities.Logging.Wcf.Extensions.TimerEndpointBehaviorExtension, Trisoft.Utilities.Logging" />
			<add name="timerInvoker" type="Trisoft.Utilities.Logging.Wcf.Extensions.TimerInvokerBehaviorExtension, Trisoft.Utilities.Logging" />
		</behaviorExtensions>
	</extensions>
	<diagnostics>
		<messageLogging logMessagesAtTransportLevel="true" logEntireMessage="true" logMalformedMessages="true" />
	</diagnostics>
</system.serviceModel>

ISHWS

You must configure ISHWS to accept tokens from an additional STS besides the ADFS configured by the installation. To add the local ISHSTS as a valid token issuer, modify the Web.config file by following the steps below.

  • Add a trusted issuer referencing the ISHSTS token signing certificate thumbprint.

The expected outcome of the issuerNameRegistry within the system.identityModel section is:

<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
	<trustedIssuers>
		<add thumbprint="04F6EB2AA0873A9E38ED66A234D56CF83C2799A4" name="Issuer"/>
		<add thumbprint="E29E9CDD03CB20665230E38A058A68D6A4A52ABF" name="ISHSTS"/>
	</trustedIssuers>
</issuerNameRegistry>

ISHCM

You must configure ISHCM to accept tokens from an additional STS besides the ADFS configured by the installation. To add the local ISHSTS as a valid token issuer, modify the ISHCM Web.config file by following the steps below.

  • Add a trusted issuer referencing the ISHSTS token signing certificate thumbprint.

The expected outcome of the issuerNameRegistry within the system.identityModel section is:

<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
	<trustedIssuers>
		<add thumbprint="04F6EB2AA0873A9E38ED66A234D56CF83C2799A4" name="Issuer"/>
		<add thumbprint="E29E9CDD03CB20665230E38A058A68D6A4A52ABF" name="ISHSTS"/>
	</trustedIssuers>
</issuerNameRegistry>
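The same trusted-issuer addition is needed in both the ISHWS and the ISHCM Web.config. As an added example (not part of the SDL Tridion Docs installer), the following PowerShell script applies it to one or more Web.config files; the file paths are placeholders, the XPath assumes the issuerNameRegistry layout shown above, and the script first verifies that the thumbprint corresponds to a valid certificate present in the local machine store before trusting it.

```powershell
# Added example, not part of the SDL Tridion Docs installer: register the
# ISHSTS token signing certificate as a trusted issuer in Web.config files.
param(
    [Parameter(Mandatory)][string[]]$WebConfigPath,   # placeholders: ISHWS and ISHCM Web.config paths
    [string]$Thumbprint = 'E29E9CDD03CB20665230E38A058A68D6A4A52ABF',
    [string]$IssuerName = 'ISHSTS'
)
# Normalise the thumbprint: drop spaces/colons that certificate tools insert, force upper case.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) {
    throw "Expected a 40 hex-character SHA-1 thumbprint, got '$Thumbprint'"
}
# A mistyped thumbprint silently rejects every delegated token, so confirm the
# certificate actually exists on this host and is still valid before trusting it.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }

foreach ($path in $WebConfigPath) {
    $full = (Resolve-Path -Path $path).Path
    [xml]$cfg = Get-Content -Path $full -Raw
    $trusted = $cfg.SelectSingleNode('//system.identityModel//issuerNameRegistry/trustedIssuers')
    if (-not $trusted) { throw "$full has no issuerNameRegistry/trustedIssuers element" }

    # Idempotent: skip when the thumbprint is already listed (compared case-insensitively).
    $existing = $trusted.SelectSingleNode("add[translate(@thumbprint,'abcdef','ABCDEF')='$Thumbprint']")
    if ($existing) {
        Write-Host "$full already trusts $Thumbprint as '$($existing.GetAttribute('name'))'"
        continue
    }
    Copy-Item -Path $full -Destination "$full.bak" -Force    # keep a backup of the original
    $add = $cfg.CreateElement('add')
    $add.SetAttribute('thumbprint', $Thumbprint)
    $add.SetAttribute('name', $IssuerName)
    [void]$trusted.AppendChild($add)
    $cfg.Save($full)
    Write-Host "Added trusted issuer '$IssuerName' ($Thumbprint) to $full"
}
```

Run it once with both Web.config paths; re-running is harmless because an already-listed thumbprint is skipped.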

You must configure ISHCM to use ISHSTS for identity delegation instead of the configured ADFS. The behavior switches from Windows authentication mode to username/password to match the changes in ISHSTS. To do this, modify Trisoft.InfoShare.Client.config from the following:

<issuer>
	<uri>https://adfs.example.com/adfs/services/trust/13/windowsmixed</uri>
	<bindingtype>WindowsMixed</bindingtype>
	<serverappliesto>https://ish.example.com/ISHWS/</serverappliesto>
	<websiteappliesto>https://ish.example.com/ISHCM/</websiteappliesto>
</issuer>
<actor>
	<credentials>
		<username>CustomerDomain\User</username>
		<password/>
	</credentials>
</actor>

...to the following:

<issuer>
	<uri>https://ish.example.com/ISHSTS/issue/wstrust/mixed/username</uri>
	<bindingtype>UserNameMixed</bindingtype>
	<serverappliesto>https://ish.example.com/ISHWS/</serverappliesto>
	<websiteappliesto>https://ish.example.com/ISHCM/</websiteappliesto>
</issuer>
<actor>
	<credentials>
		<username>ServiceUser</username>
		<password>ServiceUser</password>
	</credentials>
</actor>

TranslationOrganizer, Publish and SynchronizeToLiveContent

You must configure TranslationOrganizer, Publish, and SynchronizeToLiveContent to use ISHSTS for authentication instead of the configured ADFS. Modify the following files, located alongside the corresponding executable or script:

  • TranslationOrganizer.exe.config
  • FeedSDLLiveContent.ps1.config
  • SynchronizeToLiveContent.ps1.config

from the following:

<issuer wsTrustBindingType="WindowsMixed" wsTrustEndpoint="https://adfs.example.com/adfs/services/trust/13/windowsmixed" />

to the following:

<issuer wsTrustBindingType="UserNameMixed" wsTrustEndpoint="https://ish.example.com/ISHSTS/issue/wstrust/mixed/username" />
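After the Trisoft.InfoShare.Client.config and tool config changes above, every server-side issuer reference should point at the ISHSTS username endpoint with the UserNameMixed binding. The following PowerShell check is an added example (not SDL's own tooling) that reads those files and flags any entry still pointing at the ADFS endpoint, a mismatched binding type, or a non-HTTPS URL; the file paths are placeholders and the XPath assumes the element layout shown above.

```powershell
# Added example, not SDL's own tooling: verify that every server-side issuer
# reference now targets ISHSTS with the UserNameMixed binding.
param(
    [string]$IshStsEndpoint = 'https://ish.example.com/ISHSTS/issue/wstrust/mixed/username',
    [string]$ClientConfig = 'Trisoft.InfoShare.Client.config',          # placeholder paths
    [string[]]$ToolConfigs = @('TranslationOrganizer.exe.config',
                               'FeedSDLLiveContent.ps1.config',
                               'SynchronizeToLiveContent.ps1.config')
)
$expected = [uri]$IshStsEndpoint

function Test-IssuerPair {
    # Returns a problem description, or $null when binding type and endpoint are consistent.
    param([string]$File, [string]$BindingType, [string]$Endpoint)
    $u = $null
    if (-not [uri]::TryCreate($Endpoint, [UriKind]::Absolute, [ref]$u)) {
        return "$File : endpoint '$Endpoint' is not an absolute URL"
    }
    if ($u.Scheme -ne 'https') { return "$File : endpoint must use https, got '$($u.Scheme)'" }
    if ($BindingType -ne 'UserNameMixed') {
        return "$File : binding type is '$BindingType', expected UserNameMixed after the switch"
    }
    if ($u.AbsoluteUri -ne $expected.AbsoluteUri) {
        return "$File : endpoint $($u.AbsoluteUri) still differs from ISHSTS $($expected.AbsoluteUri)"
    }
    return $null
}

$problems = @()
# Trisoft.InfoShare.Client.config carries uri and bindingtype as child elements of <issuer>.
[xml]$client = Get-Content -Path $ClientConfig -Raw
$issuer = $client.SelectSingleNode('//issuer')
$problems += Test-IssuerPair $ClientConfig $issuer.bindingtype $issuer.uri
$creds = $client.SelectSingleNode('//actor/credentials')
if (-not $creds -or -not $creds.username) { $problems += "$ClientConfig : actor username is empty" }

# The tool configs carry the same pair as attributes on <issuer/>.
foreach ($f in $ToolConfigs) {
    [xml]$x = Get-Content -Path $f -Raw
    $i = $x.SelectSingleNode('//issuer')
    $problems += Test-IssuerPair $f $i.wsTrustBindingType $i.wsTrustEndpoint
}

$problems = @($problems | Where-Object { $_ })
if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'All server-side issuers point at ISHSTS with the UserNameMixed binding.'
```

A non-zero exit code means at least one component would still try to reach the customer's ADFS from the hosted server.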