Configuring LDAP and single-sign on (SSO)

This task describes how to configure Online Marketing Explorer to use LDAP or SSO.

Before you begin

If you are configuring Online Marketing Explorer for LDAP, you first need to configure LDAP authentication for the Content Manager of SDL Tridion. For more information, refer to the implementer's documentation portal.

Procedure

  1. Open Internet Information Services (IIS) Manager.
  2. Go to your SDL Tridion Web site.
  3. Go to the OnlineMarketing Web application running in the SDL Tridion Web site:
    1. Change the Authentication from Windows Authentication to Anonymous Authentication.
    2. Open the Online Marketing Explorer web.config file, located in \OnlineMarketing\Web\Services\ folder, in a text editor.
    3. For SSO, in the <tridionOnlineMarketing> element, set useProxyServer="True".
    4. For SSO, uncomment the following section:
      <httpRuntime requestPathInvalidCharacters="" />
      <pages validateRequest="false" />
    5. Uncomment the following sections:
      <serviceCredentials>
        <windowsAuthentication allowAnonymousLogons="false"/>
      </serviceCredentials>
      <serviceAuthorization principalPermissionMode="Custom">
        <authorizationPolicies>
          <add policyType="Tridion.Web.ServiceModel.HttpIdentityPolicy, Tridion.Web.ServiceModel"/>
          <add policyType="Tridion.Web.ServiceModel.HttpPrincipalPolicy, Tridion.Web.ServiceModel"/>
        </authorizationPolicies>
      </serviceAuthorization>
    6. Search for clientCredentialType="Windows" and change every occurrence to clientCredentialType="None".
    7. Save and close the web.config file.
    8. Restart IIS.
  4. Configure Tridion.OnlineMarketing.config:
    1. If you have encrypted passwords, run the command line tool delivered with Online Marketing Explorer to decrypt them. For more information, see Encrypting sensitive strings.
    2. Open the Tridion.OnlineMarketing.config file, by default located in your Tridion installation config folder, in a text editor.
    3. In the <customUserPasswordConfigurationSection> element, specify the SSO admin user and set the useCustomUser attribute to true:
      <customUserPasswordConfigurationSection useCustomUser="true"
          username="Username" password="Password">
    4. Run the command line tool to encrypt passwords. For more information, see Encrypting sensitive strings.
  5. Configure AggregationService.exe.config:
    1. Open the AggregationService.exe.config file, by default located in your Tridion installation config folder, in a text editor.
    2. In <configSections>, uncomment the <tridion.security> section.
    3. In <tridionConfigSections>, uncomment the <tridion.security> section.
    4. Search for clientCredentialType="Windows" and change every occurrence to clientCredentialType="None", except in the <binding name="BasicHttpBinding_IOnlineMarketingConnectorService" ...> binding, which you must set to clientCredentialType="Basic".
    5. For SSO, in the basicHttpAggService binding, comment out the following line:
      <!--message clientCredentialType="UserName" algorithmSuite="Default" /-->
    6. For SSO, change the server name (shown as ome in the endpoint addresses below) to the virtual host specified on your SSO Policy Server:
      <endpoint address="http://ome/OnlineMarketing/OnlineMarketingConnectorService.svc" binding="basicHttpBinding" behaviorConfiguration="OnlineMarketingBehavior" bindingConfiguration="BasicHttpBinding_IOnlineMarketingConnectorService" contract="OnlineMarketingConnectorService.IOnlineMarketingConnectorService" name="BasicHttpBinding_IOnlineMarketingConnectorService" />
      and
      <endpoint address="http://ome/webservices/CoreService2011.svc/basicHttp" binding="basicHttpBinding" bindingConfiguration="basicHttp_2010" contract="Tridion.ContentManager.CoreService.Client.ICoreService" name="basicHttp_2010" />
    7. Save and close AggregationService.exe.config.
    8. Open Component Services and restart the Tridion Aggregation Service.
  6. Secure the connection between the Aggregation Service and the Online Marketing Explorer services:
    1. Open the AggregationService.exe.config file.
    2. For SSO, add the principalPermissionMode="Custom" attribute to the <serviceAuthorization> element:
      <serviceAuthorization principalPermissionMode="Custom">
    3. For SSO, in the <authorizationPolicies> section, uncomment the following policy:
      <add policyType="Tridion.OnlineMarketing.Common.WcfUtils.WcfSecurity.SsoAgentAuthenticationPolicy,
          Tridion.OnlineMarketing.Common, Version=1.1.0.4662, Culture=neutral,
          PublicKeyToken=ddfc895746e5ee6b" />
    4. For LDAP, in the <authorizationPolicies> section, uncomment the following policy:
      <add policyType="Tridion.Security.IdentityModel.ClaimsPrincipalAuthorizationPolicy, Tridion.Security, Version=6.1.0.25, Culture=neutral, PublicKeyToken=ddfc895746e5ee6b" />
    5. In Tridion.AggregationFramework.AggregationService.WebService and Tridion.OnlineMarketing.DataService.ODataService sections, change behaviorConfiguration to CustomSecurity.
    6. For LDAP, in the <serviceCredentials> section, uncomment the following:
      <serviceCredentials type="Tridion.Security.IdentityModel.LdapSecurityTokenCredentials, Tridion.Security, Version=6.1.0.25, Culture=neutral, PublicKeyToken=ddfc895746e5ee6b">
        <userNameAuthentication customUserNamePasswordValidatorType="Tridion.Security.IdentityModel.LdapUserNamePasswordValidator, Tridion.Security, Version=6.1.0.25, Culture=neutral, PublicKeyToken=ddfc895746e5ee6b" userNamePasswordValidationMode="Custom" />
      </serviceCredentials>
    7. Go to the OnlineMarketing Web application running in the SDL Tridion Web site.
    8. Open the Online Marketing Explorer web.config file, located in \OnlineMarketing\Web\Services\ folder, in a text editor.
    9. For SSO, change the server name (shown as agg in the endpoint address below) in the AggregationDataService endpoint to the virtual host:
      <endpoint
          address="http://agg/AggregationDataService" binding="basicHttpBinding"
          bindingConfiguration="basicHttpBinding_IDataProviderService"
          contract="AggregationDataService.IDataProviderService"
          name="Reporting_IDataProviderService">
    10. In the basicHttpBinding_IDataProviderService binding, change the transport clientCredentialType from None to Basic:
      <transport clientCredentialType="Basic" />
      Then configure the web.config file as described in the following steps.
  7. To secure the proxy connection between the OnlineMarketingODataService and the Online Marketing Explorer dashboard:
    1. Open the Online Marketing Explorer web.config file, located in your Tridion installation OnlineMarketing\Web\Models folder, in a text editor.
    2. In the <bindings> section, in the ODataWebHttpBinding binding, set:
      <transport clientCredentialType="None" />
    3. Save and close web.config.
  8. If you have a secured connection between the Online Marketing Explorer Web application and the Aggregation Service, perform the following to enable SSO:
    1. Open the Online Marketing Explorer web.config file, located in your Tridion installation OnlineMarketing\Web\Models folder, in a text editor.
    2. In the <bindings> section, in the ODataWebHttpBinding binding, set:
      <transport clientCredentialType="Basic" />
    3. In the <appSettings> section, set the server name to the virtual host:
      <add key="OMEODataService" value="http://agg2/OnlineMarketingODataService" />
    4. Save and close web.config.
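The clientCredentialType rewrite in step 3.6 and step 5.4 is easy to get wrong by hand, because step 5.4 has one binding that must become Basic while everything else becomes None. The following Python script is an added example, not part of the SDL documentation or the product: it applies that rule to a constructed config fragment shaped like the <bindings> section of AggregationService.exe.config and reads the result back so the edit can be checked. The sample XML, the STEP_5_4_EXCEPTIONS map and the function names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of the <bindings> section of
# AggregationService.exe.config; illustrative only, not the shipped file.
SAMPLE_CONFIG = """<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_IOnlineMarketingConnectorService">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
        <binding name="basicHttp_2010">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>
"""

# Step 5.4: the connector binding must end up as Basic; every other
# binding that was Windows becomes None. Step 3.6 has no exception.
STEP_5_4_EXCEPTIONS = {"BasicHttpBinding_IOnlineMarketingConnectorService": "Basic"}


def rewrite_credential_types(config_xml, default="None", exceptions=None):
    """Return (new_xml, changes). Every clientCredentialType="Windows" inside a
    <binding> becomes `default`, unless the binding name is in `exceptions`.
    `changes` maps binding name -> value written, for operator review."""
    exceptions = exceptions or {}
    root = ET.fromstring(config_xml)
    changes = {}
    for binding in root.iter("binding"):
        name = binding.get("name", "")
        target = exceptions.get(name, default)
        for elem in binding.iter():  # transport and message elements alike
            if elem.get("clientCredentialType") == "Windows":
                elem.set("clientCredentialType", target)
                changes[name] = target
    return ET.tostring(root, encoding="unicode"), changes


def transport_credential_types(config_xml):
    """Map binding name -> <transport clientCredentialType>, to verify an edit."""
    root = ET.fromstring(config_xml)
    return {b.get("name"): t.get("clientCredentialType")
            for b in root.iter("binding") for t in b.iter("transport")}
```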