
Planning your Content Manager and Access Management integration

In preparation for setting up user access to Content Management applications, you need to collect information about the external Identity Provider (IdP), including the claim types that are available. These will inform your decisions when defining user and user group access.

The following three activities summarize what you need to do when planning the integration:

  1. Examine IdP claims — Examine the external claim types available from the IdP, as these vary from IdP to IdP. One way to obtain this information is to use the "Validate Login" option for the configured IdP. A successfully validated IdP will display a page with a list of valid claim types/values (specifically, claims for you as the current Access Management user).
  2. Determine access criteria — Determine which IdP claim types can be used as the basis for granting access to Content Manager in general, and moreover, which specific claim types and values (type:value pairs) you want to use for this purpose.
  3. Plan role-based authentication strategy — Decide which IdP claim types are best suited for mapping to role-based user groups, and thus a good way to define what users can do once they are logged in.

    When planning your strategy, it is important to understand a key difference between general system users and administrative users: whether, and how, the API role that you select in Access Management maps to a user group in Content Manager. The two role options are as follows:

    • Administrators — this Access Management role comes already mapped to the System Administrator group in Content Manager.
    • Users — this role is not mapped to any group in Content Manager. In Access Management, you need to define the claim types as forwarded claims, which Access Management sends to Content Manager on request after a user logs in. In Content Manager, you will map these claims to the role-based user groups.

The following diagrams may help clarify how this difference affects the way in which you set things up:

  • For administrators, you map claim type:value pairs in Access Management. In Content Manager, no further mapping is necessary.

  • For all other users, you need to define forwarded claims in Access Management and also map those claims to user groups in Content Manager Explorer's Administration area.

    Mapping the forwarded claims in Content Manager rather than in Access Management provides the flexibility that is necessary to accommodate Content Manager's fine-grained authentication model.
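The following script is an added illustration of the two paths described above (it is not Content Manager or Access Management code). It models a user's IdP claims as the type:value pairs that the "Validate Login" page lists, checks them against the access criteria from step 2, and then either resolves the Administrators role (pre-mapped to the System Administrator group) or, for the Users role, filters the claims down to the forwarded claim types and maps those on the Content Manager side. All claim type names, claim values, group names and the three sample users are constructed for the example.

```python
"""Constructed model of the planning decisions on this page.

Added example, not product code. Claim types, values and group names
are constructed placeholders; replace them with what your IdP's
"Validate Login" page actually shows.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Claim = Tuple[str, str]  # (claim type, claim value)

# Step 2: type:value pairs that grant access to Content Manager at all.
ACCESS_CRITERIA = {("groups", "cm-users"), ("groups", "cm-admins")}

# Pairs mapped to the Administrators API role in Access Management.
# That role is already mapped to System Administrator in Content Manager.
ADMIN_CRITERIA = {("groups", "cm-admins")}

# Step 3: claim types declared as forwarded claims in Access Management.
# Only these claim types are sent on to Content Manager for the Users role.
FORWARDED_CLAIM_TYPES = {"groups", "department"}

# Content Manager side: forwarded type:value pairs -> role-based user groups.
CM_GROUP_MAPPING = {
    ("groups", "cm-users"): "Editors",
    ("department", "marketing"): "Marketing Publishers",
}


@dataclass
class Decision:
    allowed: bool
    role: Optional[str]
    forwarded_claims: List[Claim] = field(default_factory=list)
    cm_groups: List[str] = field(default_factory=list)


def evaluate(claims: List[Claim]) -> Decision:
    """Resolve access, API role, forwarded claims and Content Manager groups.

    A claim type may appear more than once (e.g. several "groups" values),
    so the input is a list of pairs rather than a dict.
    """
    pairs = set(claims)

    # No matching access claim: the user never gets into Content Manager.
    if not pairs & ACCESS_CRITERIA:
        return Decision(allowed=False, role=None)

    # Administrators path: mapped entirely in Access Management.
    if pairs & ADMIN_CRITERIA:
        return Decision(True, "Administrators",
                        cm_groups=["System Administrator"])

    # Users path: only forwarded claim types reach Content Manager, and the
    # group mapping there can only use those. Unforwarded claims such as
    # "email" or "sub" are dropped, so mappings keyed on them would be dead.
    forwarded = sorted(p for p in pairs if p[0] in FORWARDED_CLAIM_TYPES)
    groups = sorted({CM_GROUP_MAPPING[p] for p in forwarded
                     if p in CM_GROUP_MAPPING})
    return Decision(True, "Users", forwarded, groups)


# Constructed sample users, shaped like a "Validate Login" claim list.
ADMIN_USER = [("sub", "alice"), ("groups", "cm-admins"),
              ("groups", "cm-users"), ("department", "it")]
EDITOR_USER = [("sub", "bob"), ("groups", "cm-users"),
               ("department", "marketing"), ("email", "bob@example.test")]
OUTSIDER = [("sub", "carol"), ("groups", "finance")]

if __name__ == "__main__":
    for name, claims in (("alice", ADMIN_USER), ("bob", EDITOR_USER),
                         ("carol", OUTSIDER)):
        print(name, evaluate(claims))
```

Running it shows why the split matters: alice is handled entirely in Access Management and lands in System Administrator without any forwarded claims; bob's `email` and `sub` claims are stripped before Content Manager sees him, and only his forwarded `groups` and `department` claims drive the group mapping there; carol matches no access criterion and is refused before any role question arises. Any group mapping you plan on the Content Manager side should therefore be keyed only on claim types you have actually declared as forwarded.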