Optimizing LDAP authentication
The Core Service enables you to optimize authentication of users accessing the Content Manager through an SDL Web user interface (Content Manager Explorer or Experience Manager). If you are using LDAP, the retrieved authentication information, embedded in SAML tokens, is passed to the Core Service.
The Core Service Client Assembly is the built-in .NET client for interacting with the Core Service. The Core Service Client Assembly includes code for issuing security tokens (Secure Token Issuer). When a user provides credentials in an SDL Web user interface, the Core Service Client Assembly presents the information to the Secure Token Issuer to perform authentication and retrieve additional information such as group membership. If successfully authenticated, the Secure Token Issuer creates a security token (SAML) containing authenticated user information and uses the token as an entry pass to call the Core Service. The Core Service verifies the token, trusting whoever is using it, and allows the client application to execute a call without any additional authentication checks.
To implement this optimized LDAP authentication, on the Content Manager system you need to generate the following certificates:
| Certificate | Description |
|---|---|
| Token Issuer private.pfx | Generates SAML tokens. |
| Token Issuer public.cer | Verifies the Secure Token Issuer. |
| Core Service private.pfx | Decrypts tokens and all communication. |
| Core Service public.cer | Encrypts tokens and all communication. |
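The following C# sketch is an added illustration, not SDL Web's own code, of how the four certificates in the table divide the work: the issuer signs with its private key and encrypts for the Core Service with the Core Service public certificate, and the Core Service decrypts with its private key and checks the signature against the issuer's public certificate. File paths, the password and the expected thumbprint are assumed placeholders; RSA here wraps only a short payload, since a real SAML token exceeds one RSA block and is protected with a symmetric key that is wrapped this way.

```csharp
// Added illustration of the certificate roles; not SDL Web code. Paths are placeholders.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class TokenFlowDemo
{
    // Issuer side: sign the token payload with "Token Issuer private.pfx".
    public static byte[] Sign(byte[] payload, string issuerPfxPath, string pfxPassword)
    {
        using var issuer = new X509Certificate2(issuerPfxPath, pfxPassword);
        using RSA key = issuer.GetRSAPrivateKey();
        return key.SignData(payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Issuer side: encrypt for the Core Service with "Core Service public.cer".
    // OAEP-SHA256 needs the CNG provider on .NET Framework; .NET Core/5+ supports it natively.
    public static byte[] EncryptForCoreService(byte[] plaintext, string coreServiceCerPath)
    {
        using var core = new X509Certificate2(coreServiceCerPath);
        using RSA pub = core.GetRSAPublicKey();
        return pub.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA256);
    }

    // Core Service side: decrypt with "Core Service private.pfx", then verify the
    // signature with "Token Issuer public.cer". The thumbprint comparison pins the
    // check to the configured issuer certificate rather than to whatever certificate
    // arrives with the token; the token is a bearer credential once it is accepted,
    // so this check is where the trust boundary actually sits.
    public static bool DecryptAndVerify(byte[] ciphertext, byte[] signature,
        string corePfxPath, string pfxPassword,
        string issuerCerPath, string expectedIssuerThumbprint)
    {
        using var core = new X509Certificate2(corePfxPath, pfxPassword);
        using RSA priv = core.GetRSAPrivateKey();
        byte[] payload = priv.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA256);

        using var issuer = new X509Certificate2(issuerCerPath);
        if (!string.Equals(issuer.Thumbprint, expectedIssuerThumbprint,
                           StringComparison.OrdinalIgnoreCase))
            return false; // not the issuer this Core Service was configured to trust

        using RSA pub = issuer.GetRSAPublicKey();
        return pub.VerifyData(payload, signature, HashAlgorithmName.SHA256,
                              RSASignaturePadding.Pkcs1);
    }
}
```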
You then need to configure certificates in:
- the user interface `web.config` file.
- the Core Service configuration file (`web.config` or `TcmServiceHost.exe.config`, depending on whether you are running the Core Service in IIS or as a Windows service).