Security and access management

Tridion Docs includes features that ensure secure access to the system.

Access Management

Tridion Access Management (or simply Access Management) provides implementors with a simplified approach to identity management and gives administrators a central location for ongoing management of access to applications. You can use the Tridion Docs Identity Provider or implement your choice of external IdP to authenticate users through Access Management.

The following diagram illustrates how Access Management acts as a federation gateway between a multitude of external identity providers and Tridion Docs applications:

Access Management uses OpenID Connect, a simple authentication layer based on the OAuth 2.0 protocol, which enables clients to verify the identity of end users in an interoperable and REST-like manner. Applications are not impacted when there are changes to an external identity provider.

The key functional features of Access Management are as follows:

Unified single sign-on

By functioning as a federation gateway and managing client credentials, Access Management provides single sign-on (SSO) for end users across the different applications that make up a Tridion Docs implementation.

User interface for managing system access

Access Management provides a centralized interface for configuring authentication. Administrators can use the Access Management user interface to perform the following tasks:

  • Create and maintain connections to external identity providers.
  • Configure authentication for Tridion Docs applications.
  • Manage client credentials for applications, end users and service accounts.

Simplified configuration of external identity providers

Access Management provides a simplified implementation based on a single protocol, OpenID Connect, while still supporting the use of other protocols by external identity providers. The following Tridion Docs applications and services come pre-configured to interact with Access Management through OpenID Connect:

  • The Tridion Docs browser-based user interfaces: Review Space, Draft Space and Organize Space.
  • The Tridion Docs desktop clients: Publication Manager, Condition Manager, Content Importer and the external editor connected through Authoring Bridge.
  • The ISHRemote module.
  • The Access Management application itself, both the user interface and the API.
  • The Add-ons API.

Implementors only need to configure one application on the external identity provider system. The different Tridion Docs applications and services are not impacted by external identity provider changes.

Tridion Identity Provider

Tridion Docs provides the Tridion Docs Identity Provider as a sample identity provider that supports the OpenID Connect protocol and makes it easy to get started with Access Management.

The Tridion Docs Identity Provider is automatically registered and configured in Access Management during the installation of Content Manager, and it can be used immediately after installation to authenticate users.

The Tridion Docs Identity Provider supports the OpenID Connect protocol.

Web services authentication through Security Token Service

The public WCF .SVC web services API does not use Access Management for authentication; instead it uses the deprecated Security Token Service, which relies on the WS-Trust protocol with security tokens in the SAML 1.1 format.

Content Delivery authentication through OAuth

Content Delivery provides a secure connection for Tridion Docs components through a separate OAuth authentication mechanism. If you wish to integrate third-party software components with Content Delivery, you must manually configure them for OAuth.