Configuring Content Manager applications in Access Management

Before you can use Access Management for Content Manager security, you need to configure an identity provider (IdP) with the necessary application settings, including claims for users and role-based groups. In addition, ensure that the URLs are correctly defined for the individual user interfaces.

Before you begin

Before you start configuring the IdP in Access Management, have the following information on hand:
  • IdP configuration details
  • Claim types you want to forward, unaltered, to the Tridion Sites application, where you intend to map the claim types and specific values to various user groups
  • Specific claim types and values that you want to use as the basis for giving access to the Content Manager
  • Specific claim types and values that you want to use as the basis for assigning the Administrator role

If you do not yet have this information, refer to the related topic on planning access.

Procedure

  1. From the slide-out navigation, select Access Management.
    The Identity providers tab shows a list of existing IdPs.
  2. Select the IdP and open it for editing.
  3. In the General settings section, add or modify the IdP information, as needed.
    For assistance on what these fields mean, refer to the related topic for the type of protocol you are using. To confirm the correct values, check with the administrator for the IdP.
  4. Optional: In the Forwarded claims section, define claim types that you want to be forwarded from the external identity provider (IdP) to Access Management.
    1. Click Add forwarded claim.
    2. In the field that appears, enter the name of the claim type as defined in the external IdP.
    3. Repeat the preceding two steps as often as needed to add more claims.
    These forwarded claims are typically used to define group-level permissions for users who are not Administrators. With forwarded claims, you map user groups in Content Manager Explorer to a specific forwarded claim type and value. This mapping is done in a separate task within the Content Manager Explorer's Administration > User Management area.

    In this example, two claims are going to be forwarded from the IdP to Content Manager:

  5. In the Access settings section, define access for a user group that you want to have Administrator rights in Content Manager Explorer.

    Administrator access is typically granted only to users who have a specific claim and value in their token when they log in to Content Manager Explorer. In Access Management, this takes the form of a type:value pair.

    1. To define the required type:value pairs, do the following:
      1. Select Add claim. Fields appear in which you can define the first type:value pair.
      2. In the Type field, enter the name of the claim in the external IdP that will be used to determine if a user should have Administrator-level access. For example, you might use a claim type called "groups" to define access based on the group or role to which the user belongs.
      3. In the Value field, enter the value that the claim must have in order for Access Management to give the user access. The format of the value depends on the IdP.
    2. In the list of Applications, select the various user interfaces, as needed for the Administrator:
      • Select Tridion Sites Classic (UI only) to give access to the following browser-based user interfaces:
        • Content Manager Explorer
        • Experience Manager
        • Other browser-based Content Manager clients, such as Translation Manager
      • Select Tridion Sites Experience Space to give access to the new user interface.
      • Select Tridion Sites Desktop Clients to give access to the following Windows-based interfaces:
        • Content Porter
        • Template Builder
        • Visio Workflow Designer
        • TcmUploadAssembly.exe (command line tool)
    3. In the list of Services and roles under the Tridion Sites Content Manager API group, select Administrator.

    In this example, a user will have the Administrator role only if the token from the IdP includes the given_name claim with this specific value:

    But perhaps you need more than one user to have the Administrator role. In the following example, any user belonging to a specific IdP group will be given the Administrator role:

    In both examples, the user will be able to log in to a Content Manager user interface (Classic or Experience Space) and will be part of the System Administrators group. Note that the Administrator role from Access Management is pre-mapped to the System Administrator user group in the Content Manager Explorer. No additional mapping is needed.

  6. Now, define access for all other users who should not have Administrator-level access. The steps are similar to what you just did for administrators.
    1. Again in the Access settings section, define access in one of the following ways:
      • To give access to all users regardless of their role (through claims), select the option to Make selected settings global. A "Global" claim type is added automatically.
      • To define access for a specific user group that you want to have a specific role and rights, use the Add claim option to add new claim type:value pairs. The process is the same as you followed in the preceding step to define Administrator claims.
    2. In the list of Applications, select the various Content Manager user interfaces, as needed for the user.
      • Select Tridion Sites Classic (UI only) to give access to the following browser-based user interfaces:
        • Content Manager Explorer
        • Experience Manager
        • Other browser-based Content Manager clients, such as Translation Manager
      • Select Tridion Sites Experience Space to give access to the new user interface.
      • Select Tridion Sites Desktop Clients to give access to the following Windows-based interfaces:
        • Content Porter
        • Template Builder
        • Visio Workflow Designer
        • TcmUploadAssembly.exe (command line tool)
    3. In the list of Services and roles under the Tridion Sites Content Manager API group, select User.

    In this example, any authenticated user will have access to both Content Manager applications:

    Since the User role is generic, you typically will want to also include forwarded claims, and map user groups in Content Manager Explorer to a specific forwarded claim type and value. This mapping is done in a separate task within the Content Manager Explorer's Administration > User Management area.

  7. Select Save.
    Access Management returns you to the list of identity providers.
  8. To define redirect URLs for browser-based applications, go to the Applications tab and do the following:
    1. Expand the row for the application, and then select Edit.
    2. Update the Redirect URL to match the URL of your installed application.
    3. Click Save.
    4. Repeat these steps for each browser-based application, as needed.
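The following is an added illustration of the access decision described in steps 4 to 6 (forwarded claims, Administrator claim type:value pairs, the global User setting); it is example code written for this page, not Tridion's own code or its actual evaluation logic. The rule shape, the `cms-admins` group, the `department` claim and the tokens are constructed assumptions; it also shows the caveat from step 5 that the value format depends on the IdP, since a groups claim may arrive as a list or as a single string.

```python
# Illustrative model of Access Management style access settings (assumption,
# not the product's code). Each setting is either global or keyed on ONE
# claim type:value pair, as in the procedure's examples.

def token_has(token: dict, claim_type: str, value: str) -> bool:
    """True if the token carries claim_type with the given value.
    Handles scalar claims (given_name) and multi-valued claims (groups),
    because how the IdP encodes the value differs between providers."""
    present = token.get(claim_type)
    if present is None:
        return False
    if isinstance(present, (list, tuple, set)):
        return value in present
    return present == value

def evaluate_access(access_settings: list, token: dict) -> dict:
    """Return the applications and roles a token is granted.
    Setting shape (constructed): {"global": bool, "claim": (type, value) or None,
    "applications": [...], "roles": [...]}."""
    granted = {"applications": set(), "roles": set()}
    for setting in access_settings:
        matched = setting["global"] or token_has(token, *setting["claim"])
        if matched:
            granted["applications"].update(setting["applications"])
            granted["roles"].update(setting["roles"])
    return granted

def forwarded_claims(forwarded: list, token: dict) -> dict:
    """Claims passed through unaltered for group mapping in Content Manager Explorer."""
    return {c: token[c] for c in forwarded if c in token}

UI_APPS = ["Tridion Sites Classic (UI only)", "Tridion Sites Experience Space"]

# Constructed settings mirroring the page: Administrator via a given_name value,
# Administrator via an IdP group, and the global User setting from step 6.
ACCESS_SETTINGS = [
    {"global": False, "claim": ("given_name", "Alice"), "applications": UI_APPS, "roles": ["Administrator"]},
    {"global": False, "claim": ("groups", "cms-admins"), "applications": UI_APPS, "roles": ["Administrator"]},
    {"global": True, "claim": None, "applications": UI_APPS, "roles": ["User"]},
]
FORWARDED = ["groups", "department"]  # constructed forwarded claim types

# Constructed tokens: one administrator (by group), one ordinary user
ADMIN_TOKEN = {"sub": "carol", "given_name": "Carol", "groups": ["cms-admins", "editors"]}
USER_TOKEN = {"sub": "bob", "given_name": "Bob", "groups": "editors", "department": "marketing"}
```

Anyone with a token, even one carrying none of the configured claims, still receives the User role because of the global setting; only the forwarded claims then decide which Content Manager groups the user lands in.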

What to do next

Additional tasks are required to fully set up Content Manager for authentication through Access Management. Refer to the related topics for details on defining group mappings in Content Manager Explorer's Administration > User Management area. If authentication was previously configured as a direct connection to a SAML or LDAP identity provider, you need to migrate group mappings in Content Manager Explorer.