Enabling Access Management on an existing Content Manager 9.5 or later

Complete this task if you have an existing instance of the Content Manager server version 9.5 or later, which is configured to use some authentication method other than Access Management, and you want to migrate to Access Management now.

Before you begin

Before you can enable Access Management for Content Manager, you must first ensure all the following tasks have been completed:

  • The Content Manager is version 9.5 or later.
  • The Access Management service and database are installed, and you have set up at least one identity provider (IdP).
  • If using the Add-ons feature, that service and database are installed.
  • If the Add-ons service is already secured with Access Management, you must also update the Add-ons client configuration for Content Manager by editing the addonsettings.json file.
  • If you have existing security set up with an LDAP-based or SAML-based identity provider (IdP), you have the configuration details of that IdP at hand.
For instructions on how to complete these prerequisite tasks, refer to the related topics.

About this task

Complete these steps to enable Access Management for an instance of Content Manager (version 9.5 or later) that is currently configured for some other form of authentication, such as Windows (the default), SAML or LDAP.

Procedure

  1. If you are migrating existing security settings for LDAP or SAML, do the following in Access Management to prepare an IdP for the migration:
    1. Configure an IdP of type LDAP or SAML using the same settings as the existing Content Manager configuration. In particular, make sure the following fields are set correctly:
      • Key is the name of the IdP as it was in the Content Manager configuration.
      • Separator is the same separator that was used in the Content Manager configuration.
      • Username claim is the claim used in the LDAP or SAML configuration.
      • Full name claim is the claim used in the LDAP or SAML configuration.
    2. Configure the Content Management access settings, including both the Administrator and User roles.
    3. If you have existing mapped user groups in your Content Manager, configure Forwarded claims for each group.
  2. On the Content Manager server, go to the following folder:

    %TRIDION_HOME%\bin\Configuration Scripts\

  3. Run the following PowerShell script to enable Access Management:

    SetupAccessManagement.ps1 -Authority ACCESS_MANAGEMENT_URL

    where ACCESS_MANAGEMENT_URL is the full URL of the installed Access Management service, for example:

    SetupAccessManagement.ps1 -Authority http://localhost:85/access-management
  4. When prompted, select Yes to migrate existing user group mappings to the Access Management format.
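The following PowerShell wrapper is an added example and is not part of the RWS documentation or the product's own scripts. It runs the pre-flight checks an administrator would want before starting the migration above: that TRIDION_HOME is set, that SetupAccessManagement.ps1 exists in the Configuration Scripts folder named in step 2, that the Access Management authority URL answers, and that the authority is served over HTTPS (a plain-HTTP authority, as in the localhost example, is only appropriate on a single-machine test system, because tokens exchanged with Access Management would otherwise travel unencrypted). Only the -Authority parameter shown on this page is passed to the setup script; the helper script name, the check logic and the warning text are the example's own.

```powershell
<#
  Added example (not RWS product code): pre-flight checks, then run
  SetupAccessManagement.ps1 from the Configuration Scripts folder.
  Assumes TRIDION_HOME is set on the Content Manager server, as the
  procedure above implies.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Authority   # full URL of Access Management, e.g. https://am.example.local/access-management
)

# 1. The script lives under %TRIDION_HOME%\bin\Configuration Scripts\ (step 2 of the procedure).
if (-not $env:TRIDION_HOME) {
    throw 'TRIDION_HOME is not set; run this on the Content Manager server.'
}
$scriptDir   = Join-Path $env:TRIDION_HOME 'bin\Configuration Scripts'
$setupScript = Join-Path $scriptDir 'SetupAccessManagement.ps1'
if (-not (Test-Path -LiteralPath $setupScript)) {
    throw "Setup script not found: $setupScript"
}

# 2. Validate the authority URL and flag plain HTTP (fine for a local test box, not for production).
$uri = [System.Uri]$Authority
if (-not $uri.IsAbsoluteUri) {
    throw "Authority must be an absolute URL, got '$Authority'."
}
if ($uri.Scheme -ne 'https') {
    Write-Warning "Authority '$Authority' uses $($uri.Scheme); use HTTPS unless this is a single-machine test system."
}

# 3. Confirm Access Management is reachable before the migration starts, so a typo in the URL
#    is caught here rather than half-way through the setup script.
try {
    $resp = Invoke-WebRequest -Uri $Authority -UseBasicParsing -TimeoutSec 10
    Write-Host "Access Management reachable at $Authority (HTTP $($resp.StatusCode))"
} catch {
    throw "Access Management not reachable at $Authority : $($_.Exception.Message)"
}

# 4. Record who ran the migration, for the change log.
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running SetupAccessManagement.ps1 as $who at $(Get-Date -Format o)"

# 5. Run the product script from its own folder with the single parameter documented above.
Push-Location -LiteralPath $scriptDir
try {
    & $setupScript -Authority $Authority
} finally {
    Pop-Location
}
```

Run it from an elevated PowerShell session on the Content Manager server, for example `.\Invoke-AccessManagementSetup.ps1 -Authority https://am.example.local/access-management` (the file name is the example's own). The prompt from step 4 about migrating user group mappings still comes from SetupAccessManagement.ps1 itself; the wrapper does not answer it for you.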

Results

On successfully completing this task, the following Content Manager clients are secured with Access Management:
  • Tridion Sites Classic user interface, extensions and underlying WCF Core Service
  • Tridion Sites Experience Space user interface and underlying Core Service.REST
  • Content Manager desktop clients (includes Content Porter, Template Builder, Visio Workflow Designer and the TcmUploadAssembly command line tool)