Adding the relying party entries for webUI and WCF Services for commercial STS

After the Content Manager installation, and only if you are not using ISHSTS, you have to create a Relying Party Trust for the website and one for the WCF services on the STS server. Without these trusts the STS will not issue tokens for Content Manager, so no user can log in.

About this task

These post-installation steps apply when you use a commercial STS such as ADFS (ADFS is used as the example here). If you use ISHSTS as your STS, do not follow these steps.

Creating the trusts by hand is error-prone, so SDL provides a PowerShell script that creates both Relying Party Trusts and applies the required configuration. To execute the script, do the following:

Procedure

  1. The ADFS server needs the service certificate used by the Content Manager WCF Services.
    This is the certificate whose thumbprint you supplied in the inputparameters parameter servicecertificatethumbprint. In a typical Content Manager setup this WCF Service certificate is the same certificate that the IIS website uses for SSL.
    1. Open Internet Information Services (IIS) Manager and select the server node (Servername) in the Connections pane.
    2. Double-click Server Certificates in the right pane.
    3. Right-click on the certificate of the IIS website that is going to be used for Content Manager then click View.
    4. Click the Details tab, then click Copy to File and export the certificate to the file system, e.g. as SDL.ISH.cer. Export only the public key (choose the option that does not export the private key): ADFS only needs the public certificate, and the private key must not leave the web server.
  2. Copy the PowerShell scripts from the Content Manager application server directory \InfoShare\App\Setup\STS\ADFS\Scripts\ to a temporary directory on the ADFS server, e.g. C:\SDL.ISH. Copy the certificate file exported in the previous step (SDL.ISH.cer) to the same directory.
  3. Log in to the ADFS server and open an administrative PowerShell prompt: right-click the PowerShell shortcut and choose Run as administrator.
  4. Make sure the PowerShell execution policy allows the script to run.
    • To check the current execution policy, execute the command:
      Get-ExecutionPolicy
    • If the output shows something other than Unrestricted, execute the command:
      Set-ExecutionPolicy Unrestricted
    Unrestricted is broader than these scripts need: RemoteSigned is enough to run a locally stored script, and adding -Scope Process to Set-ExecutionPolicy limits the change to the current session instead of the whole machine.
  5. Change the working directory of the command prompt by executing the command:
    cd c:\SDL.ISH
  6. Before running the script, load the ADFS PowerShell module by issuing the command:
    Import-Module ADFS
  7. Execute the command:
    .\SDL.ISH-ADFSv3.0-RP-Install.ps1 "C:\SDL.ISH\SDL.ISH.cer"
    When the script finishes, open AD FS Management: you should see two new Relying Party Trust entries whose identifiers are the base URLs of your Content Manager instance (one for the web UI, one for the WCF services).
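The following PowerShell check is an added example for this page, not an SDL script. It validates the exported certificate before you run SDL.ISH-ADFSv3.0-RP-Install.ps1 (public key only, not expired, thumbprint equal to servicecertificatethumbprint), reports whether the execution policy will let the script run, and then lists the relying party trusts in ADFS whose identifier starts with the Content Manager base URL. The $BaseUrl value and the assumption that both trust identifiers start with it are hypothetical; the expected outcome is zero matching trusts before the install script, two after it, and zero again after the uninstall script from the next section.

```powershell
# Added pre-flight and post-install check for the Content Manager relying party trusts.
# Example code written for this page; not part of the SDL installation scripts.
# Assumptions (not stated on the page): the ADFS PowerShell module is present on the
# ADFS server, and the identifiers of the two trusts created by the SDL install script
# start with the Content Manager base URL passed in $BaseUrl.
param(
    [Parameter(Mandatory = $true)]
    [string]$CerPath,            # e.g. C:\SDL.ISH\SDL.ISH.cer
    [Parameter(Mandatory = $true)]
    [string]$BaseUrl,            # e.g. https://ish.example.com (hypothetical value)
    [string]$ExpectedThumbprint  # value of servicecertificatethumbprint, optional
)

$ErrorActionPreference = 'Stop'
Import-Module ADFS

# 1. The exported file must contain only the public key. A .cer cannot hold a private
#    key, but a .pfx copied by mistake would; refuse to continue in that case.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
if ($cert.HasPrivateKey) {
    throw "$CerPath contains a private key. Export the public key only and delete this file."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}
if ($ExpectedThumbprint) {
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint $($cert.Thumbprint) does not match servicecertificatethumbprint $expected."
    }
}
Write-Host "Certificate OK: $($cert.Subject) ($($cert.Thumbprint)), valid until $($cert.NotAfter)"

# 2. A locally stored script needs at least RemoteSigned in this session. The page uses
#    Unrestricted; this only reports what is currently in effect.
$policy = Get-ExecutionPolicy
if (@('Restricted', 'AllSigned') -contains "$policy") {
    Write-Warning "Execution policy is $policy; relax it first, e.g. Set-ExecutionPolicy RemoteSigned -Scope Process"
}

# 3. List the trusts whose identifier starts with the Content Manager base URL and show
#    whether each trust's encryption certificate is the certificate exported above.
$trusts = Get-AdfsRelyingPartyTrust | Where-Object {
    @($_.Identifier -like "$BaseUrl*").Count -gt 0
}
Write-Host ("Relying party trusts matching {0}: {1}" -f $BaseUrl, @($trusts).Count)
foreach ($t in $trusts) {
    $enc = $t.EncryptionCertificate
    $encThumb = if ($enc) { $enc.Thumbprint } else { '<none>' }
    $matches = ($encThumb -eq $cert.Thumbprint)
    Write-Host ("  {0}  Enabled={1}  Identifiers={2}  EncryptionCert={3}  MatchesExportedCert={4}" -f
        $t.Name, $t.Enabled, ($t.Identifier -join ', '), $encThumb, $matches)
}
```

Run it from the same administrative prompt, e.g. .\Check-IshRpTrusts.ps1 -CerPath C:\SDL.ISH\SDL.ISH.cer -BaseUrl https://ish.example.com -ExpectedThumbprint <thumbprint>, once before step 7 and once after. A trust that appears but reports MatchesExportedCert=False for the WCF services is the first thing to inspect in AD FS Management if WCF logins fail.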

Removing the relying party entries for webUI and WCF Services

If you want to remove the Relying Party entries, for instance because Content Manager is moved to another server or the URL has changed, follow the steps below.

Procedure

  1. Check that the uninstall script SDL.ISH-ADFSv3.0-RP-UnInstall.ps1 is present on the ADFS server, e.g. in C:\SDL.ISH. If not, copy it from the Content Manager application server directory \InfoShare\App\Setup\STS\ADFS\Scripts\ .
  2. Log in to the ADFS server and open an administrative PowerShell prompt (right-click the PowerShell shortcut and choose Run as administrator), then change to the directory containing the script, e.g. cd C:\SDL.ISH.
  3. Before running the script, load the ADFS PowerShell module by issuing the command:
    Import-Module ADFS
  4. Execute the command:
    .\SDL.ISH-ADFSv3.0-RP-UnInstall.ps1
    When the script finishes, open AD FS Management: the two Relying Party Trust entries for Content Manager should be gone.