Configuring single sign-on

SDL Tridion enables you to integrate Content Manager with single sign-on (SSO) servers such as CA SiteMinder and IBM Tivoli Access Manager (TAM).

Integration with these servers ensures that Content Manager users no longer need to log in separately.

If you configure single sign-on integration, you cannot configure LDAP integration, and vice versa.

Configuring your system for single sign-on consists of the following steps:

Set up IIS for anonymous access only

If you run Windows 2008, do the following:

  • Click the Server Manager button in the taskbar and in the Server Manager window that opens, select Roles > Web Server (IIS) > Internet Information Services (IIS) Manager.
  • From the IIS tree, open the node representing this machine, and select Sites, then select the SDL Tridion 2011 Web site.
  • Double-click the Authentication icon on the right and change the settings that appear as follows:

    • Select the Anonymous Authentication row and click Enable in the Actions area on the right.
    • Select each of the other rows in turn and for each row, click Disable in the Actions area on the right. (If necessary, you could choose to keep Digest Authentication and Forms Authentication enabled.)
  • Close Server Manager.

Alternatively, if you run Windows 2003, do the following:

  • Access Settings > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
  • From the IIS tree, open the node representing this machine, and select Web Sites, then select the SDL Tridion 2011 Web site.
  • Right-click SDL Tridion 2011 and choose Properties from the context menu. In the Properties dialog that opens, access the Directory Security tab, and in the Authentication and access control area, click Edit. In the Authentication Methods dialog that opens, configure the security settings of the site as follows:

    • Select Enable anonymous access
    • Clear Basic authentication
    • Clear Integrated Windows authentication
  • Click OK to commit these changes, and in the Properties dialog that reappears, click OK to return to IIS Manager.
  • Close IIS Manager.
Edit web.config in web\

Configure an HTTP module that can handle single sign-on requests. Next, open the web.config located in the Web site root location, that is, the web\ subfolder of the Content Manager root location (defaults to c:\Program Files\Tridion or c:\Program Files (x86)\Tridion). The file contains comments indicating what to do to configure the site for single sign-on integration. The changes to make are as follows:

  • In the system.web/httpModules section, uncomment the following line:

    <add name="SsoAgentHttpModule" type="Tridion.Security.Web.SsoAgentHttpModule, Tridion.Security, Version=6.1.0.XX, Culture=neutral, PublicKeyToken=ddfc895746e5ee6b" />
  • Only if you use IIS 7.0 or IIS 7.5, in the system.webServer/modules section, uncomment the following line:

    <add name="SsoAgentHttpModule" type="Tridion.Security.Web.SsoAgentHttpModule, Tridion.Security, Version=6.1.0.XX, Culture=neutral, PublicKeyToken=ddfc895746e5ee6b" />

    (In both cases, XX will be the same 2-digit number.)

  • Save and close Web.config.
Edit web.config in webservices\

Next, open the web.config located in the webservices\ subfolder of the Content Manager root location. The file contains comments indicating what to do to configure the Core Service for single sign-on integration.

The changes to make in this file are as follows:

  • In the <system.serviceModel> section, confirm the presence of a serviceHostingEnvironment element with an aspNetCompatibilityEnabled attribute set to true.
  • In the system.serviceModel/bindings/basicHttpBinding section, find the two binding sections, one with its name attribute set to CoreService_basicHttpBinding and another one with its name attribute set to StreamDownload_basicHttpBinding. In each section, set the clientCredentialType attribute of the transport element to the value None rather than the default value Windows.
  • Save and close this web.config file.
Edit web.config in WebUI\WebRoot

Next, access the web.config file located in the WebUI\WebRoot subfolder of the Content Manager root location (defaults to c:\Program Files\Tridion or c:\Program Files (x86)\Tridion). The changes to make are as follows:

  • Uncomment the following <appSettings> key and specify the base address hostname and port number so that WCF works properly:
    <add key="Tridion.WCF.RedirectTo" value="hostname:portnumber"/>
  • Place comment delimiters around the <authorization> section:
    <!--
    <authorization>
      <deny users="?"/>
    </authorization>
    -->
  • In the system.serviceModel/bindings/webHttpBinding section, find the binding section with its name attribute set to Tridion.Web.UI.ContentManager.WebServices.WebHttpBindingConfig and set the clientCredentialType attribute of the transport element to the value None rather than the default value Windows.
  • In the system.serviceModel/behaviors/serviceBehaviors section, find the behavior section with its name attribute set to Tridion.Web.UI.ContentManager.WebServices.DeveloperBehavior. In this section, find a commented-out section named serviceAuthorization and remove the comment delimiters:

    <serviceAuthorization principalPermissionMode="Custom">
      <authorizationPolicies>
        <add policyType="Tridion.Web.ServiceModel.HttpIdentityPolicy, Tridion.Web.ServiceModel"/>
        <add policyType="Tridion.Web.ServiceModel.HttpPrincipalPolicy, Tridion.Web.ServiceModel"/>
      </authorizationPolicies>
    </serviceAuthorization>
Edit web.config in WebUI\Editors\CME\Themes

Next, access the web.config file located in the WebUI\Editors\CME\Themes subfolder of the Content Manager root location (defaults to c:\Program Files\Tridion or c:\Program Files (x86)\Tridion). In this file, place comment delimiters around the <authorization> section:

<!--
<authorization>
  <deny users="?"/>
</authorization>
-->
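As an added check (not part of the SDL Tridion documentation or product), the following Python script parses the edited webservices\ and WebUI\WebRoot web.config files and reports settings that still differ from the steps above; the embedded sample file is constructed, and the placeholder value hostname:portnumber is the one from the WebUI\WebRoot step.

```python
"""Added consistency check for the web.config edits above (not an SDL tool).
ElementTree drops XML comments, so a setting the steps say to comment out or
uncomment is simply absent or present once the file is parsed."""
import xml.etree.ElementTree as ET

# Bindings the steps say must use transport clientCredentialType="None".
CORE_BINDINGS = ("CoreService_basicHttpBinding", "StreamDownload_basicHttpBinding")
DEV_BEHAVIOR = "Tridion.Web.UI.ContentManager.WebServices.DeveloperBehavior"

def check_webservices_config(xml_text):
    """webservices\\web.config: return findings; an empty list means it matches the steps."""
    root, findings = ET.fromstring(xml_text), []
    she = root.find("system.serviceModel/serviceHostingEnvironment")
    if she is None or she.get("aspNetCompatibilityEnabled", "").lower() != "true":
        findings.append("serviceHostingEnvironment aspNetCompatibilityEnabled must be true")
    for name in CORE_BINDINGS:
        binding = root.find(f"system.serviceModel/bindings/basicHttpBinding/binding[@name='{name}']")
        transport = binding.find(".//transport") if binding is not None else None
        cred = transport.get("clientCredentialType") if transport is not None else None
        if cred != "None":
            findings.append(f"{name}: transport clientCredentialType is {cred!r}, expected 'None'")
    return findings

def check_webroot_config(xml_text):
    """WebUI\\WebRoot\\web.config: <deny users="?"/> must be gone, but only together with the
    Custom serviceAuthorization policies, otherwise nothing identifies Explorer callers."""
    root, findings = ET.fromstring(xml_text), []
    redirect = root.find("appSettings/add[@key='Tridion.WCF.RedirectTo']")
    if redirect is None or redirect.get("value") == "hostname:portnumber":
        findings.append("Tridion.WCF.RedirectTo is missing or still set to the placeholder")
    if root.find(".//authorization/deny[@users='?']") is not None:
        findings.append("<deny users=\"?\"/> is still active; comment out the authorization section")
    auth = root.find("system.serviceModel/behaviors/serviceBehaviors/"
                     f"behavior[@name='{DEV_BEHAVIOR}']/serviceAuthorization")
    policies = [] if auth is None else [a.get("policyType", "")
                                        for a in auth.findall("authorizationPolicies/add")]
    if auth is None or auth.get("principalPermissionMode") != "Custom" or not any(
            p.startswith("Tridion.Web.ServiceModel.HttpIdentityPolicy") for p in policies):
        findings.append("serviceAuthorization with the HttpIdentityPolicy entry is not enabled")
    return findings

# Constructed sample: a trimmed webservices\web.config where StreamDownload was left on "Windows".
SAMPLE_WEBSERVICES = """<configuration><system.serviceModel>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
  <bindings><basicHttpBinding>
    <binding name="CoreService_basicHttpBinding"><security><transport clientCredentialType="None"/></security></binding>
    <binding name="StreamDownload_basicHttpBinding"><security><transport clientCredentialType="Windows"/></security></binding>
  </basicHttpBinding></bindings></system.serviceModel></configuration>"""
```

Run each function on the text of the real file (for example check_webservices_config(open(path).read())); an empty list means that file matches the steps, and any string returned names the setting still to change.
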
Set up your single sign-on server

  • First, ensure that the location /webservices/CoreService2011.svc (or /webservices/CoreService.svc, if you are using SDL Tridion 2011-compatible endpoints), relative to the Content Manager Explorer root URL, and all of its subdirectories have been put behind a Basic Authentication junction in your SSO proxy.
  • Your single sign-on server (such as SiteMinder or Tivoli) must exclude some locations from authentication in order for SDL Tridion to work properly. Refer to the documentation of your single sign-on server to learn how to exclude these locations (relative to the Content Manager Explorer root URL):

    • /TemplateBuilder
    • /webservices/CoreService2011.svc/mex (or /webservices/CoreService.svc/mex)
    • /webservices/CoreService2011.svc/streamUpload_basicHttp (or /webservices/CoreService.svc/streamUpload_basicHttp)
  • In addition, your single sign-on server should also be configured as follows:

    • The server should not use cookies
    • The server should allow GET and POST HTTP methods
    • The server should allow the following WebDAV HTTP methods: OPTIONS, HEAD, DELETE, TRACE, PROPFIND, PROPPATCH, COPY, MOVE, LOCK, UNLOCK.
Edit Single Sign On screen in MMC Snap-in

This step is explained in Single Sign On.