Configuring single sign-on
SDL Tridion enables you to integrate Content Manager with single sign-on (SSO) servers such as CA SiteMinder and IBM Tivoli Access Manager (TAM).
Integration with these servers ensures that Content Manager users no longer need to log in separately.
If you configure single sign-on integration, you cannot configure LDAP integration, and vice versa.
Configuring your system for single sign-on consists of the following steps:
- Set up IIS for anonymous access only
  If you run Windows 2008, do the following:
  - Click the Server Manager button in the taskbar and in the Server Manager window that opens, select .
  - From the IIS tree, open the node representing this machine, select Sites, and then select the SDL Tridion 2011 Web site. Double-click the Authentication icon on the right and change the settings that appear as follows:
    - Select the Anonymous Authentication row and click Enable in the Actions area on the right.
    - Select each of the other rows in turn and, for each row, click Disable in the Actions area on the right. (If necessary, you can keep Digest Authentication and Forms Authentication enabled.)
  - Close Server Manager.
  Alternatively, if you run Windows 2003, do the following:
  - Access .
  - From the IIS tree, open the node representing this machine, select Web Sites, and then select the SDL Tridion 2011 Web site. Right-click SDL Tridion 2011 and choose Properties from the context menu. In the Properties dialog that opens, access the Directory Security tab, and in the Authentication and access control area, click Edit. In the Authentication Methods dialog that opens, configure the security settings of the site as follows:
    - Select Enable anonymous access
    - Clear Basic authentication
    - Clear Integrated Windows authentication
    - Click OK to commit these changes, and in the Properties dialog that reappears, click OK to return to IIS Manager.
  - Close IIS Manager.
- Edit web.config in web\
  This step registers the HTTP module that handles single sign-on requests. Open the web.config located in the Web site root location, that is, the web\ subfolder of the Content Manager root location (defaults to c:\Program Files\Tridion or c:\Program Files (x86)\Tridion). The file contains comments indicating what to do to configure the site for single sign-on integration. The changes to make are as follows:
  - In the system.web/httpModules section, uncomment the following line:
    <add name="SsoAgentHttpModule" type="Tridion.Security.Web.SsoAgentHttpModule, Tridion.Security, Version=6.1.0.XX, Culture=neutral, PublicKeyToken=ddfc895746e5ee6b" />
  - Only if you use IIS 7.0 or IIS 7.5, in the system.webServer/modules section, uncomment the following line:
    <add name="SsoAgentHttpModule" type="Tridion.Security.Web.SsoAgentHttpModule, Tridion.Security, Version=6.1.0.XX, Culture=neutral, PublicKeyToken=ddfc895746e5ee6b" />
    (In both cases, XX is the same two-digit number.)
  - Save and close web.config.
- Edit web.config in webservices\
  Next, open the web.config located in the webservices\ subfolder of the Content Manager root location. The file contains comments indicating what to do to configure the Core Service for single sign-on integration. The changes to make in this file are as follows:
  - In the <system.serviceModel> section, confirm the presence of a serviceHostingEnvironment element with an aspNetCompatibilityEnabled attribute set to true.
  - In the system.serviceModel/bindings/basicHttpBinding section, find the two binding sections, one with its name attribute set to CoreService_basicHttpBinding and the other with its name attribute set to StreamDownload_basicHttpBinding. In each section, set the clientCredentialType attribute of the transport element to the value None rather than the default value Windows.
  - Save and close this web.config file.
- Edit web.config in WebUI\WebRoot
  Next, open the web.config file located in the WebUI\WebRoot subfolder of the Content Manager root location (defaults to c:\Program Files\Tridion or c:\Program Files (x86)\Tridion). The changes to make are as follows:
  - Uncomment the following <appSettings> key and specify the base address hostname and portnumber to enable WCF to work properly:
    <add key="Tridion.WCF.RedirectTo" value="hostname:portnumber"/>
  - Place comment delimiters around the <authorization> section:
    <!--
    <authorization>
      <deny users="?"/>
    </authorization>
    -->
  - In the system.serviceModel/bindings/webHttpBinding section, find the binding section with its name attribute set to Tridion.Web.UI.ContentManager.WebServices.WebHttpBindingConfig and set the clientCredentialType attribute of the transport element to the value None rather than the default value Windows.
  - In the system.serviceModel/behaviors/serviceBehaviors section, find the behavior section with its name attribute set to Tridion.Web.UI.ContentManager.WebServices.DeveloperBehavior. In this section, find the commented-out section named serviceAuthorization and remove the comment delimiters:
    <serviceAuthorization principalPermissionMode="Custom">
      <authorizationPolicies>
        <add policyType="Tridion.Web.ServiceModel.HttpIdentityPolicy, Tridion.Web.ServiceModel"/>
        <add policyType="Tridion.Web.ServiceModel.HttpPrincipalPolicy, Tridion.Web.ServiceModel"/>
      </authorizationPolicies>
    </serviceAuthorization>
- Edit web.config in WebUI\Editors\CME\Themes
  Next, open the web.config file located in the WebUI\Editors\CME\Themes subfolder of the Content Manager root location (defaults to c:\Program Files\Tridion or c:\Program Files (x86)\Tridion). In this file, place comment delimiters around the <authorization> section:
    <!--
    <authorization>
      <deny users="?"/>
    </authorization>
    -->
- Set up your single sign-on server
  - First, ensure that the location /webservices/CoreService2011.svc (or /webservices/CoreService.svc, if you are using SDL Tridion 2011-compatible endpoints), relative to the Content Manager Explorer root URL, and all of its subdirectories have been put behind a Basic Authentication junction in your SSO proxy.
  - Your single sign-on server (such as SiteMinder or Tivoli) must exclude some locations from authentication in order for SDL Tridion to work properly. Refer to the documentation of your single sign-on server to learn how to exclude these locations (relative to the Content Manager Explorer root URL):
    - /TemplateBuilder
    - /webservices/CoreService2011.svc/mex (or /webservices/CoreService.svc/mex)
    - /webservices/CoreService2011.svc/streamUpload_basicHttp (or /webservices/CoreService.svc/streamUpload_basicHttp)
  - In addition, your single sign-on server should be configured as follows:
    - The server should not use cookies
    - The server should allow the GET and POST HTTP methods
    - The server should allow the following WebDAV HTTP methods: OPTIONS, HEAD, DELETE, TRACE, PROPFIND, PROPPATCH, COPY, MOVE, LOCK, UNLOCK.
- Edit the Single Sign On screen in the MMC Snap-in
  This step is explained in Single Sign On.
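As an added check (not part of the SDL Tridion documentation or product), the following Python script audits the WebUI\WebRoot web.config edits from the steps above against a constructed sample fragment; the sample XML, the hostname cms.example.local and the function names are assumptions, and the real file contains far more than what is modelled here.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on WebUI\WebRoot\web.config after the edits
# above (not a copy of the real Tridion file; cms.example.local is assumed).
WEBROOT_CONFIG = """<configuration>
  <appSettings>
    <add key="Tridion.WCF.RedirectTo" value="cms.example.local:80"/>
  </appSettings>
  <system.web>
    <!-- <authorization> <deny users="?"/> </authorization> -->
  </system.web>
  <system.serviceModel>
    <bindings><webHttpBinding>
      <binding name="Tridion.Web.UI.ContentManager.WebServices.WebHttpBindingConfig">
        <security mode="TransportCredentialOnly"><transport clientCredentialType="None"/></security>
      </binding>
    </webHttpBinding></bindings>
    <behaviors><serviceBehaviors>
      <behavior name="Tridion.Web.UI.ContentManager.WebServices.DeveloperBehavior">
        <serviceAuthorization principalPermissionMode="Custom"/>
      </behavior>
    </serviceBehaviors></behaviors>
  </system.serviceModel>
</configuration>"""

BINDING = "Tridion.Web.UI.ContentManager.WebServices.WebHttpBindingConfig"
BEHAVIOR = "Tridion.Web.UI.ContentManager.WebServices.DeveloperBehavior"

def audit_webroot(xml_text):
    """Collect the SSO-relevant settings of a WebUI\\WebRoot-style web.config.
    ElementTree drops XML comments, so an element that is still commented out
    (or newly commented out) simply does not appear in the parsed tree."""
    root = ET.fromstring(xml_text)
    redirect = root.find("appSettings/add[@key='Tridion.WCF.RedirectTo']")
    transport = root.find(f".//binding[@name='{BINDING}']/security/transport")
    authz = root.find(f".//behavior[@name='{BEHAVIOR}']/serviceAuthorization")
    return {
        "wcf_redirect": redirect.get("value") if redirect is not None else None,
        # An active <deny users="?"/> rejects the anonymous IIS request before
        # the SSO agent module has supplied the user identity.
        "anonymous_denied": root.find("system.web/authorization/deny[@users='?']") is not None,
        "client_credential_type": transport.get("clientCredentialType") if transport is not None else None,
        "custom_authorization": authz is not None and authz.get("principalPermissionMode") == "Custom",
    }

def sso_ready(findings):
    """True only when every setting matches the procedure above."""
    return (findings["wcf_redirect"] is not None and not findings["anonymous_denied"]
            and findings["client_credential_type"] == "None" and findings["custom_authorization"])
```

Running audit_webroot on the real file after each edit shows which of the four settings still has its default value.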