Optimizing LDAP authentication

The Core Service enables you to optimize authentication of users accessing the Content Manager through an SDL Tridion Sites user interface (Content Manager Explorer or Experience Manager). If you are using LDAP, the retrieved authentication information, embedded in SAML tokens, is passed to the Core Service.

The Core Service Client Assembly is the built-in .NET client for interacting with the Core Service. The Core Service Client Assembly includes code for issuing security tokens (Secure Token Issuer). When a user provides credentials in an SDL Tridion Sites user interface, the Core Service Client Assembly presents the information to the Secure Token Issuer to perform authentication and retrieve additional information such as group membership. If successfully authenticated, the Secure Token Issuer creates a security token (SAML) containing authenticated user information and uses the token as an entry pass to call the Core Service. The Core Service verifies the token, trusting whoever is using it, and allows the client application to execute a call without any additional authentication checks.

To implement this optimized LDAP authentication, on the Content Manager system you need to generate the following certificates:

Certificate                  Description
Token Issuer private.pfx     Generates SAML tokens.
Token Issuer public.cer      Verifies the Secure Token Issuer.
Core Service private.pfx     Decrypts tokens and all communication.
Core Service public.cer      Encrypts tokens and all communication.

You then need to configure certificates in:

  • the user interface web.config file.
  • the Core Service configuration file (web.config or TcmServiceHost.exe.config, depending on whether you are running the Core Service in IIS or as a Windows service).
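The following added example (not SDL Tridion Sites code) models the roles of the four certificates in the table above with raw RSA keys in Go: the Token Issuer private key signs the token, the Core Service public key encrypts it, and the Core Service decrypts with its private key and verifies the signature with the Token Issuer public key before trusting the bearer. The token body, key pairs and function names are constructed for the illustration; a real SAML token is signed XML larger than one RSA block and would be encrypted under a wrapped symmetric key rather than directly.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in for a SAML token body (a real token is signed XML).
const sampleToken = `<Assertion user="alice" groups="Editors"/>`

// Issue models the Secure Token Issuer: sign the token with the
// "Token Issuer private.pfx" key, then encrypt it for the
// "Core Service public.cer" key so only the Core Service can read it.
func Issue(token []byte, issuerPriv *rsa.PrivateKey, corePub *rsa.PublicKey) (cipher, sig []byte, err error) {
	digest := sha256.Sum256(token)
	sig, err = rsa.SignPKCS1v15(rand.Reader, issuerPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, nil, err
	}
	// Direct OAEP encryption only fits small payloads; fine for the sample token.
	cipher, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, corePub, token, nil)
	return cipher, sig, err
}

// Verify models the Core Service: decrypt with "Core Service private.pfx",
// check the signature against "Token Issuer public.cer", and only then
// treat the token as an entry pass for whoever presents it.
func Verify(cipher, sig []byte, corePriv *rsa.PrivateKey, issuerPub *rsa.PublicKey) ([]byte, error) {
	token, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, corePriv, cipher, nil)
	if err != nil {
		return nil, fmt.Errorf("token rejected: decrypt failed: %w", err)
	}
	digest := sha256.Sum256(token)
	if err := rsa.VerifyPKCS1v15(issuerPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("token rejected: untrusted issuer signature: %w", err)
	}
	return token, nil
}

func main() {
	issuer, _ := rsa.GenerateKey(rand.Reader, 2048) // Token Issuer key pair
	core, _ := rsa.GenerateKey(rand.Reader, 2048)   // Core Service key pair
	c, s, _ := Issue([]byte(sampleToken), issuer, &core.PublicKey)
	tok, err := Verify(c, s, core, &issuer.PublicKey)
	fmt.Println(string(tok), err)
}
```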