Running the SAML installation script for Content Manager

Run a PowerShell script on the Content Manager server to configure SAML for your Content Manager. In addition to this script, you can also run scripts to set up HTTPS, LDAP, or both.

Before you begin

You must be logged on as an administrator user to perform this task.

PowerShell must be installed on your target system.

If you set up SAML, SDL strongly recommends that you also set up HTTPS.

Procedure

  1. Access your Content Manager server.
  2. If you want to specify your installation parameters up front, rather than while the script runs, create a plain text file with a name and location of your choosing, and fill it with lines of the format PROPERTY=VALUE, where PROPERTY is a property in the table below, and VALUE is a value that corresponds to the description for that property:
    Property | Description
    TokenIssuerCertThumbprint | Set to the thumbprint of the token issuer's certificate, a 40-character string, or to new to specify your own, self-signed certificate.
    TokenIssuerCertFriendlyName | Only if you use a self-signed certificate, set to the Friendly Name of the token issuer's self-signed certificate as listed in the Server Certificates screen in IIS Manager.
    TokenIssuerCertPassword | Only if you use a self-signed certificate, set to the password of the token issuer's self-signed certificate.
    CoreServiceCertThumbprint | Set to the thumbprint of the Core Service certificate, a 40-character string, or to new to specify your own, self-signed certificate.
    CoreServiceCertFriendlyName | Only if you use a self-signed certificate, set to the Friendly Name of the Core Service self-signed certificate as listed in the Server Certificates screen in IIS Manager.
    CoreServiceCertPassword | Only if you use a self-signed certificate, set to the password of the Core Service self-signed certificate.
    CoreServiceType | Set to the type of Core Service hosting.
    The CoreServiceType can have one of the following values:
    Value | Short version | Description
    IIS | i | The Core Service is hosted in IIS.
    Windows Service | s | The Core Service is hosted as a Windows service.
    Both | b | Both of the above are true.
    In addition, depending on your IdP, you need to specify additional properties, including:
    Property | Description
    TCM_Name | The internal name of the IdP, used in an SP-initiated scenario.
    SamlAdminUser | A string of the form IDP:EMAIL, where IDP is the value of TCM_Name and EMAIL is a valid email address. This creates a user with this string as an administrator in the database for initial group mapping.
    issuer | A URI that identifies the IdP.
    SP_Audience | This string is used to check the IdP on the server side. In an IdP-initiated scenario, this needs to be changed to return the same value as for the service provider.
    SP_AssertionConsumerServiceUrl | The return URL, which must be set to ~/WebUI/.
    Name | The identifier for the IdP node.
  3. Open Windows PowerShell from the Windows Start Menu.
  4. Navigate to %TRIDION_HOME%\bin\Configuration Scripts\.
  5. Enter one of the following:
    • If you created a file with property-value pairs, enter & .\SetupSAML.ps1 -pf FILE, where FILE is the full path and filename of the file you created.
    • If you did not create a file, enter & .\SetupSAML.ps1. The script will prompt you for values for the properties.
  6. Specify none, any or all of the following additional command line switches for the script:
    Switch | Short version of switch | Default value if omitted | Description
    -LogPath | -l | %Temp%\Setup_SAML_HHmmssMMddyyyy.log, where HHmmssMMddyyyy indicates the start time of the log | The full path to, and name of, the log file
    -NonInteractive | -ni | False | If set, the script acts as if PowerShell runs in non-interactive mode
    -ParamsFilePath | -pf | .\SetupSAML_params.txt | The full path to, and name of, the file with parameter-value pairs
    -SkipIdpConfiguration | -sidp | False | Skip the IdP configuration
    -SkipServiceRestart | -sr | False | Disables the restart of the services when the script has ended
    -WcfUser | (none) | (none) | The name of a user to connect to the WCF service
    -WcfPassword | (none) | (none) | The password of that user to connect to the WCF service
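The following PowerShell snippet is an added example, not part of SDL's SetupSAML.ps1: it checks a PROPERTY=VALUE parameters file against the rules in the tables above (thumbprint format or "new", the self-signed-only properties, CoreServiceType, the IDP:EMAIL form of SamlAdminUser and the fixed return URL) before the setup script is run, so that a typo does not leave a half-configured SAML setup. The function name Test-SamlParamsFile and the file paths are assumptions.

```powershell
# Added example (not SDL's code): validate a SetupSAML parameters file before use.
function Test-SamlParamsFile {
    param([Parameter(Mandatory)][string]$Path)

    $p = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*(#|$)') { continue }        # skip blank and comment lines
        $name, $value = $line -split '=', 2
        $p[$name.Trim()] = $value.Trim()
    }
    $errors = New-Object System.Collections.Generic.List[string]

    # Each certificate is either an existing thumbprint (40 hex chars) or "new";
    # FriendlyName and Password apply only to the self-signed ("new") case.
    foreach ($cert in 'TokenIssuerCert', 'CoreServiceCert') {
        $thumb = $p["${cert}Thumbprint"]
        if ($thumb -eq 'new') {
            foreach ($k in "${cert}FriendlyName", "${cert}Password") {
                if (-not $p[$k]) { $errors.Add("$k is required when ${cert}Thumbprint=new") }
            }
        } elseif ($thumb -notmatch '^[0-9A-Fa-f]{40}$') {
            $errors.Add("${cert}Thumbprint must be 40 hex characters or 'new'")
        } elseif (-not (Test-Path "Cert:\LocalMachine\My\$thumb")) {
            $errors.Add("${cert}Thumbprint $thumb not found in LocalMachine\My")
        }
    }

    if ($p['CoreServiceType'] -notin 'IIS', 'Windows Service', 'Both') {
        $errors.Add("CoreServiceType must be IIS, Windows Service or Both")
    }

    # SamlAdminUser must be IDP:EMAIL with IDP equal to TCM_Name.
    $idp, $mail = ($p['SamlAdminUser'] -split ':', 2)
    if ($idp -ne $p['TCM_Name'] -or $mail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        $errors.Add("SamlAdminUser must be '<TCM_Name>:<email>'")
    }
    if ($p['SP_AssertionConsumerServiceUrl'] -ne '~/WebUI/') {
        $errors.Add("SP_AssertionConsumerServiceUrl must be ~/WebUI/")
    }
    if ($p['issuer'] -and -not [Uri]::IsWellFormedUriString($p['issuer'], 'Absolute')) {
        $errors.Add("issuer must be a well-formed absolute URI")
    }
    return $errors
}

# Run the setup script only if the file passes; paths are placeholders.
$paramsFile = 'C:\setup\saml_params.txt'
$problems = Test-SamlParamsFile -Path $paramsFile
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { & .\SetupSAML.ps1 -pf $paramsFile -l 'C:\setup\saml.log' }
```

Run it from %TRIDION_HOME%\bin\Configuration Scripts\ in an elevated PowerShell session, since the thumbprint lookup reads the LocalMachine certificate store.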