Security and access management

Tridion Sites supports a number of options for securing access to the system. The Tridion Access Management application, or more simply Access Management, gives administrators a single, simplified interface for managing access for both end users and application APIs.

Unified single sign-on

By functioning as a federation gateway and managing client credentials, Access Management provides single sign-on (SSO) for end users across the different applications that make up a Tridion Sites implementation.

User interface for managing system access

Access Management provides a centralized interface for configuring authentication. Administrators can use the Access Management user interface to perform the following tasks:

  • Create and maintain connections to external identity providers.
  • Configure authentication for Tridion Sites applications.
  • Manage client credentials for applications, end users and service accounts.

Simplified configuration of external identity providers

Access Management provides a simplified implementation based on a single protocol, OpenID Connect, while still supporting the use of other protocols by external identity providers. The following Tridion Sites applications and services come pre-configured to interact with Access Management through OpenID Connect:

  • The Tridion Sites Classic user interface, extensions and underlying Core Service API
  • The Tridion Sites Experience Space user interface and underlying Core Service REST API
  • The Add-ons feature, both the user interface and the API
  • The Access Management application itself, both the user interface and the API
  • Content Manager desktop clients (includes Content Porter, Template Builder, Visio Workflow Designer and the TcmUploadAssembly command line tool)

Implementors only need to configure one application on the external identity provider system. The different Tridion Sites applications and services are not impacted by external identity provider changes.

Role-based authorization

Tridion Sites supports a role-based authorization model where defined roles or user groups in Tridion Sites can be mapped to groups managed in the external identity provider. The method of mapping roles and groups differs somewhat for the different applications, and not all are supported by Access Management at this time. At a high level, the various mechanisms for mapping are as follows:

Content Manager

Role-based user groups in Content Manager are mapped directly to groups in an external identity provider. The mapping mechanism is supported through Access Management's claim forwarding mechanism.

The exception to this usage of forwarded claims is the Administrator group in Content Manager. For this group, Access Management has a defined Administrator role, which you can map to claims with specific values that come from the external identity provider.

Add-ons

Access Management roles for accessing the Add-ons application are mapped to claims with specific values that come from the external identity provider.

Topology Manager

Topology Manager roles are mapped to Windows groups.
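
The two mapping styles described above for Content Manager and Add-ons (forwarded group claims mapped to application user groups, and an administrator role granted only on a specific claim value) can be illustrated with a small claim-mapping routine. The code below is an added example, not Tridion's or Access Management's own implementation; the group names, claim keys, issuer and audience values are constructed assumptions, and signature verification of the token is assumed to have been done by the OpenID Connect library before the decoded claims reach this step.

```python
"""Illustrative claim-to-role mapping (added example, not product code).

Decoded ID-token claims from an external identity provider are checked for
issuer, audience and expiry, then mapped to application groups. Unknown
groups grant nothing, and the administrator role is only granted when one
specific claim carries one specific value. All names below are assumptions.
"""
import time

# Assumption: which identity-provider group names map to which application groups.
GROUP_MAP = {
    "cms-editors": "Editors",
    "cms-publishers": "Publishers",
}

# Assumption: the administrator role requires this exact claim/value pair,
# and is never inferred from a forwarded group name.
ADMIN_CLAIM = ("app_role", "cms-admin")

EXPECTED_ISSUER = "https://idp.example.test"  # constructed placeholder
EXPECTED_AUDIENCE = "tridion-sites"            # constructed placeholder


def validate_claims(claims, now=None):
    """Return (ok, reason). Rejects tokens from the wrong issuer, tokens not
    issued for this application, and expired tokens."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "unexpected issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        return False, "token not intended for this application"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, ""


def map_roles(claims, now=None):
    """Return the set of application groups/roles for a validated token."""
    ok, reason = validate_claims(claims, now)
    if not ok:
        raise PermissionError(reason)
    roles = set()
    # Forwarded group claims: only groups listed in GROUP_MAP grant anything;
    # anything else from the identity provider is ignored rather than passed through.
    for group in claims.get("groups", []):
        if group in GROUP_MAP:
            roles.add(GROUP_MAP[group])
    # Administrator: exact, case-sensitive match on the configured claim value.
    key, value = ADMIN_CLAIM
    if claims.get(key) == value:
        roles.add("Administrator")
    return roles


def demo():
    """Run the mapping on a constructed token and return the resulting roles."""
    constructed_token = {
        "iss": EXPECTED_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "exp": time.time() + 300,
        "sub": "user-123",
        "groups": ["cms-editors", "some-unrelated-group"],
        "app_role": "cms-admin",
    }
    return map_roles(constructed_token)


if __name__ == "__main__":
    print(sorted(demo()))  # ['Administrator', 'Editors']
```

The point the section makes is visible in the two branches of map_roles: group membership is forwarded and translated through an explicit allow-list, while the administrator role needs a specific claim with a specific value; a group merely named like an admin group grants nothing.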

Content Delivery authentication through OAuth

Content Delivery provides a secure connection for Tridion Sites components through a separate OAuth authentication mechanism. If you wish to integrate third-party software components with Content Delivery, you must manually configure them for OAuth.