Configuring the secured Add-on service in Content Manager

If you have secured your Add-on service, you must ensure that Content Manager can connect to it. To do so, modify the addonsSettings.json configuration file.

Procedure

  1. On the Content Manager server, go to the config\ subfolder of %TRIDION_HOME% and open addonsSettings.json for editing.
  2. Within the addonsSettings section, ensure that a subsection called openIdConnectParameters exists at the end of the section.
  3. Within this openIdConnectParameters subsection, set the following properties:
    Address (mandatory)
      The address of your identity provider.
    ClientId (mandatory)
      A client ID that identifies the client to the identity provider.
    ClientSecret (mandatory)
      The client secret that authenticates the client identified by ClientId.
    clientCredentialStyle (optional)
      If omitted, the client posts the client ID and secret as part of the request body. To post the client ID and secret using HTTP basic authentication instead, set this property to the value AuthorizationHeader.
    Custom parameters (as defined by the implementer)
      Any additional parameters that your identity provider requires in the request for obtaining an access token. For example, if your IdP is Azure, a further parameter called resource is needed.
  4. Save and close AddonsSettings.json.
  5. Consider limiting access to the file AddonsSettings.json to selected users: read access should be limited to users who run services with Add-ons, while read-write access should be limited to administrators.
  6. To prevent sensitive data, such as the client secret, from being seen by people with access to the file, or from being sent to the Add-on service in cleartext, go to the tools\ subfolder and run the following command:
    Tridion.AddonService.ConfigProtector.exe protect -f ..\config\AddonsSettings.json
    The command encrypts and updates data in the file and puts the keys in the config\key\ subfolder of %TRIDION_HOME%. You can always decrypt the data later by running the same command, but using unprotect instead of protect as the verb.
  7. Ensure that you restrict file system access to the config\key\ subfolder of %TRIDION_HOME% to users who run services with Add-ons only.
  8. Restart all Tridion services, and IIS, to apply your changes.
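As an added illustration (not taken from the product documentation above), this is what the openIdConnectParameters subsection from steps 2 and 3 could look like for an Azure identity provider, with the client sending its credentials as an HTTP basic Authorization header and the Azure-specific resource parameter included. The shape of the enclosing addonsSettings object beyond what the page describes, and every address, ID and secret value, are placeholders and not real values.

```json
{
  "addonsSettings": {
    "openIdConnectParameters": {
      "Address": "https://idp.example.invalid/tenant-id-placeholder",
      "ClientId": "client-id-placeholder",
      "ClientSecret": "client-secret-placeholder",
      "clientCredentialStyle": "AuthorizationHeader",
      "resource": "https://addon-service.example.invalid"
    }
  }
}
```

Run the ConfigProtector protect command from step 6 after saving, so that the ClientSecret value is not left in the file in cleartext.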