Skip to main content

Single Sign-On SDL Web 8.5 CME and ADFS

In order to use SDL Web 8.5 and ADFS, we first have to enable SSO (Single Sign-On) on the SDL Web side.

The setup I have is:
  • SDL Web 8.5 installed in AWS (but it is the on-premise version of SDL Web)
  • Active Directory outside of AWS
  • ADFS outside of AWS, but somewhere close to AD
  • HTTPS access to SDL Web CME website
For this setup to work, we need to enable/configure a few things:
  • enable HTTPS access to the CME
  • enable/configure SSO on the CME
  • ADFS SAML Authenticator

Enable HTTPS

In PowerShell, run the script SetupHTTPS.ps1 from folder [SDLWebHome]\bin\Configuration Scripts. A very detailed explanation of this process is available at https://docs.sdl.com/LiveContent/content/en-US/SDL%20Web-v5/GUID-D694CEFB-AE01-415E-B919-5867C08E0A18.

A prerequisite of enabling HTTPS is obtaining and installing a SSL Certificate. This is beyond the scope of this blog post, but the PowerShell script above expects the 40 character certificate thumbprint as a parameter.

After running the PowerShell script, verify in IIS that the SDL CME website has a binding for port 443 (HTTPS) and that the SSL Certificate is configured for that binding.



Enable SSO

In PowerShell, run the script SetupSSO.ps1 from folder [SDLWebHome]\bin\Configuration Scripts. A very detailed explanation of this process is available at https://docs.sdl.com/LiveContent/content/en-US/SDL%20Web-v1/GUID-32378192-5366-4805-85AF-C578F988993B.

The parameter UserNameHeader is an important one, because it defines the name of the request header that the HTTP Module SsoAgentHttpModule is reading in order to impersonate the CME user. This SsoAgentHttpModule is a module that comes out of the box with SDL Web and it is configured and enabled by the PowerShell script.

ADFS SAML Authenticator

This is a custom piece of software that bridges the ADFS server with the SDL SsoAgentHttpModule.

The authenticator performs the following tasks:
  • request a SAML token to the ADFS server
  • intercept POST back with SAML token from ADFS server
  • decrypt token
  • extract user name from token
  • put user name in a request header
The SsoAgentHttpModule can now use the user name from the request header in order to impersonate the CME user.

The ADFS SAML Authenticator is described in more detail in this blog post.



Comments

Popular posts from this blog

Running sp_updatestats on AWS RDS database

Part of the maintenance tasks that I perform on a MSSQL Content Manager database is to run stored procedure sp_updatestats . exec sp_updatestats However, that is not supported on an AWS RDS instance. The error message below indicates that only the sa  account can perform this: Msg 15247 , Level 16 , State 1 , Procedure sp_updatestats, Line 15 [Batch Start Line 0 ] User does not have permission to perform this action. Instead there are several posts that suggest using UPDATE STATISTICS instead: https://dba.stackexchange.com/questions/145982/sp-updatestats-vs-update-statistics I stumbled upon the following post from 2008 (!!!), https://social.msdn.microsoft.com/Forums/sqlserver/en-US/186e3db0-fe37-4c31-b017-8e7c24d19697/spupdatestats-fails-to-run-with-permission-error-under-dbopriveleged-user , which describes a way to wrap the call to sp_updatestats and execute it under a different user: create procedure dbo.sp_updstats with execute as 'dbo' as...

I Have Gone Dark

Maybe it's the Holidays, but my mood has gone pretty dark. That is, regarding the look and feel of my computer and Tridion CME, of course. What I did was to dim the lights on the operating system, so I installed Placebo themes for Windows 7 . I went for the Ashtray look -- great name :) My VM looks now like this: But, once you change the theme on Windows, you should 'match' the theme of your applications. Some skin easily, some not. The Office suite has an in-built scheme, which can be set to Black , but it doesn't actually dim the ribbon tool bars -- it looks quite weird. Yahoo Messenger is skinnable, but you can't change the big white panels where you actually 'chat'. Skype is not skinnable at all. For Chrome, there are plenty of grey themes. Now i'm using Pro Grey . But then I got into changing the theme of websites. While very few offer skinnable interfaces (as GMail does), I had to find a way to darken the websites... Enter Stylish -- a pl...

REL Standard Tag Library

The RSTL is a library of REL tags providing standard functionality such as iterating collections, conditionals, imports, assignments, XML XSLT transformations, formatting dates, etc. RSTL distributable is available on my Google Code page under  REL Standard Tag Library . Always use the latest JAR . This post describes each RSTL tag in the library explaining its functionality, attributes and providing examples. For understanding the way expressions are evaluated, please read my post about the  Expression Language used by REL Standard Tag Library . <c:choose> / <c:when> / <c:otherwise> Syntax:     <c:choose>         <c:when test="expr1">             Do something         </c:when>         <c:when test="expr2">             Do something else         </c:when...