SDL Tridion Sites 9.0 Integration with SAML 2.0 Azure Active Directory

This is my first blog post of the year and also my first on SDL Tridion Sites 9.0. I would like to write about what I learned of one of its great new features: SAML 2.0 support in SDL Tridion Sites 9.0.

Previously, the Content Manager supported Single Sign-On (SSO) solutions that are now outdated and not Cloud-ready for the browser-based user interfaces (Content Manager Explorer and Experience Manager). SDL Tridion Sites 9.0 now offers support for SAML 2.0, covering both the Identity Provider-initiated (IdP-initiated) and the Service Provider-initiated (SP-initiated) scenario. User provisioning and group mapping are also supported.

[Image: saml-architecture]

SSO – SAML 2.0 Support

  • Use corporate accounts to log in
  • Support for login flows
    • Identity Provider (IDP) initiated
    • Service Provider (SP) Initiated
  • User provisioning with Group mappings
  • SDL Tridion Sites session / SAML token expiration and renewal

Prerequisites

  • SDL Tridion Sites must be set up with HTTPS
  • Azure Active Directory
    • Azure Directory ID
    • Set up AD Users and Groups (note the group object ID, which needs to be mapped to the CME Group identity provider later in this setup)
  • App Registrations
    • Display Name: SDL Tridion Sites 9.0
    • Application Type: Web app / API
    • App ID
    • Reply URL must be https://vagrant-2016/WebUI/ (always with a trailing slash)
    • In the application registration Manifest, make sure groupMembershipClaims is set to All.

Azure AD: a “real” IdP-initiated scenario is only available for Premium subscriptions.

Steps to set up and activate SAML 2.0 in SDL Tridion Sites 9.0

  1. Open a PowerShell window as Administrator
  2. Go to [Tridion-Home]\bin\Configuration Scripts
  3. SAML setup requires the SDL Web application to run over HTTPS
    1. Run this command to enable HTTPS on SDL Web: .\SetupHTTPS.ps1

[Image: setup-https]

  4. Copy the SetupAzureIDP_params_sample.txt file from [Tridion-Home]\bin\Configuration Scripts\Samples\ to the [Tridion-Home]\bin\Configuration Scripts\ folder, rename it to SetupAzureIDP_params.txt and modify the values highlighted in the image below

Fields to modify in the AzureAD params sample:
SP_Audience is the Application ID; all other IDs are the Directory ID.

[Image: azure_sample_config]

Azure App Registration ID:
SP_Audience=spn:fdaced12-cbc1-44e9-97bb-8b3c014047c2

[Image: azure_application_id_01]

[Image: azure_application_id_02]

[Image: azure_application_id_03]

Azure Active Directory ID:

issuer=https://sts.windows.net/03a22a20-af8f-48bf-8d95-ca3838745cbd/
Name=https://sts.windows.net/03a22a20-af8f-48bf-8d95-ca3838745cbd/
SingleSignOnServiceUrl=https://login.microsoftonline.com/03a22a20-af8f-48bf-8d95-ca3838745cbd/saml2/
SingleLogoutServiceUrl=https://login.microsoftonline.com/03a22a20-af8f-48bf-8d95-ca3838745cbd/saml2

Azure Active Directory ID: find it under Azure Active Directory -> Properties

[Image: azure_directory_id]

  5. Run .\SetupSAML.ps1

[Image: setup-azure]

  6. Access the CME and authenticate with SamlAdminUser=azure:avmgan@hotmail.com from the Azure AD login page
  7. In the CME, go to Administrator -> User Management -> Groups, create a new Group called “External Authors” and then specify the Group Visibility of the publications
  8. In the External Authors Group Members tab, add the Azure Identity provider
  9. Note the Azure Group Object ID, which needs to be mapped to the CME Group identity provider
  10. Once the Azure Identity provider Group Mapping is configured, the Azure group's users are automatically synced to SDL Tridion Sites

[Image: azure-group-object-id]

[Image: cms-group-mapping01]

[Image: cms-group-mapping02]
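Most problems with this setup come down to one of three mismatches: the Directory ID pasted into SP_Audience instead of the Application ID, an Issuer or Audience in the token that does not match the params file, or a groups claim that is missing (groupMembershipClaims not set to All) or does not contain the group object ID mapped in the CME. The Python script below is an added example written for this post, not part of SDL Tridion Sites or its configuration scripts. It parses a constructed copy of SetupAzureIDP_params.txt using the IDs shown above, flags the common mix-ups, and then compares a constructed, unsigned SAML assertion against those values: Issuer, Audience, the NotOnOrAfter expiry, and the Azure AD groups claim that the group mapping relies on. The group object ID and the assertion XML are made-up sample data; the groups claim URI is the one Azure AD uses in SAML tokens. Signature verification is deliberately left out, since the Content Manager does that itself.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim under which Azure AD emits group object IDs in SAML tokens.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed copy of SetupAzureIDP_params.txt with the IDs from the post.
PARAMS_TEXT = """\
SP_Audience=spn:fdaced12-cbc1-44e9-97bb-8b3c014047c2
issuer=https://sts.windows.net/03a22a20-af8f-48bf-8d95-ca3838745cbd/
Name=https://sts.windows.net/03a22a20-af8f-48bf-8d95-ca3838745cbd/
SingleSignOnServiceUrl=https://login.microsoftonline.com/03a22a20-af8f-48bf-8d95-ca3838745cbd/saml2/
SingleLogoutServiceUrl=https://login.microsoftonline.com/03a22a20-af8f-48bf-8d95-ca3838745cbd/saml2
"""

# Constructed object ID standing in for the "External Authors" Azure AD group.
MAPPED_GROUP_ID = "11111111-2222-3333-4444-555555555555"
# Point in time at which the sample assertion below is still valid.
CHECK_TIME = datetime(2019, 1, 15, 10, 30, tzinfo=timezone.utc)

# Constructed, unsigned assertion shaped like what Azure AD issues for this SP.
ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c1" Version="2.0" IssueInstant="2019-01-15T10:00:00Z">
<saml:Issuer>https://sts.windows.net/03a22a20-af8f-48bf-8d95-ca3838745cbd/</saml:Issuer>
<saml:Subject><saml:NameID>avmgan@hotmail.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2019-01-15T09:55:00Z" NotOnOrAfter="2019-01-15T11:00:00Z">
<saml:AudienceRestriction><saml:Audience>spn:fdaced12-cbc1-44e9-97bb-8b3c014047c2</saml:Audience></saml:AudienceRestriction>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="{GROUPS_CLAIM}"><saml:AttributeValue>{MAPPED_GROUP_ID}</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""


def parse_params(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def check_params(params):
    """Return a list of problems with the params file (empty == consistent)."""
    problems = []
    aud = params.get("SP_Audience", "")
    if not re.fullmatch("spn:" + GUID, aud):
        problems.append("SP_Audience must be spn:<Application ID GUID>")
    tenant_ids = set()
    for key in ("issuer", "Name", "SingleSignOnServiceUrl", "SingleLogoutServiceUrl"):
        match = re.search(GUID, params.get(key, ""))
        if match:
            tenant_ids.add(match.group(0))
        else:
            problems.append(f"{key} does not contain a Directory ID")
    if len(tenant_ids) > 1:
        problems.append(f"Directory ID differs between IdP settings: {sorted(tenant_ids)}")
    # The classic mistake: the Directory ID ends up in SP_Audience too.
    if aud[4:] in tenant_ids:
        problems.append("SP_Audience uses the Directory ID; it must be the Application ID")
    return problems


def check_assertion(xml_text, params, mapped_group_id, now):
    """Compare an assertion with the params file and the mapped group object ID."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != params.get("issuer"):
        problems.append(f"issuer mismatch: token says {issuer!r}")
    audiences = [(a.text or "").strip() for a in root.iter(f"{{{NS['saml']}}}Audience")]
    if params.get("SP_Audience") not in audiences:
        problems.append(f"audience mismatch: token says {audiences}")
    conditions = root.find("saml:Conditions", NS)
    expiry = datetime.fromisoformat(conditions.get("NotOnOrAfter").replace("Z", "+00:00"))
    if now >= expiry:
        problems.append(f"assertion expired at {expiry.isoformat()}; a renewed token is needed")
    groups = []
    for attr in root.iter(f"{{{NS['saml']}}}Attribute"):
        if attr.get("Name") == GROUPS_CLAIM:
            groups.extend((v.text or "").strip() for v in attr)
    if not groups:
        problems.append("no groups claim: check groupMembershipClaims=All in the app manifest")
    elif mapped_group_id not in groups:
        problems.append(f"mapped group {mapped_group_id} not in token groups {groups}")
    return problems


if __name__ == "__main__":
    cfg = parse_params(PARAMS_TEXT)
    print("params:", check_params(cfg) or "OK")
    print("assertion:", check_assertion(ASSERTION_XML, cfg, MAPPED_GROUP_ID, CHECK_TIME) or "OK")
```

To use it against a real environment, replace PARAMS_TEXT with the contents of your SetupAzureIDP_params.txt, paste in an assertion captured from the browser (for example from a SAML tracer extension) and set MAPPED_GROUP_ID to the object ID of the group you mapped in the CME.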

Thanks to Anton Minko for a good demo.

It was a great learning and sharing experience.

I hope this helps. If you have any questions, please direct them to Tridion StackExchange.