SDL Trisoft Tech Deck: Technology, Web Services and Q&A

Post on 21-May-2020


SDL Trisoft Tech Deck: Technology, Web Services and Q&A

Dave De Meyer, Development Manager

• SDL Integrations Product Stack
• Claims-based Security
  – Standards
  – How it works
  – Brands & Backward Compatibility
• Web Services
  – User Profile Provisioning
  – ASMX
  – SVC
• What we also did…

Agenda

• SDL Trisoft packages SDL Xopus for use in SDL Trisoft and SDL LiveContent
  – IIS virtual directory 'TrisoftXopus' is merged into 'InfoShareAuthor', which serves the whole web client
• SDL Trisoft repository connects to one SDL LiveContent for review and commenting
• SDL Trisoft repository, through OutputFormats, can have multiple SDL LiveContents (downstream, like PDF or CHM or HTML)

SDL Integrations Product Stack

SDL Trisoft connects with SDL WorldServer

• TranslationBuilder services (automation of PushTranslations)
  – Can be used by anyone
• TranslationOrganizer
  – Talks to WorldServer

SDL Integrations Product Stack - WorldServer

1. You need resources, so off to the supermarket to buy some good beer e.g.
2. The policy of the supermarket is not to sell to minors, hence the photo ID required
3. Your token is
4. Your token was issued before by the state, a trusted identity provider
5. After verification of your age claim, part of your token, you are authorized to buy beer

Security - Real World Scenario

[Diagram: Current Software Paradigm. Labels: User; Credentials (repeated many times, "Too Many"); Application with Issuer and Service (repeated, "Many"); "Real life only few…": Passport, Driver's License; Trusted Subsystem.]

Current Software Paradigm

[Diagram: Centralized IT Paradigm. Labels: User; Credentials; Security Service (Authenticate, User Provisioning), "Centralized"; TRUST; Application with Issuer and Service (repeated, "Many").]

Centralized IT Paradigm

• Identity Providers (IP)
  – Windows Active Directory
  – Open LDAP
  – Custom
• Why are they not suitable?
  – Mostly only identity providers. This means that every application must handle the authentication logic against them, so all kinds of proprietary implementations exist
  – Proprietary and not cross-platform
  – Active Directory is the closest to what we are looking for, but it is for the Windows ecosystem only. Additionally, it uses a proprietary protocol (Kerberos). So not suitable

Current situation

• It is a front end for one or many Identity Providers
• "Talks" widely accepted protocols like
  – WS-Federation
  – SAML-P
  – WS-Trust 1.3
• "Delivers" security tokens in widely accepted formats like
  – SAML 1.1
  – SAML 2.0 (Relatively new)

Security Token Service (STS)

• What is a claim?
  – An assertion. A value for a specific claim type (First name, Age, Address, …)
• What is a token?
  – Exactly as our national identity card
  – A set of claims
  – Signed with a certificate that proves the issuer's identity (STS)
  – Validity period

Basic Flow Overview

[Diagram: Client, STS and IP. Steps: 1 Authenticate, 2 Get Token, 3 Submit Token. Other labels: TRUST; Exchange; Query; Active; Passive; Supported.]

• Passive Profile
  – Client is a browser
  – Browser is "stupid". Just follows instructions
• Active Profile
  – Client is an "In Process Application" (exe)
  – Client is "smart". Pre-"configured" with instructions
  – Web Services

Claims - Profiles

[Diagram labels: Client, User]

• Browser
  – Web SSO based on Trisoft Users (InfoShareSTS)
  – Logged on to LiveContent and Trisoft
• Client Tools
  – Well, actually you see no difference…

Claims – Demo

We've tested with the following, but any brand respecting the standard can be configured:

• Microsoft Active Directory Federated Services v2 (ADFSv2)
  – When you have a Windows domain
  – Free extension
  – Replaces the 'direct' Windows Authentication introduced in 2011 R2
  – Simplified setup through PowerShell script
• SDL Trisoft 'InfoShareSTS'
  – Externalizes Trisoft Authentication based on the Trisoft User Repository
  – Backward compatible option, but respecting the Claims setup and SSO
  – Solution where Trisoft stores passwords with limited password rules
  – Deprecated by nature, as externalizing security will happen more and more
  – Out of the box preconfigured

Claims - Brands & Backward Compatibility

• Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations
• New parameters in the inputparameters.xml file, required for installation
  – Infosharestswebappname
  – servicecertificatesubjectname
  – basehostname
  – servicecertificatevalidationmode
  – issuercertificatethumbprint
  – issuercertificatevalidationmode
  – issueractorusername
  – issueractorpassword
  – issuerwstrustendpointurl
  – issuerwsfederationendpointurl
  – serviceusername
  – servicepassword

Claims – Trisoft InstallTool Parameters

[Architecture diagram. Connections are labelled http(s) or http(s) SOAP. Boxes:]

• Web App InfoShareWS – Host: IIS AppPool (dllhost.exe), Identity: DOMAIN\InfoShareSvc
• Web App InfoShareAuthor – Host: IIS AppPool (dllhost.exe), Identity: DOMAIN\InfoShareSvc
• Web App InfoShareSTS – Host: IIS AppPool (dllhost.exe), Identity: DOMAIN\InfoShareSvc
• Host: oracle.exe -or- sqlservr.exe, Identity: N/A
• Host: iexplore.exe, Identity: DOMAIN\user
• Host: PublicationManager.exe -or- xmetal.exe, Identity: DOMAIN\user
• Host: AD, Identity: N/A

Other labels: Trisoft Foundation; Trisoft API25, API20, API10; Trisoft API25 for PubOutput Streaming; Trisoft Client Tools; Trisoft InfoShareWeb; Trisoft Xopus; Browser; Microsoft IIS; ADFSv2.

STS - STS Auth & Trisoft Authz

• Reduced Client Tools account creation complexity by a configuration file living in the 'InfoShareWS' virtual directory
  – e.g. https://…/InfoShareWS/connectionconfiguration.xml
• Only thing to provide is the web services location

Claims – Account Creation

Claims – Database Upgrade Tool - Screenshot

• When activating external authentication, you have to have at least one correctly configured FISHEXTERNALID field. DBUT solves this problem
• A Trisoft User has 3 kinds of metadata
  – Authentication: user name and password
  – Authorization: user roles and access to user groups
  – Application Data: user language, favorites, e-mail, user name, id
• In Trisoft 2013 (10.0), authentication happens through a central/3rd party Secure Token Service (STS) system
• Once authenticated as an external user, Trisoft will map it to a Trisoft user profile for authorization and application data
• The Trisoft User Profile is required for
  – Granting it user roles and access to user groups
  – Referencing in workflow and assignments
  – Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

• ASMX based web services like http://…/InfoShareWS/Application.ASMX
  – Since 2003
  – First parameter in every function is always 'AuthenticationContext', so the Trisoft way of authentication
• Introducing Windows Communication Foundation (WCF) services like http://…/InfoShareWS/WCF/API25/Application.SVC
  – Support for claims-based authentication
  – Replaces ASMX Web Services, so marking them as deprecated
    • Deprecated here means supported as long as the cost of maintenance is reasonable
• Goal is to step away from Trisoft Authentication (Trisoft username/password combinations)

Web Services – ASMX and SVC

• All API calls labelled 25 are 100% .NET full stack; they are visible in web services like DocumentObj25, OutputFormat25
  – API 25 means a certain set of behavior
  – Technology-wise, mapping of ASMX, SVC, .NET and COM+ interfaces is one-on-one, besides technical limitations (e.g. function overloading, parameter types)
• Exceptions
  – Internally uses the TrisoftException or per assembly derived variations
  – Throws InfoShareExceptions, wrapped in the 'InfoShareWS' to SoapException
• First checks the input; if unexpected/wrong, it will throw immediately
• Results are never sorted unless explicitly indicated through a sequence field. The client should always sort

Web Services - API25 – Some ground rules

Function name    Description
SetMetadata      Current function
SetMetadata2     New function to support multiple write access
SetMetadata3     New function to support multiple write access and an extra parameter "requiredCurrentMetadata" to force the current metadata to match an expected value

• Incoming user contextual information will be decrypted into a UserContext object, which in turn will always be validated for correctness in the database (rights, disabled, roles)
• Contextual information comes in through
  – For ASMX Web Services
    • Every class constructor requires an AuthenticationContext, so only works for 'Trisoft Internal' users
    • Deprecated because of technology
    • Stopped support for 'direct' Windows/LDAP Authentication in favor of an STS solution
  – For SVC Web Services
    • No AuthenticationContext parameter, as it is on-the-wire as part of the WS-Trust OASIS standard using OASIS SAML tokens
    • The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPrincipal object
    • Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 – Who are you

• First of all, we provided all these new classes in ASMX and SVC flavor for now
• Settings25, allowing access to Set and Get
  – Settings > Default Settings
    • holding the SDL LiveContent Reach and WorldServer location
  – All Settings Configuration Xmls like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
    • Note that 'Xml Tags' is gone
    • Introducing versioned schema validation
  – Function GetPossibleTargetStatuses helps in filling allowed 'next values' for workflow dialogs

Web Services - New in SDL Trisoft 2013 (10.0)

• ListOfValues25, allowing access to manage the allowed/permitted values of a select List of Value (LOV)
  – Useful for automated integrations/input
  – Note: adding the List of Value itself (e.g. 'ImageType') still requires the setup utilities. This API class allows you to add values (e.g. 'Diagram' and 'Graphic' into 'ImageType')

Web Services - New in SDL Trisoft 2013 (10.0)

• The following API functions allow our new 'TranslationOrganizer' service to work
• TranslationTemplate25
  – Allows management of cached translation template in Trisoft
  – A 'configuration' identifier to tell the Translation Management System which setup to use (e.g. WorldServer workflow, cost code)
• TranslationJob25
  – Allows typical CRUD of the new TranslationJob containers, where you can assign publications or content objects you would want to get translated
  – TranslationJob object drives the 'TranslationBuilder' and 'TranslationOrganizer' Windows services

Web Services - New in SDL Trisoft 2013 (10.0)

User Provisioning – Available since 2011 R2 (9.2)

• Introducing the following API functions

User Provisioning - Functions

User25: ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update
UserGroup25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update
UserRole25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

1. Delete or Disable Trisoft User Profiles
   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
      1. If none exists, delete the Trisoft user profile if not referenced; otherwise disable the Trisoft user profile
      2. If one or more exists, check if disabled; possibly disable the Trisoft user profile
2. Create or Update Trisoft User Profiles…
   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
   2. For every user in the external-user-list, find the Trisoft User Profile by FISHEXTERNALID
      1. If multiple hits, throw exception, as multiple profile hits will never grant a login
      2. If none exists, create the user profile with required roles and user groups
      3. If one exists, enable, skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for In/Out
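The two passes above, run against in-memory data (an added example, not SDL code and not the Trisoft API). The Profile class, the external_users dictionary with its 'required' flag, and all sample names, roles and groups are constructed assumptions; a real integration would perform the same steps through the User25 functions.

```python
from dataclasses import dataclass, field


class DuplicateExternalId(Exception):
    """Several Trisoft profiles share one FISHEXTERNALID."""


@dataclass
class Profile:                      # hypothetical stand-in for a Trisoft user profile
    name: str
    external_id: str                # FISHEXTERNALID
    user_type: str = "External"     # FISHUSERTYPE
    disabled: bool = False          # FISHUSERDISABLED (Yes/No)
    referenced: bool = False        # used in workflow or assignments
    roles: list = field(default_factory=list)
    groups: list = field(default_factory=list)


def deprovision(profiles, external_users):
    """Pass 1: delete or disable profiles whose external identity is gone or disabled."""
    actions = []
    active = [p for p in profiles if p.user_type == "External" and not p.disabled]
    for p in active:
        ext = external_users.get(p.external_id)
        if ext is None:
            if p.referenced:
                # Still referenced by workflow/assignments: keep the record, block login.
                p.disabled = True
                actions.append(("disable", p.name))
            else:
                profiles[:] = [q for q in profiles if q is not p]
                actions.append(("delete", p.name))
        elif ext["disabled"]:
            p.disabled = True
            actions.append(("disable", p.name))
    return actions


def provision(profiles, external_users, default_roles, default_groups):
    """Pass 2: create or enable profiles for external users that need one."""
    # Assumption: a disabled external account never requires a Trisoft profile.
    required = [eid for eid, u in external_users.items()
                if u["required"] and not u["disabled"]]
    by_ext = {}
    for p in profiles:
        by_ext.setdefault(p.external_id, []).append(p)
    # Check for duplicates before changing anything, so a failed run leaves no partial state.
    dupes = sorted(eid for eid in required if len(by_ext.get(eid, [])) > 1)
    if dupes:
        raise DuplicateExternalId(dupes)
    actions = []
    for eid in required:
        hits = by_ext.get(eid, [])
        if not hits:
            profiles.append(Profile(eid, eid, roles=list(default_roles),
                                    groups=list(default_groups)))
            actions.append(("create", eid))
        elif hits[0].disabled:
            hits[0].disabled = False
            actions.append(("enable", hits[0].name))
        else:
            # Skip instead of update: roles and groups set by hand are left untouched.
            actions.append(("skip", hits[0].name))
    return actions


def demo():
    """Run both passes over constructed sample data."""
    profiles = [
        Profile("alice", "ext-alice"),
        Profile("bob", "ext-bob", referenced=True),
        Profile("carol", "ext-carol"),
        Profile("dave", "ext-dave"),
        Profile("erin", "ext-erin", disabled=True),
    ]
    external_users = {
        "ext-alice": {"disabled": False, "required": True},
        "ext-dave": {"disabled": True, "required": True},
        "ext-erin": {"disabled": False, "required": True},
        "ext-frank": {"disabled": False, "required": True},
        "ext-gina": {"disabled": False, "required": False},
    }
    removed = deprovision(profiles, external_users)
    added = provision(profiles, external_users, ["Author"], ["Default Department"])
    return removed, added, profiles


if __name__ == "__main__":
    removed, added, _ = demo()
    print("pass 1:", removed)
    print("pass 2:", added)
```

Running the de-provisioning pass first means an account removed or disabled at the identity provider loses its Trisoft profile before any profile is created or re-enabled.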

• Multi Browser support
  – IE8 and IE9
  – FF-latest
  – Chrome-latest
• Third Party Software
  – AntennaHouse XSL Formatter 6.0
  – SQLServer 2008 SP3
  – SQLServer 2008R2 SP2

What we also did

• AuthoringBridge SDK
  – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list: XM 5.5/6.0, AE 5.3/5.4, FM 9/10)

What we also did

[Diagram: SDL Trisoft Authoring Bridge. Labels: Database; Server or Remote Machine; Application Server; Client; Access through Web Services; SDL Trisoft Foundation; Arbortext Editor, XMetaL, FrameMaker; FrameMaker Connector, Arbortext Editor Connector, XMetaL Connector; 3rd Party Application; 3rd Party Connector.]

• Batch Metadata/Workflow operations in the client tools
  – Simply automation of manual actions
• Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of Firefox)

What we also did

Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified, and may not be copied, used or distributed except as authorised by SDL.

  • SDL Trisoft Tech Deck: Technology, Web Services and Q&A
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims – Demo
  • Claims - Brands & Backward Compatibility
  • Claims – Trisoft InstallTool Parameters
  • STS - STS Auth & Trisoft Authz
  • Claims – Account Creation
  • Claims – Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services – ASMX and SVC
  • Web Services - API25 – Some ground rules
  • Web Services - API25 – Who are you
  • Web Services - New in SDL Trisoft 2013 (10.0)
  • Web Services - New in SDL Trisoft 2013 (10.0)
  • Web Services - New in SDL Trisoft 2013 (10.0)
  • User Provisioning – Available since 2011 R2 (9.2)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for In/Out
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

    bull SDL Integrations Product Stack

    bull Claims-based Security ndash Standards

    ndash How it works

    ndash Brands amp Backward Compatibility

    bull Web Services ndash User Profile Provisioning

    ndash ASMX

    ndash SVC

    bull What we also didhellip

    Agenda

    2

    bull SDL Trisoft packages SDL Xopus for use in SDL Trisoft and SDL LiveContent ndash IIS virtual directory lsquoTrisoftXopusrsquo is merged into lsquoInfoShareAuthorrsquo which

    serves the whole web client

    bull SDL Trisoft repository connects to one SDL LiveContent for review and commenting

    bull SDL Trisoft repository through OutputFormats can have multiple SDL LiveContents (downstream like PDF or CHM or HTML)

    SDL Integrations Product Stack

    3

    SDL Trisoft connects with SDL WorldServer

    bull TranslationBuilder services (automation of PushTranslations) ndash Can be used by anyone

    bull TranslationOrganizer ndash Talks to WorldServer

    SDL Integrations Product Stack - WorldServer

    4

    1 You need resources so off to the supermarket to buy some good beer eg

    2 The policy of the supermarket is not to sell to minors hence the photo id required

    3 Your token is

    4 Your token was issued before by the state a trusted identity provider 5 After verification of your age claim

    part of your token you are authorized to buy beer

    Security - Real World Scenario

    User

    bull Credentials bull Credentials bull Credentials bull Credentials bull hellip bull Credentials

    Current Software Paradigm

    7

    bull Issuer bull Service

    Application

    Many

    Real life only fewhellip

    Passport Driverrsquos License

    Too Many

    bull Issuer bull Service

    Application

    bull Issuer bull Service

    Application

    bull Issuer bull Service

    Application

    helliphellip

    Trusted Subsystem

    User

    bull Credentials bull hellip bull Credentials

    Centralized IT Paradigm

    8

    Security Service

    bull Authenticate bull User Provisioning

    TRUST

    Centralized

    bull Issuer bull Service

    Application

    bull Issuer bull Service

    Application

    bull Issuer bull Service

    Application

    Many

    helliphellip

    bull Identity Providers (IP) ndash Windows Active Directory

    ndash Open LDAP

    ndash Custom

    bull Why are they not suitable ndash Mostly only identity providers This means that every application must handle

    the authentication logic against them so all kind or proprietary implementations exist

    ndash Proprietary and not cross platform

    ndash Active Directory is the closest to what we are looking for but it is for the Windows Eco System only Additionally is uses a proprietary protocol (Kerberos) So not suitable

    Current situation

    9

    bull It is a front end for one or many Identity Provides

    bull ldquoTalksrdquo widely accepted protocols like

    ndash WS Federation

    ndash SAML-P

    ndash WS Trust 13

    bull ldquoDeliversrdquo security tokens in widely accepted formats like

    ndash SAML11

    ndash SAML20 (Relatively new)

    Security Token Service (STS)

    10

    STS

    Exchange Query

    bull What is a claim

    ndash An assertion A value for a specific claim type (First name Age Address hellip)

    bull What is a token

    ndash Exactly as our national identity card

    ndash A set of claims

    ndash Signed with a certificate that proves the issuerrsquos identity (STS)

    ndash Validity period

    IP

    Active

    Passive

    Supported

    Basic Flow Overview

    11

    Client

    STS IP

    1 Authenticate

    2 Get Token

    3 Submit Token

    TRUST

    bull Passive Profile ndash Client is a browser

    ndash Browser is ldquostupidrdquo Just follows instructions

    bull Active Profile ndash Client is a ldquoIn Process Applicationrdquo (exe)

    ndash Client is ldquosmartrdquo Pre-rdquoConfiguredrdquo with instructions

    ndash Web Services

    Claims - Profiles

    12

    ClientUser

    ClientUser

    bull Browser ndash Web SSO based on Trisoft Users (InfoShareSTS)

    ndash Logged on on LiveContent and Trisoft

    bull Client Tools ndash Well actually you see no differencehellip

    Claims ndash Demo

    13

    Wersquove tested with but any brand respecting the standard can be configured bull Microsoft Active Directory Federated Services v2 (ADFSv2)

    ndash When you have a Windows domain

    ndash Free extension ndash Replaces the 2011R2 introduced lsquodirectrsquo Windows Authentication ndash Simplified setup through PowerShell script

    bull SDL Trisoft lsquoInfoShareSTSrsquo

    ndash Externalizes Trisoft Authentication based on the Trisoft User Repository

    ndash Backward compatible option but respecting the Claims setup and SSO ndash Solution where Trisoft stores passwords with limited password rules ndash Deprecated by nature as externalizing security will happen more and more

    ndash Out of the box preconfigured

    Claims - Brands amp Backward Compatibility

    14

    bull Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

    bull New Parameters in the inputparametersxml file required for installation ndash Infosharestswebappname ndash servicecertificatesubjectname ndash basehostname ndash servicecertificatevalidationmode ndash issuercertificatethumbprint ndash issuercertificatevalidationmode ndash issueractorusername ndash issueractorpassword ndash issuerwstrustendpointurl ndash issuerwsfederationendpointurl ndash serviceusername ndash servicepassword

    Claims ndash Trisoft InstallTool Parameters

    15

    http(s) SOAP

    http(s) SOAP

    http(s) SOAP

    http(s)

    Web App InfoShareWS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

    Web App InfoShareAuthor Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

    STS - STS Auth amp Trisoft Authz

    Host oracleexe -or- sqlservrexe Identity NA

    Host iexploreexe Identity DOMAINuser

    Host PublicationManagerexe -or- xmetalexe Identity DOMAINuser

    Trisoft Foundation

    Trisoft API25 API20 API10

    Tris

    oft

    Clie

    nt T

    ools

    Tris

    oft

    Info

    Sha

    reW

    eb

    Tris

    oft

    Xop

    us

    Bro

    wse

    r

    Mic

    roso

    ft I

    IS

    Host AD

    Identity NA

    Mic

    roso

    ft I

    IS

    Trisoft Foundation

    Trisoft API25 for PubOutput Streaming

    Web App InfoShareSTS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

    Trisoft API25

    Mic

    roso

    ft I

    IS

    Browser

    ADFSv2

    bull Reduced Client Tools account creation complexity by a configuration file living in the lsquoInfoSharWSrsquo virtual directory ndash eg httpsInfoShareWSconnectionconfigurationxml

    bull Only thing to provide is the web services location

    Claims ndash Account Creation

    17

    Claims ndash Database Upgrade Tool - Screenshot

    18

    bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

    bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

    ndash Authorization user roles and access to user groups

    ndash Application Data User language Favorites e-mail user name id

    bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

    bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

    bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

    ndash Referencing in workflow and assignments

    ndash Populating user lists based on Trisoft user roles

    Central Auth and Trisoft Authz

    19

    bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

    ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

    bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

    ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

    bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

    Web Services ndash ASMX and SVC

    20

    bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

    ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

    bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

    ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

    bull First checks the input if unexpectedwrong it will throw immediately

    bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

    Web Services - API25 ndash Some ground rules

    Function name Description

    SetMetadata Current function

    SetMetadata2 New function to support multiple write access

    SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

    bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

    bull Contextual information comes in through ndash For ASMX Web Services

    bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

    bull Deprecated because of technology

    bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

    ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

    OASIS standard using OASIS SAML tokens

    bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

    bull Supports any Authentication type because it is an externalized service (STS)

    Web Services - API25 ndash Who are you

    bull First of all we provided all these new classes in ASMX and SVC flavor for now

    bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

    bull holding the SDL LiveContent Reach and WorldServer location

    ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

    bull Introducing versioned schema validation

    ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

    Web Services - New in SDL Trisoft 2013 (100)

    bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

    ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

    Web Services - New in SDL Trisoft 2013 (100)

    bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

    bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

    ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

    bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

    assign publications or content objects you would want to get translated

    ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

    Web Services - New in SDL Trisoft 2013 (100)

    User Provisioning ndash Available since 2011 R2 (92)

    bull Introducing the following API functions

    User Provisioning - Functions

    User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

    UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

    UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

    1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

    FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

    FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

    Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

    2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

    limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

    FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

    Beware that update could overwrite explicitly set values

    User Provisioning - Algorithm for InOut

    bull Multi Browser support ndash IE8 and IE9

    ndash FF-latest

    ndash Chrome-latest

    bull Third Party Software ndash AntennaHouse XSL Formater 60

    ndash SQLServer 2008 SP3

    ndash SQLServer 2008R2 SP2

    What we also did

    bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

    automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)


      SDL Integrations Product Stack

      • SDL Trisoft packages SDL Xopus for use in SDL Trisoft and SDL LiveContent
        – IIS virtual directory ‘TrisoftXopus’ is merged into ‘InfoShareAuthor’, which serves the whole web client
      • SDL Trisoft repository connects to one SDL LiveContent for review and commenting
      • SDL Trisoft repository, through OutputFormats, can have multiple SDL LiveContents (downstream, like PDF or CHM or HTML)

      SDL Integrations Product Stack - WorldServer

      SDL Trisoft connects with SDL WorldServer
      • TranslationBuilder services (automation of PushTranslations)
        – Can be used by anyone
      • TranslationOrganizer
        – Talks to WorldServer

      Security - Real World Scenario

      1. You need resources, so off to the supermarket to buy some good beer, e.g.
      2. The policy of the supermarket is not to sell to minors, hence the photo ID required
      3. Your token is
      4. Your token was issued before by the state, a trusted identity provider
      5. After verification of your age claim, part of your token, you are authorized to buy beer

      Current Software Paradigm

      [Diagram labels: User; Credentials (repeated); Application with Issuer and Service (repeated); Many; Real life only few… (Passport, Driver’s License); Too Many; Trusted Subsystem]

      Centralized IT Paradigm

      [Diagram labels: User; Credentials; Security Service (Authenticate, User Provisioning); TRUST; Centralized; Application with Issuer and Service (repeated); Many]

      Current situation

      • Identity Providers (IP)
        – Windows Active Directory
        – Open LDAP
        – Custom
      • Why are they not suitable?
        – Mostly only identity providers. This means that every application must handle the authentication logic against them, so all kinds of proprietary implementations exist
        – Proprietary and not cross-platform
        – Active Directory is the closest to what we are looking for, but it is for the Windows ecosystem only. Additionally, it uses a proprietary protocol (Kerberos). So not suitable

      Security Token Service (STS)

      • It is a front end for one or many Identity Providers
      • “Talks” widely accepted protocols like
        – WS-Federation
        – SAML-P
        – WS-Trust 1.3
      • “Delivers” security tokens in widely accepted formats like
        – SAML 1.1
        – SAML 2.0 (relatively new)

      [Diagram labels: STS; Exchange Query]

      Basic Flow Overview

      • What is a claim?
        – An assertion: a value for a specific claim type (First name, Age, Address, …)
      • What is a token?
        – Exactly as our national identity card
        – A set of claims
        – Signed with a certificate that proves the issuer’s identity (STS)
        – Validity period

      [Diagram labels: IP; Active; Passive; Supported]

      [Diagram labels: Client; STS; IP; 1 Authenticate; 2 Get Token; 3 Submit Token; TRUST]

      Claims - Profiles

      • Passive Profile
        – Client is a browser
        – Browser is “stupid”. Just follows instructions
      • Active Profile
        – Client is an “In Process Application” (exe)
        – Client is “smart”. Pre-“Configured” with instructions
        – Web Services

      [Diagram labels: Client/User; Client/User]

      Claims – Demo

      • Browser
        – Web SSO based on Trisoft Users (InfoShareSTS)
        – Logged on to LiveContent and Trisoft
      • Client Tools
        – Well, actually you see no difference…

      Claims - Brands & Backward Compatibility

      We’ve tested with the brands below, but any brand respecting the standard can be configured
      • Microsoft Active Directory Federation Services v2 (ADFSv2)
        – When you have a Windows domain
        – Free extension
        – Replaces the 2011R2 introduced ‘direct’ Windows Authentication
        – Simplified setup through PowerShell script
      • SDL Trisoft ‘InfoShareSTS’
        – Externalizes Trisoft Authentication based on the Trisoft User Repository
        – Backward compatible option, but respecting the Claims setup and SSO
        – Solution where Trisoft stores passwords with limited password rules
        – Deprecated by nature, as externalizing security will happen more and more
        – Out of the box preconfigured

      Claims – Trisoft InstallTool Parameters

      • Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations
      • New parameters in the inputparameters.xml file required for installation
        – Infosharestswebappname
        – servicecertificatesubjectname
        – basehostname
        – servicecertificatevalidationmode
        – issuercertificatethumbprint
        – issuercertificatevalidationmode
        – issueractorusername
        – issueractorpassword
        – issuerwstrustendpointurl
        – issuerwsfederationendpointurl
        – serviceusername
        – servicepassword

      STS - STS Auth & Trisoft Authz

      [Architecture diagram. Recoverable labels:
        – Connections: http(s) SOAP (three times); http(s)
        – Web App InfoShareWS, Web App InfoShareAuthor, Web App InfoShareSTS: each Host IIS AppPool (dllhost.exe), Identity DOMAIN\InfoShareSvc
        – Host oracle.exe -or- sqlservr.exe, Identity N/A
        – Host iexplore.exe, Identity DOMAIN\user
        – Host PublicationManager.exe -or- xmetal.exe, Identity DOMAIN\user
        – Host AD, Identity N/A
        – Other labels: Trisoft Foundation; Trisoft API 2.5, API 2.0, API 1.0; Trisoft API 2.5 for PubOutput Streaming; Trisoft API 2.5; Trisoft Client Tools; Trisoft InfoShareWeb; Trisoft Xopus; Browser; Microsoft IIS; ADFSv2]

      Claims – Account Creation

      • Reduced Client Tools account creation complexity by a configuration file living in the ‘InfoShareWS’ virtual directory
        – e.g. httpsInfoShareWSconnectionconfigurationxml
      • Only thing to provide is the web services location

      Claims – Database Upgrade Tool - Screenshot

      • When activating external authentication, you have to have at least one correctly configured FISHEXTERNALID field. DBUT solves this problem

      Central Auth and Trisoft Authz

      • A Trisoft User has 3 kinds of metadata
        – Authentication: user name and password
        – Authorization: user roles and access to user groups
        – Application Data: user language, favorites, e-mail, user name, id
      • In Trisoft 2013 (10.0), authentication happens through a central/3rd party Secure Token Service (STS) system
      • Once authenticated as an external user, Trisoft will map it to a Trisoft user profile for authorization and application data
      • The Trisoft User Profile is required for
        – Granting it user roles and access to user groups
        – Referencing in workflow and assignments
        – Populating user lists based on Trisoft user roles

      Web Services – ASMX and SVC

      • ASMX based web services like httpInfoShareWSApplicationASMX
        – Since 2003
        – First parameter in every function is always ‘AuthenticationContext’, so the Trisoft way of authentication
      • Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC
        – Support for claims-based authentication
        – Replaces ASMX Web Services, so marking them as deprecated
          • Deprecated here means supported as long as the cost of maintenance is reasonable
      • Goal is to step away from Trisoft Authentication (Trisoft Username/Password combinations)

      Web Services - API 2.5 – Some ground rules

      • All API calls labelled 2.5 are 100% .NET full stack; they are visible in web services like DocumentObj25, OutputFormat25
        – API 2.5 means a certain set of behavior
        – Technology-wise, mapping of ASMX, SVC, .NET and COM+ interfaces is one-on-one, besides technical limitations (e.g. function overloading, parameter types)
      • Exceptions
        – Internally uses the TrisoftException or per-assembly derived variations
        – Throws InfoShareExceptions wrapped in the ‘InfoShareWS’ to SoapException
      • First checks the input; if unexpected/wrong it will throw immediately
      • Results are never sorted unless explicitly indicated through a sequence field. The client should always sort

      Function name    Description
      SetMetadata      Current function
      SetMetadata2     New function to support multiple write access
      SetMetadata3     New function to support multiple write access and an extra parameter “requiredCurrentMetadata” to force the current metadata to match an expected value

      Web Services - API 2.5 – Who are you

      • Incoming user contextual information will be decrypted into a UserContext object, which in turn will always be validated for correctness in the database (rights, disabled, roles)
      • Contextual information comes in through
        – For ASMX Web Services
          • Every class constructor requires an AuthenticationContext, so only works for ‘Trisoft Internal’ users
          • Deprecated because of technology
          • Stopped support for ‘direct’ Windows/LDAP Authentication in favor of an STS solution
        – For SVC Web Services
          • No AuthenticationContext parameter, as it is on-the-wire as part of the WS-Trust OASIS standard using OASIS SAML tokens
          • The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPrincipal object
          • Supports any Authentication type because it is an externalized service (STS)

      Web Services - New in SDL Trisoft 2013 (10.0)

      • First of all, we provided all these new classes in ASMX and SVC flavor for now
      • Settings25, allowing access to Set and Get
        – Settings > Default Settings
          • holding the SDL LiveContent Reach and WorldServer location
        – All Settings Configuration Xmls like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
          • Note that ‘Xml Tags’ is gone
          • Introducing versioned schema validation
        – Function GetPossibleTargetStatuses helps in filling allowed ‘next values’ for workflow dialogs

      Web Services - New in SDL Trisoft 2013 (10.0)

      • ListOfValues25, allowing access to manage the allowed/permitted values of a select List of Value (LOV)
        – Useful for automated integrations/input
        – Note: adding the List of Value itself (e.g. ‘ImageType’) still requires the setup utilities. This API class allows you to add values (e.g. ‘Diagram’ and ‘Graphic’ into ‘ImageType’)

      Web Services - New in SDL Trisoft 2013 (10.0)

      • The following API functions allow our new ‘TranslationOrganizer’ service to work
      • TranslationTemplate25
        – Allows management of cached translation template in Trisoft
        – A ‘configuration’ identifier to tell the Translation Management System which setup to use (e.g. WorldServer workflow, cost code)
      • TranslationJob25
        – Allows typical CRUD of the new TranslationJob containers, where you can assign publications or content objects you would want to get translated
        – TranslationJob object drives the ‘TranslationBuilder’ and ‘TranslationOrganizer’ Windows services

      User Provisioning – Available since 2011 R2 (9.2)

      User Provisioning - Functions

      • Introducing the following API functions
        – User25: ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update
        – UserGroup25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update
        – UserRole25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

      User Provisioning - Algorithm for In/Out

      1. Delete or Disable Trisoft User Profiles
         1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
         2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
            1. If none exists, delete the Trisoft user profile if not referenced, otherwise disable the Trisoft user profile
            2. If one or more exists, check if disabled; possibly disable the Trisoft user profile
      2. Create or Update Trisoft User Profiles…
         1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
         2. For every user in the external-user-list, find the Trisoft User Profile by FISHEXTERNALID
            1. If multiple hits, throw exception, as multiple profile hits will never grant a login
            2. If none exists, create the user profile with required roles and user groups
            3. If one exists, enable, skip or possibly update the user profile

      Beware that update could overwrite explicitly set values
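The two passes above, written out as an added Python example (not SDL's code and not the User25 web service): profiles and the external directory are in-memory structures with constructed sample data. Apart from FISHEXTERNALID, FISHUSERTYPE and FISHUSERDISABLED, every name is an assumption, including the `resolve_login` helper that shows why a duplicate mapping never grants a login.

```python
"""Two-pass sync of Trisoft user profiles against an external directory.

Added illustration: both stores are in-memory, not the User25 web service.
Only FISHEXTERNALID, FISHUSERTYPE and FISHUSERDISABLED come from the slides;
all other names and the sample data are constructed.
"""


class AmbiguousProfileError(Exception):
    """Several Trisoft profiles share one FISHEXTERNALID."""


def find_profiles(profiles, external_id):
    return [p for p in profiles if p["FISHEXTERNALID"] == external_id]


def deprovision(profiles, directory, referenced):
    """Pass 1: delete or disable profiles whose external account is gone or disabled.

    directory maps external id -> {"login": str, "disabled": bool}.
    referenced holds profile names still used in workflow or assignments.
    """
    actions = []
    active = [p for p in profiles
              if p["FISHUSERTYPE"] == "External" and p["FISHUSERDISABLED"] == "No"]
    for profile in active:
        account = directory.get(profile["FISHEXTERNALID"])
        if account is None and profile["name"] not in referenced:
            profiles.remove(profile)
            actions.append(("delete", profile["name"]))
        elif account is None or account["disabled"]:
            profile["FISHUSERDISABLED"] = "Yes"
            actions.append(("disable", profile["name"]))
    return actions


def provision(profiles, directory, default_roles):
    """Pass 2: create or re-enable a profile for every required external user."""
    required = {eid: acc for eid, acc in directory.items() if not acc["disabled"]}
    # Check every mapping before writing anything, so a duplicate aborts the
    # run instead of leaving it half applied.
    duplicates = sorted(eid for eid in required if len(find_profiles(profiles, eid)) > 1)
    if duplicates:
        raise AmbiguousProfileError(", ".join(duplicates))
    actions = []
    for eid in sorted(required):
        hits = find_profiles(profiles, eid)
        if not hits:
            profiles.append({"name": required[eid]["login"], "FISHEXTERNALID": eid,
                             "FISHUSERTYPE": "External", "FISHUSERDISABLED": "No",
                             "roles": list(default_roles)})
            actions.append(("create", required[eid]["login"]))
        elif hits[0]["FISHUSERDISABLED"] == "Yes":
            hits[0]["FISHUSERDISABLED"] = "No"
            actions.append(("enable", hits[0]["name"]))
        # An enabled single hit is skipped: updating here could overwrite
        # roles that were set explicitly in Trisoft.
    return actions


def resolve_login(profiles, external_id):
    """Map an authenticated external id to exactly one enabled profile, else None."""
    hits = find_profiles(profiles, external_id)
    if len(hits) != 1 or hits[0]["FISHUSERDISABLED"] == "Yes":
        return None
    return hits[0]


def sample_profiles():
    """Constructed sample profiles."""
    def profile(name, eid, disabled="No", kind="External"):
        return {"name": name, "FISHEXTERNALID": eid, "FISHUSERTYPE": kind,
                "FISHUSERDISABLED": disabled, "roles": ["Author"]}
    return [profile("alice", "ext-alice"), profile("bob", "ext-bob"),
            profile("carol", "ext-carol"), profile("dave", "ext-dave", disabled="Yes"),
            profile("admin", "", kind="Internal")]


# Constructed sample directory: bob and carol have left, frank is disabled.
SAMPLE_DIRECTORY = {
    "ext-alice": {"login": "alice", "disabled": False},
    "ext-dave": {"login": "dave", "disabled": False},
    "ext-erin": {"login": "erin", "disabled": False},
    "ext-frank": {"login": "frank", "disabled": True},
}


def run_sync():
    profiles = sample_profiles()
    removed = deprovision(profiles, SAMPLE_DIRECTORY, referenced={"bob"})
    added = provision(profiles, SAMPLE_DIRECTORY, default_roles=["Author"])
    return profiles, removed, added


if __name__ == "__main__":
    final, removed, added = run_sync()
    print(removed, added, sorted(p["name"] for p in final))
```

Running pass 1 before pass 2 means a leaver's profile is disabled or deleted even when the create step later aborts on a duplicate FISHEXTERNALID.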

      What we also did

      • Multi Browser support
        – IE8 and IE9
        – FF-latest
        – Chrome-latest
      • Third Party Software
        – AntennaHouse XSL Formatter 6.0
        – SQLServer 2008 SP3
        – SQLServer 2008R2 SP2

      What we also did

      • AuthoringBridge SDK
        – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of XML editors (current list: XM 5.5/6.0, AE 5.3/5.4, FM 9/10)

      [Diagram: SDL Trisoft Authoring Bridge. Labels: Database; Server or Remote Machine; Application Server; Client; Access through Web Services; SDL Trisoft Foundation; Arbortext Editor, XMetaL, FrameMaker; FrameMaker Connector; Arbortext Editor Connector; XMetaL Connector; 3rd Party Application; 3rd Party Connector]

      What we also did

      • Batch Metadata/Workflow operations in the client tools
        – Simply automation of manual actions
      • Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of Firefox)

      Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified, and may not be copied, used or distributed except as authorised by SDL.

      • SDL Trisoft Tech Deck Technology, Web Services and Q&A
      • Agenda
      • SDL Integrations Product Stack
      • SDL Integrations Product Stack - WorldServer
      • Security - Real World Scenario
      • Current Software Paradigm
      • Centralized IT Paradigm
      • Current situation
      • Security Token Service (STS)
      • Basic Flow Overview
      • Claims - Profiles
      • Claims – Demo
      • Claims - Brands & Backward Compatibility
      • Claims – Trisoft InstallTool Parameters
      • STS - STS Auth & Trisoft Authz
      • Claims – Account Creation
      • Claims – Database Upgrade Tool - Screenshot
      • Central Auth and Trisoft Authz
      • Web Services – ASMX and SVC
      • Web Services - API 2.5 – Some ground rules
      • Web Services - API 2.5 – Who are you
      • Web Services - New in SDL Trisoft 2013 (10.0)
      • Web Services - New in SDL Trisoft 2013 (10.0)
      • Web Services - New in SDL Trisoft 2013 (10.0)
      • User Provisioning – Available since 2011 R2 (9.2)
      • User Provisioning - Functions
      • User Provisioning - Algorithm for In/Out
      • What we also did
      • What we also did
      • What we also did
      • Slide Number 32

        SDL Trisoft connects with SDL WorldServer

        bull TranslationBuilder services (automation of PushTranslations) ndash Can be used by anyone

        bull TranslationOrganizer ndash Talks to WorldServer

        SDL Integrations Product Stack - WorldServer

        4

        1 You need resources so off to the supermarket to buy some good beer eg

        2 The policy of the supermarket is not to sell to minors hence the photo id required

        3 Your token is

        4 Your token was issued before by the state a trusted identity provider 5 After verification of your age claim

        part of your token you are authorized to buy beer

        Security - Real World Scenario

        User

        bull Credentials bull Credentials bull Credentials bull Credentials bull hellip bull Credentials

        Current Software Paradigm

        7

        bull Issuer bull Service

        Application

        Many

        Real life only fewhellip

        Passport Driverrsquos License

        Too Many

        bull Issuer bull Service

        Application

        bull Issuer bull Service

        Application

        bull Issuer bull Service

        Application

        helliphellip

        Trusted Subsystem

        User

        bull Credentials bull hellip bull Credentials

        Centralized IT Paradigm

        8

        Security Service

        bull Authenticate bull User Provisioning

        TRUST

        Centralized

        bull Issuer bull Service

        Application

        bull Issuer bull Service

        Application

        bull Issuer bull Service

        Application

        Many

        helliphellip

        bull Identity Providers (IP) ndash Windows Active Directory

        ndash Open LDAP

        ndash Custom

        bull Why are they not suitable ndash Mostly only identity providers This means that every application must handle

        the authentication logic against them so all kind or proprietary implementations exist

        ndash Proprietary and not cross platform

        ndash Active Directory is the closest to what we are looking for but it is for the Windows Eco System only Additionally is uses a proprietary protocol (Kerberos) So not suitable

        Current situation

        9

        bull It is a front end for one or many Identity Provides

        bull ldquoTalksrdquo widely accepted protocols like

        ndash WS Federation

        ndash SAML-P

        ndash WS Trust 13

        bull ldquoDeliversrdquo security tokens in widely accepted formats like

        ndash SAML11

        ndash SAML20 (Relatively new)

        Security Token Service (STS)

        10

        STS

        Exchange Query

        bull What is a claim

        ndash An assertion A value for a specific claim type (First name Age Address hellip)

        bull What is a token

        ndash Exactly as our national identity card

        ndash A set of claims

        ndash Signed with a certificate that proves the issuerrsquos identity (STS)

        ndash Validity period

        IP

        Active

        Passive

        Supported

        Basic Flow Overview

        11

        Client

        STS IP

        1 Authenticate

        2 Get Token

        3 Submit Token

        TRUST

        bull Passive Profile ndash Client is a browser

        ndash Browser is ldquostupidrdquo Just follows instructions

        bull Active Profile ndash Client is a ldquoIn Process Applicationrdquo (exe)

        ndash Client is ldquosmartrdquo Pre-rdquoConfiguredrdquo with instructions

        ndash Web Services

        Claims - Profiles

        12

        ClientUser

        ClientUser

        bull Browser ndash Web SSO based on Trisoft Users (InfoShareSTS)

        ndash Logged on on LiveContent and Trisoft

        bull Client Tools ndash Well actually you see no differencehellip

        Claims ndash Demo

        13

        Wersquove tested with but any brand respecting the standard can be configured bull Microsoft Active Directory Federated Services v2 (ADFSv2)

        ndash When you have a Windows domain

        ndash Free extension ndash Replaces the 2011R2 introduced lsquodirectrsquo Windows Authentication ndash Simplified setup through PowerShell script

        bull SDL Trisoft lsquoInfoShareSTSrsquo

        ndash Externalizes Trisoft Authentication based on the Trisoft User Repository

        ndash Backward compatible option but respecting the Claims setup and SSO ndash Solution where Trisoft stores passwords with limited password rules ndash Deprecated by nature as externalizing security will happen more and more

        ndash Out of the box preconfigured

        Claims - Brands amp Backward Compatibility

        14

        bull Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

        bull New Parameters in the inputparametersxml file required for installation ndash Infosharestswebappname ndash servicecertificatesubjectname ndash basehostname ndash servicecertificatevalidationmode ndash issuercertificatethumbprint ndash issuercertificatevalidationmode ndash issueractorusername ndash issueractorpassword ndash issuerwstrustendpointurl ndash issuerwsfederationendpointurl ndash serviceusername ndash servicepassword

        Claims ndash Trisoft InstallTool Parameters

        15

        http(s) SOAP

        http(s) SOAP

        http(s) SOAP

        http(s)

        Web App InfoShareWS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

        Web App InfoShareAuthor Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

        STS - STS Auth amp Trisoft Authz

        Host oracleexe -or- sqlservrexe Identity NA

        Host iexploreexe Identity DOMAINuser

        Host PublicationManagerexe -or- xmetalexe Identity DOMAINuser

        Trisoft Foundation

        Trisoft API25 API20 API10

        Tris

        oft

        Clie

        nt T

        ools

        Tris

        oft

        Info

        Sha

        reW

        eb

        Tris

        oft

        Xop

        us

        Bro

        wse

        r

        Mic

        roso

        ft I

        IS

        Host AD

        Identity NA

        Mic

        roso

        ft I

        IS

        Trisoft Foundation

        Trisoft API25 for PubOutput Streaming

        Web App InfoShareSTS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

        Trisoft API25

        Mic

        roso

        ft I

        IS

        Browser

        ADFSv2

        bull Reduced Client Tools account creation complexity by a configuration file living in the lsquoInfoSharWSrsquo virtual directory ndash eg httpsInfoShareWSconnectionconfigurationxml

        bull Only thing to provide is the web services location

        Claims ndash Account Creation

        17

        Claims ndash Database Upgrade Tool - Screenshot

        18

        bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

        bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

        ndash Authorization user roles and access to user groups

        ndash Application Data User language Favorites e-mail user name id

        bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

        bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

        bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

        ndash Referencing in workflow and assignments

        ndash Populating user lists based on Trisoft user roles

        Central Auth and Trisoft Authz

        19

        bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

        ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

        bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

        ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

        bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

        Web Services ndash ASMX and SVC

        20

        bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

        ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

        bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

        ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

        bull First checks the input if unexpectedwrong it will throw immediately

        bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

        Web Services - API25 ndash Some ground rules

        Function name Description

        SetMetadata Current function

        SetMetadata2 New function to support multiple write access

        SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

        bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

        bull Contextual information comes in through ndash For ASMX Web Services

        bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

        bull Deprecated because of technology

        bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

        ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

        OASIS standard using OASIS SAML tokens

        bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

        bull Supports any Authentication type because it is an externalized service (STS)

        Web Services - API25 ndash Who are you

        bull First of all we provided all these new classes in ASMX and SVC flavor for now

        bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

        bull holding the SDL LiveContent Reach and WorldServer location

        ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

        bull Introducing versioned schema validation

        ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

        Web Services - New in SDL Trisoft 2013 (100)

        bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

        ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

        Web Services - New in SDL Trisoft 2013 (100)

        bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

        bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

        ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

        bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

        assign publications or content objects you would want to get translated

        ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

        Web Services - New in SDL Trisoft 2013 (100)

        User Provisioning ndash Available since 2011 R2 (92)

        bull Introducing the following API functions

        User Provisioning - Functions

        User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

        UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

        UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

        1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

        FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

1. You need resources, so off to the supermarket to buy some good beer, e.g.

2. The policy of the supermarket is not to sell to minors, hence the photo ID required.

3. Your token is

4. Your token was issued before by the state, a trusted identity provider.

5. After verification of your age claim, part of your token, you are authorized to buy beer.

Security - Real World Scenario

Current Software Paradigm

[Diagram: one User holding many Credentials; Many Applications, each with its own Issuer and Service ("Too Many"). Real life: only few… (Passport, Driver's License).]

Centralized IT Paradigm

[Diagram: Trusted Subsystem. A User with Credentials; a Centralized Security Service (Authenticate, User Provisioning); Many Applications (Issuer, Service); TRUST.]

• Identity Providers (IP)
  – Windows Active Directory
  – Open LDAP
  – Custom

• Why are they not suitable?
  – Mostly only identity providers. This means that every application must handle the authentication logic against them, so all kinds of proprietary implementations exist
  – Proprietary and not cross-platform
  – Active Directory is the closest to what we are looking for, but it is for the Windows ecosystem only. Additionally, it uses a proprietary protocol (Kerberos). So not suitable

Current situation

• It is a front end for one or many Identity Providers

• "Talks" widely accepted protocols like
  – WS-Federation
  – SAML-P
  – WS-Trust 1.3

• "Delivers" security tokens in widely accepted formats like
  – SAML 1.1
  – SAML 2.0 (relatively new)

Security Token Service (STS)

[Diagram labels: STS, Exchange, Query]

• What is a claim?
  – An assertion: a value for a specific claim type (first name, age, address, …)

• What is a token?
  – Exactly as our national identity card
  – A set of claims
  – Signed with a certificate that proves the issuer's identity (STS)
  – Validity period

Basic Flow Overview

[Diagram: Client, STS and IP, with TRUST. Steps: 1. Authenticate, 2. Get Token, 3. Submit Token. Other labels: Active, Passive, Supported.]

• Passive Profile
  – Client is a browser
  – Browser is "stupid". Just follows instructions

• Active Profile
  – Client is an "In Process Application" (exe)
  – Client is "smart". Pre-"configured" with instructions
  – Web Services

Claims - Profiles

• Browser
  – Web SSO based on Trisoft Users (InfoShareSTS)
  – Logged on on LiveContent and Trisoft

• Client Tools
  – Well, actually you see no difference…

Claims – Demo

We've tested with, but any brand respecting the standard can be configured:

• Microsoft Active Directory Federated Services v2 (ADFSv2)
  – When you have a Windows domain
  – Free extension
  – Replaces the 2011R2 introduced 'direct' Windows Authentication
  – Simplified setup through PowerShell script

• SDL Trisoft 'InfoShareSTS'
  – Externalizes Trisoft Authentication based on the Trisoft User Repository
  – Backward compatible option, but respecting the Claims setup and SSO
  – Solution where Trisoft stores passwords with limited password rules
  – Deprecated by nature, as externalizing security will happen more and more
  – Out of the box preconfigured

Claims - Brands & Backward Compatibility

• Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

• New parameters in the inputparameters.xml file required for installation
  – Infosharestswebappname
  – servicecertificatesubjectname
  – basehostname
  – servicecertificatevalidationmode
  – issuercertificatethumbprint
  – issuercertificatevalidationmode
  – issueractorusername
  – issueractorpassword
  – issuerwstrustendpointurl
  – issuerwsfederationendpointurl
  – serviceusername
  – servicepassword

Claims – Trisoft InstallTool Parameters

STS - STS Auth & Trisoft Authz

[Architecture diagram; recoverable labels:
  – Browser: host iexplore.exe, identity DOMAIN\user
  – Trisoft Client Tools: host PublicationManager.exe -or- xmetal.exe, identity DOMAIN\user
  – Microsoft IIS: Web App InfoShareWS, Web App InfoShareAuthor (Trisoft InfoShareWeb, Trisoft Xopus) and Web App InfoShareSTS, each with host IIS AppPool (dllhost.exe), identity DOMAIN\InfoShareSvc
  – Trisoft Foundation: Trisoft API25, API20, API10; Trisoft API25 for PubOutput Streaming
  – Database: host oracle.exe -or- sqlservr.exe, identity N/A
  – Host AD, identity N/A; ADFSv2
  – Connections: http(s) SOAP, http(s)]

• Reduced Client Tools account creation complexity by a configuration file living in the 'InfoShareWS' virtual directory
  – e.g. httpsInfoShareWSconnectionconfigurationxml

• Only thing to provide is the web services location

Claims – Account Creation

Claims – Database Upgrade Tool - Screenshot

• When activating external authentication, you have to have at least one correctly configured FISHEXTERNALID field. DBUT solves this problem

• A Trisoft User has 3 kinds of metadata
  – Authentication: user name and password
  – Authorization: user roles and access to user groups
  – Application Data: user language, favorites, e-mail, user name, id

• In Trisoft 2013 (10.0), authentication happens through a central/3rd party Secure Token Service (STS) system

• Once authenticated as an external user, Trisoft will map it to a Trisoft user profile for authorization and application data

• The Trisoft User Profile is required for
  – Granting it user roles and access to user groups
  – Referencing in workflow and assignments
  – Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

• ASMX-based web services like httpInfoShareWSApplicationASMX
  – Since 2003
  – First parameter in every function is always 'AuthenticationContext', so the Trisoft way of authentication

• Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC
  – Support for claims-based authentication
  – Replaces ASMX Web Services, so marking them as deprecated
    • Deprecated here means supported as long as the cost of maintenance is reasonable

• Goal is to step away from Trisoft Authentication (Trisoft Username/Password combinations)

Web Services – ASMX and SVC

• All API calls labelled 25 are 100% .NET full stack; they are visible in web services like DocumentObj25, OutputFormat25
  – API 25 means a certain set of behavior
  – Technology-wise, mapping of ASMX, SVC, .NET and COM+ interfaces is one-on-one, besides technical limitations (e.g. function overloading, parameter types)

• Exceptions
  – Internally uses the TrisoftException or per-assembly derived variations
  – Throws InfoShareExceptions wrapped in the 'InfoShareWS' to SoapException

• First checks the input; if unexpected/wrong, it will throw immediately

• Results are never sorted unless explicitly indicated through a sequence field. The client should always sort

Web Services - API25 – Some ground rules

| Function name | Description |
| SetMetadata | Current function |
| SetMetadata2 | New function to support multiple write access |
| SetMetadata3 | New function to support multiple write access and an extra parameter "requiredCurrentMetadata" to force the current metadata to match an expected value |

• Incoming user contextual information will be decrypted into a UserContext object, which in turn will always be validated for correctness in the database (rights, disabled, roles)

• Contextual information comes in through
  – For ASMX Web Services
    • Every class constructor requires an AuthenticationContext, so only works for 'Trisoft Internal' users
    • Deprecated because of technology
    • Stopped support for 'direct' Windows/LDAP Authentication in favor of an STS solution
  – For SVC Web Services
    • No AuthenticationContext parameter, as it is on-the-wire as part of the WS-Trust OASIS standard using OASIS SAML tokens
    • The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPrincipal object
    • Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 – Who are you?

• First of all, we provided all these new classes in ASMX and SVC flavor for now

• Settings25 allowing access to Set and Get
  – Settings > Default Settings
    • holding the SDL LiveContent Reach and WorldServer location
  – All Settings Configuration Xmls like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
    • Note that 'Xml Tags' is gone
    • Introducing versioned schema validation
  – Function GetPossibleTargetStatuses helps in filling allowed 'next values' for workflow dialogs

Web Services - New in SDL Trisoft 2013 (10.0)

• ListOfValues25 allowing access to manage the allowed/permitted values of a select List of Value (LOV)
  – Useful for automated integrations/input
  – Note: adding the List of Value itself (e.g. 'ImageType') still requires the setup utilities. This API class allows you to add values (e.g. 'Diagram' and 'Graphic' into 'ImageType')

Web Services - New in SDL Trisoft 2013 (10.0)

• The following API functions allow our new 'TranslationOrganizer' service to work

• TranslationTemplate25
  – Allows management of cached translation template in Trisoft
  – A 'configuration' identifier to tell the Translation Management System which setup to use (e.g. WorldServer workflow, cost code)

• TranslationJob25
  – Allows typical CRUD of the new TranslationJob containers, where you can assign publications or content objects you would want to get translated
  – TranslationJob object drives the 'TranslationBuilder' and 'TranslationOrganizer' Windows services

Web Services - New in SDL Trisoft 2013 (10.0)

User Provisioning – Available since 2011 R2 (9.2)

• Introducing the following API functions

User Provisioning - Functions

User25: ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update

UserGroup25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

UserRole25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

1. Delete or Disable Trisoft User Profiles
   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
      1. If none exists, delete the Trisoft user profile if not referenced, otherwise disable the Trisoft user profile
      2. If one or more exists, check if disabled, possibly disable the Trisoft user profile

2. Create or Update Trisoft User Profiles…
   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
   2. For every user in the external-user-list, find the Trisoft User Profile by FISHEXTERNALID
      1. If multiple hits, throw exception, as multiple profile hits will never grant a login
      2. If none exists, create the user profile with required roles and user groups
      3. If one exists, enable, skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for In/Out
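The two passes above, written as a dry-run planner over an in-memory model. This is an added example, not SDL's code and not the User25 API: the classes, function names and sample data are assumptions, and only the field names FISHEXTERNALID, FISHUSERTYPE and FISHUSERDISABLED come from the slide. An existing enabled profile is skipped rather than updated, so explicitly set values are not overwritten.

```python
from dataclasses import dataclass, field


class AmbiguousProfileError(Exception):
    """Several profiles share one FISHEXTERNALID, so no login can be granted."""


@dataclass
class Profile:
    # Hypothetical in-memory shape; the comments name the slide's fields.
    name: str
    external_id: str               # FISHEXTERNALID
    user_type: str = "External"    # FISHUSERTYPE
    disabled: bool = False         # FISHUSERDISABLED (Yes/No)
    referenced: bool = False       # used in workflow or assignments
    roles: set = field(default_factory=set)


@dataclass
class ExternalUser:
    external_id: str
    disabled: bool = False


def plan_out(profiles, directory):
    """Pass 1: delete or disable profiles whose external identity is gone."""
    ext = {}
    for user in directory:
        ext.setdefault(user.external_id, []).append(user)
    actions = []
    for p in profiles:
        # Only profiles with FISHUSERTYPE = External and FISHUSERDISABLED = No.
        if p.user_type != "External" or p.disabled:
            continue
        hits = ext.get(p.external_id, [])
        if not hits:
            # Referenced profiles cannot be deleted, so they are disabled.
            actions.append(("disable" if p.referenced else "delete", p.name))
        elif all(u.disabled for u in hits):
            # Assumption: disable only when every matching account is disabled.
            actions.append(("disable", p.name))
    return actions


def plan_in(profiles, required, default_roles):
    """Pass 2: create, enable or skip a profile for every required user."""
    by_id = {}
    for p in profiles:
        by_id.setdefault(p.external_id, []).append(p)
    actions = []
    for user in required:
        hits = by_id.get(user.external_id, [])
        if len(hits) > 1:
            names = ", ".join(p.name for p in hits)
            raise AmbiguousProfileError(f"{user.external_id}: {names}")
        if not hits:
            roles = tuple(sorted(default_roles))
            actions.append(("create", user.external_id, roles))
        elif hits[0].disabled:
            actions.append(("enable", hits[0].name))
        else:
            # Skip instead of update: manually granted roles stay untouched.
            actions.append(("skip", hits[0].name))
    return actions


# Constructed sample data, not taken from any real installation.
PROFILES = [
    Profile("alice", "S-alice", roles={"Author", "Administrator"}),
    Profile("bob", "S-bob", referenced=True),
    Profile("carol", "S-carol"),
    Profile("dave", "S-dave", disabled=True),
    Profile("frank", "S-frank"),
    Profile("admin", "", user_type="Internal"),
]
DIRECTORY = [
    ExternalUser("S-alice"),
    ExternalUser("S-dave"),
    ExternalUser("S-erin"),
    ExternalUser("S-frank", disabled=True),
]

if __name__ == "__main__":
    required = [u for u in DIRECTORY if not u.disabled]
    for action in plan_out(PROFILES, DIRECTORY):
        print("out:", action)
    for action in plan_in(PROFILES, required, {"Author"}):
        print("in: ", action)
```

Reviewing the returned plan before applying it keeps deletions and role grants visible to an administrator.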

• Multi Browser support
  – IE8 and IE9
  – FF-latest
  – Chrome-latest

• Third Party Software
  – AntennaHouse XSL Formatter 6.0
  – SQLServer 2008 SP3
  – SQLServer 2008R2 SP2

What we also did

• AuthoringBridge SDK
  – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

What we also did

[Diagram: SDL Trisoft Authoring Bridge. Client: Arbortext Editor, XMetaL, FrameMaker and 3rd Party Application, each with its connector (Arbortext Editor Connector, XMetaL Connector, FrameMaker Connector, 3rd Party Connector). Access through Web Services to the Application Server (SDL Trisoft Foundation) and the Database, on a Server or Remote Machine.]

• Batch Metadata/Workflow operations in the client tools
  – Simply automation of manual actions

• Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of Firefox)

What we also did

Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified, and may not be copied, used or distributed except as authorised by SDL.

          • SDL Trisoft Tech DeckTechnology Web Services and QampA
          • Agenda
          • SDL Integrations Product Stack
          • SDL Integrations Product Stack - WorldServer
          • Security - Real World Scenario
          • Current Software Paradigm
          • Centralized IT Paradigm
          • Current situation
          • Security Token Service (STS)
          • Basic Flow Overview
          • Claims - Profiles
          • Claims ndash Demo
          • Claims - Brands amp Backward Compatibility
          • Claims ndash Trisoft InstallTool Parameters
          • STS - STS Auth amp Trisoft Authz
          • Claims ndash Account Creation
          • Claims ndash Database Upgrade Tool - Screenshot
          • Central Auth and Trisoft Authz
          • Web Services ndash ASMX and SVC
          • Web Services - API25 ndash Some ground rules
          • Web Services - API25 ndash Who are you
          • Web Services - New in SDL Trisoft 2013 (100)
          • Web Services - New in SDL Trisoft 2013 (100)
          • Web Services - New in SDL Trisoft 2013 (100)
          • User Provisioning ndash Available since 2011 R2 (92)
          • User Provisioning - Functions
          • User Provisioning - Algorithm for InOut
          • What we also did
          • What we also did
          • What we also did
          • Slide Number 32

            User

            bull Credentials bull Credentials bull Credentials bull Credentials bull hellip bull Credentials

            Current Software Paradigm

            7

            bull Issuer bull Service

            Application

            Many

            Real life only fewhellip

            Passport Driverrsquos License

            Too Many

            bull Issuer bull Service

            Application

            bull Issuer bull Service

            Application

            bull Issuer bull Service

            Application

            helliphellip

            Trusted Subsystem

            User

            bull Credentials bull hellip bull Credentials

            Centralized IT Paradigm

            8

            Security Service

            bull Authenticate bull User Provisioning

            TRUST

            Centralized

            bull Issuer bull Service

            Application

            bull Issuer bull Service

            Application

            bull Issuer bull Service

            Application

            Many

            helliphellip

            bull Identity Providers (IP) ndash Windows Active Directory

            ndash Open LDAP

            ndash Custom

            bull Why are they not suitable ndash Mostly only identity providers This means that every application must handle

            the authentication logic against them so all kind or proprietary implementations exist

            ndash Proprietary and not cross platform

            ndash Active Directory is the closest to what we are looking for but it is for the Windows Eco System only Additionally is uses a proprietary protocol (Kerberos) So not suitable

            Current situation

            9

            bull It is a front end for one or many Identity Provides

            bull ldquoTalksrdquo widely accepted protocols like

            ndash WS Federation

            ndash SAML-P

            ndash WS Trust 13

            bull ldquoDeliversrdquo security tokens in widely accepted formats like

            ndash SAML11

            ndash SAML20 (Relatively new)

            Security Token Service (STS)

            10

            STS

            Exchange Query

            bull What is a claim

            ndash An assertion A value for a specific claim type (First name Age Address hellip)

            bull What is a token

            ndash Exactly as our national identity card

            ndash A set of claims

            ndash Signed with a certificate that proves the issuerrsquos identity (STS)

            ndash Validity period

            IP

            Active

            Passive

            Supported

            Basic Flow Overview

            11

            Client

            STS IP

            1 Authenticate

            2 Get Token

            3 Submit Token

            TRUST

            bull Passive Profile ndash Client is a browser

            ndash Browser is ldquostupidrdquo Just follows instructions

            bull Active Profile ndash Client is a ldquoIn Process Applicationrdquo (exe)

            ndash Client is ldquosmartrdquo Pre-rdquoConfiguredrdquo with instructions

            ndash Web Services

            Claims - Profiles

            12

            ClientUser

            ClientUser

            bull Browser ndash Web SSO based on Trisoft Users (InfoShareSTS)

            ndash Logged on on LiveContent and Trisoft

            bull Client Tools ndash Well actually you see no differencehellip

            Claims ndash Demo

            13

            Wersquove tested with but any brand respecting the standard can be configured bull Microsoft Active Directory Federated Services v2 (ADFSv2)

            ndash When you have a Windows domain

            ndash Free extension ndash Replaces the 2011R2 introduced lsquodirectrsquo Windows Authentication ndash Simplified setup through PowerShell script

            bull SDL Trisoft lsquoInfoShareSTSrsquo

            ndash Externalizes Trisoft Authentication based on the Trisoft User Repository

            ndash Backward compatible option but respecting the Claims setup and SSO ndash Solution where Trisoft stores passwords with limited password rules ndash Deprecated by nature as externalizing security will happen more and more

            ndash Out of the box preconfigured

            Claims - Brands amp Backward Compatibility

            14

            bull Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

            bull New Parameters in the inputparametersxml file required for installation ndash Infosharestswebappname ndash servicecertificatesubjectname ndash basehostname ndash servicecertificatevalidationmode ndash issuercertificatethumbprint ndash issuercertificatevalidationmode ndash issueractorusername ndash issueractorpassword ndash issuerwstrustendpointurl ndash issuerwsfederationendpointurl ndash serviceusername ndash servicepassword

            Claims ndash Trisoft InstallTool Parameters

            15

            http(s) SOAP

            http(s) SOAP

            http(s) SOAP

            http(s)

            Web App InfoShareWS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

            Web App InfoShareAuthor Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

            STS - STS Auth amp Trisoft Authz

            Host oracleexe -or- sqlservrexe Identity NA

            Host iexploreexe Identity DOMAINuser

            Host PublicationManagerexe -or- xmetalexe Identity DOMAINuser

            Trisoft Foundation

            Trisoft API25 API20 API10

            Tris

            oft

            Clie

            nt T

            ools

            Tris

            oft

            Info

            Sha

            reW

            eb

            Tris

            oft

            Xop

            us

            Bro

            wse

            r

            Mic

            roso

            ft I

            IS

            Host AD

            Identity NA

            Mic

            roso

            ft I

            IS

            Trisoft Foundation

            Trisoft API25 for PubOutput Streaming

            Web App InfoShareSTS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

            Trisoft API25

            Mic

            roso

            ft I

            IS

            Browser

            ADFSv2

            bull Reduced Client Tools account creation complexity by a configuration file living in the lsquoInfoSharWSrsquo virtual directory ndash eg httpsInfoShareWSconnectionconfigurationxml

            bull Only thing to provide is the web services location

            Claims ndash Account Creation

            17

            Claims ndash Database Upgrade Tool - Screenshot

            18

            bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

            bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

            ndash Authorization user roles and access to user groups

            ndash Application Data User language Favorites e-mail user name id

            bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

            bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

            bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

            ndash Referencing in workflow and assignments

            ndash Populating user lists based on Trisoft user roles

            Central Auth and Trisoft Authz

            19

            bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

            ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

            bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

            ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

            bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

            Web Services ndash ASMX and SVC

            20

            bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

            ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

            bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

            ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

            bull First checks the input if unexpectedwrong it will throw immediately

            bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

            Web Services - API25 ndash Some ground rules

            Function name Description

            SetMetadata Current function

            SetMetadata2 New function to support multiple write access

            SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

            bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

            bull Contextual information comes in through ndash For ASMX Web Services

            bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

            bull Deprecated because of technology

            bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

            ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

            OASIS standard using OASIS SAML tokens

            bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

            bull Supports any Authentication type because it is an externalized service (STS)

            Web Services - API25 ndash Who are you

            bull First of all we provided all these new classes in ASMX and SVC flavor for now

            bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

            bull holding the SDL LiveContent Reach and WorldServer location

            ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

            bull Introducing versioned schema validation

            ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

            Web Services - New in SDL Trisoft 2013 (100)

            bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

            ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

            Web Services - New in SDL Trisoft 2013 (100)

            bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

            bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

            ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

            bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

            assign publications or content objects you would want to get translated

            ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

            Web Services - New in SDL Trisoft 2013 (100)

            User Provisioning ndash Available since 2011 R2 (92)

            bull Introducing the following API functions

            User Provisioning - Functions

            User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

            UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

            UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

1. Delete or Disable Trisoft User Profiles
   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
      1. If none exists, delete the Trisoft user profile if not referenced, otherwise disable the Trisoft user profile
      2. If one or more exists, check if disabled; possibly disable the Trisoft user profile

2. Create or Update Trisoft User Profiles…
   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
   2. For every user in the external-user-list, find the Trisoft User Profile by FISHEXTERNALID
      1. If multiple hits, throw exception, as multiple profile hits will never grant a login
      2. If none exists, create the user profile with required roles and user groups
      3. If one exists, enable, skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for In/Out
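The two-pass provisioning algorithm above, as an added Python example that is not part of the original deck or of the Trisoft API: it works on in-memory records and returns a plan of actions instead of calling User25. The `Profile` and `ExternalUser` classes, the function names, the reading of "check if disabled" and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field


class DuplicateProfileError(Exception):
    """Several profiles share one FISHEXTERNALID; such a user can never log in."""


@dataclass
class Profile:                      # hypothetical model of a Trisoft user profile
    name: str
    external_id: str                # FISHEXTERNALID ("" for internal users)
    user_type: str = "External"     # FISHUSERTYPE
    disabled: bool = False          # FISHUSERDISABLED
    referenced: bool = False        # still used in workflow or assignments
    roles: set = field(default_factory=set)


@dataclass
class ExternalUser:                 # hypothetical record from e.g. an LDAP query
    external_id: str
    disabled: bool = False


def _index(items):
    """Group records by external id, ignoring records without one."""
    grouped = {}
    for item in items:
        if item.external_id:
            grouped.setdefault(item.external_id, []).append(item)
    return grouped


def plan_removals(profiles, external_users):
    """Step 1: delete or disable profiles whose external user is gone or disabled."""
    external = _index(external_users)
    plan = []
    for p in profiles:
        if p.user_type != "External" or p.disabled:
            continue                            # step 1.1 filter
        matches = external.get(p.external_id, [])
        if not matches:
            # Referenced profiles are disabled, not deleted, so references stay valid.
            plan.append(("disable" if p.referenced else "delete", p.name))
        elif all(u.disabled for u in matches):
            # Assumption: "check if disabled" means every matching user is disabled.
            plan.append(("disable", p.name))
    return plan


def plan_upserts(profiles, required_users, required_roles, allow_update=False):
    """Step 2: create, enable, skip or update one profile per required user."""
    by_external_id = _index(profiles)
    plan = []
    for u in required_users:
        hits = by_external_id.get(u.external_id, [])
        if len(hits) > 1:
            names = ", ".join(sorted(p.name for p in hits))
            raise DuplicateProfileError(f"{u.external_id}: {names}")
        if not hits:
            plan.append(("create", u.external_id))
        elif hits[0].disabled:
            plan.append(("enable", hits[0].name))
        elif allow_update and required_roles - hits[0].roles:
            # Update only when roles are missing; replacing the whole set
            # would overwrite values an administrator set explicitly.
            plan.append(("update", hits[0].name))
        else:
            plan.append(("skip", hits[0].name))
    return plan


def sample_profiles():
    """Constructed sample data."""
    return [
        Profile("alice", "ext-alice", roles={"Author"}),
        Profile("bob", "ext-bob", referenced=True),
        Profile("carol", "ext-carol"),
        Profile("dave", "ext-dave", disabled=True),
        Profile("erin", "ext-erin"),
        Profile("admin", "", user_type="Internal"),
    ]


def sample_external_users():
    """Constructed sample data."""
    return [
        ExternalUser("ext-alice"),
        ExternalUser("ext-dave"),
        ExternalUser("ext-erin", disabled=True),
        ExternalUser("ext-frank"),
    ]


if __name__ == "__main__":
    users = sample_external_users()
    print(plan_removals(sample_profiles(), users))
    print(plan_upserts(sample_profiles(), [u for u in users if not u.disabled], {"Author"}))
```

Running the removal pass before the create/update pass means an account that left the external directory loses access in the same run that onboards new users.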

• Multi Browser support
– IE8 and IE9

– FF-latest

– Chrome-latest

• Third Party Software
– AntennaHouse XSL Formatter 60

– SQLServer 2008 SP3

– SQLServer 2008R2 SP2

What we also did

• AuthoringBridge SDK
– Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of XML editors (current list: XM5560 AE5354 FM910)

What we also did

[Diagram: SDL Trisoft Authoring Bridge. Labels: Database; Server or Remote Machine; Application Server; Client; Access through Web Services; SDL Trisoft Foundation; Arbortext Editor, XMetaL, FrameMaker; FrameMaker Connector, Arbortext Editor Connector, XMetaL Connector; 3rd Party Application; 3rd Party Connector]

• Batch Metadata/Workflow operations in the client tools
– Simply automation of manual actions

• Client Tools Preview component changed from the outdated IE7-based engine to the GeckoFX engine (renderer of Firefox)

What we also did

Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified, and may not be copied, used or distributed except as authorised by SDL.

• SDL Trisoft Tech Deck Technology, Web Services and Q&A
• Agenda
• SDL Integrations Product Stack
• SDL Integrations Product Stack - WorldServer
• Security - Real World Scenario
• Current Software Paradigm
• Centralized IT Paradigm
• Current situation
• Security Token Service (STS)
• Basic Flow Overview
• Claims - Profiles
• Claims – Demo
• Claims - Brands & Backward Compatibility
• Claims – Trisoft InstallTool Parameters
• STS - STS Auth & Trisoft Authz
• Claims – Account Creation
• Claims – Database Upgrade Tool - Screenshot
• Central Auth and Trisoft Authz
• Web Services – ASMX and SVC
• Web Services - API25 – Some ground rules
• Web Services - API25 – Who are you
• Web Services - New in SDL Trisoft 2013 (10.0)
• Web Services - New in SDL Trisoft 2013 (10.0)
• Web Services - New in SDL Trisoft 2013 (10.0)
• User Provisioning – Available since 2011 R2 (9.2)
• User Provisioning - Functions
• User Provisioning - Algorithm for In/Out
• What we also did
• What we also did
• What we also did
• Slide Number 32

Centralized IT Paradigm

[Diagram labels: User (Credentials, …, Credentials); Centralized Security Service (Authenticate, User Provisioning); TRUST; Many Applications, each with Issuer and Service]

• Identity Providers (IP)
– Windows Active Directory

– Open LDAP

– Custom

• Why are they not suitable?
– Mostly only identity providers. This means that every application must handle the authentication logic against them, so all kinds of proprietary implementations exist

– Proprietary and not cross-platform

– Active Directory is the closest to what we are looking for, but it is for the Windows ecosystem only. Additionally, it uses a proprietary protocol (Kerberos). So not suitable

Current situation

• It is a front end for one or many Identity Providers

• “Talks” widely accepted protocols like

– WS-Federation

– SAML-P

– WS-Trust 1.3

• “Delivers” security tokens in widely accepted formats like

– SAML 1.1

– SAML 2.0 (relatively new)

Security Token Service (STS)

• What is a claim?

– An assertion: a value for a specific claim type (first name, age, address, …)

• What is a token?

– Exactly like our national identity card

– A set of claims

– Signed with a certificate that proves the issuer’s identity (STS)

– Validity period

Basic Flow Overview

[Diagram labels: Client; STS; IP; Exchange; Query; Active; Passive; Supported; TRUST. Numbered flow: 1 Authenticate, 2 Get Token, 3 Submit Token]

• Passive Profile
– Client is a browser

– Browser is “stupid”: it just follows instructions

• Active Profile
– Client is an “In Process Application” (exe)

– Client is “smart”: pre-“configured” with instructions

– Web Services

Claims - Profiles

• Browser
– Web SSO based on Trisoft Users (InfoShareSTS)

– Logged on to LiveContent and Trisoft

• Client Tools
– Well, actually you see no difference…

Claims – Demo

We’ve tested with the following, but any brand respecting the standard can be configured:

• Microsoft Active Directory Federated Services v2 (ADFSv2)

– When you have a Windows domain

– Free extension
– Replaces the ‘direct’ Windows Authentication introduced in 2011 R2
– Simplified setup through PowerShell script

• SDL Trisoft ‘InfoShareSTS’

– Externalizes Trisoft Authentication based on the Trisoft User Repository

– Backward compatible option, but respecting the Claims setup and SSO
– Solution where Trisoft stores passwords with limited password rules
– Deprecated by nature, as externalizing security will happen more and more

– Out of the box preconfigured

Claims - Brands & Backward Compatibility

• Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

• New parameters in the inputparameters.xml file required for installation
– Infosharestswebappname
– servicecertificatesubjectname
– basehostname
– servicecertificatevalidationmode
– issuercertificatethumbprint
– issuercertificatevalidationmode
– issueractorusername
– issueractorpassword
– issuerwstrustendpointurl
– issuerwsfederationendpointurl
– serviceusername
– servicepassword

Claims – Trisoft InstallTool Parameters

STS - STS Auth & Trisoft Authz

[Architecture diagram; recoverable labels]

• Web App InfoShareWS: Host IIS AppPool (dllhost.exe), Identity DOMAIN\InfoShareSvc
• Web App InfoShareAuthor: Host IIS AppPool (dllhost.exe), Identity DOMAIN\InfoShareSvc
• Web App InfoShareSTS: Host IIS AppPool (dllhost.exe), Identity DOMAIN\InfoShareSvc
• Host oracle.exe -or- sqlservr.exe: Identity N/A
• Host iexplore.exe: Identity DOMAIN\user
• Host PublicationManager.exe -or- xmetal.exe: Identity DOMAIN\user
• Host AD: Identity N/A
• Other labels: Trisoft Client Tools; Trisoft InfoShareWeb; Trisoft Xopus; Browser; Microsoft IIS; Trisoft Foundation; Trisoft API25 API20 API10; Trisoft API25 for PubOutput Streaming; Trisoft API25; ADFSv2; connections marked http(s) SOAP and http(s)

• Reduced Client Tools account creation complexity by a configuration file living in the ‘InfoShareWS’ virtual directory
– e.g. httpsInfoShareWSconnectionconfigurationxml

• Only thing to provide is the web services location

Claims – Account Creation

Claims – Database Upgrade Tool - Screenshot

• When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field. DBUT solves this problem

• A Trisoft User has 3 kinds of metadata
– Authentication: user name and password

– Authorization: user roles and access to user groups

– Application Data: user language, favorites, e-mail, user name, id

• In Trisoft 2013 (10.0) authentication happens through a central/3rd party Secure Token Service (STS) system

• Once authenticated as an external user, Trisoft will map it to a Trisoft user profile for authorization and application data

• The Trisoft User Profile is required for
– Granting it user roles and access to user groups

– Referencing in workflow and assignments

– Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

• ASMX based web services like httpInfoShareWSApplicationASMX
– Since 2003

– First parameter in every function is always ‘AuthenticationContext’, so the Trisoft way of authentication

• Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC
– Support for claims-based authentication

– Replaces ASMX Web Services, so marking them as deprecated
• Deprecated here means supported as long as the cost of maintenance is reasonable

• Goal is to step away from Trisoft Authentication (Trisoft username/password combinations)

Web Services – ASMX and SVC

• All API calls labelled 25 are 100% .NET full stack; they are visible in web services like DocumentObj25, OutputFormat25
– API 25 means a certain set of behavior

– Technology-wise, mapping of ASMX, SVC, .NET and COM+ interfaces is one-on-one, besides technical limitations (e.g. function overloading, parameter types)

• Exceptions
– Internally uses the TrisoftException or per-assembly derived variations

– Throws InfoShareExceptions, wrapped in the ‘InfoShareWS’ to SoapException

• First checks the input; if unexpected/wrong it will throw immediately

• Results are never sorted unless explicitly indicated through a sequence field. The client should always sort

Web Services - API25 – Some ground rules

Function name – Description

• SetMetadata – Current function

• SetMetadata2 – New function to support multiple write access

• SetMetadata3 – New function to support multiple write access and an extra parameter “requiredCurrentMetadata” to force the current metadata to match an expected value

• Incoming user contextual information will be decrypted into a UserContext object, which in turn will always be validated for correctness in the database (rights, disabled, roles)

• Contextual information comes in through
– For ASMX Web Services

• Every class constructor requires an AuthenticationContext, so only works for ‘Trisoft Internal’ users

• Deprecated because of technology

• Stopped support for ‘direct’ Windows/LDAP Authentication in favor of an STS solution

– For SVC Web Services
• No AuthenticationContext parameter, as it is on-the-wire as part of the WS-Trust OASIS standard using OASIS SAML tokens

• The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

• Supports any authentication type because it is an externalized service (STS)

Web Services - API25 – Who are you

• First of all, we provided all these new classes in ASMX and SVC flavor for now

• Settings25, allowing access to Set and Get
– Settings > Default Settings

• holding the SDL LiveContent Reach and WorldServer location

– All Settings Configuration XMLs like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
• Note that ‘Xml Tags’ is gone



                bull Identity Providers (IP) ndash Windows Active Directory

                ndash Open LDAP

                ndash Custom

                bull Why are they not suitable ndash Mostly only identity providers This means that every application must handle

                the authentication logic against them so all kind or proprietary implementations exist

                ndash Proprietary and not cross platform

                ndash Active Directory is the closest to what we are looking for but it is for the Windows Eco System only Additionally is uses a proprietary protocol (Kerberos) So not suitable

                Current situation

                9

                bull It is a front end for one or many Identity Provides

                bull ldquoTalksrdquo widely accepted protocols like

                ndash WS Federation

                ndash SAML-P

                ndash WS Trust 13

                bull ldquoDeliversrdquo security tokens in widely accepted formats like

                ndash SAML11

                ndash SAML20 (Relatively new)

                Security Token Service (STS)

                10

                STS

                Exchange Query

                bull What is a claim

                ndash An assertion A value for a specific claim type (First name Age Address hellip)

                bull What is a token

                ndash Exactly as our national identity card

                ndash A set of claims

                ndash Signed with a certificate that proves the issuerrsquos identity (STS)

                ndash Validity period

                IP

                Active

                Passive

                Supported

                Basic Flow Overview

                11

                Client

                STS IP

                1 Authenticate

                2 Get Token

                3 Submit Token

                TRUST

                bull Passive Profile ndash Client is a browser

                ndash Browser is ldquostupidrdquo Just follows instructions

                bull Active Profile ndash Client is a ldquoIn Process Applicationrdquo (exe)

                ndash Client is ldquosmartrdquo Pre-rdquoConfiguredrdquo with instructions

                ndash Web Services

                Claims - Profiles

                12

                ClientUser

                ClientUser

                bull Browser ndash Web SSO based on Trisoft Users (InfoShareSTS)

                ndash Logged on on LiveContent and Trisoft

                bull Client Tools ndash Well actually you see no differencehellip

                Claims ndash Demo

                13

                Wersquove tested with but any brand respecting the standard can be configured bull Microsoft Active Directory Federated Services v2 (ADFSv2)

                ndash When you have a Windows domain

                ndash Free extension ndash Replaces the 2011R2 introduced lsquodirectrsquo Windows Authentication ndash Simplified setup through PowerShell script

                bull SDL Trisoft lsquoInfoShareSTSrsquo

                ndash Externalizes Trisoft Authentication based on the Trisoft User Repository

                ndash Backward compatible option but respecting the Claims setup and SSO ndash Solution where Trisoft stores passwords with limited password rules ndash Deprecated by nature as externalizing security will happen more and more

                ndash Out of the box preconfigured

                Claims - Brands amp Backward Compatibility

                14

                bull Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

                bull New Parameters in the inputparametersxml file required for installation ndash Infosharestswebappname ndash servicecertificatesubjectname ndash basehostname ndash servicecertificatevalidationmode ndash issuercertificatethumbprint ndash issuercertificatevalidationmode ndash issueractorusername ndash issueractorpassword ndash issuerwstrustendpointurl ndash issuerwsfederationendpointurl ndash serviceusername ndash servicepassword

                Claims ndash Trisoft InstallTool Parameters

                15

                http(s) SOAP

                http(s) SOAP

                http(s) SOAP

                http(s)

                Web App InfoShareWS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

                Web App InfoShareAuthor Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

                STS - STS Auth amp Trisoft Authz

                Host oracleexe -or- sqlservrexe Identity NA

                Host iexploreexe Identity DOMAINuser

                Host PublicationManagerexe -or- xmetalexe Identity DOMAINuser

                Trisoft Foundation

                Trisoft API25 API20 API10

                Tris

                oft

                Clie

                nt T

                ools

                Tris

                oft

                Info

                Sha

                reW

                eb

                Tris

                oft

                Xop

                us

                Bro

                wse

                r

                Mic

                roso

                ft I

                IS

                Host AD

                Identity NA

                Mic

                roso

                ft I

                IS

                Trisoft Foundation

                Trisoft API25 for PubOutput Streaming

                Web App InfoShareSTS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

                Trisoft API25

                Mic

                roso

                ft I

                IS

                Browser

                ADFSv2

                bull Reduced Client Tools account creation complexity by a configuration file living in the lsquoInfoSharWSrsquo virtual directory ndash eg httpsInfoShareWSconnectionconfigurationxml

                bull Only thing to provide is the web services location

                Claims ndash Account Creation

                17

                Claims ndash Database Upgrade Tool - Screenshot

                18

                bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

                bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

                ndash Authorization user roles and access to user groups

                ndash Application Data User language Favorites e-mail user name id

                bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

                bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

                bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

                ndash Referencing in workflow and assignments

                ndash Populating user lists based on Trisoft user roles

                Central Auth and Trisoft Authz

                19

                bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

                ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

                bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

                ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

                bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

                Web Services ndash ASMX and SVC

                20

                bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

                ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

                bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

                ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

                bull First checks the input if unexpectedwrong it will throw immediately

                bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

                Web Services - API25 ndash Some ground rules

                Function name Description

                SetMetadata Current function

                SetMetadata2 New function to support multiple write access

                SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

                bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

                bull Contextual information comes in through ndash For ASMX Web Services

                bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

                bull Deprecated because of technology

                bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

                ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

                OASIS standard using OASIS SAML tokens

                bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

                bull Supports any Authentication type because it is an externalized service (STS)

                Web Services - API25 ndash Who are you

                • First of all, we provided all these new classes in ASMX and SVC flavor for now

                • Settings25 allowing access to Set and Get
                – Settings > Default Settings
                  • holding the SDL LiveContent Reach and WorldServer location
                – All Settings Configuration Xmls like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
                  • Note that 'Xml Tags' is gone
                  • Introducing versioned schema validation
                – Function GetPossibleTargetStatuses helps in filling allowed 'next values' for workflow dialogs

                Web Services - New in SDL Trisoft 2013 (10.0)

                • ListOfValues25 allowing access to manage the allowed/permitted values of a select List of Value (LOV)
                – Useful for automated integrations/input
                – Note: adding the List of Value itself (e.g. 'ImageType') still requires the setup utilities. This API class allows you to add values (e.g. 'Diagram' and 'Graphic' into 'ImageType')

                Web Services - New in SDL Trisoft 2013 (10.0)

                • The following API functions allow our new 'TranslationOrganizer' service to work

                • TranslationTemplate25
                – Allows management of cached translation template in Trisoft
                – A 'configuration' identifier to tell the Translation Management System which setup to use (e.g. WorldServer workflow cost code)

                • TranslationJob25
                – Allows typical CRUD of the new TranslationJob containers where you can assign publications or content objects you would want to get translated
                – TranslationJob object drives the 'TranslationBuilder' and 'TranslationOrganizer' Windows services

                Web Services - New in SDL Trisoft 2013 (10.0)

                User Provisioning – Available since 2011 R2 (9.2)

                • Introducing the following API functions

                User Provisioning - Functions

                User25: ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update

                UserGroup25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

                UserRole25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

                1. Delete or Disable Trisoft User Profiles
                   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
                   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
                      1. If none exists, delete the Trisoft user profile if not referenced, otherwise disable the Trisoft user profile
                      2. If one or more exists, check if disabled; possibly disable the Trisoft user profile

                2. Create or Update Trisoft User Profiles…
                   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
                   2. For every user in the external-user-list, find the Trisoft User Profile by FISHEXTERNALID
                      1. If multiple hits, throw exception, as multiple profile hits will never grant a login
                      2. If none exists, create the user profile with required roles and user groups
                      3. If one exists: enable, skip or possibly update the user profile

                Beware that update could overwrite explicitly set values

                User Provisioning - Algorithm for In/Out
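A dry-run planner for the two-pass algorithm on this slide, added here as an illustration; it is not SDL's code and does not call the User25 API. The `Profile` and `ExternalUser` records, the action tuples, and the reading of "check if disabled" as "disable when every matching external account is disabled" are assumptions.

```python
"""Dry-run planner for the two-pass user provisioning algorithm (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Profile:
    """Hypothetical in-memory view of a Trisoft user profile."""
    username: str
    external_id: str              # FISHEXTERNALID
    user_type: str = "External"   # FISHUSERTYPE
    disabled: bool = False        # FISHUSERDISABLED (Yes/No)
    referenced: bool = False      # still referenced elsewhere, so it cannot be deleted


@dataclass
class ExternalUser:
    """Hypothetical record from the external directory (e.g. an LDAP role query)."""
    external_id: str
    disabled: bool = False


class AmbiguousProfileError(Exception):
    """More than one Trisoft profile carries the same FISHEXTERNALID."""


def _index(items):
    """Group records by external id, ignoring records that have none."""
    by_id = defaultdict(list)
    for item in items:
        if item.external_id:
            by_id[item.external_id].append(item)
    return by_id


def plan_out(profiles, externals):
    """Pass 1: delete or disable profiles whose external account is gone or disabled."""
    ext_by_id = _index(externals)
    plan = []
    for p in profiles:
        if p.user_type != "External" or p.disabled:
            continue  # only enabled External profiles are in scope
        matches = ext_by_id.get(p.external_id, [])
        if not matches:
            # No external account left: delete, or disable when still referenced.
            plan.append(("disable" if p.referenced else "delete", p.username))
        elif all(m.disabled for m in matches):
            # Assumption: "check if disabled" means every match is disabled.
            plan.append(("disable", p.username))
    return plan


def plan_in(profiles, externals, update_existing=False):
    """Pass 2: create, enable or (optionally) update profiles for required users."""
    prof_by_id = _index(profiles)
    plan = []
    for e in externals:
        if e.disabled:
            continue  # assumption: disabled accounts are not "required"
        hits = prof_by_id.get(e.external_id, [])
        if len(hits) > 1:
            names = ", ".join(h.username for h in hits)
            raise AmbiguousProfileError(f"{e.external_id} maps to: {names}")
        if not hits:
            plan.append(("create", e.external_id))
        elif hits[0].disabled:
            plan.append(("enable", hits[0].username))
        elif update_existing:
            # Off by default: an update can overwrite explicitly set values.
            plan.append(("update", hits[0].username))
    return plan


def plan_sync(profiles, externals, update_existing=False):
    """Plan both passes; raises before anything is written if ids are ambiguous."""
    inbound = plan_in(profiles, externals, update_existing)
    return plan_out(profiles, externals) + inbound


# Constructed sample data, not taken from any real installation.
SAMPLE_PROFILES = [
    Profile("alice", "S-1001"),
    Profile("bob", "S-1002", referenced=True),
    Profile("carol", "S-1003"),
    Profile("dave", "S-1004", disabled=True),
    Profile("erin", "S-1005"),
    Profile("admin", "", user_type="Internal"),
]
SAMPLE_EXTERNALS = [
    ExternalUser("S-1001"),
    ExternalUser("S-1004"),
    ExternalUser("S-1005", disabled=True),
    ExternalUser("S-1006"),
]

if __name__ == "__main__":
    for action, subject in plan_sync(SAMPLE_PROFILES, SAMPLE_EXTERNALS):
        print(f"{action:8} {subject}")
```

Planning before applying keeps the run all-or-nothing: a duplicate FISHEXTERNALID stops the sync before any profile is deleted, disabled or created.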

                • Multi Browser support
                – IE8 and IE9
                – FF-latest
                – Chrome-latest

                • Third Party Software
                – AntennaHouse XSL Formatter 6.0
                – SQLServer 2008 SP3
                – SQLServer 2008R2 SP2

                What we also did

                • AuthoringBridge SDK
                – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list: XM5560 AE5354 FM910)

                What we also did

                [Figure: SDL Trisoft Authoring Bridge. Labels: Database (Server or Remote Machine); Application Server (SDL Trisoft Foundation); Access through Web Services; Client (Arbortext Editor, XMetaL, FrameMaker, 3rd Party Application) with Arbortext Editor Connector, XMetaL Connector, FrameMaker Connector, 3rd Party Connector]

                • Batch Metadata/Workflow operations in the client tools
                – Simply automation of manual actions

                • Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

                What we also did

                Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified, and may not be copied, used or distributed except as authorised by SDL.

                • SDL Trisoft Tech Deck Technology, Web Services and Q&A
                • Agenda
                • SDL Integrations Product Stack
                • SDL Integrations Product Stack - WorldServer
                • Security - Real World Scenario
                • Current Software Paradigm
                • Centralized IT Paradigm
                • Current situation
                • Security Token Service (STS)
                • Basic Flow Overview
                • Claims - Profiles
                • Claims – Demo
                • Claims - Brands & Backward Compatibility
                • Claims – Trisoft InstallTool Parameters
                • STS - STS Auth & Trisoft Authz
                • Claims – Account Creation
                • Claims – Database Upgrade Tool - Screenshot
                • Central Auth and Trisoft Authz
                • Web Services – ASMX and SVC
                • Web Services - API25 – Some ground rules
                • Web Services - API25 – Who are you
                • Web Services - New in SDL Trisoft 2013 (10.0)
                • Web Services - New in SDL Trisoft 2013 (10.0)
                • Web Services - New in SDL Trisoft 2013 (10.0)
                • User Provisioning – Available since 2011 R2 (9.2)
                • User Provisioning - Functions
                • User Provisioning - Algorithm for In/Out
                • What we also did
                • What we also did
                • What we also did
                • Slide Number 32

                  • It is a front end for one or many Identity Providers

                  • "Talks" widely accepted protocols like
                  – WS-Federation
                  – SAML-P
                  – WS-Trust 1.3

                  • "Delivers" security tokens in widely accepted formats like
                  – SAML 1.1
                  – SAML 2.0 (Relatively new)

                  Security Token Service (STS)

                  [Figure labels: STS, Exchange Query]

                  • What is a claim
                  – An assertion: a value for a specific claim type (First name, Age, Address, …)

                  • What is a token
                  – Exactly as our national identity card
                  – A set of claims
                  – Signed with a certificate that proves the issuer's identity (STS)
                  – Validity period

                  [Figure labels: IP, Active, Passive, Supported]

                  Basic Flow Overview

                  [Figure: Client, STS, IP; steps 1 Authenticate, 2 Get Token, 3 Submit Token; TRUST]

                  • Passive Profile
                  – Client is a browser
                  – Browser is "stupid". Just follows instructions

                  • Active Profile
                  – Client is an "In Process Application" (exe)
                  – Client is "smart". Pre-"Configured" with instructions
                  – Web Services

                  Claims - Profiles

                  [Figure labels: Client/User]

                  • Browser
                  – Web SSO based on Trisoft Users (InfoShareSTS)
                  – Logged on to LiveContent and Trisoft

                  • Client Tools
                  – Well, actually you see no difference…

                  Claims – Demo

                  We've tested with the following, but any brand respecting the standard can be configured:

                  • Microsoft Active Directory Federated Services v2 (ADFSv2)
                  – When you have a Windows domain
                  – Free extension
                  – Replaces the 2011R2 introduced 'direct' Windows Authentication
                  – Simplified setup through PowerShell script

                  • SDL Trisoft 'InfoShareSTS'
                  – Externalizes Trisoft Authentication based on the Trisoft User Repository
                  – Backward compatible option, but respecting the Claims setup and SSO
                  – Solution where Trisoft stores passwords with limited password rules
                  – Deprecated by nature, as externalizing security will happen more and more
                  – Out of the box preconfigured

                  Claims - Brands & Backward Compatibility

                  • Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

                  • New Parameters in the inputparameters.xml file required for installation
                  – Infosharestswebappname
                  – servicecertificatesubjectname
                  – basehostname
                  – servicecertificatevalidationmode
                  – issuercertificatethumbprint
                  – issuercertificatevalidationmode
                  – issueractorusername
                  – issueractorpassword
                  – issuerwstrustendpointurl
                  – issuerwsfederationendpointurl
                  – serviceusername
                  – servicepassword

                  Claims – Trisoft InstallTool Parameters

                  STS - STS Auth & Trisoft Authz

                  [Architecture diagram; recoverable labels: Web App InfoShareWS, Web App InfoShareAuthor and Web App InfoShareSTS (each: Host IIS AppPool (dllhost.exe), Identity DOMAIN\InfoShareSvc, on Microsoft IIS); Trisoft Client Tools (Host PublicationManager.exe or xmetal.exe, Identity DOMAIN\user); Browser (Host iexplore.exe, Identity DOMAIN\user); Trisoft InfoShareWeb; Trisoft Xopus; Trisoft Foundation; Trisoft API25, API20, API10; Trisoft API25 for PubOutput Streaming; database (Host oracle.exe or sqlservr.exe, Identity N/A); Host AD (Identity N/A); ADFSv2; connections labelled http(s) and http(s) SOAP]

                  • Reduced Client Tools account creation complexity by a configuration file living in the 'InfoShareWS' virtual directory
                  – e.g. httpsInfoShareWSconnectionconfigurationxml

                  • Only thing to provide is the web services location

                  Claims – Account Creation

                  Claims – Database Upgrade Tool - Screenshot

                  • When activating external authentication, you have to have at least one correctly configured FISHEXTERNALID field. DBUT solves this problem

                  • A Trisoft User has 3 kinds of metadata
                  – Authentication: user name and password
                  – Authorization: user roles and access to user groups
                  – Application Data: User language, Favorites, e-mail, user name, id

                  • In Trisoft 2013 (10.0) authentication happens through a central/3rd party Secure Token Service (STS) system

                  • Once authenticated as an external user, Trisoft will map it to a Trisoft user profile for authorization and application data

                  • The Trisoft User Profile is required for
                  – Granting it user roles and access to user groups
                  – Referencing in workflow and assignments
                  – Populating user lists based on Trisoft user roles

                  Central Auth and Trisoft Authz

                  • ASMX based web services like httpInfoShareWSApplicationASMX
                  – Since 2003
                  – First parameter in every function is always 'AuthenticationContext', so the Trisoft way of authentication

                  • Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC
                  – Support for claims-based authentication
                  – Replaces ASMX Web Services, so marking them as deprecated
                    • Deprecated here means supported as long as the cost of maintenance is reasonable

                  • Goal is to step away from Trisoft Authentication (Trisoft Username/Password combinations)

                  Web Services – ASMX and SVC

                  • All API calls labelled 25 are 100% .NET full stack; they are visible in web services like DocumentObj25, OutputFormat25
                  – API 25 means a certain set of behavior
                  – Technology wise, mapping of ASMX, SVC, .NET and COM+ interfaces is one-on-one besides technical limitations (e.g. Function overloading, parameter types)

                  • Exceptions
                  – Internally uses the TrisoftException or per assembly derived variations
                  – Throws InfoShareExceptions wrapped in the 'InfoShareWS' to SoapException

                  • First checks the input; if unexpected/wrong it will throw immediately


                    Basic Flow Overview

                    11

                    Client

                    STS IP

                    1 Authenticate

                    2 Get Token

                    3 Submit Token

                    TRUST

                    bull Passive Profile ndash Client is a browser

                    ndash Browser is ldquostupidrdquo Just follows instructions

                    bull Active Profile ndash Client is a ldquoIn Process Applicationrdquo (exe)

                    ndash Client is ldquosmartrdquo Pre-rdquoConfiguredrdquo with instructions

                    ndash Web Services

                    Claims - Profiles

                    12

                    ClientUser

                    ClientUser

                    bull Browser ndash Web SSO based on Trisoft Users (InfoShareSTS)

                    ndash Logged on on LiveContent and Trisoft

                    bull Client Tools ndash Well actually you see no differencehellip

                    Claims ndash Demo

                    13

                    Wersquove tested with but any brand respecting the standard can be configured bull Microsoft Active Directory Federated Services v2 (ADFSv2)

                    ndash When you have a Windows domain

                    ndash Free extension ndash Replaces the 2011R2 introduced lsquodirectrsquo Windows Authentication ndash Simplified setup through PowerShell script

                    bull SDL Trisoft lsquoInfoShareSTSrsquo

                    ndash Externalizes Trisoft Authentication based on the Trisoft User Repository

                    ndash Backward compatible option but respecting the Claims setup and SSO ndash Solution where Trisoft stores passwords with limited password rules ndash Deprecated by nature as externalizing security will happen more and more

                    ndash Out of the box preconfigured

                    Claims - Brands amp Backward Compatibility

                    14

                    bull Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

                    bull New Parameters in the inputparametersxml file required for installation ndash Infosharestswebappname ndash servicecertificatesubjectname ndash basehostname ndash servicecertificatevalidationmode ndash issuercertificatethumbprint ndash issuercertificatevalidationmode ndash issueractorusername ndash issueractorpassword ndash issuerwstrustendpointurl ndash issuerwsfederationendpointurl ndash serviceusername ndash servicepassword

                    Claims ndash Trisoft InstallTool Parameters

                    15

                    http(s) SOAP

                    http(s) SOAP

                    http(s) SOAP

                    http(s)

                    Web App InfoShareWS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

                    Web App InfoShareAuthor Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

                    STS - STS Auth amp Trisoft Authz

                    Host oracleexe -or- sqlservrexe Identity NA

                    Host iexploreexe Identity DOMAINuser

                    Host PublicationManagerexe -or- xmetalexe Identity DOMAINuser

                    Trisoft Foundation

                    Trisoft API25 API20 API10

                    Tris

                    oft

                    Clie

                    nt T

                    ools

                    Tris

                    oft

                    Info

                    Sha

                    reW

                    eb

                    Tris

                    oft

                    Xop

                    us

                    Bro

                    wse

                    r

                    Mic

                    roso

                    ft I

                    IS

                    Host AD

                    Identity NA

                    Mic

                    roso

                    ft I

                    IS

                    Trisoft Foundation

                    Trisoft API25 for PubOutput Streaming

                    Web App InfoShareSTS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

                    Trisoft API25

                    Mic

                    roso

                    ft I

                    IS

                    Browser

                    ADFSv2

                    bull Reduced Client Tools account creation complexity by a configuration file living in the lsquoInfoSharWSrsquo virtual directory ndash eg httpsInfoShareWSconnectionconfigurationxml

                    bull Only thing to provide is the web services location

                    Claims ndash Account Creation

                    17

                    Claims ndash Database Upgrade Tool - Screenshot

                    18

                    bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

                    bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

                    ndash Authorization user roles and access to user groups

                    ndash Application Data User language Favorites e-mail user name id

                    bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

                    bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

                    bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

                    ndash Referencing in workflow and assignments

                    ndash Populating user lists based on Trisoft user roles

                    Central Auth and Trisoft Authz

                    19

                    bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

                    ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

                    bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

                    ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

                    bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

                    Web Services ndash ASMX and SVC

                    20

                    bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

                    ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

                    bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

                    ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

                    bull First checks the input if unexpectedwrong it will throw immediately

                    bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

                    Web Services - API25 ndash Some ground rules

                    Function name Description

                    SetMetadata Current function

                    SetMetadata2 New function to support multiple write access

                    SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

                    • Incoming user contextual information will be decrypted into a UserContext object, which in turn will always be validated for correctness in the database (rights, disabled, roles)
                    • Contextual information comes in through
                      – For ASMX Web Services
                        • Every class constructor requires an AuthenticationContext, so only works for ‘Trisoft Internal’ users
                        • Deprecated because of technology
                        • Stopped support for ‘direct’ Windows/LDAP Authentication in favor of an STS solution
                      – For SVC Web Services
                        • No AuthenticationContext parameter, as it is on-the-wire as part of the WS-Trust OASIS standard using OASIS SAML tokens
                        • The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPrincipal object
                        • Supports any Authentication type because it is an externalized service (STS)

                    Web Services - API25 – Who are you

                    • First of all, we provided all these new classes in ASMX and SVC flavor for now
                    • Settings25 allowing access to Set and Get
                      – Settings > Default Settings
                        • holding the SDL LiveContent Reach and WorldServer location
                      – All Settings Configuration Xmls like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
                        • Note that ‘Xml Tags’ is gone
                        • Introducing versioned schema validation
                      – Function GetPossibleTargetStatuses helps in filling allowed ‘next values’ for workflow dialogs

                    Web Services - New in SDL Trisoft 2013 (100)

                    • ListOfValues25 allowing access to manage the allowed/permitted values of a select List of Value (LOV)
                      – Useful for automated integrations/input
                      – Note: adding the List of Value itself (e.g. ‘ImageType’) still requires the setup utilities. This API class allows you to add values (e.g. ‘Diagram’ and ‘Graphic’ into ‘ImageType’)

                    Web Services - New in SDL Trisoft 2013 (100)

                    • The following API functions allow our new ‘TranslationOrganizer’ service to work
                    • TranslationTemplate25
                      – Allows management of cached translation template in Trisoft
                      – A ‘configuration’ identifier to tell the Translation Management System which setup to use (e.g. WorldServer workflow, cost code)
                    • TranslationJob25
                      – Allows typical CRUD of the new TranslationJob containers where you can assign publications or content objects you would want to get translated
                      – TranslationJob object drives the ‘TranslationBuilder’ and ‘TranslationOrganizer’ Windows services

                    Web Services - New in SDL Trisoft 2013 (100)

                    User Provisioning – Available since 2011 R2 (92)

                    • Introducing the following API functions

                    User Provisioning - Functions

                    User25: ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update
                    UserGroup25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update
                    UserRole25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

                    1. Delete or Disable Trisoft User Profiles
                       1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
                       2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
                          1. If none exists, delete the Trisoft user profile if not referenced, otherwise disable the Trisoft user profile
                          2. If one or more exists, check if disabled; possibly disable the Trisoft user profile
                    2. Create or Update Trisoft User Profiles…
                       1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
                       2. For every user in the external-user-list, find the Trisoft User Profile by FISHEXTERNALID
                          1. If multiple hits, throw exception, as multiple profile hits will never grant a login
                          2. If none exists, create the user profile with required roles and user groups
                          3. If one exists, enable, skip or possibly update the user profile

                    Beware that update could overwrite explicitly set values

                    User Provisioning - Algorithm for In/Out
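The two-pass algorithm above, as an added example that is not part of the original deck and not SDL code: a dry-run planner over in-memory records that returns the actions to take instead of calling any web service. Apart from the FISHEXTERNALID, FISHUSERTYPE and FISHUSERDISABLED field names, every class, function and sample value is hypothetical, and "disable when every matching external account is disabled" is an assumed reading of step 1.2.2.

```python
from dataclasses import dataclass


class AmbiguousProfileError(Exception):
    """Several Trisoft profiles share one FISHEXTERNALID, so login can never be granted."""


@dataclass
class TrisoftProfile:              # hypothetical stand-in for a Trisoft user profile
    name: str
    external_id: str               # FISHEXTERNALID
    user_type: str = "External"    # FISHUSERTYPE
    disabled: bool = False         # FISHUSERDISABLED
    referenced: bool = False       # still used in workflow or assignments


@dataclass
class ExternalUser:                # hypothetical record from the identity provider
    external_id: str
    disabled: bool = False
    entitled: bool = True          # e.g. member of the LDAP role that grants access


def _index(items):
    """Group records by external id, ignoring records that have none."""
    index = {}
    for item in items:
        if item.external_id:
            index.setdefault(item.external_id, []).append(item)
    return index


def plan_deprovision(profiles, directory):
    """Pass 1: delete or disable profiles whose external account is gone or disabled."""
    external = _index(directory)
    plan = []
    for profile in profiles:
        # Step 1.1: only enabled profiles of type External are candidates.
        if profile.user_type != "External" or profile.disabled:
            continue
        matches = external.get(profile.external_id, [])
        if not matches:
            # Step 1.2.1: referenced profiles must survive, so disable them.
            plan.append(("disable" if profile.referenced else "delete", profile.name))
        elif all(user.disabled for user in matches):
            # Step 1.2.2 (assumed reading): every matching account is disabled.
            plan.append(("disable", profile.name))
    return plan


def plan_provision(profiles, directory, roles, groups):
    """Pass 2: create or enable a profile for every entitled, enabled external user."""
    known = _index(profiles)
    plan = []
    for user in directory:
        # Step 2.1: limit the list to users required to have a profile.
        if not user.entitled or user.disabled:
            continue
        hits = known.get(user.external_id, [])
        if len(hits) > 1:
            # Step 2.2.1: fail loudly instead of guessing which profile is meant.
            names = ", ".join(p.name for p in hits)
            raise AmbiguousProfileError(f"{user.external_id}: {names}")
        if not hits:
            plan.append(("create", user.external_id, sorted(roles), sorted(groups)))
        elif hits[0].disabled:
            plan.append(("enable", hits[0].name))
        # An enabled single hit is skipped; no "update" action is ever planned,
        # so roles and groups set by hand on the profile are not overwritten.
    return plan


# Constructed sample data.
SAMPLE_PROFILES = [
    TrisoftProfile("alice", "alice@example.test"),
    TrisoftProfile("bob", "bob@example.test", referenced=True),
    TrisoftProfile("carol", "carol@example.test"),
    TrisoftProfile("dave", "dave@example.test"),
    TrisoftProfile("erin", "erin@example.test", disabled=True),
    TrisoftProfile("admin", "", user_type="Internal"),
]
SAMPLE_DIRECTORY = [
    ExternalUser("alice@example.test"),
    ExternalUser("dave@example.test", disabled=True),
    ExternalUser("erin@example.test"),
    ExternalUser("frank@example.test"),
    ExternalUser("gina@example.test", entitled=False),
]

if __name__ == "__main__":
    print(plan_deprovision(SAMPLE_PROFILES, SAMPLE_DIRECTORY))
    print(plan_provision(SAMPLE_PROFILES, SAMPLE_DIRECTORY, {"Author"}, {"Docs"}))
```

Reviewing the returned plan before applying it keeps the delete step, the only irreversible one, under human control.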

                    • Multi Browser support
                      – IE8 and IE9
                      – FF-latest
                      – Chrome-latest
                    • Third Party Software
                      – AntennaHouse XSL Formatter 60
                      – SQLServer 2008 SP3
                      – SQLServer 2008R2 SP2

                    What we also did

                    • AuthoringBridge SDK
                      – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list: XM5560, AE5354, FM910)

                    What we also did

                    [Diagram: SDL Trisoft Authoring Bridge. Labels: Database; Server or Remote Machine; Application Server; Client; Access through Web Services; SDL Trisoft Foundation; Arbortext Editor, XMetaL, FrameMaker; FrameMaker Connector, Arbortext Editor Connector, XMetal Connector; 3rd Party Application; 3rd Party Connector]

                    • Batch Metadata/Workflow operations in the client tools
                      – Simply automation of manual actions
                    • Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

                    What we also did

                    Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified and may not be copied, used or distributed except as authorised by SDL.

                    • SDL Trisoft Tech Deck Technology, Web Services and Q&A
                    • Agenda
                    • SDL Integrations Product Stack
                    • SDL Integrations Product Stack - WorldServer
                    • Security - Real World Scenario
                    • Current Software Paradigm
                    • Centralized IT Paradigm
                    • Current situation
                    • Security Token Service (STS)
                    • Basic Flow Overview
                    • Claims - Profiles
                    • Claims – Demo
                    • Claims - Brands & Backward Compatibility
                    • Claims – Trisoft InstallTool Parameters
                    • STS - STS Auth & Trisoft Authz
                    • Claims – Account Creation
                    • Claims – Database Upgrade Tool - Screenshot
                    • Central Auth and Trisoft Authz
                    • Web Services – ASMX and SVC
                    • Web Services - API25 – Some ground rules
                    • Web Services - API25 – Who are you
                    • Web Services - New in SDL Trisoft 2013 (100)
                    • Web Services - New in SDL Trisoft 2013 (100)
                    • Web Services - New in SDL Trisoft 2013 (100)
                    • User Provisioning – Available since 2011 R2 (92)
                    • User Provisioning - Functions
                    • User Provisioning - Algorithm for In/Out
                    • What we also did
                    • What we also did
                    • What we also did

                      • Passive Profile
                        – Client is a browser
                        – Browser is “stupid”. Just follows instructions
                      • Active Profile
                        – Client is an “In Process Application” (exe)
                        – Client is “smart”. Pre-“Configured” with instructions
                        – Web Services

                      Claims - Profiles

                      • Browser
                        – Web SSO based on Trisoft Users (InfoShareSTS)
                        – Logged on to LiveContent and Trisoft
                      • Client Tools
                        – Well, actually you see no difference…

                      Claims – Demo

                      We’ve tested with the following, but any brand respecting the standard can be configured:
                      • Microsoft Active Directory Federated Services v2 (ADFSv2)
                        – When you have a Windows domain
                        – Free extension
                        – Replaces the 2011R2 introduced ‘direct’ Windows Authentication
                        – Simplified setup through PowerShell script
                      • SDL Trisoft ‘InfoShareSTS’
                        – Externalizes Trisoft Authentication based on the Trisoft User Repository
                        – Backward compatible option but respecting the Claims setup and SSO
                        – Solution where Trisoft stores passwords with limited password rules
                        – Deprecated by nature as externalizing security will happen more and more
                        – Out of the box preconfigured

                      Claims - Brands & Backward Compatibility

                      • Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations
                      • New Parameters in the inputparameters.xml file required for installation
                        – Infosharestswebappname
                        – servicecertificatesubjectname
                        – basehostname
                        – servicecertificatevalidationmode
                        – issuercertificatethumbprint
                        – issuercertificatevalidationmode
                        – issueractorusername
                        – issueractorpassword
                        – issuerwstrustendpointurl
                        – issuerwsfederationendpointurl
                        – serviceusername
                        – servicepassword

                      Claims – Trisoft InstallTool Parameters

                      STS - STS Auth & Trisoft Authz

                      [Architecture diagram; labels recovered from the slide:]
                      • Web App InfoShareWS: Host IIS AppPool (dllhost.exe), Identity DOMAIN\InfoShareSvc
                      • Web App InfoShareAuthor: Host IIS AppPool (dllhost.exe), Identity DOMAIN\InfoShareSvc
                      • Web App InfoShareSTS: Host IIS AppPool (dllhost.exe), Identity DOMAIN\InfoShareSvc
                      • Host oracle.exe -or- sqlservr.exe, Identity N/A
                      • Host iexplore.exe, Identity DOMAIN\user
                      • Host PublicationManager.exe -or- xmetal.exe, Identity DOMAIN\user
                      • Host AD, Identity N/A
                      • Component labels: Trisoft Foundation; Trisoft API25, API20, API10; Trisoft API25 for PubOutput Streaming; Trisoft Client Tools; Trisoft InfoShareWeb; Trisoft Xopus; Browser; Microsoft IIS; ADFSv2
                      • Connection labels: http(s) SOAP (three times), http(s)

                      • Reduced Client Tools account creation complexity by a configuration file living in the ‘InfoShareWS’ virtual directory
                        – e.g. httpsInfoShareWSconnectionconfigurationxml
                      • Only thing to provide is the web services location

                      Claims – Account Creation

                      Claims – Database Upgrade Tool - Screenshot

                      • When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field. DBUT solves this problem
                      • A Trisoft User has 3 kinds of metadata
                        – Authentication: user name and password
                        – Authorization: user roles and access to user groups
                        – Application Data: User language, Favorites, e-mail, user name, id
                      • In Trisoft 2013 (100) authentication happens through a central/3rd party Secure Token Service (STS) system
                      • Once authenticated as an external user, Trisoft will map it to a Trisoft user profile for authorization and application data
                      • The Trisoft User Profile is required for
                        – Granting it user roles and access to user groups
                        – Referencing in workflow and assignments
                        – Populating user lists based on Trisoft user roles

                      Central Auth and Trisoft Authz

                      • ASMX based web services like httpInfoShareWSApplicationASMX
                        – Since 2003
                        – First parameter in every function is always ‘AuthenticationContext’, so the Trisoft way of authentication
                      • Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC
                        – Support for claims-based authentication
                        – Replaces ASMX Web Services, so marking them as deprecated
                          • Deprecated here means supported as long as the cost of maintenance is reasonable
                      • Goal is to step away from Trisoft Authentication (Trisoft Username/Password combinations)

                      Web Services – ASMX and SVC

                        bull Browser ndash Web SSO based on Trisoft Users (InfoShareSTS)

                        ndash Logged on on LiveContent and Trisoft

                        bull Client Tools ndash Well actually you see no differencehellip

                        Claims ndash Demo

                        13

                        Wersquove tested with but any brand respecting the standard can be configured bull Microsoft Active Directory Federated Services v2 (ADFSv2)

                        ndash When you have a Windows domain

                        ndash Free extension ndash Replaces the 2011R2 introduced lsquodirectrsquo Windows Authentication ndash Simplified setup through PowerShell script

                        bull SDL Trisoft lsquoInfoShareSTSrsquo

                        ndash Externalizes Trisoft Authentication based on the Trisoft User Repository

                        ndash Backward compatible option but respecting the Claims setup and SSO ndash Solution where Trisoft stores passwords with limited password rules ndash Deprecated by nature as externalizing security will happen more and more

                        ndash Out of the box preconfigured

                        Claims - Brands amp Backward Compatibility

                        14

                        bull Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

                        bull New Parameters in the inputparametersxml file required for installation ndash Infosharestswebappname ndash servicecertificatesubjectname ndash basehostname ndash servicecertificatevalidationmode ndash issuercertificatethumbprint ndash issuercertificatevalidationmode ndash issueractorusername ndash issueractorpassword ndash issuerwstrustendpointurl ndash issuerwsfederationendpointurl ndash serviceusername ndash servicepassword

                        Claims ndash Trisoft InstallTool Parameters

                        15

                        http(s) SOAP

                        http(s) SOAP

                        http(s) SOAP

                        http(s)

                        Web App InfoShareWS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

                        Web App InfoShareAuthor Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

                        STS - STS Auth amp Trisoft Authz

                        Host oracleexe -or- sqlservrexe Identity NA

                        Host iexploreexe Identity DOMAINuser

                        Host PublicationManagerexe -or- xmetalexe Identity DOMAINuser

                        Trisoft Foundation

                        Trisoft API25 API20 API10

                        Tris

                        oft

                        Clie

                        nt T

                        ools

                        Tris

                        oft

                        Info

                        Sha

                        reW

                        eb

                        Tris

                        oft

                        Xop

                        us

                        Bro

                        wse

                        r

                        Mic

                        roso

                        ft I

                        IS

                        Host AD

                        Identity NA

                        Mic

                        roso

                        ft I

                        IS

                        Trisoft Foundation

                        Trisoft API25 for PubOutput Streaming

                        Web App InfoShareSTS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

                        Trisoft API25

                        Mic

                        roso

                        ft I

                        IS

                        Browser

                        ADFSv2

                        bull Reduced Client Tools account creation complexity by a configuration file living in the lsquoInfoSharWSrsquo virtual directory ndash eg httpsInfoShareWSconnectionconfigurationxml

                        bull Only thing to provide is the web services location

                        Claims ndash Account Creation

                        17

                        Claims ndash Database Upgrade Tool - Screenshot

                        18

                        bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

                        bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

                        ndash Authorization user roles and access to user groups

                        ndash Application Data User language Favorites e-mail user name id

                        bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

                        bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

                        bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

                        ndash Referencing in workflow and assignments

                        ndash Populating user lists based on Trisoft user roles

                        Central Auth and Trisoft Authz

                        19

                        bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

                        ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

                        bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

                        ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

                        bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

                        Web Services ndash ASMX and SVC

                        20

                        bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

                        ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

                        bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

                        ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

                        bull First checks the input if unexpectedwrong it will throw immediately

                        bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

                        Web Services - API25 ndash Some ground rules

                        Function name Description

                        SetMetadata Current function

                        SetMetadata2 New function to support multiple write access

                        SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

                        • Incoming user contextual information will be decrypted into a UserContext object, which in turn will always be validated for correctness in the database (rights, disabled, roles, ...)
                        • Contextual information comes in through
                          – For ASMX Web Services
                            • Every class constructor requires an AuthenticationContext, so only works for ‘Trisoft Internal’ users
                            • Deprecated because of technology
                            • Stopped support for ‘direct’ Windows/LDAP Authentication in favor of an STS solution
                          – For SVC Web Services
                            • No AuthenticationContext parameter, as it is on-the-wire as part of the WS-Trust OASIS standard using OASIS SAML tokens
                            • The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPrincipal object
                            • Supports any Authentication type because it is an externalized service (STS)

                        Web Services - API25 – Who are you

                        • First of all, we provided all these new classes in ASMX and SVC flavor for now
                        • Settings25 allowing access to Set and Get
                          – Settings > Default Settings
                            • holding the SDL LiveContent Reach and WorldServer location
                          – All Settings Configuration Xmls like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
                            • Note that ‘Xml Tags’ is gone
                            • Introducing versioned schema validation
                          – Function GetPossibleTargetStatuses helps in filling allowed ‘next values’ for workflow dialogs

                        Web Services - New in SDL Trisoft 2013 (10.0)

                        • ListOfValues25 allowing access to manage the allowed/permitted values of a select List of Value (LOV)
                          – Useful for automated integrations/input
                          – Note: adding the List of Value itself (e.g. ‘ImageType’) still requires the setup utilities. This API class allows you to add values (e.g. ‘Diagram’ and ‘Graphic’ into ‘ImageType’)

                        Web Services - New in SDL Trisoft 2013 (10.0)

                        • The following API functions allow our new ‘TranslationOrganizer’ service to work
                        • TranslationTemplate25
                          – Allows management of cached translation template in Trisoft
                          – A ‘configuration’ identifier to tell the Translation Management System which setup to use (e.g. WorldServer workflow, cost code)
                        • TranslationJob25
                          – Allows typical CRUD of the new TranslationJob containers where you can assign publications or content objects you would want to get translated
                          – TranslationJob object drives the ‘TranslationBuilder’ and ‘TranslationOrganizer’ Windows services

                        Web Services - New in SDL Trisoft 2013 (10.0)

                        User Provisioning – Available since 2011 R2 (9.2)

                        • Introducing the following API functions

                        User Provisioning - Functions

                        User25:       ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update
                        UserGroup25:  Create, Delete, Find, GetMetaData, RetrieveMetaData, Update
                        UserRole25:   Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

                        1. Delete or Disable Trisoft User Profiles
                           1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
                           2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
                              1. If none exists, delete the Trisoft user profile if not referenced; otherwise disable the Trisoft user profile
                              2. If one or more exists, check if disabled; possibly disable the Trisoft user profile
                        2. Create or Update Trisoft User Profiles…
                           1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
                           2. For every user in the external-user-list, find the Trisoft User Profile by FISHEXTERNALID
                              1. If multiple hits, throw exception, as multiple profile hits will never grant a login
                              2. If none exists, create the user profile with required roles and user groups
                              3. If one exists: enable, skip or possibly update the user profile
                                 Beware that update could overwrite explicitly set values

                        User Provisioning - Algorithm for In/Out
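The two-step algorithm above, as an added example that is not SDL's code and does not call the User25 API: profiles and directory accounts are modelled as in-memory objects. Only the FISH* field names come from the slide; the `referenced` flag, the role and group names, the sample users, and reading "check if disabled" as "every matching external account is disabled" are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ExternalUser:
    """Account in the external directory (constructed model, e.g. LDAP/AD)."""
    external_id: str
    disabled: bool = False


@dataclass
class Profile:
    """Trisoft user profile; FISH* names come from the slide, the rest is assumed."""
    username: str
    FISHEXTERNALID: str
    FISHUSERTYPE: str = "External"
    FISHUSERDISABLED: str = "No"
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    referenced: bool = False  # assumed flag: profile is used in workflow/assignments


class DuplicateExternalId(Exception):
    """Several profiles share one FISHEXTERNALID, so none of them can log in."""


def deprovision(profiles, directory):
    """Step 1: delete or disable enabled External profiles with no live account."""
    accounts = {}
    for user in directory:
        accounts.setdefault(user.external_id, []).append(user)
    actions = []
    for profile in list(profiles):
        if profile.FISHUSERTYPE != "External" or profile.FISHUSERDISABLED != "No":
            continue
        matches = accounts.get(profile.FISHEXTERNALID, [])
        if not matches and not profile.referenced:
            profiles.remove(profile)
            actions.append(("delete", profile.username))
        elif not matches or all(m.disabled for m in matches):
            # Referenced profiles are kept for history; disabled accounts lose access.
            profile.FISHUSERDISABLED = "Yes"
            actions.append(("disable", profile.username))
    return actions


def provision(profiles, required, roles, groups):
    """Step 2: create missing profiles, re-enable existing ones, never overwrite."""
    by_id = {}
    for profile in profiles:
        by_id.setdefault(profile.FISHEXTERNALID, []).append(profile)
    # Validate first so a duplicate aborts the run before any profile is changed.
    for user in required:
        if len(by_id.get(user.external_id, [])) > 1:
            raise DuplicateExternalId(user.external_id)
    actions = []
    for user in required:
        hits = by_id.get(user.external_id, [])
        if not hits:
            created = Profile(user.external_id, user.external_id,
                              roles=set(roles), groups=set(groups))
            profiles.append(created)
            by_id[user.external_id] = [created]
            actions.append(("create", created.username))
        elif hits[0].FISHUSERDISABLED == "Yes":
            hits[0].FISHUSERDISABLED = "No"
            actions.append(("enable", hits[0].username))
        else:
            # Skip instead of update: explicitly granted roles stay untouched.
            actions.append(("skip", hits[0].username))
    return actions


def sync(profiles, directory, roles=("Author",), groups=("Docs",)):
    """Run both steps; only enabled directory accounts must have a profile."""
    actions = deprovision(profiles, directory)
    required = [u for u in directory if not u.disabled]
    return actions + provision(profiles, required, roles, groups)


def demo():
    """Constructed sample data covering each branch of the algorithm."""
    directory = [ExternalUser("DOMAIN\\alice"),
                 ExternalUser("DOMAIN\\bob", disabled=True),
                 ExternalUser("DOMAIN\\erin")]
    profiles = [
        Profile("alice", "DOMAIN\\alice", roles={"Administrator"}),
        Profile("bob", "DOMAIN\\bob"),
        Profile("carol", "DOMAIN\\carol", referenced=True),  # gone, has history
        Profile("dave", "DOMAIN\\dave"),                      # gone, unreferenced
        Profile("admin", "", FISHUSERTYPE="Internal"),        # out of scope
    ]
    return sync(profiles, directory), profiles


if __name__ == "__main__":
    for action in demo()[0]:
        print(action)
```

Because existing profiles are only enabled or skipped, the run never touches roles that were granted by hand, which is the overwrite risk the slide warns about.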

                        • Multi Browser support
                          – IE8 and IE9
                          – FF-latest
                          – Chrome-latest
                        • Third Party Software
                          – AntennaHouse XSL Formatter 6.0
                          – SQLServer 2008 SP3
                          – SQLServer 2008R2 SP2

                        What we also did

                        • AuthoringBridge SDK
                          – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

                        What we also did

                        [Diagram: SDL Trisoft Authoring Bridge. Labels: Database; Server or Remote Machine; Application Server; Client; Access through Web Services; SDL Trisoft Foundation; Arbortext Editor, XMetaL, FrameMaker; FrameMaker Connector; Arbortext Editor Connector; XMetaL Connector; 3rd Party Application; 3rd Party Connector]

                        • Batch Metadata/Workflow operations in the client tools
                          – Simply automation of manual actions
                        • Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

                        What we also did

                        Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified, and may not be copied, used or distributed except as authorised by SDL.

                        • SDL Trisoft Tech Deck Technology, Web Services and Q&A
                        • Agenda
                        • SDL Integrations Product Stack
                        • SDL Integrations Product Stack - WorldServer
                        • Security - Real World Scenario
                        • Current Software Paradigm
                        • Centralized IT Paradigm
                        • Current situation
                        • Security Token Service (STS)
                        • Basic Flow Overview
                        • Claims - Profiles
                        • Claims – Demo
                        • Claims - Brands & Backward Compatibility
                        • Claims – Trisoft InstallTool Parameters
                        • STS - STS Auth & Trisoft Authz
                        • Claims – Account Creation
                        • Claims – Database Upgrade Tool - Screenshot
                        • Central Auth and Trisoft Authz
                        • Web Services – ASMX and SVC
                        • Web Services - API25 – Some ground rules
                        • Web Services - API25 – Who are you
                        • Web Services - New in SDL Trisoft 2013 (10.0)
                        • Web Services - New in SDL Trisoft 2013 (10.0)
                        • Web Services - New in SDL Trisoft 2013 (10.0)
                        • User Provisioning – Available since 2011 R2 (9.2)
                        • User Provisioning - Functions
                        • User Provisioning - Algorithm for In/Out
                        • What we also did
                        • What we also did
                        • What we also did
                        • Slide Number 32

                          We’ve tested with, but any brand respecting the standard can be configured
                          • Microsoft Active Directory Federated Services v2 (ADFSv2)
                            – When you have a Windows domain
                            – Free extension
                            – Replaces the 2011R2 introduced ‘direct’ Windows Authentication
                            – Simplified setup through PowerShell script
                          • SDL Trisoft ‘InfoShareSTS’
                            – Externalizes Trisoft Authentication based on the Trisoft User Repository
                            – Backward compatible option, but respecting the Claims setup and SSO
                            – Solution where Trisoft stores passwords, with limited password rules
                            – Deprecated by nature, as externalizing security will happen more and more
                            – Out of the box preconfigured

                          Claims - Brands & Backward Compatibility

                          14

                          • Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations
                          • New Parameters in the inputparameters.xml file required for installation
                            – Infosharestswebappname
                            – servicecertificatesubjectname
                            – basehostname
                            – servicecertificatevalidationmode
                            – issuercertificatethumbprint
                            – issuercertificatevalidationmode
                            – issueractorusername
                            – issueractorpassword
                            – issuerwstrustendpointurl
                            – issuerwsfederationendpointurl
                            – serviceusername
                            – servicepassword

                          Claims – Trisoft InstallTool Parameters

                          15

                          STS - STS Auth & Trisoft Authz

                          [Diagram. Labels: Web App InfoShareWS, Web App InfoShareAuthor and Web App InfoShareSTS (each: Host IIS AppPool (dllhost.exe), Identity DOMAIN\InfoShareSvc, on Microsoft IIS); Host oracle.exe -or- sqlservr.exe, Identity N/A; Host iexplore.exe, Identity DOMAIN\user; Host PublicationManager.exe -or- xmetal.exe, Identity DOMAIN\user; Host AD, Identity N/A; Trisoft Client Tools; Trisoft InfoShareWeb; Trisoft Xopus; Browser; Trisoft Foundation; Trisoft API25 API20 API10; Trisoft API25 for PubOutput Streaming; Trisoft API25; ADFSv2. Connections are labelled http(s) SOAP and http(s).]

                          • Reduced Client Tools account creation complexity by a configuration file living in the ‘InfoShareWS’ virtual directory
                            – e.g. https://InfoShareWS/connectionconfiguration.xml
                          • Only thing to provide is the web services location

                          Claims – Account Creation

                          17

                          Claims – Database Upgrade Tool - Screenshot

                          18

                          • When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field. DBUT solves this problem
                          • A Trisoft User has 3 kinds of metadata
                            – Authentication: user name and password
                            – Authorization: user roles and access to user groups
                            – Application Data: User language, Favorites, e-mail, user name, id
                          • In Trisoft 2013 (10.0) authentication happens through a central/3rd party Secure Token Service (STS) system
                          • Once authenticated as an external user, Trisoft will map it to a Trisoft user profile for authorization and application data
                          • The Trisoft User Profile is required for
                            – Granting it user roles and access to user groups
                            – Referencing in workflow and assignments
                            – Populating user lists based on Trisoft user roles

                          Central Auth and Trisoft Authz

                          19

                          • ASMX based web services like http://InfoShareWS/Application.ASMX
                            – Since 2003
                            – First parameter in every function is always ‘AuthenticationContext’, so the Trisoft way of authentication
                          • Introducing Windows Communication Foundation (WCF) services like http://InfoShareWS/WCF/API25/Application.SVC
                            – Support for claims-based authentication
                            – Replaces ASMX Web Services, so marking them as deprecated
                              • Deprecated here means supported as long as the cost of maintenance is reasonable
                          • Goal is to step away from Trisoft Authentication (Trisoft Username/Password combinations)

                          Web Services – ASMX and SVC

                          20

                          bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

                          ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

                          bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

                          ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

                          bull First checks the input if unexpectedwrong it will throw immediately

                          bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

                          Web Services - API25 ndash Some ground rules

                          Function name Description

                          SetMetadata Current function

                          SetMetadata2 New function to support multiple write access

                          SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

                          bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

                          bull Contextual information comes in through ndash For ASMX Web Services

                          bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

                          bull Deprecated because of technology

                          bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

                          ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

                          OASIS standard using OASIS SAML tokens

                          bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

                          bull Supports any Authentication type because it is an externalized service (STS)

                          Web Services - API25 ndash Who are you

                          bull First of all we provided all these new classes in ASMX and SVC flavor for now

                          bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

                          bull holding the SDL LiveContent Reach and WorldServer location

                          ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

                          bull Introducing versioned schema validation

                          ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

                          Web Services - New in SDL Trisoft 2013 (100)

                          bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

                          ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

                          Web Services - New in SDL Trisoft 2013 (100)

                          bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

                          bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

                          ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

                          bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

                          assign publications or content objects you would want to get translated

                          ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

                          Web Services - New in SDL Trisoft 2013 (100)

                          User Provisioning ndash Available since 2011 R2 (92)

                          bull Introducing the following API functions

                          User Provisioning - Functions

                          User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

                          UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

                          UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

                          1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

                          FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

                          FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

                          Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

                          2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

                          limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

                          FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

                          Beware that update could overwrite explicitly set values

                          User Provisioning - Algorithm for InOut

                          bull Multi Browser support ndash IE8 and IE9

                          ndash FF-latest

                          ndash Chrome-latest

                          bull Third Party Software ndash AntennaHouse XSL Formater 60

                          ndash SQLServer 2008 SP3

                          ndash SQLServer 2008R2 SP2

                          What we also did

                          bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

                          automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

                          What we also did

                          SDL Trisoft Authoring Bridge

                          Database

                          Server or Remote Machine

                          Application Server

                          Client

                          Access through Web Services

                          SDL Trisoft Foundation

                          Arbortext Editor XMetaL FrameMaker

                          FrameMaker Connector

                          Arbortext Editor Connector XMetal Connector

                          3rd Party Application

                          3rd Party Connector

                          bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

                          bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

                          What we also did

                          Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

                          • SDL Trisoft Tech DeckTechnology Web Services and QampA
                          • Agenda
                          • SDL Integrations Product Stack
                          • SDL Integrations Product Stack - WorldServer
                          • Security - Real World Scenario
                          • Current Software Paradigm
                          • Centralized IT Paradigm
                          • Current situation
                          • Security Token Service (STS)
                          • Basic Flow Overview
                          • Claims - Profiles
                          • Claims ndash Demo
                          • Claims - Brands amp Backward Compatibility
                          • Claims ndash Trisoft InstallTool Parameters
                          • STS - STS Auth amp Trisoft Authz
                          • Claims ndash Account Creation
                          • Claims ndash Database Upgrade Tool - Screenshot
                          • Central Auth and Trisoft Authz
                          • Web Services ndash ASMX and SVC
                          • Web Services - API25 ndash Some ground rules
                          • Web Services - API25 ndash Who are you
                          • Web Services - New in SDL Trisoft 2013 (100)
                          • Web Services - New in SDL Trisoft 2013 (100)
                          • Web Services - New in SDL Trisoft 2013 (100)
                          • User Provisioning ndash Available since 2011 R2 (92)
                          • User Provisioning - Functions
                          • User Provisioning - Algorithm for InOut
                          • What we also did
                          • What we also did
                          • What we also did
                          • Slide Number 32

                            bull Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

                            bull New Parameters in the inputparametersxml file required for installation ndash Infosharestswebappname ndash servicecertificatesubjectname ndash basehostname ndash servicecertificatevalidationmode ndash issuercertificatethumbprint ndash issuercertificatevalidationmode ndash issueractorusername ndash issueractorpassword ndash issuerwstrustendpointurl ndash issuerwsfederationendpointurl ndash serviceusername ndash servicepassword

                            Claims ndash Trisoft InstallTool Parameters

                            15

                            http(s) SOAP

                            http(s) SOAP

                            http(s) SOAP

                            http(s)

                            Web App InfoShareWS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

                            Web App InfoShareAuthor Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

                            STS - STS Auth amp Trisoft Authz

                            Host oracleexe -or- sqlservrexe Identity NA

                            Host iexploreexe Identity DOMAINuser

                            Host PublicationManagerexe -or- xmetalexe Identity DOMAINuser

                            Trisoft Foundation

                            Trisoft API25 API20 API10

                            Tris

                            oft

                            Clie

                            nt T

                            ools

                            Tris

                            oft

                            Info

                            Sha

                            reW

                            eb

                            Tris

                            oft

                            Xop

                            us

                            Bro

                            wse

                            r

                            Mic

                            roso

                            ft I

                            IS

                            Host AD

                            Identity NA

                            Mic

                            roso

                            ft I

                            IS

                            Trisoft Foundation

                            Trisoft API25 for PubOutput Streaming

                            Web App InfoShareSTS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

                            Trisoft API25

                            Mic

                            roso

                            ft I

                            IS

                            Browser

                            ADFSv2

                            bull Reduced Client Tools account creation complexity by a configuration file living in the lsquoInfoSharWSrsquo virtual directory ndash eg httpsInfoShareWSconnectionconfigurationxml

                            bull Only thing to provide is the web services location

                            Claims ndash Account Creation

                            17

                            Claims ndash Database Upgrade Tool - Screenshot

                            18

                            bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

                            bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

                            ndash Authorization user roles and access to user groups

                            ndash Application Data User language Favorites e-mail user name id

                            bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

                            bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

                            bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

                            ndash Referencing in workflow and assignments

                            ndash Populating user lists based on Trisoft user roles

                            Central Auth and Trisoft Authz

                            19

                            bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

                            ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

                            bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

                            ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

                            bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

                            Web Services ndash ASMX and SVC

                            20

                            bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

                            ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

                            bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

                            ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

                            bull First checks the input if unexpectedwrong it will throw immediately

                            bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

                            Web Services - API25 ndash Some ground rules

                            Function name Description

                            SetMetadata Current function

                            SetMetadata2 New function to support multiple write access

                            SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

• Incoming user contextual information will be decrypted into a UserContext object, which in turn will always be validated for correctness in the database (rights, disabled, roles)

• Contextual information comes in through
  – For ASMX Web Services
    • Every class constructor requires an AuthenticationContext, so only works for 'Trisoft Internal' users
    • Deprecated because of technology
    • Stopped support for 'direct' Windows/LDAP Authentication in favor of an STS solution
  – For SVC Web Services
    • No AuthenticationContext parameter, as it is on-the-wire as part of the WS-Trust OASIS standard using OASIS SAML tokens
    • The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPrincipal object
    • Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 – Who are you

• First of all, we provided all these new classes in ASMX and SVC flavor for now

• Settings25 allowing access to Set and Get
  – Settings > Default Settings
    • holding the SDL LiveContent Reach and WorldServer location
  – All Settings Configuration Xmls like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
    • Note that 'Xml Tags' is gone
    • Introducing versioned schema validation
  – Function GetPossibleTargetStatuses helps in filling allowed 'next values' for workflow dialogs

Web Services - New in SDL Trisoft 2013 (10.0)

• ListOfValues25 allowing access to manage the allowed/permitted values of a select List of Value (LOV)
  – Useful for automated integrations/input
  – Note: adding the List of Value itself (e.g. 'ImageType') still requires the setup utilities. This API class allows you to add values (e.g. 'Diagram' and 'Graphic' into 'ImageType')

Web Services - New in SDL Trisoft 2013 (10.0)

• The following API functions allow our new 'TranslationOrganizer' service to work

• TranslationTemplate25
  – Allows management of cached translation template in Trisoft
  – A 'configuration' identifier to tell the Translation Management System which setup to use (e.g. WorldServer workflow, cost code)

• TranslationJob25
  – Allows typical CRUD of the new TranslationJob containers where you can assign publications or content objects you would want to get translated
  – TranslationJob object drives the 'TranslationBuilder' and 'TranslationOrganizer' Windows services

Web Services - New in SDL Trisoft 2013 (10.0)

User Provisioning – Available since 2011 R2 (9.2)

• Introducing the following API functions

User Provisioning - Functions

User25:      ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update
UserGroup25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update
UserRole25:  Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

1. Delete or Disable Trisoft User Profiles
   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
      1. If none exists, delete the Trisoft user profile if not referenced, otherwise disable the Trisoft user profile
      2. If one or more exists, check if disabled, possibly disable the Trisoft user profile

2. Create or Update Trisoft User Profiles…
   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
   2. For every user in the external-user-list, find the Trisoft User Profile by FISHEXTERNALID
      1. If multiple hits, throw exception, as multiple profile hits will never grant a login
      2. If none exists, create the user profile with required roles and user groups
      3. If one exists: enable, skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for In/Out
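The in/out algorithm above as an added example (not SDL's code and not a call into the Trisoft API): an in-memory Python model of both passes. `ExternalUser`, `Profile`, the `referenced` flag, the role names and the `overwrite` switch are assumptions; only the `FISH*` field names come from the slides. It reads "possibly disable" as "disable when every matching external account is disabled", and it keeps roles granted inside Trisoft unless `overwrite` is set, which is the case the "beware" line warns about.

```python
from dataclasses import dataclass, field


@dataclass
class ExternalUser:
    """Constructed stand-in for one account in the external directory (e.g. LDAP)."""
    external_id: str
    disabled: bool = False
    roles: frozenset = frozenset()


@dataclass
class Profile:
    """Constructed stand-in for a Trisoft user profile; FISH* are the slide's field names."""
    name: str
    FISHEXTERNALID: str
    FISHUSERTYPE: str = "External"
    FISHUSERDISABLED: str = "No"
    roles: set = field(default_factory=set)
    referenced: bool = False  # assumption: True when workflow or assignments use the profile


class AmbiguousProfile(Exception):
    """Several profiles share one FISHEXTERNALID, so none of them can ever log in."""


def deprovision(profiles, directory):
    """Pass 1: delete or disable profiles whose external account is gone or disabled."""
    by_id = {}
    for user in directory:
        by_id.setdefault(user.external_id, []).append(user)
    actions = []
    candidates = [p for p in profiles
                  if p.FISHUSERTYPE == "External" and p.FISHUSERDISABLED == "No"]
    for p in candidates:
        matches = by_id.get(p.FISHEXTERNALID, [])
        if not matches and not p.referenced:
            profiles[:] = [q for q in profiles if q is not p]
            actions.append(("delete", p.name))
        elif not matches or all(u.disabled for u in matches):
            # The profile is kept (it may still be referenced) but can no longer log in.
            p.FISHUSERDISABLED = "Yes"
            actions.append(("disable", p.name))
    return actions


def provision(profiles, directory, overwrite=False):
    """Pass 2: create, enable, skip or update a profile for every required external user."""
    actions = []
    for user in directory:
        if user.disabled:
            continue  # assumption: a disabled external account is not "required"
        hits = [p for p in profiles if p.FISHEXTERNALID == user.external_id]
        if len(hits) > 1:
            raise AmbiguousProfile(user.external_id)
        if not hits:
            profiles.append(Profile(user.external_id, user.external_id,
                                    roles=set(user.roles)))
            actions.append(("create", user.external_id))
            continue
        p = hits[0]
        # overwrite=True replaces the roles and drops anything granted by hand in Trisoft.
        wanted = set(user.roles) if overwrite else p.roles | set(user.roles)
        if p.FISHUSERDISABLED == "Yes":
            p.FISHUSERDISABLED, p.roles = "No", wanted
            actions.append(("enable", p.name))
        elif wanted != p.roles:
            p.roles = wanted
            actions.append(("update", p.name))
        else:
            actions.append(("skip", p.name))
    return actions


def reconcile(profiles, directory, overwrite=False):
    """Run the 'out' pass first so stale accounts lose access before new ones are added."""
    return deprovision(profiles, directory) + provision(profiles, directory, overwrite)


def sample():
    """Constructed data that exercises every branch of both passes."""
    directory = [ExternalUser("alice", roles=frozenset({"Author"})),
                 ExternalUser("bob", disabled=True),
                 ExternalUser("dave", roles=frozenset({"Reviewer"}))]
    profiles = [Profile("alice", "alice", roles={"Author", "Administrator"}),
                Profile("bob", "bob"),
                Profile("carol", "carol", referenced=True),
                Profile("erin", "erin"),
                Profile("admin", "", FISHUSERTYPE="Internal")]
    return profiles, directory


if __name__ == "__main__":
    profiles, directory = sample()
    for action in reconcile(profiles, directory):
        print(*action)
```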

• Multi Browser support
  – IE8 and IE9
  – FF-latest
  – Chrome-latest

• Third Party Software
  – AntennaHouse XSL Formatter 6.0
  – SQLServer 2008 SP3
  – SQLServer 2008R2 SP2

What we also did

• AuthoringBridge SDK
  – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list: XM5560 AE5354 FM910)

What we also did

[Diagram: SDL Trisoft Authoring Bridge. Labels: Database (Server or Remote Machine); Application Server (SDL Trisoft Foundation); Client, with access through Web Services; Arbortext Editor, XMetaL, FrameMaker and 3rd Party Application, each with its Connector.]

• Batch Metadata/Workflow operations in the client tools
  – Simply automation of manual actions

• Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified, and may not be copied, used or distributed except as authorised by SDL.

• SDL Trisoft Tech Deck Technology, Web Services and Q&A
• Agenda
• SDL Integrations Product Stack
• SDL Integrations Product Stack - WorldServer
• Security - Real World Scenario
• Current Software Paradigm
• Centralized IT Paradigm
• Current situation
• Security Token Service (STS)
• Basic Flow Overview
• Claims - Profiles
• Claims – Demo
• Claims - Brands & Backward Compatibility
• Claims – Trisoft InstallTool Parameters
• STS - STS Auth & Trisoft Authz
• Claims – Account Creation
• Claims – Database Upgrade Tool - Screenshot
• Central Auth and Trisoft Authz
• Web Services – ASMX and SVC
• Web Services - API25 – Some ground rules
• Web Services - API25 – Who are you
• Web Services - New in SDL Trisoft 2013 (10.0)
• Web Services - New in SDL Trisoft 2013 (10.0)
• Web Services - New in SDL Trisoft 2013 (10.0)
• User Provisioning – Available since 2011 R2 (9.2)
• User Provisioning - Functions
• User Provisioning - Algorithm for In/Out
• What we also did
• What we also did
• What we also did
• Slide Number 32

STS - STS Auth & Trisoft Authz

[Architecture diagram. Recoverable labels:]
• Connections: http(s) SOAP (three times), http(s)
• Web App InfoShareWS: Host IIS AppPool (dllhost.exe), Identity DOMAIN\InfoShareSvc
• Web App InfoShareAuthor: Host IIS AppPool (dllhost.exe), Identity DOMAIN\InfoShareSvc
• Web App InfoShareSTS: Host IIS AppPool (dllhost.exe), Identity DOMAIN\InfoShareSvc
• Host oracle.exe -or- sqlservr.exe, Identity N/A
• Host iexplore.exe, Identity DOMAIN\user
• Host PublicationManager.exe -or- xmetal.exe, Identity DOMAIN\user
• Host AD, Identity N/A
• Other labels: Trisoft Foundation; Trisoft API25 API20 API10; Trisoft API25 for PubOutput Streaming; Trisoft API25; Trisoft Client Tools; Trisoft InfoShareWeb; Trisoft Xopus; Browser; Microsoft IIS; ADFSv2

• Reduced Client Tools account creation complexity by a configuration file living in the 'InfoShareWS' virtual directory
  – e.g. httpsInfoShareWSconnectionconfigurationxml

• Only thing to provide is the web services location

Claims – Account Creation

Claims – Database Upgrade Tool - Screenshot

• When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field. DBUT solves this problem

• A Trisoft User has 3 kinds of metadata
  – Authentication: user name and password
  – Authorization: user roles and access to user groups
  – Application Data: user language, favorites, e-mail, user name, id

• In Trisoft 2013 (10.0) authentication happens through a central/3rd party Secure Token Service (STS) system

• Once authenticated as an external user, Trisoft will map it to a Trisoft user profile for authorization and application data

• The Trisoft User Profile is required for
  – Granting it user roles and access to user groups
  – Referencing in workflow and assignments
  – Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

• ASMX based web services like httpInfoShareWSApplicationASMX
  – Since 2003
  – First parameter in every function is always 'AuthenticationContext', so the Trisoft way of authentication

• Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC
  – Support for claims-based authentication
  – Replaces ASMX Web Services, so marking them as deprecated
    • Deprecated here means supported as long as the cost of maintenance is reasonable

• Goal is to step away from Trisoft Authentication (Trisoft Username/Password combinations)

Web Services – ASMX and SVC

                              bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

                              ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

                              bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

                              ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

                              bull First checks the input if unexpectedwrong it will throw immediately

                              bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

                              Web Services - API25 ndash Some ground rules

                              Function name Description

                              SetMetadata Current function

                              SetMetadata2 New function to support multiple write access

                              SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

                              bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

                              bull Contextual information comes in through ndash For ASMX Web Services

                              bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

                              bull Deprecated because of technology

                              bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

                              ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

                              OASIS standard using OASIS SAML tokens

                              bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

                              bull Supports any Authentication type because it is an externalized service (STS)

                              Web Services - API25 ndash Who are you

                              bull First of all we provided all these new classes in ASMX and SVC flavor for now

                              bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

                              bull holding the SDL LiveContent Reach and WorldServer location

                              ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

                              bull Introducing versioned schema validation

                              ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

                              Web Services - New in SDL Trisoft 2013 (100)

                              bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

                              ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

                              Web Services - New in SDL Trisoft 2013 (100)

                              bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

                              bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

                              ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

                              bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

                              assign publications or content objects you would want to get translated

                              ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

                              Web Services - New in SDL Trisoft 2013 (100)

                              User Provisioning ndash Available since 2011 R2 (92)

                              bull Introducing the following API functions

                              User Provisioning - Functions

                              User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

                              UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

                              UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

                              1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

                              FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

                              FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

                              Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

                              2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

                              limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

                              FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

                              Beware that update could overwrite explicitly set values

                              User Provisioning - Algorithm for InOut

                              bull Multi Browser support ndash IE8 and IE9

                              ndash FF-latest

                              ndash Chrome-latest

                              bull Third Party Software ndash AntennaHouse XSL Formater 60

                              ndash SQLServer 2008 SP3

                              ndash SQLServer 2008R2 SP2

                              What we also did

                              bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

                              automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

                              What we also did

                              SDL Trisoft Authoring Bridge

                              Database

                              Server or Remote Machine

                              Application Server

                              Client

                              Access through Web Services

                              SDL Trisoft Foundation

                              Arbortext Editor XMetaL FrameMaker

                              FrameMaker Connector

                              Arbortext Editor Connector XMetal Connector

                              3rd Party Application

                              3rd Party Connector

                              bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

                              bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

                              What we also did

                              Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

                              • SDL Trisoft Tech DeckTechnology Web Services and QampA
                              • Agenda
                              • SDL Integrations Product Stack
                              • SDL Integrations Product Stack - WorldServer
                              • Security - Real World Scenario
                              • Current Software Paradigm
                              • Centralized IT Paradigm
                              • Current situation
                              • Security Token Service (STS)
                              • Basic Flow Overview
                              • Claims - Profiles
                              • Claims ndash Demo
                              • Claims - Brands amp Backward Compatibility
                              • Claims ndash Trisoft InstallTool Parameters
                              • STS - STS Auth amp Trisoft Authz
                              • Claims ndash Account Creation
                              • Claims ndash Database Upgrade Tool - Screenshot
                              • Central Auth and Trisoft Authz
                              • Web Services ndash ASMX and SVC
                              • Web Services - API25 ndash Some ground rules
                              • Web Services - API25 ndash Who are you
                              • Web Services - New in SDL Trisoft 2013 (100)
                              • Web Services - New in SDL Trisoft 2013 (100)
                              • Web Services - New in SDL Trisoft 2013 (100)
                              • User Provisioning ndash Available since 2011 R2 (92)
                              • User Provisioning - Functions
                              • User Provisioning - Algorithm for InOut
                              • What we also did
                              • What we also did
                              • What we also did
                              • Slide Number 32

                                bull Reduced Client Tools account creation complexity by a configuration file living in the lsquoInfoSharWSrsquo virtual directory ndash eg httpsInfoShareWSconnectionconfigurationxml

                                bull Only thing to provide is the web services location

                                Claims ndash Account Creation

                                17

                                Claims ndash Database Upgrade Tool - Screenshot

                                18

                                bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

                                bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

                                ndash Authorization user roles and access to user groups

                                ndash Application Data User language Favorites e-mail user name id

                                bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

                                bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

                                bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

                                ndash Referencing in workflow and assignments

                                ndash Populating user lists based on Trisoft user roles

                                Central Auth and Trisoft Authz

                                19

                                bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

                                ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

                                bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

                                ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

                                bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

                                Web Services ndash ASMX and SVC

                                20

                                bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

                                ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

                                bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

                                ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

                                bull First checks the input if unexpectedwrong it will throw immediately

                                bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

                                Web Services - API25 ndash Some ground rules

                                Function name Description

                                SetMetadata Current function

                                SetMetadata2 New function to support multiple write access

                                SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

                                bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

                                bull Contextual information comes in through ndash For ASMX Web Services

                                bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

                                bull Deprecated because of technology

                                bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

                                ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

                                OASIS standard using OASIS SAML tokens

                                bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

                                bull Supports any Authentication type because it is an externalized service (STS)

                                Web Services - API25 ndash Who are you

                                bull First of all we provided all these new classes in ASMX and SVC flavor for now

                                bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

                                bull holding the SDL LiveContent Reach and WorldServer location

                                ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

                                bull Introducing versioned schema validation

                                ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

                                Web Services - New in SDL Trisoft 2013 (100)

                                bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

                                ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

                                Web Services - New in SDL Trisoft 2013 (100)

                                bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

                                bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

                                ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

                                bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

                                assign publications or content objects you would want to get translated

                                ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

                                Web Services - New in SDL Trisoft 2013 (100)

User Provisioning – Available since 2011 R2 (9.2)

• Introducing the following API functions

User Provisioning - Functions

User25: ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update
UserGroup25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update
UserRole25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

1. Delete or Disable Trisoft User Profiles
   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
      1. If none exists, delete the Trisoft user profile if not referenced, otherwise disable the Trisoft user profile
      2. If one or more exists, check if disabled; possibly disable the Trisoft user profile
2. Create or Update Trisoft User Profiles…
   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
   2. For every user in the external-user-list, find the Trisoft User Profile by FISHEXTERNALID
      1. If multiple hits, throw exception, as multiple profile hits will never grant a login
      2. If none exists, create the user profile with required roles and user groups
      3. If one exists: enable, skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for In/Out
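The in/out algorithm above as a runnable model, added here and not SDL's code: it works on in-memory dicts rather than the User25 web service, and the dict layout, the `referenced` flag and all function names are assumptions; only FISHEXTERNALID, FISHUSERTYPE and FISHUSERDISABLED come from the slides. The update step is additive, which is one way to keep it from overwriting explicitly set values.

```python
"""In/out reconciliation of Trisoft user profiles against an external directory.

In-memory model only. The field names FISHEXTERNALID, FISHUSERTYPE and
FISHUSERDISABLED come from the slides; the dict layout, the `referenced`
flag and every function name are assumptions made for this example.
"""


class AmbiguousProfileError(Exception):
    """Several profiles share one FISHEXTERNALID, so a login is never granted."""


def find_profile(profiles, ext_id):
    """Return the single profile for ext_id, None if absent, raise if ambiguous."""
    hits = [p for p in profiles if p["FISHEXTERNALID"] == ext_id]
    if len(hits) > 1:
        raise AmbiguousProfileError(ext_id)
    return hits[0] if hits else None


def deprovision(profiles, directory):
    """Step 1: delete or disable profiles whose external account is gone or disabled."""
    actions = []
    for p in list(profiles):
        if p["FISHUSERTYPE"] != "External" or p["FISHUSERDISABLED"] != "No":
            continue
        ext = directory.get(p["FISHEXTERNALID"])
        if ext is not None and not ext["disabled"]:
            continue  # external account is active: leave the profile alone
        if ext is None and not p["referenced"]:
            profiles[:] = [q for q in profiles if q is not p]
            actions.append(("delete", p["FISHEXTERNALID"]))
        else:
            # Still referenced in workflow/assignments, or disabled upstream.
            p["FISHUSERDISABLED"] = "Yes"
            actions.append(("disable", p["FISHEXTERNALID"]))
    return actions


def provision(profiles, directory):
    """Step 2: create, enable or additively update profiles for active accounts."""
    actions = []
    for ext_id in sorted(directory):
        ext = directory[ext_id]
        if ext["disabled"]:
            continue
        p = find_profile(profiles, ext_id)
        if p is None:
            profiles.append({
                "FISHEXTERNALID": ext_id, "FISHUSERTYPE": "External",
                "FISHUSERDISABLED": "No", "referenced": False,
                "roles": set(ext["roles"]), "groups": set(ext["groups"]),
            })
            actions.append(("create", ext_id))
            continue
        changed = p["FISHUSERDISABLED"] != "No"
        p["FISHUSERDISABLED"] = "No"
        # Additive update only: roles or groups granted by hand in Trisoft are
        # never removed, so the sync cannot overwrite explicitly set values.
        for field in ("roles", "groups"):
            missing = set(ext[field]) - p[field]
            changed = changed or bool(missing)
            p[field] |= missing
        actions.append(("update" if changed else "skip", ext_id))
    return actions


def sync(profiles, directory):
    """Run both steps; refuse to change anything while an ID is ambiguous."""
    for ext_id in directory:
        find_profile(profiles, ext_id)  # pre-flight: raises before any mutation
    return deprovision(profiles, directory) + provision(profiles, directory)


def demo():
    """Constructed sample data: four existing profiles, three directory accounts."""
    def profile(ext_id, roles, referenced):
        return {"FISHEXTERNALID": ext_id, "FISHUSERTYPE": "External",
                "FISHUSERDISABLED": "No", "referenced": referenced,
                "roles": set(roles), "groups": {"Docs"}}
    profiles = [
        profile("alice@corp.example", {"Author", "Administrator"}, True),
        profile("bob@corp.example", {"Author"}, True),     # disabled upstream
        profile("carol@corp.example", {"Author"}, False),  # gone, unreferenced
        profile("erin@corp.example", {"Author"}, True),    # gone, referenced
    ]
    directory = {
        "alice@corp.example": {"disabled": False, "roles": {"Author"}, "groups": {"Docs"}},
        "bob@corp.example": {"disabled": True, "roles": {"Author"}, "groups": {"Docs"}},
        "dave@corp.example": {"disabled": False, "roles": {"Reviewer"}, "groups": {"Docs"}},
    }
    return profiles, sync(profiles, directory)


if __name__ == "__main__":
    for action in demo()[1]:
        print(action)
```

Running the deprovisioning pass before the provisioning pass means an account removed upstream loses access in the same run that creates new profiles.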

• Multi Browser support
  – IE8 and IE9
  – FF-latest
  – Chrome-latest
• Third Party Software
  – AntennaHouse XSL Formatter 6.0
  – SQLServer 2008 SP3
  – SQLServer 2008R2 SP2

What we also did

• AuthoringBridge SDK
  – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list: XM5560 AE5354 FM910)

What we also did

[Diagram: SDL Trisoft Authoring Bridge. Labels: Database; Server or Remote Machine; Application Server; Client; Access through Web Services; SDL Trisoft Foundation; Arbortext Editor, XMetaL and FrameMaker, each with its own Connector; 3rd Party Application with 3rd Party Connector]

• Batch Metadata/Workflow operations in the client tools
  – Simply automation of manual actions
• Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified, and may not be copied, used or distributed except as authorised by SDL.

• SDL Trisoft Tech Deck: Technology, Web Services and Q&A
• Agenda
• SDL Integrations Product Stack
• SDL Integrations Product Stack - WorldServer
• Security - Real World Scenario
• Current Software Paradigm
• Centralized IT Paradigm
• Current situation
• Security Token Service (STS)
• Basic Flow Overview
• Claims - Profiles
• Claims – Demo
• Claims - Brands & Backward Compatibility
• Claims – Trisoft InstallTool Parameters
• STS - STS Auth & Trisoft Authz
• Claims – Account Creation
• Claims – Database Upgrade Tool - Screenshot
• Central Auth and Trisoft Authz
• Web Services – ASMX and SVC
• Web Services - API25 – Some ground rules
• Web Services - API25 – Who are you
• Web Services - New in SDL Trisoft 2013 (10.0)
• Web Services - New in SDL Trisoft 2013 (10.0)
• Web Services - New in SDL Trisoft 2013 (10.0)
• User Provisioning – Available since 2011 R2 (9.2)
• User Provisioning - Functions
• User Provisioning - Algorithm for In/Out
• What we also did
• What we also did
• What we also did
• Slide Number 32

Claims – Database Upgrade Tool - Screenshot

• When activating external authentication, you have to have at least one correctly configured FISHEXTERNALID field. DBUT solves this problem
• A Trisoft User has 3 kinds of metadata
  – Authentication: user name and password
  – Authorization: user roles and access to user groups
  – Application Data: User language, Favorites, e-mail, user name, id
• In Trisoft 2013 (10.0), authentication happens through a central/3rd party Secure Token Service (STS) system
• Once authenticated as an external user, Trisoft will map it to a Trisoft user profile for authorization and application data
• The Trisoft User Profile is required for
  – Granting it user roles and access to user groups
  – Referencing in workflow and assignments
  – Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

• ASMX based web services like httpInfoShareWSApplicationASMX
  – Since 2003
  – First parameter in every function is always ‘AuthenticationContext’, so the Trisoft way of authentication
• Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC
  – Support for claims-based authentication
  – Replaces ASMX Web Services, so marking them as deprecated
    • Deprecated here means supported as long as the cost of maintenance is reasonable
• Goal is to step away from Trisoft Authentication (Trisoft Username/Password combinations)

Web Services – ASMX and SVC

• All API calls labelled 25 are 100% .NET full stack; they are visible in web services like DocumentObj25, OutputFormat25
  – API 25 means a certain set of behavior
  – Technology-wise, mapping of ASMX, SVC, .NET and COM+ interfaces is one-on-one, besides technical limitations (e.g. function overloading, parameter types)
• Exceptions
  – Internally uses the TrisoftException or per-assembly derived variations
  – Throws InfoShareExceptions wrapped in the ‘InfoShareWS’ to SoapException
• First checks the input; if unexpected/wrong, it will throw immediately
• Results are never sorted unless explicitly indicated through a sequence field. The client should always sort

Web Services - API25 – Some ground rules

Function name – Description
SetMetadata – Current function
SetMetadata2 – New function to support multiple write access
SetMetadata3 – New function to support multiple write access and an extra parameter “requiredCurrentMetadata” to force the current metadata to match an expected value

• Incoming user contextual information will be decrypted into a UserContext object, which in turn will always be validated for correctness in the database (rights, disabled, roles)
• Contextual information comes in through
  – For ASMX Web Services
    • Every class constructor requires an AuthenticationContext, so only works for ‘Trisoft Internal’ users
    • Deprecated because of technology
    • Stopped support for ‘direct’ Windows/LDAP Authentication in favor of an STS solution
  – For SVC Web Services
    • No AuthenticationContext parameter, as it is on-the-wire as part of the WS-Trust OASIS standard using OASIS SAML tokens
    • The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPrincipal object
    • Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 – Who are you

• First of all, we provided all these new classes in ASMX and SVC flavor for now
• Settings25, allowing access to Set and Get
  – Settings > Default Settings
    • holding the SDL LiveContent Reach and WorldServer location

                                  ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

                                  bull Introducing versioned schema validation

                                  ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

                                  Web Services - New in SDL Trisoft 2013 (100)

                                  bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

                                  ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

                                  Web Services - New in SDL Trisoft 2013 (100)

                                  bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

                                  bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

                                  ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

                                  bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

                                  assign publications or content objects you would want to get translated

                                  ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

                                  Web Services - New in SDL Trisoft 2013 (100)

                                  User Provisioning ndash Available since 2011 R2 (92)

                                  bull Introducing the following API functions

                                  User Provisioning - Functions

                                  User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

                                  UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

                                  UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

                                  1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

                                  FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

                                  FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

                                  Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

                                  2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

                                  limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

                                  FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

                                  Beware that update could overwrite explicitly set values

                                  User Provisioning - Algorithm for InOut

                                  bull Multi Browser support ndash IE8 and IE9

                                  ndash FF-latest

                                  ndash Chrome-latest

                                  bull Third Party Software ndash AntennaHouse XSL Formater 60

                                  ndash SQLServer 2008 SP3

                                  ndash SQLServer 2008R2 SP2

                                  What we also did

                                  bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

                                  automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

                                  What we also did

                                  SDL Trisoft Authoring Bridge

                                  Database

                                  Server or Remote Machine

                                  Application Server

                                  Client

                                  Access through Web Services

                                  SDL Trisoft Foundation

                                  Arbortext Editor XMetaL FrameMaker

                                  FrameMaker Connector

                                  Arbortext Editor Connector XMetal Connector

                                  3rd Party Application

                                  3rd Party Connector

                                  bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

                                  bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

                                  What we also did

                                  Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

                                  • SDL Trisoft Tech DeckTechnology Web Services and QampA
                                  • Agenda
                                  • SDL Integrations Product Stack
                                  • SDL Integrations Product Stack - WorldServer
                                  • Security - Real World Scenario
                                  • Current Software Paradigm
                                  • Centralized IT Paradigm
                                  • Current situation
                                  • Security Token Service (STS)
                                  • Basic Flow Overview
                                  • Claims - Profiles
                                  • Claims ndash Demo
                                  • Claims - Brands amp Backward Compatibility
                                  • Claims ndash Trisoft InstallTool Parameters
                                  • STS - STS Auth amp Trisoft Authz
                                  • Claims ndash Account Creation
                                  • Claims ndash Database Upgrade Tool - Screenshot
                                  • Central Auth and Trisoft Authz
                                  • Web Services ndash ASMX and SVC
                                  • Web Services - API25 ndash Some ground rules
                                  • Web Services - API25 ndash Who are you
                                  • Web Services - New in SDL Trisoft 2013 (100)
                                  • Web Services - New in SDL Trisoft 2013 (100)
                                  • Web Services - New in SDL Trisoft 2013 (100)
                                  • User Provisioning ndash Available since 2011 R2 (92)
                                  • User Provisioning - Functions
                                  • User Provisioning - Algorithm for InOut
                                  • What we also did
                                  • What we also did
                                  • What we also did
                                  • Slide Number 32

                                    bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

                                    ndash Authorization user roles and access to user groups

                                    ndash Application Data User language Favorites e-mail user name id

                                    bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

                                    bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

                                    bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

                                    ndash Referencing in workflow and assignments

                                    ndash Populating user lists based on Trisoft user roles

                                    Central Auth and Trisoft Authz

                                    19

                                    bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

                                    ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

                                    bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

                                    ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

                                    bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

                                    Web Services ndash ASMX and SVC

                                    20

                                    bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

                                    ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

                                    bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

                                    ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

                                    bull First checks the input if unexpectedwrong it will throw immediately

                                    bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

                                    Web Services - API25 ndash Some ground rules

                                    Function name Description

                                    SetMetadata Current function

                                    SetMetadata2 New function to support multiple write access

                                    SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

                                    bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

                                    bull Contextual information comes in through ndash For ASMX Web Services

                                    bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

                                    bull Deprecated because of technology

                                    bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

                                    ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

                                    OASIS standard using OASIS SAML tokens

                                    bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

                                    bull Supports any Authentication type because it is an externalized service (STS)

                                    Web Services - API25 ndash Who are you

                                    bull First of all we provided all these new classes in ASMX and SVC flavor for now

                                    bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

                                    bull holding the SDL LiveContent Reach and WorldServer location

                                    ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

                                    bull Introducing versioned schema validation

                                    ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

                                    Web Services - New in SDL Trisoft 2013 (100)

                                    bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

                                    ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

                                    Web Services - New in SDL Trisoft 2013 (100)

                                    bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

                                    bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

                                    ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

                                    bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

                                    assign publications or content objects you would want to get translated

                                    ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

                                    Web Services - New in SDL Trisoft 2013 (100)

                                    User Provisioning ndash Available since 2011 R2 (92)

                                    bull Introducing the following API functions

                                    User Provisioning - Functions

                                    User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

                                    UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

                                    UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

                                    1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

                                    FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

                                    FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

                                    Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

                                    2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

                                    limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

                                    FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

                                    Beware that update could overwrite explicitly set values

                                    User Provisioning - Algorithm for InOut

                                    bull Multi Browser support ndash IE8 and IE9

                                    ndash FF-latest

                                    ndash Chrome-latest

                                    bull Third Party Software ndash AntennaHouse XSL Formater 60

                                    ndash SQLServer 2008 SP3

                                    ndash SQLServer 2008R2 SP2

                                    What we also did

                                    bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

                                    automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

                                    What we also did

                                    SDL Trisoft Authoring Bridge

                                    Database

                                    Server or Remote Machine

                                    Application Server

                                    Client

                                    Access through Web Services

                                    SDL Trisoft Foundation

                                    Arbortext Editor XMetaL FrameMaker

                                    FrameMaker Connector

                                    Arbortext Editor Connector XMetal Connector

                                    3rd Party Application

                                    3rd Party Connector

                                    bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions


• ASMX based web services like httpInfoShareWSApplicationASMX
  – Since 2003
  – First parameter in every function is always ‘AuthenticationContext’, so the Trisoft way of authentication

• Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC
  – Support for claims-based authentication
  – Replaces ASMX Web Services, so marking them as deprecated
    • Deprecated here means supported as long as the cost of maintenance is reasonable

• Goal is to step away from Trisoft Authentication (Trisoft Username/Password combinations)

Web Services – ASMX and SVC

• All API calls labelled 25 are 100% .NET full stack; they are visible in web services like DocumentObj25, OutputFormat25
  – API 25 means a certain set of behavior
  – Technology-wise, mapping of ASMX, SVC, .NET and COM+ interfaces is one-on-one, besides technical limitations (e.g. function overloading, parameter types)

• Exceptions
  – Internally uses the TrisoftException or per-assembly derived variations
  – Throws InfoShareExceptions wrapped in the ‘InfoShareWS’ to SoapException

• First checks the input; if unexpected/wrong it will throw immediately

• Results are never sorted unless explicitly indicated through a sequence field. The client should always sort

Web Services - API25 – Some ground rules

Function name   Description
SetMetadata     Current function
SetMetadata2    New function to support multiple write access
SetMetadata3    New function to support multiple write access and an extra parameter “requiredCurrentMetadata” to force the current metadata to match an expected value

• Incoming user contextual information will be decrypted into a UserContext object, which in turn will always be validated for correctness in the database (rights, disabled, roles)

• Contextual information comes in through
  – For ASMX Web Services
    • Every class constructor requires an AuthenticationContext, so only works for ‘Trisoft Internal’ users
    • Deprecated because of technology
    • Stopped support for ‘direct’ Windows/LDAP Authentication in favor of an STS solution
  – For SVC Web Services
    • No AuthenticationContext parameter, as it is on-the-wire as part of the WS-Trust OASIS standard using OASIS SAML tokens
    • The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPrincipal object
    • Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 – Who are you

• First of all, we provided all these new classes in ASMX and SVC flavor for now

• Settings25 allowing access to Set and Get
  – Settings > Default Settings
    • holding the SDL LiveContent Reach and WorldServer location
  – All Settings Configuration Xmls like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
    • Note that ‘Xml Tags’ is gone
    • Introducing versioned schema validation
  – Function GetPossibleTargetStatuses helps in filling allowed ‘next values’ for workflow dialogs

Web Services - New in SDL Trisoft 2013 (10.0)

• ListOfValues25 allowing access to manage the allowed/permitted values of a select List of Value (LOV)
  – Useful for automated integrations/input
  – Note: adding the List of Value itself (e.g. ‘ImageType’) still requires the setup utilities. This API class allows you to add values (e.g. ‘Diagram’ and ‘Graphic’ into ‘ImageType’)

Web Services - New in SDL Trisoft 2013 (10.0)

• The following API functions allow our new ‘TranslationOrganizer’ service to work

• TranslationTemplate25
  – Allows management of cached translation template in Trisoft
  – A ‘configuration’ identifier to tell the Translation Management System which setup to use (e.g. WorldServer workflow cost code)

• TranslationJob25
  – Allows typical CRUD of the new TranslationJob containers where you can assign publications or content objects you would want to get translated
  – TranslationJob object drives the ‘TranslationBuilder’ and ‘TranslationOrganizer’ Windows services

Web Services - New in SDL Trisoft 2013 (10.0)

User Provisioning – Available since 2011 R2 (9.2)

• Introducing the following API functions

User Provisioning - Functions

User25        ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update
UserGroup25   Create, Delete, Find, GetMetaData, RetrieveMetaData, Update
UserRole25    Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

1. Delete or Disable Trisoft User Profiles
   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
      1. If none exists, delete the Trisoft user profile if not referenced, otherwise disable the Trisoft user profile
      2. If one or more exists, check if disabled; possibly disable the Trisoft user profile

2. Create or Update Trisoft User Profiles…
   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
   2. For every user in the external-user-list, find the Trisoft User Profile by FISHEXTERNALID
      1. If multiple hits, throw exception, as multiple profile hits will never grant a login
      2. If none exists, create the user profile with required roles and user groups
      3. If one exists, enable, skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for In/Out
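
The two passes above, as an added example that is not SDL's code and calls no Trisoft API: plain dictionaries stand in for the repository and the external directory. Only FISHUSERTYPE, FISHUSERDISABLED, FISHEXTERNALID and the values External and No come from the slide; every other name and value (Internal, Yes, roles, login, the sample users) is an assumption made for the illustration.

```python
from collections import defaultdict
from copy import deepcopy


class AmbiguousProfileError(Exception):
    """Several Trisoft profiles share one FISHEXTERNALID, so none could log in."""


def deprovision(profiles, directory, referenced):
    """Pass 1: delete or disable profiles that have no live external account."""
    actions = []
    # Step 1.1: only enabled External profiles are in scope; internal accounts are left alone.
    in_scope = [name for name, p in profiles.items()
                if p["FISHUSERTYPE"] == "External" and p["FISHUSERDISABLED"] == "No"]
    for name in in_scope:
        account = directory.get(profiles[name].get("FISHEXTERNALID"))
        if account is None and name not in referenced:
            del profiles[name]                          # gone externally, nothing points at it
            actions.append(("delete", name))
        elif account is None or account["disabled"]:
            profiles[name]["FISHUSERDISABLED"] = "Yes"  # keep the record, block the login
            actions.append(("disable", name))
    return actions


def provision(profiles, directory, required_role, new_profile_defaults):
    """Pass 2: create, enable or skip one profile per required external user."""
    by_external_id = defaultdict(list)
    for name, p in profiles.items():
        if p.get("FISHEXTERNALID"):
            by_external_id[p["FISHEXTERNALID"]].append(name)
    # Step 2.1: the external users that must have a profile (assumed rule: enabled and in one role).
    wanted = {ext_id: a for ext_id, a in directory.items()
              if not a["disabled"] and required_role in a["roles"]}
    # Step 2.2.1 is checked for every user before anything is written, so a failed
    # run leaves the repository unchanged instead of half provisioned.
    for ext_id, account in wanted.items():
        hits = by_external_id[ext_id]
        if len(hits) > 1:
            raise AmbiguousProfileError(f"{ext_id} maps to {sorted(hits)}")
        if not hits and account["login"] in profiles:
            raise ValueError(f"login {account['login']!r} is taken by an unrelated profile")
    actions = []
    for ext_id, account in wanted.items():
        hits = by_external_id[ext_id]
        if not hits:
            profiles[account["login"]] = {
                "FISHUSERTYPE": "External", "FISHUSERDISABLED": "No",
                "FISHEXTERNALID": ext_id, **deepcopy(new_profile_defaults)}
            actions.append(("create", account["login"]))
        elif profiles[hits[0]]["FISHUSERDISABLED"] == "Yes":
            profiles[hits[0]]["FISHUSERDISABLED"] = "No"
            actions.append(("enable", hits[0]))
        else:
            # No update here: roles an administrator set by hand are not overwritten.
            actions.append(("skip", hits[0]))
    return actions


def sync(profiles, directory, referenced, required_role, new_profile_defaults):
    """Run both passes in the slide's order and return the list of actions taken."""
    return (deprovision(profiles, directory, referenced)
            + provision(profiles, directory, required_role, new_profile_defaults))


def sample():
    """Constructed test data: (profiles, directory, names still referenced by content)."""
    def external(ext_id, disabled="No", roles=("Author",)):
        return {"FISHUSERTYPE": "External", "FISHUSERDISABLED": disabled,
                "FISHEXTERNALID": ext_id, "roles": list(roles)}
    profiles = {
        "admin": {"FISHUSERTYPE": "Internal", "FISHUSERDISABLED": "No",
                  "roles": ["Administrator"]},
        "alice": external("ext-1", roles=("Author", "Reviewer")),  # Reviewer added by hand
        "bob": external("ext-2"),                   # left the directory, still referenced
        "carol": external("ext-3"),                 # left the directory, not referenced
        "dave": external("ext-4"),                  # disabled in the directory
        "erin": external("ext-5", disabled="Yes"),  # active again in the directory
    }
    directory = {
        "ext-1": {"login": "alice", "disabled": False, "roles": {"trisoft-users"}},
        "ext-4": {"login": "dave", "disabled": True, "roles": {"trisoft-users"}},
        "ext-5": {"login": "erin", "disabled": False, "roles": {"trisoft-users"}},
        "ext-6": {"login": "frank", "disabled": False, "roles": {"trisoft-users"}},
        "ext-7": {"login": "grace", "disabled": False, "roles": {"finance"}},
    }
    return profiles, directory, {"bob"}


if __name__ == "__main__":
    for action in sync(*sample(), "trisoft-users", {"roles": ["Author"]}):
        print(action)
```

The example takes the "enable or skip" branch of step 2.2.3 and never updates an existing profile, which is the conservative reading of the slide's warning about overwriting explicitly set values.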

• Multi Browser support
  – IE8 and IE9
  – FF-latest
  – Chrome-latest

• Third Party Software
  – AntennaHouse XSL Formatter 6.0
  – SQLServer 2008 SP3
  – SQLServer 2008R2 SP2

What we also did

• AuthoringBridge SDK
  – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list: XM5560, AE5354, FM910)

What we also did

[Figure: SDL Trisoft Authoring Bridge. Labels: Database; Server or Remote Machine; Application Server; Client; Access through Web Services; SDL Trisoft Foundation; Arbortext Editor, XMetaL, FrameMaker; FrameMaker Connector, Arbortext Editor Connector, XMetaL Connector; 3rd Party Application; 3rd Party Connector]

• Batch Metadata/Workflow operations in the client tools
  – Simply automation of manual actions

• Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified, and may not be copied, used or distributed except as authorised by SDL.


                                          • Claims - Brands amp Backward Compatibility
                                          • Claims ndash Trisoft InstallTool Parameters
                                          • STS - STS Auth amp Trisoft Authz
                                          • Claims ndash Account Creation
                                          • Claims ndash Database Upgrade Tool - Screenshot
                                          • Central Auth and Trisoft Authz
                                          • Web Services ndash ASMX and SVC
                                          • Web Services - API25 ndash Some ground rules
                                          • Web Services - API25 ndash Who are you
                                          • Web Services - New in SDL Trisoft 2013 (100)
                                          • Web Services - New in SDL Trisoft 2013 (100)
                                          • Web Services - New in SDL Trisoft 2013 (100)
                                          • User Provisioning ndash Available since 2011 R2 (92)
                                          • User Provisioning - Functions
                                          • User Provisioning - Algorithm for InOut
                                          • What we also did
                                          • What we also did
                                          • What we also did
                                          • Slide Number 32

• First of all, we provided all these new classes in ASMX and SVC flavor for now
• Settings25, allowing access to Set and Get
  – Settings > Default Settings
    • holding the SDL LiveContent Reach and WorldServer location
  – All Settings Configuration Xmls, like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
    • Note that 'Xml Tags' is gone
    • Introducing versioned schema validation
  – Function GetPossibleTargetStatuses helps in filling allowed 'next values' for workflow dialogs

                                            Web Services - New in SDL Trisoft 2013 (100)

• ListOfValues25, allowing access to manage the allowed/permitted values of a select List of Value (LOV)
  – Useful for automated integrations/input
  – Note: adding the List of Value itself (e.g. 'ImageType') still requires the setup utilities. This API class allows you to add values (e.g. 'Diagram' and 'Graphic' into 'ImageType')

                                            Web Services - New in SDL Trisoft 2013 (100)

• The following API functions allow our new 'TranslationOrganizer' service to work
• TranslationTemplate25
  – Allows management of cached translation template in Trisoft
  – A 'configuration' identifier to tell the Translation Management System which setup to use (e.g. WorldServer workflow cost code)
• TranslationJob25
  – Allows typical CRUD of the new TranslationJob containers, where you can assign publications or content objects you would want to get translated
  – TranslationJob object drives the 'TranslationBuilder' and 'TranslationOrganizer' Windows services

                                            Web Services - New in SDL Trisoft 2013 (100)

User Provisioning – Available since 2011 R2 (92)

• Introducing the following API functions

User Provisioning - Functions

User25: ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update
UserGroup25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update
UserRole25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

1. Delete or Disable Trisoft User Profiles
   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
      1. If none exists, delete the Trisoft user profile if not referenced, otherwise disable the Trisoft user profile
      2. If one or more exists, check if disabled; possibly disable the Trisoft user profile
2. Create or Update Trisoft User Profiles…
   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
   2. For every user in the external-user-list, find the Trisoft User Profile by FISHEXTERNALID
      1. If multiple hits, throw exception, as multiple profile hits will never grant a login
      2. If none exists, create the user profile with required roles and user groups
      3. If one exists: enable, skip, or possibly update the user profile

Beware that update could overwrite explicitly set values

                                            User Provisioning - Algorithm for InOut
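The two-pass in/out reconciliation above, as an added Python example that is not code from the presentation or from SDL. The in-memory `Profile` and `ExternalUser` records, the `referenced` flag and the `update_existing` switch are assumptions standing in for the User25 web-service calls, whose signatures the slides do not give; the sample data is constructed.

```python
"""Added example: in/out reconciliation of user profiles keyed on FISHEXTERNALID."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ExternalUser:
    """One account in the external directory (hypothetical model, e.g. an LDAP entry)."""
    external_id: str
    disabled: bool = False
    roles: tuple = ()
    groups: tuple = ()


@dataclass(frozen=True)
class Profile:
    """Stand-in for a Trisoft user profile; comments name the metadata from the slide."""
    name: str
    external_id: str              # FISHEXTERNALID
    user_type: str = "External"   # FISHUSERTYPE
    disabled: bool = False        # FISHUSERDISABLED ("No" is False)
    referenced: bool = False      # assumed flag: other objects still point at this profile
    roles: tuple = ()
    groups: tuple = ()


class AmbiguousProfileError(Exception):
    """More than one profile carries the same FISHEXTERNALID."""


def reconcile(profiles, directory, update_existing=False):
    """Return (new_profiles, actions). Inputs are never mutated, so a raised
    exception leaves the caller's state exactly as it was."""
    actions = []
    by_ext = {}
    for user in directory:
        by_ext.setdefault(user.external_id, []).append(user)

    # Step 1 (out): delete or disable profiles whose external account is gone or disabled.
    kept = []
    for p in profiles:
        if p.user_type != "External" or p.disabled:
            kept.append(p)
            continue
        matches = by_ext.get(p.external_id, [])
        if not matches:
            if p.referenced:
                kept.append(replace(p, disabled=True))
                actions.append(("disable", p.name))
            else:
                actions.append(("delete", p.name))
        elif all(u.disabled for u in matches):
            # Assumption: disable only when every matching external account is disabled.
            kept.append(replace(p, disabled=True))
            actions.append(("disable", p.name))
        else:
            kept.append(p)

    # Step 2 (in): create, enable or update a profile for every required external user.
    for user in directory:
        if user.disabled:
            continue
        hits = [i for i, p in enumerate(kept) if p.external_id == user.external_id]
        if len(hits) > 1:
            # Multiple profile hits would never grant a login, so stop the whole run.
            raise AmbiguousProfileError(user.external_id)
        if not hits:
            kept.append(Profile(name=user.external_id, external_id=user.external_id,
                                roles=user.roles, groups=user.groups))
            actions.append(("create", user.external_id))
            continue
        i = hits[0]
        p = kept[i]
        if p.disabled:
            p = replace(p, disabled=False)
            actions.append(("enable", p.name))
        # Updating is opt-in because it overwrites values set explicitly on the profile.
        if update_existing and (p.roles, p.groups) != (user.roles, user.groups):
            p = replace(p, roles=user.roles, groups=user.groups)
            actions.append(("update", p.name))
        kept[i] = p
    return kept, actions


# Constructed sample data (not from the presentation).
SAMPLE_DIRECTORY = [
    ExternalUser("ldap-alice", roles=("Author",), groups=("Docs",)),
    ExternalUser("ldap-bob", disabled=True),
    ExternalUser("ldap-erin", roles=("Reviewer",), groups=("Docs",)),
]
SAMPLE_PROFILES = [
    Profile("alice", "ldap-alice", roles=("Author", "Admin"), groups=("Docs",)),  # Admin set by hand
    Profile("bob", "ldap-bob"),                      # disabled externally
    Profile("carol", "ldap-carol"),                  # gone externally, unreferenced
    Profile("dave", "ldap-dave", referenced=True),   # gone externally, still referenced
    Profile("svc", "", user_type="Internal"),        # never touched by step 1
]

if __name__ == "__main__":
    for action in reconcile(SAMPLE_PROFILES, SAMPLE_DIRECTORY)[1]:
        print(action)
```

With `update_existing=True` the hand-assigned `Admin` role on `alice` is replaced by the directory's roles, which is the overwrite the slide warns about.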

• Multi Browser support
  – IE8 and IE9
  – FF-latest
  – Chrome-latest
• Third Party Software
  – AntennaHouse XSL Formatter 60
  – SQLServer 2008 SP3
  – SQLServer 2008R2 SP2

                                            What we also did

• AuthoringBridge SDK
  – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

                                            What we also did

[Figure: SDL Trisoft Authoring Bridge architecture diagram. Labels: Database; Server or Remote Machine; Application Server; Client; Access through Web Services; SDL Trisoft Foundation; Arbortext Editor, XMetaL and FrameMaker, each with its connector; 3rd Party Application with 3rd Party Connector]

• Batch Metadata/Workflow operations in the client tools
  – Simply automation of manual actions
• Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

                                            What we also did

Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified, and may not be copied, used or distributed except as authorised by SDL.

                                            • SDL Trisoft Tech DeckTechnology Web Services and QampA
                                            • Agenda
                                            • SDL Integrations Product Stack
                                            • SDL Integrations Product Stack - WorldServer
                                            • Security - Real World Scenario
                                            • Current Software Paradigm
                                            • Centralized IT Paradigm
                                            • Current situation
                                            • Security Token Service (STS)
                                            • Basic Flow Overview
                                            • Claims - Profiles
                                            • Claims ndash Demo
                                            • Claims - Brands amp Backward Compatibility
                                            • Claims ndash Trisoft InstallTool Parameters
                                            • STS - STS Auth amp Trisoft Authz
                                            • Claims ndash Account Creation
                                            • Claims ndash Database Upgrade Tool - Screenshot
                                            • Central Auth and Trisoft Authz
                                            • Web Services ndash ASMX and SVC
                                            • Web Services - API25 ndash Some ground rules
                                            • Web Services - API25 ndash Who are you
                                            • Web Services - New in SDL Trisoft 2013 (100)
                                            • Web Services - New in SDL Trisoft 2013 (100)
                                            • Web Services - New in SDL Trisoft 2013 (100)
                                            • User Provisioning ndash Available since 2011 R2 (92)
                                            • User Provisioning - Functions
                                            • User Provisioning - Algorithm for InOut
                                            • What we also did
                                            • What we also did
                                            • What we also did
                                            • Slide Number 32

                                              bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

                                              ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

                                              Web Services - New in SDL Trisoft 2013 (100)

                                              bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

                                              bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

                                              ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

                                              bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

                                              assign publications or content objects you would want to get translated

                                              ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

                                              Web Services - New in SDL Trisoft 2013 (100)

                                              User Provisioning ndash Available since 2011 R2 (92)

                                              bull Introducing the following API functions

                                              User Provisioning - Functions

                                              User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

                                              UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

                                              UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

                                              1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

                                              FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

                                              FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

                                              Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

                                              2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

                                              limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

                                              FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

                                              Beware that update could overwrite explicitly set values

                                              User Provisioning - Algorithm for InOut

                                              bull Multi Browser support ndash IE8 and IE9

                                              ndash FF-latest

                                              ndash Chrome-latest

                                              bull Third Party Software ndash AntennaHouse XSL Formater 60

                                              ndash SQLServer 2008 SP3

                                              ndash SQLServer 2008R2 SP2

                                              What we also did

                                              bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

                                              automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

                                              What we also did

                                              SDL Trisoft Authoring Bridge

                                              Database

                                              Server or Remote Machine

                                              Application Server

                                              Client

                                              Access through Web Services

                                              SDL Trisoft Foundation

                                              Arbortext Editor XMetaL FrameMaker

                                              FrameMaker Connector

                                              Arbortext Editor Connector XMetal Connector

                                              3rd Party Application

                                              3rd Party Connector

                                              bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

                                              bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

                                              What we also did

                                              Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

                                              • SDL Trisoft Tech DeckTechnology Web Services and QampA
                                              • Agenda
                                              • SDL Integrations Product Stack
                                              • SDL Integrations Product Stack - WorldServer
                                              • Security - Real World Scenario
                                              • Current Software Paradigm
                                              • Centralized IT Paradigm
                                              • Current situation
                                              • Security Token Service (STS)
                                              • Basic Flow Overview
                                              • Claims - Profiles
                                              • Claims ndash Demo
                                              • Claims - Brands amp Backward Compatibility
                                              • Claims ndash Trisoft InstallTool Parameters
                                              • STS - STS Auth amp Trisoft Authz
                                              • Claims ndash Account Creation
                                              • Claims ndash Database Upgrade Tool - Screenshot
                                              • Central Auth and Trisoft Authz
                                              • Web Services ndash ASMX and SVC
                                              • Web Services - API25 ndash Some ground rules
                                              • Web Services - API25 ndash Who are you
                                              • Web Services - New in SDL Trisoft 2013 (100)
                                              • Web Services - New in SDL Trisoft 2013 (100)
                                              • Web Services - New in SDL Trisoft 2013 (100)
                                              • User Provisioning ndash Available since 2011 R2 (92)
                                              • User Provisioning - Functions
                                              • User Provisioning - Algorithm for InOut
                                              • What we also did
                                              • What we also did
                                              • What we also did
                                              • Slide Number 32

                                                bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

                                                bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

                                                ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

                                                bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

                                                assign publications or content objects you would want to get translated

                                                ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

                                                Web Services - New in SDL Trisoft 2013 (100)

                                                User Provisioning ndash Available since 2011 R2 (92)

                                                bull Introducing the following API functions

                                                User Provisioning - Functions

                                                User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

                                                UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

                                                UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

                                                1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

                                                FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

                                                FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

                                                Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

                                                2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

                                                limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

                                                FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

                                                Beware that update could overwrite explicitly set values

                                                User Provisioning - Algorithm for InOut

                                                bull Multi Browser support ndash IE8 and IE9

                                                ndash FF-latest

                                                ndash Chrome-latest

                                                bull Third Party Software ndash AntennaHouse XSL Formater 60

                                                ndash SQLServer 2008 SP3

                                                ndash SQLServer 2008R2 SP2

                                                What we also did

                                                bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

                                                automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

                                                What we also did

                                                SDL Trisoft Authoring Bridge

                                                Database

                                                Server or Remote Machine

                                                Application Server

                                                Client

                                                Access through Web Services

                                                SDL Trisoft Foundation

                                                Arbortext Editor XMetaL FrameMaker

                                                FrameMaker Connector

                                                Arbortext Editor Connector XMetal Connector

                                                3rd Party Application

                                                3rd Party Connector

                                                bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

                                                bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

                                                What we also did

                                                Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

                                                • SDL Trisoft Tech DeckTechnology Web Services and QampA
                                                • Agenda
                                                • SDL Integrations Product Stack
                                                • SDL Integrations Product Stack - WorldServer
                                                • Security - Real World Scenario
                                                • Current Software Paradigm
                                                • Centralized IT Paradigm
                                                • Current situation
                                                • Security Token Service (STS)
                                                • Basic Flow Overview
                                                • Claims - Profiles
                                                • Claims ndash Demo
                                                • Claims - Brands amp Backward Compatibility
                                                • Claims ndash Trisoft InstallTool Parameters
                                                • STS - STS Auth amp Trisoft Authz
                                                • Claims ndash Account Creation
                                                • Claims ndash Database Upgrade Tool - Screenshot
                                                • Central Auth and Trisoft Authz
                                                • Web Services ndash ASMX and SVC
                                                • Web Services - API25 ndash Some ground rules
                                                • Web Services - API25 ndash Who are you
                                                • Web Services - New in SDL Trisoft 2013 (100)
                                                • Web Services - New in SDL Trisoft 2013 (100)
                                                • Web Services - New in SDL Trisoft 2013 (100)
                                                • User Provisioning ndash Available since 2011 R2 (92)
                                                • User Provisioning - Functions
                                                • User Provisioning - Algorithm for InOut
                                                • What we also did
                                                • What we also did
                                                • What we also did
                                                • Slide Number 32

                                                  User Provisioning ndash Available since 2011 R2 (92)

                                                  bull Introducing the following API functions

                                                  User Provisioning - Functions

                                                  User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

                                                  UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

                                                  UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

                                                  1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

                                                  FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

                                                  FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

                                                  Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

                                                  2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

                                                  limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

                                                  FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

                                                  Beware that update could overwrite explicitly set values

                                                  User Provisioning - Algorithm for InOut

• Multi Browser support
  - IE8 and IE9
  - FF-latest
  - Chrome-latest

• Third Party Software
  - AntennaHouse XSL Formatter 60
  - SQLServer 2008 SP3
  - SQLServer 2008R2 SP2

What we also did

• AuthoringBridge SDK
  - Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list: XM5560, AE5354, FM910)

What we also did

[Diagram: SDL Trisoft Authoring Bridge. Labels: Database; Server or Remote Machine; Application Server; Client; Access through Web Services; SDL Trisoft Foundation; Arbortext Editor, XMetaL, FrameMaker; FrameMaker Connector, Arbortext Editor Connector, XMetaL Connector; 3rd Party Application; 3rd Party Connector]

• Batch MetadataWorkflow operations in the client tools
  - Simply automation of manual actions

• Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified, and may not be copied, used or distributed except as authorised by SDL.

• SDL Trisoft Tech Deck Technology, Web Services and Q&A
• Agenda
• SDL Integrations Product Stack
• SDL Integrations Product Stack - WorldServer
• Security - Real World Scenario
• Current Software Paradigm
• Centralized IT Paradigm
• Current situation
• Security Token Service (STS)
• Basic Flow Overview
• Claims - Profiles
• Claims - Demo
• Claims - Brands & Backward Compatibility
• Claims - Trisoft InstallTool Parameters
• STS - STS Auth & Trisoft Authz
• Claims - Account Creation
• Claims - Database Upgrade Tool - Screenshot
• Central Auth and Trisoft Authz
• Web Services - ASMX and SVC
• Web Services - API25 - Some ground rules
• Web Services - API25 - Who are you
• Web Services - New in SDL Trisoft 2013 (100)
• Web Services - New in SDL Trisoft 2013 (100)
• Web Services - New in SDL Trisoft 2013 (100)
• User Provisioning - Available since 2011 R2 (92)
• User Provisioning - Functions
• User Provisioning - Algorithm for InOut
• What we also did
• What we also did
• What we also did
• Slide Number 32


                                                              • SDL Trisoft Tech DeckTechnology Web Services and QampA
                                                              • Agenda
                                                              • SDL Integrations Product Stack
                                                              • SDL Integrations Product Stack - WorldServer
                                                              • Security - Real World Scenario
                                                              • Current Software Paradigm
                                                              • Centralized IT Paradigm
                                                              • Current situation
                                                              • Security Token Service (STS)
                                                              • Basic Flow Overview
                                                              • Claims - Profiles
                                                              • Claims ndash Demo
                                                              • Claims - Brands amp Backward Compatibility
                                                              • Claims ndash Trisoft InstallTool Parameters
                                                              • STS - STS Auth amp Trisoft Authz
                                                              • Claims ndash Account Creation
                                                              • Claims ndash Database Upgrade Tool - Screenshot
                                                              • Central Auth and Trisoft Authz
                                                              • Web Services ndash ASMX and SVC
                                                              • Web Services - API25 ndash Some ground rules
                                                              • Web Services - API25 ndash Who are you
                                                              • Web Services - New in SDL Trisoft 2013 (100)
                                                              • Web Services - New in SDL Trisoft 2013 (100)
                                                              • Web Services - New in SDL Trisoft 2013 (100)
                                                              • User Provisioning ndash Available since 2011 R2 (92)
                                                              • User Provisioning - Functions
                                                              • User Provisioning - Algorithm for InOut
                                                              • What we also did
                                                              • What we also did
                                                              • What we also did
                                                              • Slide Number 32

                                                                top related