SDL Trisoft Tech Deck: Technology, Web Services and Q&A
Dave De Meyer, Development Manager
(Slide deck transcript; posted 21-May-2020)

Agenda (slide 2)

• SDL Integrations Product Stack
• Claims-based Security
  - Standards
  - How it works
  - Brands & Backward Compatibility
• Web Services
  - User Profile Provisioning
  - ASMX
  - SVC
• What we also did…

SDL Integrations Product Stack (slide 3)

• SDL Trisoft packages SDL Xopus for use in SDL Trisoft and SDL LiveContent
  - The IIS virtual directory 'TrisoftXopus' is merged into 'InfoShareAuthor', which serves the whole web client
• An SDL Trisoft repository connects to one SDL LiveContent for review and commenting
• Through OutputFormats, an SDL Trisoft repository can feed multiple SDL LiveContents (downstream, like PDF, CHM or HTML)

SDL Integrations Product Stack - WorldServer (slide 4)

SDL Trisoft connects with SDL WorldServer:
• TranslationBuilder services (automation of PushTranslations) - can be used by anyone
• TranslationOrganizer - talks to WorldServer

Security - Real World Scenario

1. You need resources, so off to the supermarket to buy some good beer, e.g.
2. The policy of the supermarket is not to sell to minors, hence the photo ID required.
3. Your token is: (image on the slide)
4. Your token was issued before by the state, a trusted identity provider.
5. After verification of your age claim, part of your token, you are authorized to buy beer.

Current Software Paradigm (slide 7) [diagram]

A user holds a separate set of credentials for every application, and each application is its own Issuer and Service: "Many", in fact "Too Many". Real life has only a few: Passport, Driver's License.

Centralized IT Paradigm (slide 8) [diagram]

The applications form a Trusted Subsystem. The user holds few credentials and authenticates against one centralized Security Service (Authenticate, User Provisioning). Each application, still its own Issuer and Service, has a TRUST relationship with that Security Service.

Current situation (slide 9)

• Identity Providers (IP)
  - Windows Active Directory
  - OpenLDAP
  - Custom
• Why are they not suitable?
  - Mostly only identity providers. This means that every application must handle the authentication logic against them, so all kinds of proprietary implementations exist.
  - Proprietary and not cross-platform.
  - Active Directory is the closest to what we are looking for, but it is for the Windows ecosystem only. Additionally it uses a proprietary protocol (Kerberos). So not suitable.

Security Token Service (STS) (slide 10)

• It is a front end for one or many Identity Providers
• "Talks" widely accepted protocols like
  - WS-Federation
  - SAML-P
  - WS-Trust 1.3
• "Delivers" security tokens in widely accepted formats like
  - SAML 1.1
  - SAML 2.0 (relatively new)

Basic Flow Overview (slide 11) [diagram: STS with Exchange/Query arrows to the IP; Active and Passive profiles marked "Supported"]

• What is a claim?
  - An assertion: a value for a specific claim type (first name, age, address, …)
• What is a token?
  - Exactly as our national identity card
  - A set of claims
  - Signed with a certificate that proves the issuer's identity (STS)
  - Validity period

Claims - Profiles (slide 12) [diagram: Client, STS and IP; 1 Authenticate, 2 Get Token, 3 Submit Token; the service TRUSTs the STS]

• Passive Profile
  - Client is a browser
  - Browser is "stupid": just follows instructions
• Active Profile
  - Client is an "In Process Application" (exe)
  - Client is "smart": pre-"configured" with instructions
  - Web Services
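The token checks a relying party performs before it trusts a single claim (who issued it, is the signature intact, is it within its validity period), carried through the deck's supermarket scenario. This is an added example, not code from the deck or from SDL: the real STS signs SAML tokens with an X.509 certificate, and to stay dependency-free this stand-in uses HMAC-SHA256 over a key shared with each trusted issuer. The issuer names, claim names, key and minimum age are all constructed for the example.

```python
"""Claims-based token check at a relying party (the 'supermarket' of the scenario).

Added example, not code from the deck. The real STS signs SAML tokens with an
X.509 certificate; to stay dependency-free this stand-in uses HMAC-SHA256 over a
key the relying party shares with each trusted issuer. Issuer names, claim
names, the key and the minimum age are all constructed for the example.
"""
import hashlib
import hmac
import json

# Constructed trust list: issuer name -> verification key (an assumption standing
# in for "the STS certificate the service trusts").
TRUSTED_ISSUERS = {"urn:example:state-sts": b"constructed-demo-key"}


class TokenRejected(Exception):
    """Raised when a token fails issuer, signature or validity checks."""


def _canonical(body):
    """Serialize the token body deterministically so signer and verifier agree."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_token(issuer, key, claims, not_before, not_after):
    """What the STS does: bundle claims with a validity period and sign them."""
    body = {"issuer": issuer, "claims": claims,
            "not_before": not_before, "not_after": not_after}
    signature = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def validate_token(token, now, trusted_issuers=TRUSTED_ISSUERS):
    """What the relying party does before looking at any claim.

    Order matters: establish who signed it, check the signature, then the
    validity window. Only then are the claims trustworthy input.
    """
    body = token["body"]
    issuer = body.get("issuer")
    if issuer not in trusted_issuers:
        raise TokenRejected("issuer not trusted")
    expected = hmac.new(trusted_issuers[issuer], _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        raise TokenRejected("signature does not match token body")
    if not body["not_before"] <= now < body["not_after"]:
        raise TokenRejected("outside validity period")
    return dict(body["claims"])


def may_buy_beer(token, now, minimum_age=18):
    """The supermarket never sees the customer's credentials, only the token,
    and it evaluates a single claim: age. minimum_age is a constructed value."""
    try:
        claims = validate_token(token, now)
    except TokenRejected:
        return False
    return claims.get("age", 0) >= minimum_age


def demo():
    """Run five constructed cases and return which ones are authorized."""
    now = 1_700_000_000
    issuer, key = "urn:example:state-sts", TRUSTED_ISSUERS["urn:example:state-sts"]
    good = issue_token(issuer, key, {"first_name": "Ann", "age": 34}, now - 60, now + 3600)
    minor = issue_token(issuer, key, {"first_name": "Bo", "age": 16}, now - 60, now + 3600)
    expired = issue_token(issuer, key, {"first_name": "Cy", "age": 40}, now - 7200, now - 3600)
    rogue = issue_token("urn:example:rogue", b"other-key", {"age": 99}, now - 60, now + 3600)
    # Tampering: change a claim after issuance but keep the original signature.
    tampered = json.loads(json.dumps(minor))
    tampered["body"]["claims"]["age"] = 40
    return {
        "good": may_buy_beer(good, now),
        "minor": may_buy_beer(minor, now),
        "expired": may_buy_beer(expired, now),
        "rogue": may_buy_beer(rogue, now),
        "tampered": may_buy_beer(tampered, now),
    }


if __name__ == "__main__":
    print(demo())
```

Only the first case is authorized: the minor fails the claim check, the other three never get as far as the claim because issuer trust, the validity window or the signature fails first. That ordering is the point of the slide's "signed with a certificate that proves the issuer's identity" and "validity period": the relying party's authorization logic runs only on claims that have already been proven to come from an issuer it trusts.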

Claims - Demo (slide 13) [diagram: Client/User]

• Browser
  - Web SSO based on Trisoft Users (InfoShareSTS)
  - Logged on to LiveContent and Trisoft
• Client Tools
  - Well, actually you see no difference…

Claims - Brands & Backward Compatibility (slide 14)

We've tested with the following, but any brand respecting the standard can be configured:
• Microsoft Active Directory Federation Services v2 (ADFSv2)
  - When you have a Windows domain
  - Free extension
  - Replaces the 'direct' Windows Authentication introduced in 2011R2
  - Simplified setup through PowerShell script
• SDL Trisoft 'InfoShareSTS'
  - Externalizes Trisoft Authentication based on the Trisoft User Repository
  - Backward compatible option, but respecting the Claims setup and SSO
  - Solution where Trisoft stores passwords, with limited password rules
  - Deprecated by nature, as externalizing security will happen more and more
  - Out of the box, preconfigured

Claims - Trisoft InstallTool Parameters (slide 15)

• Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations
• New parameters in the inputparameters.xml file, required for installation:
  - infosharestswebappname
  - servicecertificatesubjectname
  - basehostname
  - servicecertificatevalidationmode
  - issuercertificatethumbprint
  - issuercertificatevalidationmode
  - issueractorusername
  - issueractorpassword
  - issuerwstrustendpointurl
  - issuerwsfederationendpointurl
  - serviceusername
  - servicepassword

STS - STS Auth & Trisoft Authz [architecture diagram]

Components shown, with the host process and identity each runs under:
- Browser (Trisoft InfoShareWeb and Trisoft Xopus, served by Microsoft IIS): host iexplore.exe, identity DOMAIN\user
- Trisoft Client Tools: host PublicationManager.exe or xmetal.exe, identity DOMAIN\user
- Web App InfoShareAuthor (Microsoft IIS): host IIS AppPool (dllhost.exe), identity DOMAIN\InfoShareSvc
- Web App InfoShareWS (Trisoft Foundation; Trisoft API 2.5, API 2.0, API 1.0; API 2.5 for PubOutput streaming; Microsoft IIS): host IIS AppPool (dllhost.exe), identity DOMAIN\InfoShareSvc
- Web App InfoShareSTS (Microsoft IIS): host IIS AppPool (dllhost.exe), identity DOMAIN\InfoShareSvc
- ADFSv2 (Microsoft IIS), backed by AD: host AD, identity N/A
- Database: host oracle.exe or sqlservr.exe, identity N/A

Arrows between the components are labelled http(s) SOAP (three of them) and http(s) (one).

Claims - Account Creation (slide 17)

• Reduced Client Tools account creation complexity by a configuration file living in the 'InfoShareWS' virtual directory, e.g. https://InfoShareWS/connectionconfiguration.xml
• The only thing to provide is the web services location

Claims - Database Upgrade Tool - Screenshot (slide 18) [screenshot]

Central Auth and Trisoft Authz (slide 19)

• When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field; the Database Upgrade Tool (DBUT) solves this problem
• A Trisoft User has 3 kinds of metadata
  - Authentication: user name and password
  - Authorization: user roles and access to user groups
  - Application data: user language, favorites, e-mail, user name, id
• In Trisoft 2013 (10.0) authentication happens through a central/3rd party Secure Token Service (STS) system
• Once authenticated as an external user, Trisoft maps it to a Trisoft user profile for authorization and application data
• The Trisoft User Profile is required for
  - Granting it user roles and access to user groups
  - Referencing in workflow and assignments
  - Populating user lists based on Trisoft user roles

Web Services - ASMX and SVC (slide 20)

• ASMX-based web services like http://InfoShareWS/Application.ASMX
  - Since 2003
  - First parameter in every function is always 'AuthenticationContext', so the Trisoft way of authentication
• Introducing Windows Communication Foundation (WCF) services like http://InfoShareWS/WCF/API25/Application.SVC
  - Support for claims-based authentication
  - Replaces ASMX Web Services, so marking them as deprecated
    • Deprecated here means: supported as long as the cost of maintenance is reasonable
• Goal is to step away from Trisoft Authentication (Trisoft Username/Password combinations)

Web Services - API25 - Some ground rules

• All API calls labelled 25 are 100% .NET full stack; they are visible in web services like DocumentObj25, OutputFormat25
  - API 25 means a certain set of behavior
  - Technology-wise the mapping of ASMX, SVC, .NET and COM+ interfaces is one-on-one, besides technical limitations (e.g. function overloading, parameter types)
• Exceptions
  - Internally uses the TrisoftException or per-assembly derived variations
  - Throws InfoShareExceptions, wrapped in the 'InfoShareWS' to SoapException
• First checks the input; if unexpected/wrong it will throw immediately
• Results are never sorted unless explicitly indicated through a sequence field. The client should always sort.

Function name   Description
SetMetadata     Current function
SetMetadata2    New function to support multiple write access
SetMetadata3    New function to support multiple write access and an extra parameter "requiredCurrentMetadata" to force the current metadata to match an expected value
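Why the "requiredCurrentMetadata" parameter exists: with several writers, a plain SetMetadata lets the last writer silently overwrite a change it never saw, while SetMetadata3 rejects a write whose expected current values no longer hold. The following is an added example, not SDL's code: an in-memory stand-in for the repository, with constructed object ids, field names and status values.

```python
"""Lost update vs. guarded update, illustrating the SetMetadata / SetMetadata3 table.

Added example, not SDL's code: an in-memory stand-in for the repository showing
why SetMetadata3's "requiredCurrentMetadata" parameter exists. Object ids,
field names and status values (FSTATUS, Draft, ...) are constructed.
"""


class MetadataConflict(Exception):
    """The metadata on the server no longer matches what the caller last read."""


class Repository:
    def __init__(self):
        self.store = {}

    def set_metadata(self, object_id, fields):
        """SetMetadata-style write: last writer wins, silently."""
        self.store.setdefault(object_id, {}).update(fields)

    def set_metadata3(self, object_id, fields, required_current_metadata):
        """SetMetadata3-style write: apply only if the current values still match.

        Every key in required_current_metadata is compared against the stored
        value; any mismatch aborts the whole write and reports the actual values.
        """
        current = self.store.setdefault(object_id, {})
        mismatched = {k: current.get(k) for k, v in required_current_metadata.items()
                      if current.get(k) != v}
        if mismatched:
            raise MetadataConflict(mismatched)
        current.update(fields)


def lost_update():
    """Two clients both read Draft; the second write wipes out the first."""
    repo = Repository()
    repo.set_metadata("GUID-1", {"FSTATUS": "Draft"})
    repo.set_metadata("GUID-1", {"FSTATUS": "To review"})   # client A moves it on
    repo.set_metadata("GUID-1", {"FSTATUS": "Released"})    # client B, still believing it is Draft
    return repo.store["GUID-1"]["FSTATUS"]


def guarded_update():
    """Same race with SetMetadata3: client B's stale write is rejected."""
    repo = Repository()
    repo.set_metadata("GUID-1", {"FSTATUS": "Draft"})
    repo.set_metadata3("GUID-1", {"FSTATUS": "To review"}, {"FSTATUS": "Draft"})  # client A
    try:
        repo.set_metadata3("GUID-1", {"FSTATUS": "Released"}, {"FSTATUS": "Draft"})  # client B
        outcome = "accepted"
    except MetadataConflict:
        outcome = "rejected"
    return outcome, repo.store["GUID-1"]["FSTATUS"]


if __name__ == "__main__":
    print(lost_update(), guarded_update())
```

The guarded variant forces client B to re-read the object and decide again with the current state in hand, which is the behaviour the extra parameter buys.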

Web Services - API25 - Who are you?

• Incoming user contextual information will be decrypted into a UserContext object, which in turn will always be validated for correctness in the database (rights, disabled, roles, …)
• Contextual information comes in through
  - For ASMX Web Services
    • Every class constructor requires an AuthenticationContext, so only works for 'Trisoft Internal' users
    • Deprecated because of technology
    • Stopped support for 'direct' Windows/LDAP Authentication in favor of an STS solution
  - For SVC Web Services
    • No AuthenticationContext parameter, as it is on the wire as part of the WS-Trust OASIS standard, using OASIS SAML tokens
    • The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsPrincipal object
    • Supports any Authentication type because it is an externalized service (STS)

Web Services - New in SDL Trisoft 2013 (10.0)

• First of all, we provided all these new classes in ASMX and SVC flavor for now
• Settings25, allowing access to Set and Get
  - Settings > Default Settings
    • holding the SDL LiveContent Reach and WorldServer location
  - All Settings Configuration Xmls, like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
    • Note that 'Xml Tags' is gone
    • Introducing versioned schema validation
  - Function GetPossibleTargetStatuses helps in filling the allowed 'next values' for workflow dialogs

Web Services - New in SDL Trisoft 2013 (10.0)

• ListOfValues25, allowing access to manage the allowed/permitted values of a select List of Values (LOV)
  - Useful for automated integrations/input
  - Note: adding the List of Values itself (e.g. 'ImageType') still requires the setup utilities. This API class allows you to add values (e.g. 'Diagram' and 'Graphic' into 'ImageType').

Web Services - New in SDL Trisoft 2013 (10.0)

• The following API functions allow our new 'TranslationOrganizer' service to work
• TranslationTemplate25
  - Allows management of cached translation templates in Trisoft
  - A 'configuration' identifier to tell the Translation Management System which setup to use (e.g. WorldServer workflow, cost code)
• TranslationJob25
  - Allows typical CRUD of the new TranslationJob containers, where you can assign publications or content objects you would want to get translated
  - The TranslationJob object drives the 'TranslationBuilder' and 'TranslationOrganizer' Windows services

User Provisioning - Available since 2011 R2 (9.2)

• Introducing the following API functions

User Provisioning - Functions

User25:      ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update
UserGroup25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update
UserRole25:  Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

User Provisioning - Algorithm for In/Out

1. Delete or Disable Trisoft User Profiles
   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
      1. If none exists: delete the Trisoft user profile if not referenced, otherwise disable the Trisoft user profile
      2. If one or more exists: check if disabled, possibly disable the Trisoft user profile
2. Create or Update Trisoft User Profiles…
   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
   2. For every user in the external-user-list, find the Trisoft User Profile by FISHEXTERNALID
      1. If multiple hits: throw an exception, as multiple profile hits will never grant a login
      2. If none exists: create the user profile with the required roles and user groups
      3. If one exists: enable, skip or possibly update the user profile. Beware that update could overwrite explicitly set values.

What we also did

• Multi-browser support
  - IE8 and IE9
  - FF latest
  - Chrome latest
• Third Party Software
  - Antenna House XSL Formatter 6.0
  - SQL Server 2008 SP3
  - SQL Server 2008 R2 SP2

What we also did

• AuthoringBridge SDK
  - Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of XML editors (current list: XM5560, AE5354, FM910).

SDL Trisoft Authoring Bridge [diagram]

Client (Arbortext Editor, XMetaL, FrameMaker, 3rd Party Application), each through its connector (Arbortext Editor Connector, XMetaL Connector, FrameMaker Connector, 3rd Party Connector), accesses the Application Server (SDL Trisoft Foundation) through Web Services; the Application Server talks to the Database (Server or Remote Machine).

What we also did

• Batch Metadata/Workflow operations in the client tools - simply automation of manual actions
• Client Tools Preview component changed from the outdated IE7-based engine to the GeckoFX engine (renderer of Firefox)

Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified and may not be copied, used or distributed except as authorised by SDL.

Slide outline:
  • SDL Trisoft Tech Deck: Technology, Web Services and Q&A
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims - Demo
  • Claims - Brands & Backward Compatibility
  • Claims - Trisoft InstallTool Parameters
  • STS - STS Auth & Trisoft Authz
  • Claims - Account Creation
  • Claims - Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services - ASMX and SVC
  • Web Services - API25 - Some ground rules
  • Web Services - API25 - Who are you
  • Web Services - New in SDL Trisoft 2013 (10.0)
  • Web Services - New in SDL Trisoft 2013 (10.0)
  • Web Services - New in SDL Trisoft 2013 (10.0)
  • User Provisioning - Available since 2011 R2 (9.2)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for In/Out
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

bull SDL Integrations Product Stack

bull Claims-based Security ndash Standards

ndash How it works

ndash Brands amp Backward Compatibility

bull Web Services ndash User Profile Provisioning

ndash ASMX

ndash SVC

bull What we also didhellip

Agenda

2

bull SDL Trisoft packages SDL Xopus for use in SDL Trisoft and SDL LiveContent ndash IIS virtual directory lsquoTrisoftXopusrsquo is merged into lsquoInfoShareAuthorrsquo which

serves the whole web client

bull SDL Trisoft repository connects to one SDL LiveContent for review and commenting

bull SDL Trisoft repository through OutputFormats can have multiple SDL LiveContents (downstream like PDF or CHM or HTML)

SDL Integrations Product Stack

3

SDL Trisoft connects with SDL WorldServer

bull TranslationBuilder services (automation of PushTranslations) ndash Can be used by anyone

bull TranslationOrganizer ndash Talks to WorldServer

SDL Integrations Product Stack - WorldServer

4

1 You need resources so off to the supermarket to buy some good beer eg

2 The policy of the supermarket is not to sell to minors hence the photo id required

3 Your token is

4 Your token was issued before by the state a trusted identity provider 5 After verification of your age claim

part of your token you are authorized to buy beer

Security - Real World Scenario

User

bull Credentials bull Credentials bull Credentials bull Credentials bull hellip bull Credentials

Current Software Paradigm

7

bull Issuer bull Service

Application

Many

Real life only fewhellip

Passport Driverrsquos License

Too Many

bull Issuer bull Service

Application

bull Issuer bull Service

Application

bull Issuer bull Service

Application

helliphellip

Trusted Subsystem

User

bull Credentials bull hellip bull Credentials

Centralized IT Paradigm

8

Security Service

bull Authenticate bull User Provisioning

TRUST

Centralized

bull Issuer bull Service

Application

bull Issuer bull Service

Application

bull Issuer bull Service

Application

Many

helliphellip

bull Identity Providers (IP) ndash Windows Active Directory

ndash Open LDAP

ndash Custom

bull Why are they not suitable ndash Mostly only identity providers This means that every application must handle

the authentication logic against them so all kind or proprietary implementations exist

ndash Proprietary and not cross platform

ndash Active Directory is the closest to what we are looking for but it is for the Windows Eco System only Additionally is uses a proprietary protocol (Kerberos) So not suitable

Current situation

9

bull It is a front end for one or many Identity Provides

bull ldquoTalksrdquo widely accepted protocols like

ndash WS Federation

ndash SAML-P

ndash WS Trust 13

bull ldquoDeliversrdquo security tokens in widely accepted formats like

ndash SAML11

ndash SAML20 (Relatively new)

Security Token Service (STS)

10

STS

Exchange Query

bull What is a claim

ndash An assertion A value for a specific claim type (First name Age Address hellip)

bull What is a token

ndash Exactly as our national identity card

ndash A set of claims

ndash Signed with a certificate that proves the issuerrsquos identity (STS)

ndash Validity period

IP

Active

Passive

Supported

Basic Flow Overview

11

Client

STS IP

1 Authenticate

2 Get Token

3 Submit Token

TRUST

bull Passive Profile ndash Client is a browser

ndash Browser is ldquostupidrdquo Just follows instructions

bull Active Profile ndash Client is a ldquoIn Process Applicationrdquo (exe)

ndash Client is ldquosmartrdquo Pre-rdquoConfiguredrdquo with instructions

ndash Web Services

Claims - Profiles

12

ClientUser

ClientUser

bull Browser ndash Web SSO based on Trisoft Users (InfoShareSTS)

ndash Logged on on LiveContent and Trisoft

bull Client Tools ndash Well actually you see no differencehellip

Claims ndash Demo

13

Wersquove tested with but any brand respecting the standard can be configured bull Microsoft Active Directory Federated Services v2 (ADFSv2)

ndash When you have a Windows domain

ndash Free extension ndash Replaces the 2011R2 introduced lsquodirectrsquo Windows Authentication ndash Simplified setup through PowerShell script

bull SDL Trisoft lsquoInfoShareSTSrsquo

ndash Externalizes Trisoft Authentication based on the Trisoft User Repository

ndash Backward compatible option but respecting the Claims setup and SSO ndash Solution where Trisoft stores passwords with limited password rules ndash Deprecated by nature as externalizing security will happen more and more

ndash Out of the box preconfigured

Claims - Brands amp Backward Compatibility

14

bull Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

bull New Parameters in the inputparametersxml file required for installation ndash Infosharestswebappname ndash servicecertificatesubjectname ndash basehostname ndash servicecertificatevalidationmode ndash issuercertificatethumbprint ndash issuercertificatevalidationmode ndash issueractorusername ndash issueractorpassword ndash issuerwstrustendpointurl ndash issuerwsfederationendpointurl ndash serviceusername ndash servicepassword

Claims ndash Trisoft InstallTool Parameters

15

http(s) SOAP

http(s) SOAP

http(s) SOAP

http(s)

Web App InfoShareWS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

Web App InfoShareAuthor Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

STS - STS Auth amp Trisoft Authz

Host oracleexe -or- sqlservrexe Identity NA

Host iexploreexe Identity DOMAINuser

Host PublicationManagerexe -or- xmetalexe Identity DOMAINuser

Trisoft Foundation

Trisoft API25 API20 API10

Tris

oft

Clie

nt T

ools

Tris

oft

Info

Sha

reW

eb

Tris

oft

Xop

us

Bro

wse

r

Mic

roso

ft I

IS

Host AD

Identity NA

Mic

roso

ft I

IS

Trisoft Foundation

Trisoft API25 for PubOutput Streaming

Web App InfoShareSTS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

Trisoft API25

Mic

roso

ft I

IS

Browser

ADFSv2

bull Reduced Client Tools account creation complexity by a configuration file living in the lsquoInfoSharWSrsquo virtual directory ndash eg httpsInfoShareWSconnectionconfigurationxml

bull Only thing to provide is the web services location

Claims ndash Account Creation

17

Claims ndash Database Upgrade Tool - Screenshot

18

bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

ndash Authorization user roles and access to user groups

ndash Application Data User language Favorites e-mail user name id

bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

ndash Referencing in workflow and assignments

ndash Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

19

bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

Web Services ndash ASMX and SVC

20

bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

bull First checks the input if unexpectedwrong it will throw immediately

bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

Web Services - API25 ndash Some ground rules

Function name Description

SetMetadata Current function

SetMetadata2 New function to support multiple write access

SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

bull Contextual information comes in through ndash For ASMX Web Services

bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

bull Deprecated because of technology

bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

OASIS standard using OASIS SAML tokens

bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

bull Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 ndash Who are you

bull First of all we provided all these new classes in ASMX and SVC flavor for now

bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

bull holding the SDL LiveContent Reach and WorldServer location

ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

bull Introducing versioned schema validation

ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

Web Services - New in SDL Trisoft 2013 (100)

bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

Web Services - New in SDL Trisoft 2013 (100)

bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

assign publications or content objects you would want to get translated

ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

Web Services - New in SDL Trisoft 2013 (100)

User Provisioning ndash Available since 2011 R2 (92)

bull Introducing the following API functions

User Provisioning - Functions

User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for InOut

bull Multi Browser support ndash IE8 and IE9

ndash FF-latest

ndash Chrome-latest

bull Third Party Software ndash AntennaHouse XSL Formater 60

ndash SQLServer 2008 SP3

ndash SQLServer 2008R2 SP2

What we also did

bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

What we also did

SDL Trisoft Authoring Bridge

Database

Server or Remote Machine

Application Server

Client

Access through Web Services

SDL Trisoft Foundation

Arbortext Editor XMetaL FrameMaker

FrameMaker Connector

Arbortext Editor Connector XMetal Connector

3rd Party Application

3rd Party Connector

bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

  • SDL Trisoft Tech DeckTechnology Web Services and QampA
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims ndash Demo
  • Claims - Brands amp Backward Compatibility
  • Claims ndash Trisoft InstallTool Parameters
  • STS - STS Auth amp Trisoft Authz
  • Claims ndash Account Creation
  • Claims ndash Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services ndash ASMX and SVC
  • Web Services - API25 ndash Some ground rules
  • Web Services - API25 ndash Who are you
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • User Provisioning ndash Available since 2011 R2 (92)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for InOut
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

bull SDL Trisoft packages SDL Xopus for use in SDL Trisoft and SDL LiveContent ndash IIS virtual directory lsquoTrisoftXopusrsquo is merged into lsquoInfoShareAuthorrsquo which

serves the whole web client

bull SDL Trisoft repository connects to one SDL LiveContent for review and commenting

bull SDL Trisoft repository through OutputFormats can have multiple SDL LiveContents (downstream like PDF or CHM or HTML)

SDL Integrations Product Stack

3

SDL Trisoft connects with SDL WorldServer

bull TranslationBuilder services (automation of PushTranslations) ndash Can be used by anyone

bull TranslationOrganizer ndash Talks to WorldServer

SDL Integrations Product Stack - WorldServer

4

1 You need resources so off to the supermarket to buy some good beer eg

2 The policy of the supermarket is not to sell to minors hence the photo id required

3 Your token is

4 Your token was issued before by the state a trusted identity provider 5 After verification of your age claim

part of your token you are authorized to buy beer

Security - Real World Scenario

Current Software Paradigm (slide 7)

[Diagram: a User holds a separate set of Credentials for each of many Applications, and every Application has its own Issuer and Service ("Many", "……"). In real life you carry only a few credentials (Passport, Driver's License); in software there are "Too Many".]

Centralized IT Paradigm (slide 8)

[Diagram: a User holds one set of Credentials for a centralized Security Service that handles "Authenticate" and "User Provisioning". The many Applications (each still with an Issuer and a Service) TRUST that Security Service as a Trusted Subsystem.]

Current situation (slide 9)

• Identity Providers (IP)
  – Windows Active Directory
  – Open LDAP
  – Custom
• Why are they not suitable?
  – Mostly only identity providers. This means that every application must handle the authentication logic against them, so all kinds of proprietary implementations exist.
  – Proprietary and not cross-platform.
  – Active Directory is the closest to what we are looking for, but it is for the Windows ecosystem only. Additionally, it uses a proprietary protocol (Kerberos). So not suitable.

Security Token Service (STS) (slide 10)

• It is a front end for one or many Identity Providers
• "Talks" widely accepted protocols like
  – WS-Federation
  – SAML-P
  – WS-Trust 1.3
• "Delivers" security tokens in widely accepted formats like
  – SAML 1.1
  – SAML 2.0 (relatively new)

Basic Flow Overview (slide 11)

• What is a claim?
  – An assertion: a value for a specific claim type (first name, age, address, …)
• What is a token?
  – Exactly as our national identity card
  – A set of claims
  – Signed with a certificate that proves the issuer's identity (STS)
  – Validity period

[Diagram: Client, STS and IP (Identity Provider). The STS exchanges with / queries the IP; both the Active and the Passive profile are supported. Steps: 1. Authenticate, 2. Get Token, 3. Submit Token. The application TRUSTs the STS.]

Claims - Profiles (slide 12)

• Passive Profile
  – Client is a browser
  – Browser is "stupid": just follows instructions
• Active Profile
  – Client is an "In Process Application" (exe)
  – Client is "smart": pre-"configured" with instructions
  – Web Services
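The three steps of the flow above, worked through in code. This is an added example and not part of the SDL deck: a toy STS fronting a constructed identity provider issues a token (a set of claims with issuer, audience and validity period), and a relying party validates the token before it trusts any claim. HMAC-SHA256 with a shared key stands in for the X.509 certificate signature a real STS uses; the issuer name, audience, claim types and user are assumptions made for the example.

```python
"""Toy claims-based flow (added example, not from the SDL deck): the three
steps of the Basic Flow Overview. 1. the user authenticates at the identity
provider (IP) behind the STS, 2. the STS issues a token (a set of claims with
issuer, audience and validity period) and signs it, 3. the client submits the
token to the relying party, which checks issuer trust, signature, audience and
validity window before it builds a principal from the claims.
Simplification: HMAC-SHA256 with a shared key stands in for the X.509
certificate signature of a real STS. Names, claim types and users are
constructed for this example."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed identity-provider store fronted by the STS.
IDENTITY_PROVIDER = {
    "alice": {"password_hash": hashlib.sha256(b"correct horse").hexdigest(),
              "claims": {"given_name": "Alice", "role": "Author"}},
}
STS_NAME = "urn:example:sts"                      # constructed issuer name
STS_KEY = b"constructed-sts-signing-key"          # stands in for the STS certificate
RELYING_PARTY = {"audience": "urn:example:infosharews",
                 "trusted_issuers": {STS_NAME: STS_KEY}}   # the TRUST relation


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _sign(key: bytes, payload: bytes) -> str:
    return _b64(hmac.new(key, payload, hashlib.sha256).digest())


def sts_issue_token(username, password, audience, now, lifetime=timedelta(minutes=10)):
    """Steps 1 and 2: authenticate against the IP, then issue a signed token."""
    record = IDENTITY_PROVIDER.get(username)
    if record is None or record["password_hash"] != hashlib.sha256(password.encode()).hexdigest():
        raise PermissionError("authentication failed")
    body = {"iss": STS_NAME, "aud": audience,
            "nbf": now.timestamp(), "exp": (now + lifetime).timestamp(),
            "claims": dict(record["claims"], sub=username)}
    payload = json.dumps(body, sort_keys=True).encode()
    return _b64(payload) + "." + _sign(STS_KEY, payload)


def rp_validate_token(token, now):
    """Step 3: the relying party validates before it trusts a single claim.
    Returns the claims (the principal) or raises PermissionError."""
    try:
        payload_b64, signature = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        body = json.loads(payload)
    except ValueError:                 # binascii.Error and JSONDecodeError are ValueErrors
        raise PermissionError("malformed token")
    key = RELYING_PARTY["trusted_issuers"].get(body.get("iss"))
    if key is None:
        raise PermissionError("untrusted issuer")
    if not hmac.compare_digest(signature, _sign(key, payload)):
        raise PermissionError("bad signature")            # claims altered after issuance
    if body.get("aud") != RELYING_PARTY["audience"]:
        raise PermissionError("token issued for another service")
    if not (body["nbf"] <= now.timestamp() < body["exp"]):
        raise PermissionError("token outside validity period")
    return body["claims"]


def _outcome(token, now):
    try:
        return "accepted as " + rp_validate_token(token, now)["role"]
    except PermissionError as exc:
        return str(exc)


def demo():
    """Happy path plus the three rejections a relying party must produce."""
    now = datetime(2012, 10, 1, 12, 0, tzinfo=timezone.utc)
    token = sts_issue_token("alice", "correct horse", RELYING_PARTY["audience"], now)
    results = {"ok": _outcome(token, now)}
    # Same token an hour later: past 'exp'.
    results["expired"] = _outcome(token, now + timedelta(hours=1))
    # Claims edited after issuance, original signature kept.
    payload_b64, signature = token.split(".")
    body = json.loads(base64.urlsafe_b64decode(payload_b64))
    body["claims"]["role"] = "Admin"
    forged = _b64(json.dumps(body, sort_keys=True).encode()) + "." + signature
    results["tampered"] = _outcome(forged, now)
    # Valid token, but issued for a different relying party.
    other = sts_issue_token("alice", "correct horse", "urn:example:other-app", now)
    results["wrong_audience"] = _outcome(other, now)
    return results
```

The order of the checks matters: the issuer lookup comes first because the signature can only be verified against a key of an issuer the relying party trusts, and the audience check prevents a token legitimately issued for one application from being replayed against another.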

Claims – Demo (slide 13)

• Browser
  – Web SSO based on Trisoft users (InfoShareSTS)
  – Logged on on LiveContent and Trisoft
• Client Tools
  – Well, actually you see no difference…

Claims - Brands & Backward Compatibility (slide 14)

We've tested with the following, but any brand respecting the standard can be configured:
• Microsoft Active Directory Federation Services v2 (ADFS v2)
  – When you have a Windows domain
  – Free extension
  – Replaces the 'direct' Windows Authentication introduced in 2011 R2
  – Simplified setup through a PowerShell script
• SDL Trisoft 'InfoShareSTS'
  – Externalizes Trisoft Authentication based on the Trisoft User Repository
  – Backward-compatible option, but respecting the Claims setup and SSO
  – Solution where Trisoft stores passwords, with limited password rules
  – Deprecated by nature, as externalizing security will happen more and more
  – Out of the box, preconfigured

Claims – Trisoft InstallTool Parameters (slide 15)

• Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations
• New parameters in the inputparameters.xml file, required for installation:
  – Infosharestswebappname
  – servicecertificatesubjectname
  – basehostname
  – servicecertificatevalidationmode
  – issuercertificatethumbprint
  – issuercertificatevalidationmode
  – issueractorusername
  – issueractorpassword
  – issuerwstrustendpointurl
  – issuerwsfederationendpointurl
  – serviceusername
  – servicepassword

STS - STS Auth & Trisoft Authz (slide 16)

[Deployment diagram. Components, with the host process and identity each runs under:
– Trisoft Client Tools: host PublicationManager.exe or xmetal.exe, identity DOMAIN\user; talk http(s) SOAP to the web services
– Browser: host iexplore.exe, identity DOMAIN\user; talks http(s) to the web client and the STS
– Trisoft InfoShareWeb and Trisoft Xopus: Web App InfoShareAuthor, host IIS AppPool (dllhost.exe), identity DOMAIN\InfoShareSvc, on Microsoft IIS
– Trisoft API 2.5 / API 2.0 / API 1.0: Web App InfoShareWS, host IIS AppPool (dllhost.exe), identity DOMAIN\InfoShareSvc, on Microsoft IIS; Trisoft API 2.5 is also used for PubOutput streaming
– Web App InfoShareSTS (Trisoft API 2.5): host IIS AppPool (dllhost.exe), identity DOMAIN\InfoShareSvc, on Microsoft IIS
– ADFS v2: host AD, identity N/A
– Trisoft Foundation (database): host oracle.exe or sqlservr.exe, identity N/A]

Claims – Account Creation (slide 17)

• Reduced Client Tools account creation complexity by a configuration file living in the 'InfoShareWS' virtual directory
  – e.g. https://…/InfoShareWS/connectionconfiguration.xml
• The only thing to provide is the web services location

Claims – Database Upgrade Tool - Screenshot (slide 18)

• When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field; DBUT solves this problem

Central Auth and Trisoft Authz (slide 19)

• A Trisoft User has 3 kinds of metadata
  – Authentication: user name and password
  – Authorization: user roles and access to user groups
  – Application data: user language, favorites, e-mail, user name, id
• In Trisoft 2013 (10.0) authentication happens through a central / 3rd-party Security Token Service (STS) system
• Once authenticated as an external user, Trisoft will map it to a Trisoft user profile for authorization and application data
• The Trisoft User Profile is required for
  – Granting it user roles and access to user groups
  – Referencing in workflow and assignments
  – Populating user lists based on Trisoft user roles

Web Services – ASMX and SVC (slide 20)

• ASMX-based web services like http://…/InfoShareWS/Application.ASMX
  – Since 2003
  – The first parameter in every function is always 'AuthenticationContext', so the Trisoft way of authentication
• Introducing Windows Communication Foundation (WCF) services like http://…/InfoShareWS/WCF/API25/Application.SVC
  – Support for claims-based authentication
  – Replaces the ASMX Web Services, so marking them as deprecated
    • Deprecated here means: supported as long as the cost of maintenance is reasonable
• The goal is to step away from Trisoft Authentication (Trisoft username/password combinations)

Web Services - API 2.5 – Some ground rules (slide 21)

• All API calls labelled 2.5 are 100% .NET full stack; they are visible in web services like DocumentObj25, OutputFormat25
  – API 2.5 means a certain set of behavior
  – Technology-wise, the mapping of ASMX, SVC, .NET and COM+ interfaces is one-on-one, besides technical limitations (e.g. function overloading, parameter types)
• Exceptions
  – Internally uses the TrisoftException or per-assembly derived variations
  – Throws InfoShareExceptions, wrapped in the 'InfoShareWS' to SoapException
• First checks the input; if unexpected/wrong it will throw immediately
• Results are never sorted unless explicitly indicated through a sequence field. The client should always sort.

Function name – Description
  SetMetadata – Current function
  SetMetadata2 – New function to support multiple write access
  SetMetadata3 – New function to support multiple write access and an extra parameter "requiredCurrentMetadata" to force the current metadata to match an expected value
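What the "requiredCurrentMetadata" parameter buys you with multiple writers, and how the "check input first, throw immediately" and "client sorts" rules look in practice, as an added example that is not SDL code. The in-memory store, the field names (FTITLE, FSTATUS, FAUTHOR), the object ids and the exception types are constructed for this example; only the SetMetadata / SetMetadata3 behaviour being demonstrated comes from the slide.

```python
"""Added example (not SDL code): lost update with a plain SetMetadata-style
write versus the guarded SetMetadata3-style write that compares the stored
values with what the caller last saw. Field names, ids and values are
constructed for this example."""


class MetadataConflict(Exception):
    """Raised when the required current metadata no longer matches the store."""


class InvalidInput(ValueError):
    """Raised before any write when the request is malformed."""


ALLOWED_FIELDS = {"FTITLE", "FSTATUS", "FAUTHOR"}      # constructed field names


class MetadataStore:
    def __init__(self):
        self._objects = {}          # object id -> {field: value}

    def _check(self, object_id, metadata):
        # Ground rule: validate the complete input first and throw before writing.
        if object_id not in self._objects:
            raise InvalidInput(f"unknown object {object_id!r}")
        unknown = set(metadata) - ALLOWED_FIELDS
        if unknown:
            raise InvalidInput(f"unknown fields: {sorted(unknown)}")
        for field, value in metadata.items():
            if not isinstance(value, str) or not value:
                raise InvalidInput(f"field {field} needs a non-empty string")

    def create(self, object_id, metadata):
        self._objects[object_id] = {}
        self.set_metadata(object_id, metadata)

    def set_metadata(self, object_id, metadata):
        """SetMetadata style: unconditional write, last writer wins."""
        self._check(object_id, metadata)
        self._objects[object_id].update(metadata)

    def set_metadata3(self, object_id, metadata, required_current_metadata):
        """SetMetadata3 style: write only if every field in
        required_current_metadata still holds the value the caller saw."""
        self._check(object_id, metadata)
        current = self._objects[object_id]
        stale = {f: current.get(f) for f, v in required_current_metadata.items()
                 if current.get(f) != v}
        if stale:
            raise MetadataConflict(f"metadata changed underneath the caller: {stale}")
        current.update(metadata)

    def get_metadata(self, object_id):
        return dict(self._objects[object_id])

    def find(self, field, value):
        # Ground rule: no order guarantee on results; the client sorts.
        return [oid for oid, md in self._objects.items() if md.get(field) == value]


def lost_update_demo():
    """Two clients read the same object and both update it from their copy."""
    store = MetadataStore()
    store.create("GUID-1", {"FTITLE": "Install guide", "FSTATUS": "Draft"})
    seen_by_b = store.get_metadata("GUID-1")            # B reads, then waits

    # Client A moves the object to review; client B, on stale data, writes too.
    store.set_metadata("GUID-1", {"FSTATUS": "In review"})
    store.set_metadata("GUID-1", {"FSTATUS": "Draft"})   # silently reverts A's change
    plain_result = store.get_metadata("GUID-1")["FSTATUS"]

    # Replay with the guarded variant: B's stale write is rejected.
    store.set_metadata("GUID-1", {"FSTATUS": "In review"})
    try:
        store.set_metadata3("GUID-1", {"FSTATUS": "Draft"},
                            required_current_metadata={"FSTATUS": seen_by_b["FSTATUS"]})
        guarded_result = "accepted"
    except MetadataConflict:
        guarded_result = "rejected"
    return {"plain_set_status": plain_result, "guarded_set": guarded_result,
            "final_status": store.get_metadata("GUID-1")["FSTATUS"]}


def invalid_input_is_rejected_before_write():
    """A bad field in the request must leave the object untouched."""
    store = MetadataStore()
    store.create("GUID-2", {"FTITLE": "Release notes"})
    try:
        store.set_metadata("GUID-2", {"FTITLE": "Changed", "NOTAFIELD": "x"})
    except InvalidInput:
        return store.get_metadata("GUID-2")["FTITLE"] == "Release notes"
    return False
```

Sending the caller's last-seen values instead of a version counter keeps the check field-by-field, which is what the slide's "force the current metadata to match an expected value" describes: an unrelated field changed by someone else does not block the write, while a change to a field you are about to overwrite does.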

Web Services - API 2.5 – Who are you (slide 22)

• Incoming user contextual information will be decrypted into a UserContext object, which in turn will always be validated for correctness in the database (rights, disabled, roles, …)
• Contextual information comes in through
  – For ASMX Web Services
    • Every class constructor requires an AuthenticationContext, so only works for 'Trisoft Internal' users
    • Deprecated because of technology
    • Stopped support for 'direct' Windows/LDAP Authentication in favor of an STS solution
  – For SVC Web Services
    • No AuthenticationContext parameter, as it is on-the-wire as part of the WS-Trust OASIS standard, using OASIS SAML tokens
    • The claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a claims principal (ClaimsPrincipal) object on the thread
    • Supports any authentication type because it is an externalized service (STS)

Web Services - New in SDL Trisoft 2013 (10.0) (slide 23)

• First of all, we provided all these new classes in ASMX and SVC flavor, for now
• Settings25, allowing access to Set and Get
  – Settings > Default Settings
    • holding the SDL LiveContent Reach and WorldServer location
  – All Settings Configuration XMLs, like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
    • Note that 'Xml Tags' is gone
    • Introducing versioned schema validation
  – The function GetPossibleTargetStatuses helps in filling the allowed 'next values' for workflow dialogs

Web Services - New in SDL Trisoft 2013 (10.0) (slide 24)

• ListOfValues25, allowing access to manage the allowed/permitted values of a selected List of Values (LOV)
  – Useful for automated integrations/input
  – Note: adding the List of Values itself (e.g. 'ImageType') still requires the setup utilities. This API class allows you to add values (e.g. 'Diagram' and 'Graphic' into 'ImageType')

Web Services - New in SDL Trisoft 2013 (10.0) (slide 25)

• The following API functions allow our new 'TranslationOrganizer' service to work
• TranslationTemplate25
  – Allows management of cached translation templates in Trisoft
  – A 'configuration' identifier to tell the Translation Management System which setup to use (e.g. WorldServer workflow, cost code)
• TranslationJob25
  – Allows typical CRUD of the new TranslationJob containers, where you can assign publications or content objects you would want to get translated
  – The TranslationJob object drives the 'TranslationBuilder' and 'TranslationOrganizer' Windows services

User Provisioning – Available since 2011 R2 (9.2) (slide 26)

User Provisioning - Functions (slide 27)

• Introducing the following API functions:
  User25: ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update
  UserGroup25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update
  UserRole25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

User Provisioning - Algorithm for In/Out (slide 28)

1. Delete or Disable Trisoft User Profiles
   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
      1. If none exists: delete the Trisoft user profile if not referenced, otherwise disable the Trisoft user profile
      2. If one or more exist: check if disabled, possibly disable the Trisoft user profile
2. Create or Update Trisoft User Profiles…
   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
   2. For every user in the external-user-list, find the Trisoft User Profile by FISHEXTERNALID
      1. If multiple hits: throw an exception, as multiple profile hits will never grant a login
      2. If none exists: create the user profile with required roles and user groups
      3. If one exists: enable, skip or possibly update the user profile. Beware that update could overwrite explicitly set values.
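The In/Out algorithm above run end to end against two constructed directories, as an added example that is not SDL code. It also covers the login-time mapping from the 'Central Auth and Trisoft Authz' slide, since both rest on the same FISHEXTERNALID lookup. The field names FISHUSERTYPE, FISHUSERDISABLED and FISHEXTERNALID are from the deck; the profile shape, the external directory, the role names, the 'referenced' flag (standing for "used in workflow or assignments") and the id scheme for new profiles are assumptions made for this example.

```python
"""Added example (not SDL code): the In/Out provisioning algorithm. Phase 1
walks the enabled external Trisoft profiles and deletes or disables those
whose external account is gone or disabled. Phase 2 walks the external users
that must have a profile and creates, enables, skips or updates the match,
refusing to continue when FISHEXTERNALID matches more than one profile.
Directories, roles and the 'referenced' flag are constructed for the example."""

# Constructed external directory (e.g. the members of one LDAP role).
EXTERNAL_USERS = {
    "ext-alice": {"name": "Alice", "disabled": False},
    "ext-bob":   {"name": "Bob",   "disabled": True},
    "ext-dora":  {"name": "Dora",  "disabled": False},    # has no profile yet
}

# Constructed Trisoft user profiles. 'referenced' = used in workflow/assignments.
TRISOFT_PROFILES = {
    "VUSER-1": {"FISHUSERTYPE": "External", "FISHUSERDISABLED": "No",
                "FISHEXTERNALID": "ext-alice", "roles": {"Author"}, "referenced": True},
    "VUSER-2": {"FISHUSERTYPE": "External", "FISHUSERDISABLED": "No",
                "FISHEXTERNALID": "ext-bob", "roles": {"Author"}, "referenced": False},
    "VUSER-3": {"FISHUSERTYPE": "External", "FISHUSERDISABLED": "No",
                "FISHEXTERNALID": "ext-carol", "roles": {"Reviewer"}, "referenced": True},
    "VUSER-4": {"FISHUSERTYPE": "External", "FISHUSERDISABLED": "No",
                "FISHEXTERNALID": "ext-erin", "roles": set(), "referenced": False},
    "VUSER-9": {"FISHUSERTYPE": "Internal", "FISHUSERDISABLED": "No",
                "FISHEXTERNALID": None, "roles": {"Admin"}, "referenced": True},
}
DEFAULT_ROLES = {"Author"}          # constructed 'required roles' for new profiles


def find_profiles_by_external_id(profiles, external_id):
    return [pid for pid, p in profiles.items() if p["FISHEXTERNALID"] == external_id]


def phase1_delete_or_disable(profiles, external, log):
    """Step 1: only External + enabled profiles are examined."""
    for pid in sorted(profiles):                      # list copy: we may delete
        p = profiles[pid]
        if p["FISHUSERTYPE"] != "External" or p["FISHUSERDISABLED"] != "No":
            continue
        ext = external.get(p["FISHEXTERNALID"])
        if ext is None:                               # 1.2.1 external account gone
            if p["referenced"]:
                p["FISHUSERDISABLED"] = "Yes"
                log.append(f"disabled {pid} (external account gone, referenced)")
            else:
                del profiles[pid]
                log.append(f"deleted {pid} (external account gone, unreferenced)")
        elif ext["disabled"]:                         # 1.2.2 external account disabled
            p["FISHUSERDISABLED"] = "Yes"
            log.append(f"disabled {pid} (external account disabled)")


def phase2_create_or_update(profiles, external, log, update=False):
    """Step 2: every enabled external user must end up with exactly one profile."""
    required = sorted(e for e, attrs in external.items() if not attrs["disabled"])
    for ext_id in required:
        hits = find_profiles_by_external_id(profiles, ext_id)
        if len(hits) > 1:                             # 2.2.1 ambiguity never grants a login
            raise RuntimeError(f"{ext_id} matches {len(hits)} profiles: {sorted(hits)}")
        if not hits:                                  # 2.2.2 create with required roles
            pid = "VUSER-" + ext_id                   # constructed id scheme
            profiles[pid] = {"FISHUSERTYPE": "External", "FISHUSERDISABLED": "No",
                             "FISHEXTERNALID": ext_id, "roles": set(DEFAULT_ROLES),
                             "referenced": False}
            log.append(f"created {pid} for {ext_id}")
            continue
        pid, p = hits[0], profiles[hits[0]]           # 2.2.3 enable, skip or update
        if p["FISHUSERDISABLED"] == "Yes":
            p["FISHUSERDISABLED"] = "No"
            log.append(f"enabled {pid}")
        elif update:
            p["roles"] |= DEFAULT_ROLES               # beware: may overwrite explicit values
            log.append(f"updated {pid}")
        else:
            log.append(f"skipped {pid}")


def map_external_login(profiles, external_id):
    """Login-time mapping: exactly one enabled profile, or no login."""
    hits = find_profiles_by_external_id(profiles, external_id)
    if len(hits) != 1 or profiles[hits[0]]["FISHUSERDISABLED"] != "No":
        return None
    return hits[0]


def run_sync(update=False):
    profiles = {k: dict(v, roles=set(v["roles"])) for k, v in TRISOFT_PROFILES.items()}
    log = []
    phase1_delete_or_disable(profiles, EXTERNAL_USERS, log)
    phase2_create_or_update(profiles, EXTERNAL_USERS, log, update)
    return profiles, log


def duplicate_hit_is_refused():
    """Two profiles sharing one FISHEXTERNALID must abort the sync."""
    profiles = {"VUSER-1": dict(TRISOFT_PROFILES["VUSER-1"], roles=set()),
                "VUSER-7": dict(TRISOFT_PROFILES["VUSER-1"], roles=set())}
    try:
        phase2_create_or_update(profiles, EXTERNAL_USERS, [])
    except RuntimeError:
        return True
    return False
```

Running `run_sync()` on the constructed data disables VUSER-2 (Bob is disabled externally) and VUSER-3 (Carol is gone but referenced), deletes VUSER-4 (Erin is gone and unreferenced), leaves the internal VUSER-9 alone, skips Alice's existing profile and creates one for Dora; afterwards only "ext-alice" and "ext-dora" map to a login.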

What we also did (slide 29)

• Multi-browser support
  – IE8 and IE9
  – FF latest
  – Chrome latest
• Third-party software
  – AntennaHouse XSL Formatter 6.0
  – SQL Server 2008 SP3
  – SQL Server 2008 R2 SP2

What we also did (slide 30)

• AuthoringBridge SDK
  – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of XML editors (current list: XM5560, AE5354, FM910)

[Diagram "SDL Trisoft Authoring Bridge": the Database sits on a Server or Remote Machine; the Application Server runs SDL Trisoft Foundation, accessed through Web Services; on the Client, Arbortext Editor, XMetaL and FrameMaker connect through the Arbortext Editor Connector, XMetaL Connector and FrameMaker Connector, and a 3rd Party Application connects through a 3rd Party Connector.]

What we also did (slide 31)

• Batch metadata/workflow operations in the client tools
  – Simply automation of manual actions
• The Client Tools Preview component changed from the outdated IE7-based one to the GeckoFX engine (the renderer of Firefox)

Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified and may not be copied, used or distributed except as authorised by SDL.

  • SDL Trisoft Tech DeckTechnology Web Services and QampA
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims ndash Demo
  • Claims - Brands amp Backward Compatibility
  • Claims ndash Trisoft InstallTool Parameters
  • STS - STS Auth amp Trisoft Authz
  • Claims ndash Account Creation
  • Claims ndash Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services ndash ASMX and SVC
  • Web Services - API25 ndash Some ground rules
  • Web Services - API25 ndash Who are you
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • User Provisioning ndash Available since 2011 R2 (92)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for InOut
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

SDL Trisoft connects with SDL WorldServer

bull TranslationBuilder services (automation of PushTranslations) ndash Can be used by anyone

bull TranslationOrganizer ndash Talks to WorldServer

SDL Integrations Product Stack - WorldServer

4

1 You need resources so off to the supermarket to buy some good beer eg

2 The policy of the supermarket is not to sell to minors hence the photo id required

3 Your token is

4 Your token was issued before by the state a trusted identity provider 5 After verification of your age claim

part of your token you are authorized to buy beer

Security - Real World Scenario

User

bull Credentials bull Credentials bull Credentials bull Credentials bull hellip bull Credentials

Current Software Paradigm

7

bull Issuer bull Service

Application

Many

Real life only fewhellip

Passport Driverrsquos License

Too Many

bull Issuer bull Service

Application

bull Issuer bull Service

Application

bull Issuer bull Service

Application

helliphellip

Trusted Subsystem

User

bull Credentials bull hellip bull Credentials

Centralized IT Paradigm

8

Security Service

bull Authenticate bull User Provisioning

TRUST

Centralized

bull Issuer bull Service

Application

bull Issuer bull Service

Application

bull Issuer bull Service

Application

Many

helliphellip

bull Identity Providers (IP) ndash Windows Active Directory

ndash Open LDAP

ndash Custom

bull Why are they not suitable ndash Mostly only identity providers This means that every application must handle

the authentication logic against them so all kind or proprietary implementations exist

ndash Proprietary and not cross platform

ndash Active Directory is the closest to what we are looking for but it is for the Windows Eco System only Additionally is uses a proprietary protocol (Kerberos) So not suitable

Current situation

9

bull It is a front end for one or many Identity Provides

bull ldquoTalksrdquo widely accepted protocols like

ndash WS Federation

ndash SAML-P

ndash WS Trust 13

bull ldquoDeliversrdquo security tokens in widely accepted formats like

ndash SAML11

ndash SAML20 (Relatively new)

Security Token Service (STS)

10

STS

Exchange Query

bull What is a claim

ndash An assertion A value for a specific claim type (First name Age Address hellip)

bull What is a token

ndash Exactly as our national identity card

ndash A set of claims

ndash Signed with a certificate that proves the issuerrsquos identity (STS)

ndash Validity period

IP

Active

Passive

Supported

Basic Flow Overview

11

Client

STS IP

1 Authenticate

2 Get Token

3 Submit Token

TRUST

bull Passive Profile ndash Client is a browser

ndash Browser is ldquostupidrdquo Just follows instructions

bull Active Profile ndash Client is a ldquoIn Process Applicationrdquo (exe)

ndash Client is ldquosmartrdquo Pre-rdquoConfiguredrdquo with instructions

ndash Web Services

Claims - Profiles

12

ClientUser

ClientUser

bull Browser ndash Web SSO based on Trisoft Users (InfoShareSTS)

ndash Logged on on LiveContent and Trisoft

bull Client Tools ndash Well actually you see no differencehellip

Claims ndash Demo

13

Wersquove tested with but any brand respecting the standard can be configured bull Microsoft Active Directory Federated Services v2 (ADFSv2)

ndash When you have a Windows domain

ndash Free extension ndash Replaces the 2011R2 introduced lsquodirectrsquo Windows Authentication ndash Simplified setup through PowerShell script

bull SDL Trisoft lsquoInfoShareSTSrsquo

ndash Externalizes Trisoft Authentication based on the Trisoft User Repository

ndash Backward compatible option but respecting the Claims setup and SSO ndash Solution where Trisoft stores passwords with limited password rules ndash Deprecated by nature as externalizing security will happen more and more

ndash Out of the box preconfigured

Claims - Brands amp Backward Compatibility

14

bull Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

bull New Parameters in the inputparametersxml file required for installation ndash Infosharestswebappname ndash servicecertificatesubjectname ndash basehostname ndash servicecertificatevalidationmode ndash issuercertificatethumbprint ndash issuercertificatevalidationmode ndash issueractorusername ndash issueractorpassword ndash issuerwstrustendpointurl ndash issuerwsfederationendpointurl ndash serviceusername ndash servicepassword

Claims ndash Trisoft InstallTool Parameters

15

http(s) SOAP

http(s) SOAP

http(s) SOAP

http(s)

Web App InfoShareWS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

Web App InfoShareAuthor Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

STS - STS Auth amp Trisoft Authz

Host oracleexe -or- sqlservrexe Identity NA

Host iexploreexe Identity DOMAINuser

Host PublicationManagerexe -or- xmetalexe Identity DOMAINuser

Trisoft Foundation

Trisoft API25 API20 API10

Tris

oft

Clie

nt T

ools

Tris

oft

Info

Sha

reW

eb

Tris

oft

Xop

us

Bro

wse

r

Mic

roso

ft I

IS

Host AD

Identity NA

Mic

roso

ft I

IS

Trisoft Foundation

Trisoft API25 for PubOutput Streaming

Web App InfoShareSTS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

Trisoft API25

Mic

roso

ft I

IS

Browser

ADFSv2

bull Reduced Client Tools account creation complexity by a configuration file living in the lsquoInfoSharWSrsquo virtual directory ndash eg httpsInfoShareWSconnectionconfigurationxml

bull Only thing to provide is the web services location

Claims ndash Account Creation

17

Claims ndash Database Upgrade Tool - Screenshot

18

bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

ndash Authorization user roles and access to user groups

ndash Application Data User language Favorites e-mail user name id

bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

ndash Referencing in workflow and assignments

ndash Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

19

bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

Web Services ndash ASMX and SVC

20

bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

bull First checks the input if unexpectedwrong it will throw immediately

bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

Web Services - API25 ndash Some ground rules

Function name Description

SetMetadata Current function

SetMetadata2 New function to support multiple write access

SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

bull Contextual information comes in through ndash For ASMX Web Services

bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

bull Deprecated because of technology

bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

OASIS standard using OASIS SAML tokens

bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

bull Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 ndash Who are you

bull First of all we provided all these new classes in ASMX and SVC flavor for now

bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

bull holding the SDL LiveContent Reach and WorldServer location

ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

bull Introducing versioned schema validation

ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

Web Services - New in SDL Trisoft 2013 (100)

bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

Web Services - New in SDL Trisoft 2013 (100)

bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

assign publications or content objects you would want to get translated

ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

Web Services - New in SDL Trisoft 2013 (100)

User Provisioning ndash Available since 2011 R2 (92)

bull Introducing the following API functions

User Provisioning - Functions

User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for InOut

bull Multi Browser support ndash IE8 and IE9

ndash FF-latest

ndash Chrome-latest

bull Third Party Software ndash AntennaHouse XSL Formater 60

ndash SQLServer 2008 SP3

ndash SQLServer 2008R2 SP2

What we also did

bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

What we also did

SDL Trisoft Authoring Bridge

Database

Server or Remote Machine

Application Server

Client

Access through Web Services

SDL Trisoft Foundation

Arbortext Editor XMetaL FrameMaker

FrameMaker Connector

Arbortext Editor Connector XMetal Connector

3rd Party Application

3rd Party Connector

bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

  • SDL Trisoft Tech DeckTechnology Web Services and QampA
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims ndash Demo
  • Claims - Brands amp Backward Compatibility
  • Claims ndash Trisoft InstallTool Parameters
  • STS - STS Auth amp Trisoft Authz
  • Claims ndash Account Creation
  • Claims ndash Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services ndash ASMX and SVC
  • Web Services - API25 ndash Some ground rules
  • Web Services - API25 ndash Who are you
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • User Provisioning ndash Available since 2011 R2 (92)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for InOut
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

1 You need resources so off to the supermarket to buy some good beer eg

2 The policy of the supermarket is not to sell to minors hence the photo id required

3 Your token is

4 Your token was issued before by the state a trusted identity provider 5 After verification of your age claim

part of your token you are authorized to buy beer

Security - Real World Scenario

User

bull Credentials bull Credentials bull Credentials bull Credentials bull hellip bull Credentials

Current Software Paradigm

7

bull Issuer bull Service

Application

Many

Real life only fewhellip

Passport Driverrsquos License

Too Many

bull Issuer bull Service

Application

bull Issuer bull Service

Application

bull Issuer bull Service

Application

helliphellip

Trusted Subsystem

User

bull Credentials bull hellip bull Credentials

Centralized IT Paradigm

8

Security Service

bull Authenticate bull User Provisioning

TRUST

Centralized

bull Issuer bull Service

Application

bull Issuer bull Service

Application

bull Issuer bull Service

Application

Many

helliphellip

bull Identity Providers (IP) ndash Windows Active Directory

ndash Open LDAP

ndash Custom

bull Why are they not suitable ndash Mostly only identity providers This means that every application must handle

the authentication logic against them so all kind or proprietary implementations exist

ndash Proprietary and not cross platform

ndash Active Directory is the closest to what we are looking for but it is for the Windows Eco System only Additionally is uses a proprietary protocol (Kerberos) So not suitable

Current situation

9

bull It is a front end for one or many Identity Provides

bull ldquoTalksrdquo widely accepted protocols like

ndash WS Federation

ndash SAML-P

ndash WS Trust 13

bull ldquoDeliversrdquo security tokens in widely accepted formats like

ndash SAML11

ndash SAML20 (Relatively new)

Security Token Service (STS)

10

STS

Exchange Query

bull What is a claim

ndash An assertion A value for a specific claim type (First name Age Address hellip)

bull What is a token

ndash Exactly as our national identity card

ndash A set of claims

ndash Signed with a certificate that proves the issuerrsquos identity (STS)

ndash Validity period

IP

Active

Passive

Supported

Basic Flow Overview

11

Client

STS IP

1 Authenticate

2 Get Token

3 Submit Token

TRUST

bull Passive Profile ndash Client is a browser

ndash Browser is ldquostupidrdquo Just follows instructions

bull Active Profile ndash Client is a ldquoIn Process Applicationrdquo (exe)

ndash Client is ldquosmartrdquo Pre-rdquoConfiguredrdquo with instructions

ndash Web Services

Claims - Profiles

12

ClientUser

ClientUser

bull Browser ndash Web SSO based on Trisoft Users (InfoShareSTS)

ndash Logged on on LiveContent and Trisoft

bull Client Tools ndash Well actually you see no differencehellip

Claims ndash Demo

13

Claims - Brands & Backward Compatibility

We've tested with the following, but any brand respecting the standard can be configured:

• Microsoft Active Directory Federation Services v2 (ADFS v2)
  – When you have a Windows domain
  – Free extension
  – Replaces the 'direct' Windows Authentication introduced in 2011 R2
  – Simplified setup through a PowerShell script
• SDL Trisoft 'InfoShareSTS'
  – Externalizes Trisoft authentication based on the Trisoft user repository
  – Backward-compatible option, but respecting the claims setup and SSO
  – Solution where Trisoft stores passwords, with limited password rules
  – Deprecated by nature, as externalizing security will happen more and more
  – Out of the box, preconfigured

Claims – Trisoft InstallTool Parameters

• Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations
• New parameters in the inputparameters.xml file, required for installation:
  – infosharestswebappname
  – servicecertificatesubjectname
  – basehostname
  – servicecertificatevalidationmode
  – issuercertificatethumbprint
  – issuercertificatevalidationmode
  – issueractorusername
  – issueractorpassword
  – issuerwstrustendpointurl
  – issuerwsfederationendpointurl
  – serviceusername
  – servicepassword

The two *certificatevalidationmode parameters take the WCF X509CertificateValidationMode values (None, PeerTrust, ChainTrust, PeerOrChainTrust); None accepts any certificate and belongs in a development setup only. The issuercertificatethumbprint pins the STS signing certificate that tokens must be signed with, and the two password parameters are stored in clear text in the file.
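The validation-mode, thumbprint and endpoint parameters above are where a claims setup is most easily weakened, so here is an added check over a constructed inputparameters.xml. It is example code written for this page, not part of SDL Trisoft or its InstallTool. Only the parameter names come from the deck; the element layout (`<param name="..."><currentvalue>`), the host names, the thumbprint and the password are constructed, and the accepted modes are WCF's X509CertificateValidationMode values.

```python
import re
import xml.etree.ElementTree as ET

# Two constructed inputparameters.xml fragments. The <param name=".."><currentvalue>
# layout is an assumption for this example; only the parameter names come from the deck.
WEAK_CONFIG = """<inputparameters>
  <param name="basehostname"><currentvalue>infoshare.example.invalid</currentvalue></param>
  <param name="issuerwstrustendpointurl"><currentvalue>http://adfs.example.invalid/adfs/services/trust/13/usernamemixed</currentvalue></param>
  <param name="issuerwsfederationendpointurl"><currentvalue>http://adfs.example.invalid/adfs/ls/</currentvalue></param>
  <param name="issuercertificatethumbprint"><currentvalue></currentvalue></param>
  <param name="issuercertificatevalidationmode"><currentvalue>None</currentvalue></param>
  <param name="servicecertificatevalidationmode"><currentvalue>None</currentvalue></param>
  <param name="issueractorusername"><currentvalue>svc-trisoft-actor</currentvalue></param>
  <param name="issueractorpassword"><currentvalue>Welcome01</currentvalue></param>
</inputparameters>"""

HARDENED_CONFIG = """<inputparameters>
  <param name="basehostname"><currentvalue>infoshare.example.invalid</currentvalue></param>
  <param name="issuerwstrustendpointurl"><currentvalue>https://adfs.example.invalid/adfs/services/trust/13/usernamemixed</currentvalue></param>
  <param name="issuerwsfederationendpointurl"><currentvalue>https://adfs.example.invalid/adfs/ls/</currentvalue></param>
  <param name="issuercertificatethumbprint"><currentvalue>A1B2C3D4E5F60718293A4B5C6D7E8F9012345678</currentvalue></param>
  <param name="issuercertificatevalidationmode"><currentvalue>PeerOrChainTrust</currentvalue></param>
  <param name="servicecertificatevalidationmode"><currentvalue>ChainTrust</currentvalue></param>
  <param name="issueractorusername"><currentvalue>svc-trisoft-actor</currentvalue></param>
  <param name="issueractorpassword"><currentvalue></currentvalue></param>
</inputparameters>"""

# WCF X509CertificateValidationMode values that actually validate a certificate;
# "None" accepts any certificate and "Custom" depends on code the deck does not mention.
ACCEPTED_MODES = {"ChainTrust", "PeerTrust", "PeerOrChainTrust"}


def load_params(xml_text):
    """Return {parameter name: current value} from an inputparameters.xml string."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.findtext("currentvalue") or "").strip() for p in root.iter("param")}


def lint_claims_config(params):
    """Return a list of findings for the STS-related parameters; an empty list means nothing flagged."""
    findings = []
    # The STS endpoints carry the actor credentials and the issued SAML tokens.
    for name in ("issuerwstrustendpointurl", "issuerwsfederationendpointurl"):
        if not params.get(name, "").lower().startswith("https://"):
            findings.append(f"{name}: must be an https URL")
    # "None" switches certificate validation off for the issuer or the service certificate.
    for name in ("issuercertificatevalidationmode", "servicecertificatevalidationmode"):
        mode = params.get(name, "")
        if mode not in ACCEPTED_MODES:
            findings.append(f"{name}: '{mode or '<missing>'}' does not validate the certificate")
    # The thumbprint pins which STS signing certificate is trusted; an empty one pins nothing.
    thumb = params.get("issuercertificatethumbprint", "").replace(" ", "")
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", thumb):
        findings.append("issuercertificatethumbprint: expected the 40-hex-digit SHA-1 thumbprint of the STS signing certificate")
    # Secrets left in the install file outlive the installation.
    for name in ("issueractorpassword", "servicepassword"):
        if params.get(name):
            findings.append(f"{name}: clear-text secret left in inputparameters.xml")
    return findings
```

Run `lint_claims_config(load_params(WEAK_CONFIG))` to see six findings, and the hardened fragment to see none; the passwords are supplied at install time and cleared from the file afterwards, which is why the hardened sample leaves them empty.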

STS - STS Auth & Trisoft Authz

[Architecture diagram; each box gives the host process and the identity it runs under:
  – Trisoft Client Tools: host PublicationManager.exe or xmetal.exe, identity DOMAIN\user; http(s) SOAP to InfoShareWS
  – Browser: host iexplore.exe, identity DOMAIN\user; http(s) to InfoShareAuthor (Trisoft InfoShareWeb and Trisoft Xopus) and to the STS
  – Web app InfoShareWS on Microsoft IIS: host IIS AppPool (dllhost.exe), identity DOMAIN\InfoShareSvc; Trisoft API25, API20, API10 on the Trisoft Foundation
  – Web app InfoShareAuthor on Microsoft IIS: host IIS AppPool (dllhost.exe), identity DOMAIN\InfoShareSvc; Trisoft API25 for PubOutput streaming on the Trisoft Foundation
  – Web app InfoShareSTS on Microsoft IIS: host IIS AppPool (dllhost.exe), identity DOMAIN\InfoShareSvc; Trisoft API25
  – ADFS v2: host AD, identity N/A
  – Database: host oracle.exe or sqlservr.exe, identity N/A
The STS authenticates; Trisoft authorizes.]

Claims – Account Creation

• Reduced Client Tools account creation complexity by a configuration file living in the 'InfoShareWS' virtual directory, e.g. https://<server>/InfoShareWS/connectionconfiguration.xml
• Only thing to provide is the web services location

Claims – Database Upgrade Tool - Screenshot

[Screenshot of the Database Upgrade Tool (DBUT)]

• When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field; DBUT solves this problem

Central Auth and Trisoft Authz

• A Trisoft user has 3 kinds of metadata
  – Authentication: user name and password
  – Authorization: user roles and access to user groups
  – Application data: user language, favorites, e-mail, user name, id
• In Trisoft 2013 (10.0) authentication happens through a central/3rd-party Security Token Service (STS)
• Once authenticated as an external user, Trisoft maps it to a Trisoft user profile for authorization and application data
• The Trisoft user profile is required for
  – Granting it user roles and access to user groups
  – Referencing in workflow and assignments
  – Populating user lists based on Trisoft user roles

Web Services – ASMX and SVC

• ASMX-based web services like http://<server>/InfoShareWS/Application.ASMX – since 2003
  – First parameter in every function is always 'AuthenticationContext', i.e. the Trisoft way of authentication
• Introducing Windows Communication Foundation (WCF) services like http://<server>/InfoShareWS/WCF/API25/Application.SVC
  – Support for claims-based authentication
  – Replaces ASMX web services, marking them as deprecated
    • Deprecated here means: supported as long as the cost of maintenance is reasonable
• Goal is to step away from Trisoft authentication (Trisoft username/password combinations)

Web Services - API25 – Some ground rules

• All API calls labelled 25 are 100% .NET full stack; they are visible in web services like DocumentObj25, OutputFormat25
  – API 25 means a certain set of behavior
  – Technology-wise the mapping of ASMX, SVC, .NET and COM+ interfaces is one-on-one, apart from technical limitations (e.g. function overloading, parameter types)
• Exceptions
  – Internally uses the TrisoftException or per-assembly derived variations
  – Throws InfoShareExceptions, wrapped by 'InfoShareWS' into a SoapException
• First checks the input; if unexpected/wrong it will throw immediately
• Results are never sorted unless explicitly indicated through a sequence field; the client should always sort

Function name   Description
SetMetadata     Current function
SetMetadata2    New function to support multiple write access
SetMetadata3    New function to support multiple write access and an extra parameter "requiredCurrentMetadata" to force the current metadata to match an expected value
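To make the difference between the three functions concrete, the following added example (written for this page, not SDL code) models the repository side: set_metadata applies a write unconditionally, set_metadata3 refuses it when the fields passed as requiredCurrentMetadata have moved on since the caller read them. The object id, the field names FSTATUS and FAUTHOR and the status values are constructed; the real API is called over SOAP, not on this in-memory dictionary.

```python
import copy


class MetadataConflict(Exception):
    """set_metadata3 refuses a write because the object changed since the caller read it."""


class MetadataStore:
    """Constructed in-memory stand-in for the repository behind SetMetadata/SetMetadata3."""

    def __init__(self):
        self._objects = {}

    def get_metadata(self, logical_id):
        return copy.deepcopy(self._objects.get(logical_id, {}))

    def set_metadata(self, logical_id, metadata):
        """SetMetadata/SetMetadata2 semantics: unconditional, the last writer wins."""
        self._objects.setdefault(logical_id, {}).update(metadata)
        return self.get_metadata(logical_id)

    def set_metadata3(self, logical_id, metadata, required_current_metadata):
        """SetMetadata3 semantics: write only if every field in requiredCurrentMetadata still holds."""
        current = self._objects.setdefault(logical_id, {})
        stale = {k: current.get(k) for k, v in required_current_metadata.items() if current.get(k) != v}
        if stale:
            raise MetadataConflict(f"{logical_id}: changed since read, current values {stale}")
        current.update(metadata)
        return self.get_metadata(logical_id)


def lost_update_demo():
    """Two clients read FSTATUS='Draft' and race to update it.
    Unconditional writes let the second client drag a released topic back to 'In Review';
    guarded writes reject the second client because its snapshot is stale.
    Returns (status after unconditional writes, status after guarded writes, conflict raised)."""
    store = MetadataStore()
    store.set_metadata("GUID-TOPIC-1", {"FSTATUS": "Draft", "FAUTHOR": "alice"})
    snapshot_a = store.get_metadata("GUID-TOPIC-1")  # reviewer's read
    snapshot_b = store.get_metadata("GUID-TOPIC-1")  # automation job's read, same moment

    store.set_metadata("GUID-TOPIC-1", {"FSTATUS": "Released"})   # A writes
    store.set_metadata("GUID-TOPIC-1", {"FSTATUS": "In Review"})  # B overwrites A unnoticed
    after_unconditional = store.get_metadata("GUID-TOPIC-1")["FSTATUS"]

    store.set_metadata("GUID-TOPIC-1", {"FSTATUS": "Draft"})      # reset for the guarded run
    store.set_metadata3("GUID-TOPIC-1", {"FSTATUS": "Released"}, {"FSTATUS": snapshot_a["FSTATUS"]})
    try:
        store.set_metadata3("GUID-TOPIC-1", {"FSTATUS": "In Review"}, {"FSTATUS": snapshot_b["FSTATUS"]})
        conflict = False
    except MetadataConflict:
        conflict = True
    after_guarded = store.get_metadata("GUID-TOPIC-1")["FSTATUS"]
    return after_unconditional, after_guarded, conflict
```

The guard only covers the fields you pass: send the status (and whatever else your decision depended on) exactly as you read it, not as a literal you expect, otherwise a stale automated integration can still revert a workflow step that a reviewer just completed.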

Web Services - API25 – Who are you

• Incoming user contextual information is decrypted into a UserContext object, which in turn is always validated for correctness in the database (rights, disabled, roles, …)
• Contextual information comes in through
  – For ASMX web services
    • Every class constructor requires an AuthenticationContext, so it only works for 'Trisoft internal' users
    • Deprecated because of technology
    • Stopped support for 'direct' Windows/LDAP authentication in favor of an STS solution
  – For SVC web services
    • No AuthenticationContext parameter, as it is on the wire as part of the WS-Trust OASIS standard, using OASIS SAML tokens (a bearer token, so the SVC endpoints must only be published over https)
    • The claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsPrincipal object on Thread.CurrentPrincipal
    • Supports any authentication type, because it is an externalized service (STS)
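The token definition (Basic Flow Overview), the mapping of an external identity onto a Trisoft profile (Central Auth and Trisoft Authz) and the validation steps on this slide are tied together in the following added example; it is written for this page and is neither SDL nor WIF code. The STS signs a set of claims with an issuer, an audience and a validity window; the relying party checks issuer, signature, audience and time before believing any claim, then resolves exactly one enabled Trisoft profile through FISHEXTERNALID. An HMAC key stands in for the STS certificate and XML-DSig so the example runs on the standard library; the issuer URN, the audience URL, the user repository and the five-minute clock skew are constructed or assumed.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Relying-party trust configuration (constructed). In the deployment the trusted
# STS is pinned by issuercertificatethumbprint and tokens carry an XML-DSig
# signature made with the STS certificate; an HMAC key stands in for that here so
# the example runs on the standard library (a shared key, not a certificate).
TRUSTED_ISSUERS = {"urn:example:sts:adfs": b"constructed-issuer-signing-key"}
AUDIENCE = "https://infoshare.example.invalid/InfoShareWS/"
MAX_CLOCK_SKEW = 300  # seconds; WIF's default MaxClockSkew is also five minutes


class TokenRejected(Exception):
    """Any reason the relying party refuses to build a principal from a token."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, key, external_id, claims, audience, not_before, lifetime):
    """STS side: a set of claims plus issuer, audience and validity window, then signed."""
    body = {
        "issuer": issuer,
        "audience": audience,
        "external_id": external_id,  # the claim Trisoft maps onto FISHEXTERNALID
        "claims": claims,
        "not_before": not_before,
        "not_on_or_after": not_before + lifetime,
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return b64url(payload) + "." + b64url(hmac.new(key, payload, hashlib.sha256).digest())


def validate_token(token, now, audience=AUDIENCE, trusted=TRUSTED_ISSUERS, skew=MAX_CLOCK_SKEW):
    """Relying-party side: the checks done before any claim in the token is believed."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, signature = unb64url(payload_b64), unb64url(sig_b64)
        body = json.loads(payload)
        issuer = body["issuer"]
        nbf, exp = int(body["not_before"]), int(body["not_on_or_after"])
    except (ValueError, KeyError, TypeError) as exc:
        raise TokenRejected("malformed token") from exc
    key = trusted.get(issuer)
    if key is None:  # 1. only tokens from a configured issuer are examined further
        raise TokenRejected("untrusted issuer")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # 2. signature covers the whole body
        raise TokenRejected("bad signature")
    if body.get("audience") != audience:  # 3. a token issued for LiveContent is not valid here
        raise TokenRejected("wrong audience")
    if now + skew < nbf or now - skew >= exp:  # 4. validity window with bounded clock skew
        raise TokenRejected("token not yet valid or expired")
    return body


@dataclass(frozen=True)
class TrisoftUser:
    user_id: str
    external_id: str  # FISHEXTERNALID
    disabled: bool    # FISHUSERDISABLED
    roles: tuple


# Constructed Trisoft user repository; carol is deliberately mapped twice.
USER_REPOSITORY = (
    TrisoftUser("VUSER1", "CORP\\alice", False, ("Author", "Reviewer")),
    TrisoftUser("VUSER2", "CORP\\bob", True, ("Author",)),
    TrisoftUser("VUSER3", "CORP\\carol", False, ("Author",)),
    TrisoftUser("VUSER4", "CORP\\carol", False, ("Admin",)),
)


def resolve_user(body, repository=USER_REPOSITORY):
    """Authorization step: the external identity must map onto exactly one enabled profile."""
    hits = [u for u in repository if u.external_id == body.get("external_id")]
    if not hits:
        raise TokenRejected("no Trisoft user profile for this external id")
    if len(hits) > 1:
        raise TokenRejected("multiple Trisoft profiles match; login is never granted")
    if hits[0].disabled:
        raise TokenRejected("Trisoft user profile is disabled")
    return hits[0]


def authenticate(token, now):
    """Full relying-party path: validated claims in, Trisoft user out (or TokenRejected)."""
    return resolve_user(validate_token(token, now))
```

The order matters: the issuer lookup and signature check come before the audience and time checks so that nothing in an unsigned or foreign token is ever interpreted, and the database-side checks (profile exists, is unique, is enabled) run on every call, exactly as the slide says the UserContext is always re-validated.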

Web Services - New in SDL Trisoft 2013 (10.0)

• First of all, we provided all these new classes in ASMX and SVC flavor, for now
• Settings25, allowing access to Set and Get
  – Settings > Default Settings
    • holding the SDL LiveContent Reach and WorldServer location
  – All settings configuration XMLs like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
    • Note that 'Xml Tags' is gone
    • Introducing versioned schema validation
  – Function GetPossibleTargetStatuses helps in filling the allowed 'next values' for workflow dialogs

Web Services - New in SDL Trisoft 2013 (10.0)

• ListOfValues25, allowing access to manage the allowed/permitted values of a select List of Values (LOV)
  – Useful for automated integrations/input
  – Note: adding the List of Values itself (e.g. 'ImageType') still requires the setup utilities. This API class allows you to add values (e.g. 'Diagram' and 'Graphic' into 'ImageType')

Web Services - New in SDL Trisoft 2013 (10.0)

• The following API functions allow our new 'TranslationOrganizer' service to work
• TranslationTemplate25 – allows management of cached translation templates in Trisoft
  – A 'configuration' identifier to tell the Translation Management System which setup to use (e.g. WorldServer workflow, cost code)
• TranslationJob25 – allows typical CRUD of the new TranslationJob containers, where you can assign publications or content objects you want to get translated
  – The TranslationJob object drives the 'TranslationBuilder' and 'TranslationOrganizer' Windows services

User Provisioning – Available since 2011 R2 (9.2)

• Introducing the following API functions

User Provisioning - Functions

User25:       ChangePassword, Create, Delete, Find, GetMetaData (ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData (ByIshUserRefs), Update
UserGroup25:  Create, Delete, Find, GetMetaData, RetrieveMetaData, Update
UserRole25:   Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

User Provisioning - Algorithm for In/Out

1. Delete or disable Trisoft user profiles
   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
      1. If none exists: delete the Trisoft user profile if it is not referenced, otherwise disable it
      2. If one or more exist: check if disabled, possibly disable the Trisoft user profile
2. Create or update Trisoft user profiles…
   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
   2. For every user in the external-user-list, find the Trisoft user profile by FISHEXTERNALID
      1. If multiple hits: throw an exception, as multiple profile hits will never grant a login
      2. If none exists: create the user profile with the required roles and user groups
      3. If one exists: enable, skip or possibly update the user profile

Beware that update could overwrite explicitly set values
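The two passes above as an added worked example (written for this page, not SDL code) over a constructed set of Trisoft profiles and a constructed directory export. The field names FISHUSERTYPE, FISHUSERDISABLED and FISHEXTERNALID are the deck's; the profile ids, the "referenced" flag, the default role, the update_roles switch and the user data are assumptions. In a real job the two lists would come from User25.Find/RetrieveMetaData and from the directory, and the actions would be User25.Create/Update/Delete calls.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class TrisoftProfile:
    user_id: str
    external_id: str   # FISHEXTERNALID
    user_type: str     # FISHUSERTYPE: "External" or "Internal"
    disabled: bool     # FISHUSERDISABLED
    roles: frozenset
    referenced: bool   # used in workflow/assignments, so it may only be disabled, never deleted


@dataclass(frozen=True)
class ExternalUser:
    external_id: str
    disabled: bool
    roles: frozenset


class ProvisioningError(Exception):
    """Raised when the directory state can never yield a working login."""


# Constructed data: the Trisoft side before the run and the directory export.
TRISOFT_PROFILES = [
    TrisoftProfile("VUSER1", "CORP\\alice", "External", False, frozenset({"Author"}), False),
    TrisoftProfile("VUSER2", "CORP\\bob", "External", False, frozenset({"Author"}), True),      # left, still referenced
    TrisoftProfile("VUSER3", "CORP\\carol", "External", False, frozenset({"Reviewer"}), False), # disabled in the directory
    TrisoftProfile("VUSER4", "CORP\\dave", "External", False, frozenset({"Author"}), False),    # gone, unreferenced
    TrisoftProfile("VUSER5", "", "Internal", False, frozenset({"Admin"}), True),               # internal, never touched
    TrisoftProfile("VUSER6", "CORP\\erin", "External", True, frozenset({"Author"}), False),     # re-joined, enable again
]
EXTERNAL_USERS = [
    ExternalUser("CORP\\alice", False, frozenset({"Author"})),
    ExternalUser("CORP\\carol", True, frozenset({"Reviewer"})),
    ExternalUser("CORP\\erin", False, frozenset({"Author"})),
    ExternalUser("CORP\\grace", False, frozenset()),
]


def sync_profiles(trisoft, external, default_roles=frozenset({"Author"}), update_roles=False):
    """Run both passes of the In/Out algorithm; return the new profile list and an action log."""
    ext_by_id = {}
    for e in external:
        ext_by_id.setdefault(e.external_id, []).append(e)
    profiles = list(trisoft)
    log = []

    def swap(old, new):
        profiles[profiles.index(old)] = new

    # Pass 1: enabled external profiles whose directory identity vanished or was disabled.
    for p in [p for p in profiles if p.user_type == "External" and not p.disabled]:
        hits = ext_by_id.get(p.external_id, [])
        if not hits:
            if p.referenced:
                swap(p, replace(p, disabled=True))
                log.append(("disable", p.external_id))
            else:
                profiles.remove(p)
                log.append(("delete", p.external_id))
        elif all(h.disabled for h in hits):
            swap(p, replace(p, disabled=True))
            log.append(("disable", p.external_id))

    # Pass 2: every directory user that must be able to log in gets exactly one enabled profile.
    next_num = 1 + max((int(p.user_id[5:]) for p in profiles if p.user_id.startswith("VUSER")), default=0)
    for e in [e for e in external if not e.disabled]:
        hits = [p for p in profiles if p.external_id == e.external_id]
        if len(hits) > 1:
            raise ProvisioningError(f"{e.external_id}: {len(hits)} profiles match, login would never be granted")
        if not hits:
            profiles.append(TrisoftProfile(f"VUSER{next_num}", e.external_id, "External", False,
                                           e.roles or default_roles, False))
            next_num += 1
            log.append(("create", e.external_id))
            continue
        p = hits[0]
        changes = {}
        if p.disabled:
            changes["disabled"] = False
        if update_roles and p.roles != e.roles:
            changes["roles"] = e.roles  # beware: overwrites roles set by hand in Trisoft
        if changes:
            swap(p, replace(p, **changes))
            log.append(("update" if "roles" in changes else "enable", e.external_id))
        else:
            log.append(("skip", e.external_id))
    return profiles, log
```

With the constructed data the log reads disable bob, disable carol, delete dave, skip alice, enable erin, create grace; a second profile mapped to the same FISHEXTERNALID stops the run with ProvisioningError rather than silently picking one, which matches the login rule that an ambiguous mapping never authenticates.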

What we also did

• Multi-browser support
  – IE8 and IE9
  – FF-latest
  – Chrome-latest
• Third-party software
  – AntennaHouse XSL Formatter 6.0
  – SQL Server 2008 SP3
  – SQL Server 2008 R2 SP2

What we also did

• AuthoringBridge SDK
  – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of XML editors (current list: XM 5.5/6.0, AE 5.3/5.4, FM 9/10)

SDL Trisoft Authoring Bridge

[Diagram: Client (Arbortext Editor, XMetaL, FrameMaker, or a 3rd-party application) → Arbortext Editor Connector, XMetaL Connector, FrameMaker Connector, 3rd-party Connector → SDL Trisoft Authoring Bridge → access through web services → Application Server (SDL Trisoft Foundation) → Database (server or remote machine).]

What we also did

• Batch metadata/workflow operations in the client tools – simply automation of manual actions
• Client Tools preview component changed from the outdated IE7-based one to the GeckoFX engine (the renderer of Firefox)

Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified and may not be copied, used or distributed except as authorised by SDL.

  • SDL Trisoft Tech Deck: Technology, Web Services and Q&A
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack – WorldServer
  • Security – Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims – Profiles
  • Claims – Demo
  • Claims – Brands & Backward Compatibility
  • Claims – Trisoft InstallTool Parameters
  • STS – STS Auth & Trisoft Authz
  • Claims – Account Creation
  • Claims – Database Upgrade Tool – Screenshot
  • Central Auth and Trisoft Authz
  • Web Services – ASMX and SVC
  • Web Services – API25 – Some ground rules
  • Web Services – API25 – Who are you
  • Web Services – New in SDL Trisoft 2013 (10.0)
  • Web Services – New in SDL Trisoft 2013 (10.0)
  • Web Services – New in SDL Trisoft 2013 (10.0)
  • User Provisioning – Available since 2011 R2 (9.2)
  • User Provisioning – Functions
  • User Provisioning – Algorithm for In/Out
  • What we also did
  • What we also did
  • What we also did

User

bull Credentials bull Credentials bull Credentials bull Credentials bull hellip bull Credentials

Current Software Paradigm

7

bull Issuer bull Service

Application

Many

Real life only fewhellip

Passport Driverrsquos License

Too Many

bull Issuer bull Service

Application

bull Issuer bull Service

Application

bull Issuer bull Service

Application

helliphellip

Trusted Subsystem

User

bull Credentials bull hellip bull Credentials

Centralized IT Paradigm

8

Security Service

bull Authenticate bull User Provisioning

TRUST

Centralized

bull Issuer bull Service

Application

bull Issuer bull Service

Application

bull Issuer bull Service

Application

Many

helliphellip

bull Identity Providers (IP) ndash Windows Active Directory

ndash Open LDAP

ndash Custom

bull Why are they not suitable ndash Mostly only identity providers This means that every application must handle

the authentication logic against them so all kind or proprietary implementations exist

ndash Proprietary and not cross platform

ndash Active Directory is the closest to what we are looking for but it is for the Windows Eco System only Additionally is uses a proprietary protocol (Kerberos) So not suitable

Current situation

9

bull It is a front end for one or many Identity Provides

bull ldquoTalksrdquo widely accepted protocols like

ndash WS Federation

ndash SAML-P

ndash WS Trust 13

bull ldquoDeliversrdquo security tokens in widely accepted formats like

ndash SAML11

ndash SAML20 (Relatively new)

Security Token Service (STS)

10

STS

Exchange Query

bull What is a claim

ndash An assertion A value for a specific claim type (First name Age Address hellip)

bull What is a token

ndash Exactly as our national identity card

ndash A set of claims

ndash Signed with a certificate that proves the issuerrsquos identity (STS)

ndash Validity period

IP

Active

Passive

Supported

Basic Flow Overview

11

Client

STS IP

1 Authenticate

2 Get Token

3 Submit Token

TRUST

bull Passive Profile ndash Client is a browser

ndash Browser is ldquostupidrdquo Just follows instructions

bull Active Profile ndash Client is a ldquoIn Process Applicationrdquo (exe)

ndash Client is ldquosmartrdquo Pre-rdquoConfiguredrdquo with instructions

ndash Web Services

Claims - Profiles

12

ClientUser

ClientUser

bull Browser ndash Web SSO based on Trisoft Users (InfoShareSTS)

ndash Logged on on LiveContent and Trisoft

bull Client Tools ndash Well actually you see no differencehellip

Claims ndash Demo

13

Wersquove tested with but any brand respecting the standard can be configured bull Microsoft Active Directory Federated Services v2 (ADFSv2)

ndash When you have a Windows domain

ndash Free extension ndash Replaces the 2011R2 introduced lsquodirectrsquo Windows Authentication ndash Simplified setup through PowerShell script

bull SDL Trisoft lsquoInfoShareSTSrsquo

ndash Externalizes Trisoft Authentication based on the Trisoft User Repository

ndash Backward compatible option but respecting the Claims setup and SSO ndash Solution where Trisoft stores passwords with limited password rules ndash Deprecated by nature as externalizing security will happen more and more

ndash Out of the box preconfigured

Claims - Brands amp Backward Compatibility

14

bull Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

bull New Parameters in the inputparametersxml file required for installation ndash Infosharestswebappname ndash servicecertificatesubjectname ndash basehostname ndash servicecertificatevalidationmode ndash issuercertificatethumbprint ndash issuercertificatevalidationmode ndash issueractorusername ndash issueractorpassword ndash issuerwstrustendpointurl ndash issuerwsfederationendpointurl ndash serviceusername ndash servicepassword

Claims ndash Trisoft InstallTool Parameters

15

http(s) SOAP

http(s) SOAP

http(s) SOAP

http(s)

Web App InfoShareWS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

Web App InfoShareAuthor Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

STS - STS Auth amp Trisoft Authz

Host oracleexe -or- sqlservrexe Identity NA

Host iexploreexe Identity DOMAINuser

Host PublicationManagerexe -or- xmetalexe Identity DOMAINuser

Trisoft Foundation

Trisoft API25 API20 API10

Tris

oft

Clie

nt T

ools

Tris

oft

Info

Sha

reW

eb

Tris

oft

Xop

us

Bro

wse

r

Mic

roso

ft I

IS

Host AD

Identity NA

Mic

roso

ft I

IS

Trisoft Foundation

Trisoft API25 for PubOutput Streaming

Web App InfoShareSTS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

Trisoft API25

Mic

roso

ft I

IS

Browser

ADFSv2

bull Reduced Client Tools account creation complexity by a configuration file living in the lsquoInfoSharWSrsquo virtual directory ndash eg httpsInfoShareWSconnectionconfigurationxml

bull Only thing to provide is the web services location

Claims ndash Account Creation

17

Claims ndash Database Upgrade Tool - Screenshot

18

bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

ndash Authorization user roles and access to user groups

ndash Application Data User language Favorites e-mail user name id

bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

ndash Referencing in workflow and assignments

ndash Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

19

bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

Web Services ndash ASMX and SVC

20

bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

bull First checks the input if unexpectedwrong it will throw immediately

bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

Web Services - API25 ndash Some ground rules

Function name Description

SetMetadata Current function

SetMetadata2 New function to support multiple write access

SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

bull Contextual information comes in through ndash For ASMX Web Services

bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

bull Deprecated because of technology

bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

OASIS standard using OASIS SAML tokens

bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

bull Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 ndash Who are you

bull First of all we provided all these new classes in ASMX and SVC flavor for now

bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

bull holding the SDL LiveContent Reach and WorldServer location

ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

bull Introducing versioned schema validation

ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

Web Services - New in SDL Trisoft 2013 (100)

bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

Web Services - New in SDL Trisoft 2013 (100)

bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

assign publications or content objects you would want to get translated

ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

Web Services - New in SDL Trisoft 2013 (100)

User Provisioning ndash Available since 2011 R2 (92)

bull Introducing the following API functions

User Provisioning - Functions

User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for InOut

bull Multi Browser support ndash IE8 and IE9

ndash FF-latest

ndash Chrome-latest

bull Third Party Software ndash AntennaHouse XSL Formater 60

ndash SQLServer 2008 SP3

ndash SQLServer 2008R2 SP2

What we also did

bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

What we also did

SDL Trisoft Authoring Bridge

Database

Server or Remote Machine

Application Server

Client

Access through Web Services

SDL Trisoft Foundation

Arbortext Editor XMetaL FrameMaker

FrameMaker Connector

Arbortext Editor Connector XMetal Connector

3rd Party Application

3rd Party Connector

bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

  • SDL Trisoft Tech DeckTechnology Web Services and QampA
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims ndash Demo
  • Claims - Brands amp Backward Compatibility
  • Claims ndash Trisoft InstallTool Parameters
  • STS - STS Auth amp Trisoft Authz
  • Claims ndash Account Creation
  • Claims ndash Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services ndash ASMX and SVC
  • Web Services - API25 ndash Some ground rules
  • Web Services - API25 ndash Who are you
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • User Provisioning ndash Available since 2011 R2 (92)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for InOut
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

User

bull Credentials bull hellip bull Credentials

Centralized IT Paradigm

8

Security Service

bull Authenticate bull User Provisioning

TRUST

Centralized

bull Issuer bull Service

Application

bull Issuer bull Service

Application

bull Issuer bull Service

Application

Many

helliphellip

bull Identity Providers (IP) ndash Windows Active Directory

ndash Open LDAP

ndash Custom

bull Why are they not suitable ndash Mostly only identity providers This means that every application must handle

the authentication logic against them so all kind or proprietary implementations exist

ndash Proprietary and not cross platform

ndash Active Directory is the closest to what we are looking for but it is for the Windows Eco System only Additionally is uses a proprietary protocol (Kerberos) So not suitable

Current situation

9

bull It is a front end for one or many Identity Provides

bull ldquoTalksrdquo widely accepted protocols like

ndash WS Federation

ndash SAML-P

ndash WS Trust 13

bull ldquoDeliversrdquo security tokens in widely accepted formats like

ndash SAML11

ndash SAML20 (Relatively new)

Security Token Service (STS)

10

STS

Exchange Query

bull What is a claim

ndash An assertion A value for a specific claim type (First name Age Address hellip)

bull What is a token

ndash Exactly as our national identity card

ndash A set of claims

ndash Signed with a certificate that proves the issuerrsquos identity (STS)

ndash Validity period

IP

Active

Passive

Supported

Basic Flow Overview

11

Client

STS IP

1 Authenticate

2 Get Token

3 Submit Token

TRUST

bull Passive Profile ndash Client is a browser

ndash Browser is ldquostupidrdquo Just follows instructions

bull Active Profile ndash Client is a ldquoIn Process Applicationrdquo (exe)

ndash Client is ldquosmartrdquo Pre-rdquoConfiguredrdquo with instructions

ndash Web Services

Claims - Profiles

12

ClientUser

ClientUser

bull Browser ndash Web SSO based on Trisoft Users (InfoShareSTS)

ndash Logged on on LiveContent and Trisoft

bull Client Tools ndash Well actually you see no differencehellip

Claims ndash Demo

13

Wersquove tested with but any brand respecting the standard can be configured bull Microsoft Active Directory Federated Services v2 (ADFSv2)

ndash When you have a Windows domain

ndash Free extension ndash Replaces the 2011R2 introduced lsquodirectrsquo Windows Authentication ndash Simplified setup through PowerShell script

bull SDL Trisoft lsquoInfoShareSTSrsquo

ndash Externalizes Trisoft Authentication based on the Trisoft User Repository

ndash Backward compatible option but respecting the Claims setup and SSO ndash Solution where Trisoft stores passwords with limited password rules ndash Deprecated by nature as externalizing security will happen more and more

ndash Out of the box preconfigured

Claims - Brands amp Backward Compatibility

14

bull Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

bull New Parameters in the inputparametersxml file required for installation ndash Infosharestswebappname ndash servicecertificatesubjectname ndash basehostname ndash servicecertificatevalidationmode ndash issuercertificatethumbprint ndash issuercertificatevalidationmode ndash issueractorusername ndash issueractorpassword ndash issuerwstrustendpointurl ndash issuerwsfederationendpointurl ndash serviceusername ndash servicepassword

Claims ndash Trisoft InstallTool Parameters

15

http(s) SOAP

http(s) SOAP

http(s) SOAP

http(s)

Web App InfoShareWS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

Web App InfoShareAuthor Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

STS - STS Auth amp Trisoft Authz

Host oracleexe -or- sqlservrexe Identity NA

Host iexploreexe Identity DOMAINuser

Host PublicationManagerexe -or- xmetalexe Identity DOMAINuser

Trisoft Foundation

Trisoft API25 API20 API10

Tris

oft

Clie

nt T

ools

Tris

oft

Info

Sha

reW

eb

Tris

oft

Xop

us

Bro

wse

r

Mic

roso

ft I

IS

Host AD

Identity NA

Mic

roso

ft I

IS

Trisoft Foundation

Trisoft API25 for PubOutput Streaming

Web App InfoShareSTS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

Trisoft API25

Mic

roso

ft I

IS

Browser

ADFSv2

bull Reduced Client Tools account creation complexity by a configuration file living in the lsquoInfoSharWSrsquo virtual directory ndash eg httpsInfoShareWSconnectionconfigurationxml

bull Only thing to provide is the web services location

Claims ndash Account Creation

17

Claims ndash Database Upgrade Tool - Screenshot

18

bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

ndash Authorization user roles and access to user groups

ndash Application Data User language Favorites e-mail user name id

bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

ndash Referencing in workflow and assignments

ndash Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

19

bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

Web Services ndash ASMX and SVC

20

bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

bull First checks the input if unexpectedwrong it will throw immediately

bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

Web Services - API25 ndash Some ground rules

Function name Description

SetMetadata Current function

SetMetadata2 New function to support multiple write access

SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

Web Services – API25 – Who are you? (slide 22)

• Incoming user contextual information is decrypted into a UserContext object, which in turn is always validated for correctness against the database (rights, disabled, roles, …)
• Contextual information comes in through
  – For ASMX web services
    • Every class constructor requires an AuthenticationContext, so this only works for 'Trisoft Internal' users
    • Deprecated because of technology
    • Stopped support for 'direct' Windows/LDAP authentication in favor of an STS solution
  – For SVC web services
    • No AuthenticationContext parameter, as it travels on the wire as part of the WS-Trust OASIS standard, using OASIS SAML tokens
    • The claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsPrincipal object (the thread principal)
    • Supports any authentication type because it is an externalized service (STS)

Web Services – New in SDL Trisoft 2013 (10.0) (slide 23)

• First of all, we provided all these new classes in ASMX and SVC flavor, for now
• Settings25, allowing access to Set and Get
  – Settings > Default Settings, holding the SDL LiveContent Reach and WorldServer location
  – All settings configuration XMLs, like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
    • Note that 'Xml Tags' is gone
    • Introducing versioned schema validation
  – Function GetPossibleTargetStatuses helps in filling the allowed 'next values' for workflow dialogs

Web Services – New in SDL Trisoft 2013 (10.0) (slide 24)

• ListOfValues25, allowing access to manage the allowed/permitted values of a selected List of Values (LOV)
  – Useful for automated integrations/input
  – Note: adding the List of Values itself (e.g. 'ImageType') still requires the setup utilities. This API class allows you to add values (e.g. 'Diagram' and 'Graphic' into 'ImageType').

Web Services – New in SDL Trisoft 2013 (10.0) (slide 25)

• The following API functions allow our new 'TranslationOrganizer' service to work
• TranslationTemplate25
  – Allows management of the cached translation templates in Trisoft
  – A 'configuration' identifier tells the Translation Management System which setup to use (e.g. WorldServer workflow, cost code)
• TranslationJob25
  – Allows typical CRUD of the new TranslationJob containers, to which you assign the publications or content objects you want translated
  – The TranslationJob object drives the 'TranslationBuilder' and 'TranslationOrganizer' Windows services

User Provisioning – Available since 2011 R2 (9.2) (slide 26)

User Provisioning – Functions (slide 27)

• Introducing the following API functions

Class         Functions
User25        ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update
UserGroup25   Create, Delete, Find, GetMetaData, RetrieveMetaData, Update
UserRole25    Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

User Provisioning – Algorithm for In/Out (slide 28)

1. Delete or disable Trisoft user profiles
   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
      1. If none exists, delete the Trisoft user profile if it is not referenced; otherwise disable the Trisoft user profile
      2. If one or more exist, check whether it is disabled and possibly disable the Trisoft user profile
2. Create or update Trisoft user profiles…
   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
   2. For every user in the external-user-list, find the Trisoft user profile by FISHEXTERNALID
      1. If there are multiple hits, throw an exception, as multiple profile hits will never grant a login
      2. If none exists, create the user profile with the required roles and user groups
      3. If one exists, enable, skip or possibly update the user profile. Beware that an update could overwrite explicitly set values.
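The two-pass algorithm above, carried through on constructed data, as an added example (not SDL's code): in-memory lists stand in for the User25 service and for the external directory query; the field names FISHUSERTYPE, FISHUSERDISABLED and FISHEXTERNALID are from the slide, while the sample accounts, the role and group names and the 'referenced' flag (modelling the "if not referenced" condition) are assumptions.

```python
"""Simulation of the two-pass 'Algorithm for In/Out' on the slide above.
Added example, not SDL code: in-memory lists stand in for the User25 web
service (Find/Create/Update/Delete) and for the external directory query."""
from dataclasses import dataclass, field


@dataclass
class TrisoftProfile:
    name: str
    external_id: str                 # FISHEXTERNALID
    user_type: str = "External"      # FISHUSERTYPE: External or Internal
    disabled: bool = False           # FISHUSERDISABLED
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    referenced: bool = False         # assumed flag: used by a workflow/assignment, so never deleted


@dataclass
class ExternalUser:
    external_id: str
    groups: set = field(default_factory=set)
    disabled: bool = False


class ProvisioningError(Exception):
    """Raised when the repository state would never grant a login."""


def sync_out(profiles, directory):
    """Pass 1: delete or disable Trisoft profiles whose external account is gone or disabled.
    Only enabled profiles with FISHUSERTYPE=External are examined; Internal users are never touched."""
    actions = []
    for p in list(profiles):
        if p.user_type != "External" or p.disabled:
            continue
        hits = [e for e in directory if e.external_id == p.external_id]
        if not hits:
            if p.referenced:                 # still referenced: keep the row, block the login
                p.disabled = True
                actions.append(("disable", p.name))
            else:
                profiles.remove(p)
                actions.append(("delete", p.name))
        elif all(e.disabled for e in hits):  # account exists but is disabled upstream
            p.disabled = True
            actions.append(("disable", p.name))
    return actions


def sync_in(profiles, required, roles, groups, overwrite=False):
    """Pass 2: create, enable, skip or update a profile for every required external user.
    'required' is the pre-filtered external list (e.g. limited by LDAP role)."""
    actions = []
    for e in required:
        hits = [p for p in profiles if p.external_id == e.external_id]
        if len(hits) > 1:
            # Ambiguous mapping: Trisoft refuses such a login, so the sync stops and reports it.
            raise ProvisioningError(f"{len(hits)} profiles share FISHEXTERNALID {e.external_id!r}")
        if not hits:
            profiles.append(TrisoftProfile(e.external_id, e.external_id, roles=set(roles), groups=set(groups)))
            actions.append(("create", e.external_id))
        elif hits[0].disabled:
            hits[0].disabled = False
            actions.append(("enable", hits[0].name))
        elif overwrite:
            # Beware: this overwrites roles/groups an administrator may have set by hand.
            hits[0].roles, hits[0].groups = set(roles), set(groups)
            actions.append(("update", hits[0].name))
        else:
            actions.append(("skip", hits[0].name))
    return actions


def run_provisioning(profiles, directory, required_group, overwrite=False):
    """Run pass 1 over the whole directory, then pass 2 over the enabled members of required_group."""
    out_actions = sync_out(profiles, directory)
    required = [e for e in directory if required_group in e.groups and not e.disabled]
    in_actions = sync_in(profiles, required, roles={"Author"}, groups={"Default"}, overwrite=overwrite)
    return out_actions, in_actions


def sample_data():
    """Constructed sample data covering every branch of the algorithm."""
    directory = [
        ExternalUser("alice", {"Trisoft-Authors"}),
        ExternalUser("bob", {"Trisoft-Authors"}, disabled=True),   # disabled upstream
        ExternalUser("carol", {"Trisoft-Authors"}),                # new, no profile yet
        ExternalUser("dave", {"Finance"}),                         # not entitled to Trisoft
    ]
    profiles = [
        TrisoftProfile("alice", "alice", roles={"Author"}),
        TrisoftProfile("bob", "bob", referenced=True),
        TrisoftProfile("erin", "erin"),                      # left the company, unreferenced
        TrisoftProfile("frank", "frank", referenced=True),   # left the company, still in a workflow
        TrisoftProfile("admin", "", user_type="Internal"),   # Trisoft-internal account
    ]
    return profiles, directory


if __name__ == "__main__":
    profiles, directory = sample_data()
    out_actions, in_actions = run_provisioning(profiles, directory, "Trisoft-Authors")
    for verb, who in out_actions + in_actions:
        print(verb, who)
```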

What we also did (slide 29)

• Multi-browser support
  – IE8 and IE9
  – FF-latest
  – Chrome-latest
• Third-party software
  – AntennaHouse XSL Formatter 6.0
  – SQL Server 2008 SP3
  – SQL Server 2008 R2 SP2

What we also did (slide 30)

• AuthoringBridge SDK
  – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of XML editors (current list: XM 5.5/6.0, AE 5.3/5.4, FM 9/10)

[Diagram: SDL Trisoft Authoring Bridge. Tiers: Database (server or remote machine); Application Server running SDL Trisoft Foundation, accessed through web services; Client with Arbortext Editor, XMetaL and FrameMaker via the Arbortext Editor Connector, XMetaL Connector and FrameMaker Connector, and a 3rd-party application via a 3rd-party connector.]

What we also did (slide 31)

• Batch metadata/workflow operations in the client tools
  – Simply automation of manual actions
• Client Tools preview component changed from the outdated IE7-based one to the GeckoFX engine (the renderer of Firefox)

Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified and may not be copied, used or distributed except as authorised by SDL. (slide 32)

  • SDL Trisoft Tech Deck: Technology, Web Services and Q&A
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack – WorldServer
  • Security – Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims – Profiles
  • Claims – Demo
  • Claims – Brands & Backward Compatibility
  • Claims – Trisoft InstallTool Parameters
  • STS – STS Auth & Trisoft Authz
  • Claims – Account Creation
  • Claims – Database Upgrade Tool – Screenshot
  • Central Auth and Trisoft Authz
  • Web Services – ASMX and SVC
  • Web Services – API25 – Some ground rules
  • Web Services – API25 – Who are you?
  • Web Services – New in SDL Trisoft 2013 (10.0)
  • Web Services – New in SDL Trisoft 2013 (10.0)
  • Web Services – New in SDL Trisoft 2013 (10.0)
  • User Provisioning – Available since 2011 R2 (9.2)
  • User Provisioning – Functions
  • User Provisioning – Algorithm for In/Out
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

Current situation (slide 9)

• Identity Providers (IP)
  – Windows Active Directory
  – Open LDAP
  – Custom
• Why are they not suitable?
  – Mostly only identity providers. This means that every application must handle the authentication logic against them, so all kinds of proprietary implementations exist.
  – Proprietary and not cross-platform
  – Active Directory is the closest to what we are looking for, but it is for the Windows ecosystem only. Additionally, it uses a proprietary protocol (Kerberos). So not suitable.

Security Token Service (STS) (slide 10)

• It is a front end for one or many Identity Providers
• "Talks" widely accepted protocols like
  – WS-Federation
  – SAML-P
  – WS-Trust 1.3
• "Delivers" security tokens in widely accepted formats like
  – SAML 1.1
  – SAML 2.0 (relatively new)

Basic Flow Overview (slide 11)

• What is a claim?
  – An assertion: a value for a specific claim type (first name, age, address, …)
• What is a token?
  – Exactly like our national identity card
  – A set of claims
  – Signed with a certificate that proves the issuer's identity (STS)
  – Validity period

[Flow diagram: Client, STS and IP (Identity Provider). The STS sits in front of the IP (labels "Exchange", "Query"); the IP is labelled Active / Passive / Supported. Steps: 1. Authenticate, 2. Get Token, 3. Submit Token; the diagram also carries a TRUST label.]

Claims – Profiles (slide 12)

• Passive Profile
  – Client is a browser
  – Browser is "stupid": it just follows instructions
• Active Profile
  – Client is an "In Process Application" (exe)
  – Client is "smart": pre-"configured" with instructions
  – Web Services

[Diagram labels: Client/User (passive profile), Client/User (active profile)]

Claims – Demo (slide 13)

• Browser
  – Web SSO based on Trisoft users (InfoShareSTS)
  – Logged on to both LiveContent and Trisoft
• Client Tools
  – Well, actually you see no difference…

Claims – Brands & Backward Compatibility (slide 14)

We've tested with the following, but any brand respecting the standard can be configured:
• Microsoft Active Directory Federation Services v2 (ADFSv2)
  – When you have a Windows domain
  – Free extension
  – Replaces the 'direct' Windows Authentication introduced in 2011 R2
  – Simplified setup through a PowerShell script
• SDL Trisoft 'InfoShareSTS'
  – Externalizes Trisoft Authentication based on the Trisoft user repository
  – Backward-compatible option, but respecting the claims setup and SSO
  – Solution where Trisoft stores passwords, with limited password rules
  – Deprecated by nature, as externalizing security will happen more and more
  – Preconfigured out of the box

Claims – Trisoft InstallTool Parameters (slide 15)

• Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations
• New parameters in the inputparameters.xml file, required for installation
  – infosharestswebappname
  – servicecertificatesubjectname
  – basehostname
  – servicecertificatevalidationmode
  – issuercertificatethumbprint
  – issuercertificatevalidationmode
  – issueractorusername
  – issueractorpassword
  – issuerwstrustendpointurl
  – issuerwsfederationendpointurl
  – serviceusername
  – servicepassword

STS – STS Auth & Trisoft Authz (slide 16)

[Architecture diagram; components, host processes and identities recovered from the slide:]
• Web App InfoShareWS – Host: IIS AppPool (dllhost.exe), Identity: DOMAIN\InfoShareSvc
• Web App InfoShareAuthor – Host: IIS AppPool (dllhost.exe), Identity: DOMAIN\InfoShareSvc
• Web App InfoShareSTS – Host: IIS AppPool (dllhost.exe), Identity: DOMAIN\InfoShareSvc
• Database – Host: oracle.exe -or- sqlservr.exe, Identity: N/A
• Browser – Host: iexplore.exe, Identity: DOMAIN\user
• Client Tools – Host: PublicationManager.exe -or- xmetal.exe, Identity: DOMAIN\user
• ADFSv2 – Host: AD, Identity: N/A
• Other labels: Trisoft Foundation, Trisoft API25 / API20 / API10, Trisoft API25 for PubOutput Streaming, Trisoft API25, Trisoft Client Tools, Trisoft InfoShareWeb, Trisoft Xopus, Microsoft IIS; the connections carry http(s) SOAP and http(s)

Claims – Account Creation (slide 17)

• Reduced Client Tools account-creation complexity by a configuration file living in the 'InfoShareWS' virtual directory, e.g. https://InfoShareWS/connectionconfiguration.xml
• The only thing to provide is the web services location

Claims – Database Upgrade Tool – Screenshot (slide 18)

• When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field. DBUT solves this problem.

Central Auth and Trisoft Authz (slide 19)

• A Trisoft user has 3 kinds of metadata
  – Authentication: user name and password
  – Authorization: user roles and access to user groups
  – Application data: user language, favorites, e-mail, user name, id
• In Trisoft 2013 (10.0) authentication happens through a central/3rd-party Security Token Service (STS) system
• Once authenticated as an external user, Trisoft maps it to a Trisoft user profile for authorization and application data
• The Trisoft user profile is required for
  – Granting it user roles and access to user groups
  – Referencing in workflow and assignments
  – Populating user lists based on Trisoft user roles

bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

Web Services ndash ASMX and SVC

20

bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

bull First checks the input if unexpectedwrong it will throw immediately

bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

Web Services - API25 ndash Some ground rules

Function name Description

SetMetadata Current function

SetMetadata2 New function to support multiple write access

SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

bull Contextual information comes in through ndash For ASMX Web Services

bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

bull Deprecated because of technology

bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

OASIS standard using OASIS SAML tokens

bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

bull Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 ndash Who are you

bull First of all we provided all these new classes in ASMX and SVC flavor for now

bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

bull holding the SDL LiveContent Reach and WorldServer location

ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

bull Introducing versioned schema validation

ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

Web Services - New in SDL Trisoft 2013 (100)

bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

Web Services - New in SDL Trisoft 2013 (100)

bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

assign publications or content objects you would want to get translated

ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

Web Services - New in SDL Trisoft 2013 (100)

User Provisioning ndash Available since 2011 R2 (92)

bull Introducing the following API functions

User Provisioning - Functions

User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for InOut

bull Multi Browser support ndash IE8 and IE9

ndash FF-latest

ndash Chrome-latest

bull Third Party Software ndash AntennaHouse XSL Formater 60

ndash SQLServer 2008 SP3

ndash SQLServer 2008R2 SP2

What we also did

bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

What we also did

SDL Trisoft Authoring Bridge

Database

Server or Remote Machine

Application Server

Client

Access through Web Services

SDL Trisoft Foundation

Arbortext Editor XMetaL FrameMaker

FrameMaker Connector

Arbortext Editor Connector XMetal Connector

3rd Party Application

3rd Party Connector

bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

  • SDL Trisoft Tech DeckTechnology Web Services and QampA
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims ndash Demo
  • Claims - Brands amp Backward Compatibility
  • Claims ndash Trisoft InstallTool Parameters
  • STS - STS Auth amp Trisoft Authz
  • Claims ndash Account Creation
  • Claims ndash Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services ndash ASMX and SVC
  • Web Services - API25 ndash Some ground rules
  • Web Services - API25 ndash Who are you
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • User Provisioning ndash Available since 2011 R2 (92)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for InOut
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

bull It is a front end for one or many Identity Provides

bull ldquoTalksrdquo widely accepted protocols like

ndash WS Federation

ndash SAML-P

ndash WS Trust 13

bull ldquoDeliversrdquo security tokens in widely accepted formats like

ndash SAML11

ndash SAML20 (Relatively new)

Security Token Service (STS)

10

STS

Exchange Query

bull What is a claim

ndash An assertion A value for a specific claim type (First name Age Address hellip)

bull What is a token

ndash Exactly as our national identity card

ndash A set of claims

ndash Signed with a certificate that proves the issuerrsquos identity (STS)

ndash Validity period

IP

Active

Passive

Supported

Basic Flow Overview

11

Client

STS IP

1 Authenticate

2 Get Token

3 Submit Token

TRUST

bull Passive Profile ndash Client is a browser

ndash Browser is ldquostupidrdquo Just follows instructions

bull Active Profile ndash Client is a ldquoIn Process Applicationrdquo (exe)

ndash Client is ldquosmartrdquo Pre-rdquoConfiguredrdquo with instructions

ndash Web Services

Claims - Profiles

12

ClientUser

ClientUser

bull Browser ndash Web SSO based on Trisoft Users (InfoShareSTS)

ndash Logged on on LiveContent and Trisoft

bull Client Tools ndash Well actually you see no differencehellip

Claims ndash Demo

13

Wersquove tested with but any brand respecting the standard can be configured bull Microsoft Active Directory Federated Services v2 (ADFSv2)

ndash When you have a Windows domain

ndash Free extension ndash Replaces the 2011R2 introduced lsquodirectrsquo Windows Authentication ndash Simplified setup through PowerShell script

bull SDL Trisoft lsquoInfoShareSTSrsquo

ndash Externalizes Trisoft Authentication based on the Trisoft User Repository

ndash Backward compatible option but respecting the Claims setup and SSO ndash Solution where Trisoft stores passwords with limited password rules ndash Deprecated by nature as externalizing security will happen more and more

ndash Out of the box preconfigured

Claims - Brands amp Backward Compatibility

14

bull Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

bull New Parameters in the inputparametersxml file required for installation ndash Infosharestswebappname ndash servicecertificatesubjectname ndash basehostname ndash servicecertificatevalidationmode ndash issuercertificatethumbprint ndash issuercertificatevalidationmode ndash issueractorusername ndash issueractorpassword ndash issuerwstrustendpointurl ndash issuerwsfederationendpointurl ndash serviceusername ndash servicepassword

Claims ndash Trisoft InstallTool Parameters

15

http(s) SOAP

http(s) SOAP

http(s) SOAP

http(s)

Web App InfoShareWS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

Web App InfoShareAuthor Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

STS - STS Auth amp Trisoft Authz

Host oracleexe -or- sqlservrexe Identity NA

Host iexploreexe Identity DOMAINuser

Host PublicationManagerexe -or- xmetalexe Identity DOMAINuser

Trisoft Foundation

Trisoft API25 API20 API10

Tris

oft

Clie

nt T

ools

Tris

oft

Info

Sha

reW

eb

Tris

oft

Xop

us

Bro

wse

r

Mic

roso

ft I

IS

Host AD

Identity NA

Mic

roso

ft I

IS

Trisoft Foundation

Trisoft API25 for PubOutput Streaming

Web App InfoShareSTS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

Trisoft API25

Mic

roso

ft I

IS

Browser

ADFSv2

bull Reduced Client Tools account creation complexity by a configuration file living in the lsquoInfoSharWSrsquo virtual directory ndash eg httpsInfoShareWSconnectionconfigurationxml

bull Only thing to provide is the web services location

Claims ndash Account Creation

17

Claims ndash Database Upgrade Tool - Screenshot

18

bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

ndash Authorization user roles and access to user groups

ndash Application Data User language Favorites e-mail user name id

bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

ndash Referencing in workflow and assignments

ndash Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

19

bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

Web Services ndash ASMX and SVC

20

bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

bull First checks the input if unexpectedwrong it will throw immediately

bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

Web Services - API25 ndash Some ground rules

Function name Description

SetMetadata Current function

SetMetadata2 New function to support multiple write access

SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

bull Contextual information comes in through ndash For ASMX Web Services

bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

bull Deprecated because of technology

bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

OASIS standard using OASIS SAML tokens

bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

bull Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 ndash Who are you

bull First of all we provided all these new classes in ASMX and SVC flavor for now

bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

bull holding the SDL LiveContent Reach and WorldServer location

ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

bull Introducing versioned schema validation

ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

Web Services - New in SDL Trisoft 2013 (100)

bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

Web Services - New in SDL Trisoft 2013 (100)

bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

assign publications or content objects you would want to get translated

ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

Web Services - New in SDL Trisoft 2013 (100)

User Provisioning ndash Available since 2011 R2 (92)

bull Introducing the following API functions

User Provisioning - Functions

User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for InOut

bull Multi Browser support ndash IE8 and IE9

ndash FF-latest

ndash Chrome-latest

bull Third Party Software ndash AntennaHouse XSL Formater 60

ndash SQLServer 2008 SP3

ndash SQLServer 2008R2 SP2

What we also did

bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

What we also did

SDL Trisoft Authoring Bridge

Database

Server or Remote Machine

Application Server

Client

Access through Web Services

SDL Trisoft Foundation

Arbortext Editor XMetaL FrameMaker

FrameMaker Connector

Arbortext Editor Connector XMetal Connector

3rd Party Application

3rd Party Connector

bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL


Basic Flow Overview

[Diagram: Client, STS / IP (identity provider) and the application. 1. Authenticate: the client proves its identity to the STS/IP. 2. Get Token: the STS/IP returns a token. 3. Submit Token: the client presents the token to the application, which accepts it because of the TRUST relationship between the application and the STS/IP.]
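The three steps of the diagram, as an added example that is not part of the SDL deck: a minimal stand-in for the WS-Trust/SAML exchange in which the STS/IP authenticates the user, issues a token, and the relying application accepts it only after checking the things its TRUST relationship rests on (signature, issuer, audience, expiry). The token format, the HMAC key standing in for the issuer's signing certificate, the claim names, the identity store and the issuer/application identifiers are all constructed for illustration; a real STS signs SAML tokens with a certificate, which is what the issuercertificatethumbprint install parameter pins on the Trisoft side.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed: stands in for the issuer's signing certificate (a real relying
# party verifies a certificate signature, not a shared HMAC key).
ISSUER_KEY = b"constructed-issuer-signing-key"
ISSUER_NAME = "urn:example:sts"          # hypothetical STS/IP identifier
TOKEN_LIFETIME = 300                      # seconds a token stays valid

# Constructed identity store of the STS/IP: username -> (sha256(password), roles)
DIRECTORY = {
    "alice": (hashlib.sha256(b"correct horse").hexdigest(), ["Author", "Reviewer"]),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(body: bytes) -> str:
    return _b64(hmac.new(ISSUER_KEY, body, hashlib.sha256).digest())


def authenticate(username: str, password: str) -> bool:
    """Step 1: the STS/IP verifies the credential against its own store."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return False
    presented = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(entry[0], presented)


def get_token(username: str, audience: str, now: float = None) -> str:
    """Step 2: the STS issues a signed token naming issuer, audience and expiry."""
    now = time.time() if now is None else now
    claims = {
        "iss": ISSUER_NAME,
        "aud": audience,
        "exp": now + TOKEN_LIFETIME,
        "externalid": username,            # what Trisoft would match against FISHEXTERNALID
        "roles": DIRECTORY[username][1],
    }
    body = json.dumps(claims, sort_keys=True).encode()
    return _b64(body) + "." + _signature(body)


def submit_token(token: str, expected_audience: str, now: float = None) -> dict:
    """Step 3: the relying application checks everything its trust in the issuer
    depends on before any claim is used for authorization; raises ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        body_b64, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    body = _unb64(body_b64)
    if not hmac.compare_digest(_signature(body), sig):
        raise ValueError("signature does not verify against the trusted issuer key")
    claims = json.loads(body)
    if claims.get("iss") != ISSUER_NAME:
        raise ValueError("token not from a trusted issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("token was issued for a different application")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def token_accepted(token: str, audience: str, now: float) -> bool:
    """True if the relying application would accept the token at time `now`."""
    try:
        submit_token(token, audience, now)
        return True
    except ValueError:
        return False


def with_modified_claims(token: str, changes: dict) -> str:
    """Negative test helper: re-encode the claims with changes but keep the original
    signature, which is what a client editing its own token would produce."""
    body_b64, sig = token.split(".")
    claims = json.loads(_unb64(body_b64))
    claims.update(changes)
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig


if __name__ == "__main__":
    app = "urn:example:InfoShareWS"       # hypothetical relying application
    assert authenticate("alice", "correct horse")
    tok = get_token("alice", app, now=1000.0)
    print(submit_token(tok, app, now=1100.0)["externalid"])
```

The passive and active profiles on the next slide differ only in who performs steps 1 to 3 (a redirected browser versus a pre-configured in-process client); the checks in submit_token are the same for both.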

• Passive Profile – Client is a browser
  – Browser is "stupid": just follows instructions
• Active Profile – Client is an "In-Process Application" (exe)
  – Client is "smart": pre-"configured" with instructions
  – Web Services

Claims - Profiles

• Browser – Web SSO based on Trisoft Users (InfoShareSTS)
  – Logged on to both LiveContent and Trisoft
• Client Tools – Well, actually you see no difference…

Claims – Demo

We've tested with the following, but any brand respecting the standard can be configured:
• Microsoft Active Directory Federation Services v2 (ADFSv2)
  – When you have a Windows domain
  – Free extension
  – Replaces the 'direct' Windows Authentication introduced in 2011R2
  – Simplified setup through PowerShell script
• SDL Trisoft 'InfoShareSTS'
  – Externalizes Trisoft Authentication based on the Trisoft User Repository
  – Backward compatible option, but respecting the Claims setup and SSO
  – Solution where Trisoft stores passwords, with limited password rules
  – Deprecated by nature, as externalizing security will happen more and more
  – Out of the box, preconfigured

Claims - Brands & Backward Compatibility

• Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations
• New parameters in the inputparameters.xml file, required for installation:
  – infosharestswebappname
  – servicecertificatesubjectname
  – basehostname
  – servicecertificatevalidationmode
  – issuercertificatethumbprint
  – issuercertificatevalidationmode
  – issueractorusername
  – issueractorpassword
  – issuerwstrustendpointurl
  – issuerwsfederationendpointurl
  – serviceusername
  – servicepassword

Claims – Trisoft InstallTool Parameters

[Diagram: STS Auth & Trisoft Authz deployment. Clients: Trisoft Client Tools (host PublicationManager.exe or xmetal.exe, identity DOMAIN\user) and Browser (host iexplore.exe, identity DOMAIN\user), talking http(s) SOAP and http(s) to the web tier. Web tier on Microsoft IIS, on top of Trisoft Foundation: web app InfoShareWS (Trisoft API25, API20, API10; API25 for PubOutput streaming), web app InfoShareAuthor (Trisoft InfoShareWeb, Trisoft Xopus) and web app InfoShareSTS (Trisoft API25), each hosted in an IIS AppPool (dllhost.exe) with identity DOMAIN\InfoShareSvc. Alternative identity provider: ADFSv2 on Microsoft IIS, host AD, identity N/A. Database: host oracle.exe or sqlservr.exe, identity N/A.]

STS - STS Auth & Trisoft Authz

• Reduced Client Tools account creation complexity by a configuration file living in the 'InfoShareWS' virtual directory
  – e.g. https://<server>/InfoShareWS/connectionconfiguration.xml
• The only thing to provide is the web services location

Claims – Account Creation

Claims – Database Upgrade Tool - Screenshot

• When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field; DBUT (the Database Upgrade Tool) solves this problem

• A Trisoft User has 3 kinds of metadata
  – Authentication: user name and password
  – Authorization: user roles and access to user groups
  – Application Data: user language, favorites, e-mail, user name, id
• In Trisoft 2013 (10.0) authentication happens through a central/3rd-party Security Token Service (STS) system
• Once authenticated as an external user, Trisoft will map it to a Trisoft user profile for authorization and application data
• The Trisoft User Profile is required for
  – Granting it user roles and access to user groups
  – Referencing in workflow and assignments
  – Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

• ASMX based web services like http://<server>/InfoShareWS/Application.ASMX
  – Since 2003
  – First parameter in every function is always 'AuthenticationContext', so the Trisoft way of authentication
• Introducing Windows Communication Foundation (WCF) services like http://<server>/InfoShareWS/WCF/API25/Application.SVC
  – Support for claims-based authentication
  – Replaces ASMX Web Services, so marking them as deprecated
    • Deprecated here means: supported as long as the cost of maintenance is reasonable
• Goal is to step away from Trisoft Authentication (Trisoft Username/Password combinations)

Web Services – ASMX and SVC

• All API calls labelled 25 are 100% .NET full stack; they are visible in web services like DocumentObj25, OutputFormat25
  – API25 means a certain set of behavior
  – Technology wise, the mapping of ASMX, SVC, .NET and COM+ interfaces is one-on-one, apart from technical limitations (e.g. function overloading, parameter types)
• Exceptions
  – Internally uses the TrisoftException or per-assembly derived variations
  – Throws InfoShareExceptions, wrapped in the 'InfoShareWS' into SoapException
• First checks the input; if unexpected/wrong it will throw immediately
• Results are never sorted unless explicitly indicated through a sequence field. The client should always sort.

Web Services - API25 – Some ground rules

Function name   Description
SetMetadata     Current function
SetMetadata2    New function to support multiple write access
SetMetadata3    New function to support multiple write access and an extra parameter "requiredCurrentMetadata" to force the current metadata to match an expected value
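What the extra "requiredCurrentMetadata" parameter of SetMetadata3 protects against, as an added example that is not code from the SDL deck or product: two clients read the same object, both write, and with a blind write (SetMetadata2 behaviour) the second write silently discards the first. The in-memory store, the object reference and the field names in the sample data are constructed; the function names mirror the table above but the bodies are an illustration of the compare-and-set idea, not the real API.

```python
import copy


class MetadataConflict(Exception):
    """Raised when the object's current metadata is not what the caller last saw."""


# Constructed store: object reference -> metadata field dict
STORE = {}


def get_metadata(ref: str) -> dict:
    """Read a snapshot of an object's metadata (copy, so callers cannot mutate the store)."""
    return copy.deepcopy(STORE.get(ref, {}))


def set_metadata2(ref: str, metadata: dict) -> dict:
    """Blind write: last writer wins, so an update made after the caller read the
    object is overwritten without anyone noticing (the lost-update problem)."""
    current = STORE.setdefault(ref, {})
    current.update(metadata)
    return copy.deepcopy(current)


def set_metadata3(ref: str, metadata: dict, required_current_metadata: dict) -> dict:
    """Guarded write: every field in required_current_metadata must still hold the
    value the caller expects, otherwise nothing is written and the caller must
    re-read and decide again."""
    current = STORE.setdefault(ref, {})
    for field, expected in required_current_metadata.items():
        if current.get(field) != expected:
            raise MetadataConflict(
                f"{ref}: {field} is {current.get(field)!r}, expected {expected!r}")
    current.update(metadata)
    return copy.deepcopy(current)


def lost_update_demo() -> tuple:
    """Replay one race with both flavours. Returns (status after two blind writes,
    whether the guarded write rejected the stale client, status after guarded writes)."""
    STORE.clear()
    STORE["GUID-TOPIC-1"] = {"FSTATUS": "Draft", "FAUTHOR": "alice"}   # constructed sample
    a_view = get_metadata("GUID-TOPIC-1")      # client A reads: Draft
    b_view = get_metadata("GUID-TOPIC-1")      # client B reads: Draft

    # Blind writes: A moves the topic on, B (working from its stale view) overwrites A.
    set_metadata2("GUID-TOPIC-1", {"FSTATUS": "To be reviewed"})
    after_blind = set_metadata2("GUID-TOPIC-1", {"FSTATUS": "Released"})["FSTATUS"]

    # Same race with guarded writes: B's expectation no longer matches and is refused.
    STORE["GUID-TOPIC-1"] = {"FSTATUS": "Draft", "FAUTHOR": "alice"}
    set_metadata3("GUID-TOPIC-1", {"FSTATUS": "To be reviewed"},
                  {"FSTATUS": a_view["FSTATUS"]})
    try:
        set_metadata3("GUID-TOPIC-1", {"FSTATUS": "Released"},
                      {"FSTATUS": b_view["FSTATUS"]})
        rejected = False
    except MetadataConflict:
        rejected = True
    return after_blind, rejected, get_metadata("GUID-TOPIC-1")["FSTATUS"]


if __name__ == "__main__":
    print(lost_update_demo())
```

For workflow transitions this matters because a status skipped by a lost update never gets its transition checks applied; the guard makes the stale client fail loudly instead.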

• Incoming user contextual information will be decrypted into a UserContext object, which in turn will always be validated for correctness in the database (rights, disabled, roles, etc.)
• Contextual information comes in through
  – For ASMX Web Services
    • Every class constructor requires an AuthenticationContext, so it only works for 'Trisoft Internal' users
    • Deprecated because of technology
    • Stopped support for 'direct' Windows/LDAP Authentication in favor of an STS solution
  – For SVC Web Services
    • No AuthenticationContext parameter, as it is on-the-wire as part of the WS-Trust OASIS standard, using OASIS SAML tokens
    • The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsPrincipal object on the thread
    • Supports any Authentication type, because it is an externalized service (STS)

Web Services - API25 – Who are you

• First of all, we provided all these new classes in ASMX and SVC flavor for now
• Settings25, allowing access to Set and Get
  – Settings > Default Settings
    • holding the SDL LiveContent Reach and WorldServer location
  – All Settings Configuration XMLs, like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
    • Note that 'Xml Tags' is gone
    • Introducing versioned schema validation
  – Function GetPossibleTargetStatuses helps in filling the allowed 'next values' for workflow dialogs

Web Services - New in SDL Trisoft 2013 (10.0)

• ListOfValues25, allowing access to manage the allowed/permitted values of a selected List of Values (LOV)
  – Useful for automated integrations/input
  – Note: adding the List of Values itself (e.g. 'ImageType') still requires the setup utilities. This API class allows you to add values (e.g. 'Diagram' and 'Graphic' into 'ImageType').

Web Services - New in SDL Trisoft 2013 (10.0)

• The following API functions allow our new 'TranslationOrganizer' service to work
• TranslationTemplate25
  – Allows management of cached translation templates in Trisoft
  – A 'configuration' identifier tells the Translation Management System which setup to use (e.g. WorldServer workflow, cost code)
• TranslationJob25
  – Allows typical CRUD of the new TranslationJob containers, where you assign the publications or content objects you want to get translated
  – The TranslationJob object drives the 'TranslationBuilder' and 'TranslationOrganizer' Windows services

Web Services - New in SDL Trisoft 2013 (10.0)

User Provisioning – Available since 2011 R2 (9.2)

• Introducing the following API functions

User Provisioning - Functions

User25: ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update
UserGroup25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update
UserRole25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

1. Delete or Disable Trisoft User Profiles
   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
      1. If none exists: delete the Trisoft user profile if it is not referenced, otherwise disable the Trisoft user profile
      2. If one or more exists: check if disabled, and possibly disable the Trisoft user profile
2. Create or Update Trisoft User Profiles…
   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
   2. For every user in the external-user-list, find the Trisoft User Profile by FISHEXTERNALID
      1. If multiple hits: throw an exception, as multiple profile hits will never grant a login
      2. If none exists: create the user profile with the required roles and user groups
      3. If one exists: enable, skip or possibly update the user profile. Beware that an update could overwrite explicitly set values

User Provisioning - Algorithm for In/Out
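The two procedures that meet at FISHEXTERNALID, as one added example that is not code from the SDL deck or product: the mapping of an authenticated external identity to its Trisoft profile described on "Central Auth and Trisoft Authz" (including the "multiple hits never grant a login" rule), and the in/out provisioning algorithm above, run against a constructed in-memory profile list. FISHUSERTYPE, FISHUSERDISABLED and FISHEXTERNALID are the field names from the slides; USERNAME and FISHUSERROLES as dictionary keys, the profile structure, the external directory with its "disabled" flag and the set of referenced users are assumptions made for the illustration, not the User25 API.

```python
from typing import Optional


class MultipleProfileHits(Exception):
    """More than one Trisoft profile carries the same FISHEXTERNALID; per the slide this never grants a login."""


def find_by_external_id(profiles: list, external_id: str) -> list:
    """All profiles whose FISHEXTERNALID equals the authenticated external identity."""
    return [p for p in profiles if p.get("FISHEXTERNALID") == external_id]


def resolve_profile(external_id: str, profiles: list) -> Optional[dict]:
    """Trisoft side of central auth: the STS already vouched for external_id, so find the
    one enabled profile that holds the user's roles and groups. None means no login."""
    hits = find_by_external_id(profiles, external_id)
    if len(hits) > 1:
        raise MultipleProfileHits(external_id)
    if not hits or hits[0]["FISHUSERDISABLED"] == "Yes":
        return None
    return hits[0]


def login_decision(external_id: str, profiles: list) -> str:
    """'granted', 'denied' or 'conflict' for an already-authenticated external identity."""
    try:
        return "granted" if resolve_profile(external_id, profiles) else "denied"
    except MultipleProfileHits:
        return "conflict"


def provision_in_out(profiles: list, external_users: dict, referenced: set, required_roles: list) -> list:
    """The in/out algorithm. external_users maps external id -> {'disabled': bool} (a
    constructed stand-in for the LDAP/STS directory); referenced holds user names still
    used in workflow or assignments. Mutates profiles and returns the actions taken."""
    actions = []
    # 1. Delete or disable: every enabled external profile must still exist upstream
    for profile in list(profiles):
        if profile["FISHUSERTYPE"] != "External" or profile["FISHUSERDISABLED"] != "No":
            continue
        upstream = external_users.get(profile["FISHEXTERNALID"])
        if upstream is None:
            if profile["USERNAME"] in referenced:
                profile["FISHUSERDISABLED"] = "Yes"       # referenced: keep the row, disable it
                actions.append(("disable", profile["USERNAME"]))
            else:
                profiles.remove(profile)                  # unreferenced: safe to delete
                actions.append(("delete", profile["USERNAME"]))
        elif upstream["disabled"]:
            profile["FISHUSERDISABLED"] = "Yes"
            actions.append(("disable", profile["USERNAME"]))
    # 2. Create or update: every external user that must have a profile ends up with exactly one
    for external_id, upstream in external_users.items():
        if upstream["disabled"]:      # stands in for 'limited by LDAP role': not required to have one
            continue
        hits = find_by_external_id(profiles, external_id)
        if len(hits) > 1:
            raise MultipleProfileHits(external_id)
        if not hits:
            profiles.append({"USERNAME": external_id, "FISHUSERTYPE": "External",
                             "FISHUSERDISABLED": "No", "FISHEXTERNALID": external_id,
                             "FISHUSERROLES": list(required_roles)})
            actions.append(("create", external_id))
        elif hits[0]["FISHUSERDISABLED"] == "Yes":
            hits[0]["FISHUSERDISABLED"] = "No"
            actions.append(("enable", hits[0]["USERNAME"]))
        else:
            # Deliberately no 'update': it could overwrite explicitly set values
            actions.append(("skip", hits[0]["USERNAME"]))
    return actions


def sample_run() -> tuple:
    """Constructed profile list and directory that exercise every branch."""
    def profile(name, ext, disabled="No", user_type="External"):
        return {"USERNAME": name, "FISHUSERTYPE": user_type, "FISHUSERDISABLED": disabled,
                "FISHEXTERNALID": ext, "FISHUSERROLES": ["Author"]}
    profiles = [
        profile("alice", "alice@corp"),                   # still upstream and enabled: skip
        profile("bob", "bob@corp"),                       # gone upstream but referenced: disable
        profile("carol", "carol@corp"),                   # gone upstream, unreferenced: delete
        profile("dave", "dave@corp", disabled="Yes"),     # back upstream: enable
        profile("erin", "erin@corp"),                     # disabled upstream: disable
        profile("admin", None, user_type="Internal"),     # internal account: never touched
    ]
    external_users = {
        "alice@corp": {"disabled": False},
        "dave@corp": {"disabled": False},
        "erin@corp": {"disabled": True},
        "frank@corp": {"disabled": False},                # new upstream: create
    }
    actions = provision_in_out(profiles, external_users, referenced={"bob"}, required_roles=["Author"])
    return actions, profiles


if __name__ == "__main__":
    acts, profs = sample_run()
    print(acts)
    print(login_decision("alice@corp", profs), login_decision("bob@corp", profs))
```

Running the provisioning before logins matters for the conflict branch: a duplicate FISHEXTERNALID is detected by the "out" pass and fails the run, rather than surfacing as a refused login for the affected user.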

• Multi Browser support
  – IE8 and IE9
  – FF-latest
  – Chrome-latest
• Third Party Software
  – Antenna House XSL Formatter 6.0
  – SQLServer 2008 SP3
  – SQLServer 2008R2 SP2

What we also did


3rd Party Application

3rd Party Connector

bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

  • SDL Trisoft Tech DeckTechnology Web Services and QampA
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims ndash Demo
  • Claims - Brands amp Backward Compatibility
  • Claims ndash Trisoft InstallTool Parameters
  • STS - STS Auth amp Trisoft Authz
  • Claims ndash Account Creation
  • Claims ndash Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services ndash ASMX and SVC
  • Web Services - API25 ndash Some ground rules
  • Web Services - API25 ndash Who are you
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • User Provisioning ndash Available since 2011 R2 (92)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for InOut
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

We've tested with the brands below, but any brand that respects the standard can be configured

• Microsoft Active Directory Federation Services v2 (ADFSv2)
  – When you have a Windows domain
  – Free extension
  – Replaces the 'direct' Windows Authentication introduced in 2011R2
  – Simplified setup through a PowerShell script

• SDL Trisoft 'InfoShareSTS'
  – Externalizes Trisoft Authentication based on the Trisoft User Repository
  – Backward compatible option that still respects the Claims setup and SSO
  – Solution where Trisoft itself stores the passwords, with limited password rules
  – Deprecated by nature, as externalizing security will happen more and more
  – Out of the box preconfigured

Claims - Brands & Backward Compatibility

14

• Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

• New parameters in the inputparameters.xml file, required for installation
  – Infosharestswebappname
  – servicecertificatesubjectname
  – basehostname
  – servicecertificatevalidationmode
  – issuercertificatethumbprint
  – issuercertificatevalidationmode
  – issueractorusername
  – issueractorpassword
  – issuerwstrustendpointurl
  – issuerwsfederationendpointurl
  – serviceusername
  – servicepassword

Claims – Trisoft InstallTool Parameters

15
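Most of the parameters above decide how much the installed system trusts its token issuer, so they are worth checking before the install runs. The script below is an added example written for this page, not SDL tooling: the slide only lists the parameter names, so the element layout it parses (`<param name="..." currentvalue="..."/>`), the two sample files and every host name, account and URL in them are constructed assumptions. The validation-mode names are the WCF/WIF `X509CertificateValidationMode` values.

```python
"""Lint the claims-related entries of an InstallTool inputparameters.xml before running the install.

Added example, not SDL code. The slide only lists the parameter names; the element layout used
here (<param name="..." currentvalue="..."/>) and both sample files are constructed. The
validation-mode values are the WCF/WIF X509CertificateValidationMode names.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

VALIDATION_MODES = {"None", "PeerTrust", "ChainTrust", "PeerOrChainTrust", "Custom"}
THUMBPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")   # SHA-1 thumbprint: 40 hex digits and nothing else
ENDPOINT_PARAMS = ("issuerwstrustendpointurl", "issuerwsfederationendpointurl")
SECRET_PARAMS = ("issueractorpassword", "servicepassword")

# Constructed: a first attempt, values pasted together from the ADFS and certificate consoles.
FIRST_ATTEMPT = {
    "infosharestswebappname": "InfoShareSTS",
    "basehostname": "cms.example.local",
    "servicecertificatesubjectname": "CN=cms.example.local",
    "servicecertificatevalidationmode": "None",
    "issuercertificatethumbprint": "\u200e1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09 1a 2b 3c 4d",
    "issuercertificatevalidationmode": "None",
    "issueractorusername": "EXAMPLE\\svc-sts-actor",
    "issueractorpassword": "P@ssw0rd!",
    "issuerwstrustendpointurl": "http://adfs.example.local/adfs/services/trust/13/usernamemixed",
    "issuerwsfederationendpointurl": "https://adfs.example.local/adfs/ls/",
    "serviceusername": "EXAMPLE\\InfoShareSvc",
    "servicepassword": "P@ssw0rd!",
}
# Constructed: the same file after the findings reported below were fixed.
HARDENED = dict(FIRST_ATTEMPT,
                servicecertificatevalidationmode="ChainTrust",
                issuercertificatethumbprint="1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D",
                issuercertificatevalidationmode="PeerTrust",
                issuerwstrustendpointurl="https://adfs.example.local/adfs/services/trust/13/usernamemixed")


def build_xml(values):
    """Serialize a dict in the assumed inputparameters layout."""
    body = "".join(f"  <param name={quoteattr(k)} currentvalue={quoteattr(v)}/>\n" for k, v in values.items())
    return f"<inputparameters>\n{body}</inputparameters>"


def load_params(xml_text):
    """Return {name: currentvalue} for every <param> element."""
    return {p.get("name"): p.get("currentvalue", "") for p in ET.fromstring(xml_text).iter("param")}


def lint_claims_params(params):
    """Return (severity, parameter, message) findings; an 'error' means do not run the install yet."""
    findings = []
    for name in ("servicecertificatevalidationmode", "issuercertificatevalidationmode"):
        mode = params.get(name, "")
        if mode not in VALIDATION_MODES:
            findings.append(("error", name, f"unknown X509CertificateValidationMode {mode!r}"))
        elif mode == "None":
            findings.append(("warn", name, "no chain or peer validation of the certificate; acceptable only "
                                           "while the certificate is pinned by a correct thumbprint"))
    if not THUMBPRINT_RE.match(params.get("issuercertificatethumbprint", "")):
        findings.append(("error", "issuercertificatethumbprint",
                         "must be exactly 40 hex digits; copies from the certificate dialog carry spaces "
                         "and an invisible leading U+200E that break the match"))
    for name in ENDPOINT_PARAMS:
        if not params.get(name, "").lower().startswith("https://"):
            findings.append(("error", name, "must be https: credentials and tokens travel over this endpoint"))
    for name in SECRET_PARAMS:
        if params.get(name):
            findings.append(("info", name, "plaintext credential in the install file; restrict its ACL "
                                           "and remove it after the install"))
    return findings


if __name__ == "__main__":
    for label, values in (("first attempt", FIRST_ATTEMPT), ("hardened", HARDENED)):
        print(f"== {label}")
        for severity, name, message in lint_claims_params(load_params(build_xml(values))):
            print(f"{severity:5} {name}: {message}")
```

Run it against the real file by replacing `build_xml(values)` with the file contents once the element layout is known; the thumbprint check in particular catches the most common reason a freshly installed STS refuses every token.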

[Diagram: STS authentication and Trisoft authorization deployment. Recovered components and labels:]

• Client, identity DOMAIN\user
  – Browser (host iexplore.exe) running Trisoft InfoShareWeb and Trisoft Xopus
  – Trisoft Client Tools (host PublicationManager.exe or xmetal.exe)
• Application server, Microsoft IIS, identity DOMAIN\InfoShareSvc
  – Web App InfoShareWS: IIS AppPool (dllhost.exe); exposes Trisoft API25, API20 and API10 on Trisoft Foundation
  – Web App InfoShareAuthor: IIS AppPool (dllhost.exe); Trisoft API25 for PubOutput Streaming on Trisoft Foundation
  – Web App InfoShareSTS: IIS AppPool (dllhost.exe); Trisoft API25
• Database: host oracle.exe or sqlservr.exe, identity N/A
• Identity provider: AD (identity N/A) and ADFSv2
• Connections: http(s) SOAP between the clients and the web services; http(s) from the browser to InfoShareAuthor

STS - STS Auth & Trisoft Authz

• Reduced Client Tools account creation complexity by a configuration file living in the 'InfoShareWS' virtual directory
  – e.g. https://…/InfoShareWS/connectionconfiguration.xml

• The only thing to provide is the web services location

Claims – Account Creation

17

Claims – Database Upgrade Tool - Screenshot

18

• When activating external authentication you must have at least one user profile with a correctly configured FISHEXTERNALID field, otherwise no external user can be mapped to a profile; the Database Upgrade Tool (DBUT) solves this problem

• A Trisoft User has 3 kinds of metadata
  – Authentication: user name and password
  – Authorization: user roles and access to user groups
  – Application Data: user language, favorites, e-mail, user name, id

• In Trisoft 2013 (10.0) authentication happens through a central/3rd party Security Token Service (STS)

• Once authenticated as an external user, Trisoft maps it to a Trisoft user profile for authorization and application data

• The Trisoft User Profile is required for
  – Granting it user roles and access to user groups
  – Referencing in workflow and assignments
  – Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

19

• ASMX based web services, like http://…/InfoShareWS/Application.ASMX
  – Since 2003
  – The first parameter in every function is always 'AuthenticationContext', i.e. the Trisoft way of authentication

• Introducing Windows Communication Foundation (WCF) services, like http://…/InfoShareWS/WCF/API25/Application.SVC
  – Support for claims-based authentication
  – Replaces the ASMX Web Services, so marking them as deprecated
    • Deprecated here means: supported as long as the cost of maintenance is reasonable

• Goal is to step away from Trisoft Authentication (Trisoft Username/Password combinations)

Web Services – ASMX and SVC

20

• All API calls labelled 25 are 100% .NET full stack; they are visible in web services like DocumentObj25, OutputFormat25
  – API 25 means a certain set of behavior
  – Technology wise the mapping of ASMX, SVC, .NET and COM+ interfaces is one-on-one, apart from technical limitations (e.g. function overloading, parameter types)

• Exceptions
  – Internally uses the TrisoftException, or per-assembly derived variations
  – Throws InfoShareExceptions, wrapped by 'InfoShareWS' into a SoapException

• First checks the input; if unexpected/wrong it throws immediately

• Results are never sorted unless explicitly indicated through a sequence field. The client should always sort.

Web Services - API25 – Some ground rules

Function name   Description
SetMetadata     Current function
SetMetadata2    New function to support multiple write access
SetMetadata3    New function to support multiple write access and an extra parameter "requiredCurrentMetadata" to force the current metadata to match an expected value
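The "requiredCurrentMetadata" parameter is a compare-and-set: the caller states what it believes the metadata currently is, and the server refuses the write when that is no longer true. The model below is an added example for this page, not SDL code; `MetadataStore`, `MetadataConflict`, the object id and the field names are assumptions chosen to show the difference between an unconditional SetMetadata-style write and a SetMetadata3-style conditional one.

```python
"""SetMetadata versus a SetMetadata3-style conditional write: why 'requiredCurrentMetadata' exists.

Added example, not SDL code. MetadataStore, MetadataConflict, the object id and the field
names are assumptions; only the idea comes from the slide: the caller passes the metadata it
believes is current, and the server refuses the write when the stored values no longer match.
"""
import threading


class MetadataConflict(Exception):
    """The stored metadata no longer matches requiredCurrentMetadata; re-read and retry."""


class MetadataStore:
    """Minimal stand-in for the repository: one metadata dict per object id."""

    def __init__(self):
        self._objects = {}
        self._lock = threading.Lock()   # the check and the update below must be one atomic step

    def get_metadata(self, obj_id):
        with self._lock:
            return dict(self._objects.get(obj_id, {}))

    def set_metadata(self, obj_id, new_values):
        """SetMetadata style: unconditional, last writer wins."""
        with self._lock:
            self._objects.setdefault(obj_id, {}).update(new_values)

    def set_metadata3(self, obj_id, new_values, required_current):
        """SetMetadata3 style: apply only if every field in required_current still has that value."""
        with self._lock:
            current = self._objects.setdefault(obj_id, {})
            stale = {k: current.get(k) for k, v in required_current.items() if current.get(k) != v}
            if stale:
                raise MetadataConflict(f"{obj_id}: expected {required_current}, stored {stale}")
            current.update(new_values)


def race(conditional):
    """Two clients read FSTATUS=Draft, then both write. Returns (final status, writers that were refused)."""
    store = MetadataStore()
    store.set_metadata("GUID-TOPIC-1", {"FSTATUS": "Draft", "FAUTHOR": "alice"})
    snapshot = store.get_metadata("GUID-TOPIC-1")             # both clients start from this view
    refused = []
    writes = [("reviewer", {"FSTATUS": "In Review"}),
              ("author", {"FSTATUS": "Draft", "FAUTHOR": "bob"})]  # the second write is based on a stale read
    for who, values in writes:
        try:
            if conditional:
                store.set_metadata3("GUID-TOPIC-1", values, {"FSTATUS": snapshot["FSTATUS"]})
            else:
                store.set_metadata("GUID-TOPIC-1", values)
        except MetadataConflict:
            refused.append(who)
    return store.get_metadata("GUID-TOPIC-1")["FSTATUS"], refused


if __name__ == "__main__":
    print("SetMetadata :", race(conditional=False))   # the reviewer's transition is silently lost
    print("SetMetadata3:", race(conditional=True))    # the stale write is refused; the author must re-read
```

The unconditional variant ends with the topic back in Draft and nobody told; the conditional variant keeps the reviewer's transition and hands the stale client an error it can act on. The same mechanism is what makes workflow transitions safe when several integrations write to the same object.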

• Incoming user contextual information is decrypted into a UserContext object, which in turn is always validated for correctness against the database (rights, disabled, roles, …)

• Contextual information comes in through
  – For ASMX Web Services
    • Every class constructor requires an AuthenticationContext, so it only works for 'Trisoft Internal' users
    • Deprecated because of technology
    • Stopped support for 'direct' Windows/LDAP Authentication in favor of an STS solution
  – For SVC Web Services
    • No AuthenticationContext parameter, as it is on the wire as part of the WS-Trust OASIS standard, using OASIS SAML tokens
    • The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsPrincipal object (set as the thread's principal)
    • Supports any Authentication type, because it is an externalized service (STS)

Web Services - API25 – Who are you
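What "who are you" means for the SVC path is two separate decisions: the token is validated and turned into claims (authentication, done by WIF), and then the external identity is mapped to exactly one enabled Trisoft profile that supplies the roles (authorization, done by Trisoft, as on the "Central Auth and Trisoft Authz" slide). The block below is an added example for this page, not SDL or WIF code. It models the checks WIF performs after the XML signature has been verified (trusted issuer, audience, validity window with clock skew, claim extraction) and the profile lookup by FISHEXTERNALID. The issuer and audience URLs, the constructed SAML 1.1 assertion, the in-memory profile table and the choice of UPN as external id are all assumptions; the signature itself is assumed verified upstream and is not checked here.

```python
"""Who are you: from a SAML token to a Trisoft user profile.

Added example, not SDL or WIF code. Models the checks WIF performs once the token signature is
verified (trusted issuer, audience, validity window, claim extraction) and the mapping from the
'Central Auth and Trisoft Authz' slide (external identity -> Trisoft profile via FISHEXTERNALID,
roles taken from the profile, not from the token). Assumptions: the issuer and audience URLs, the
constructed assertion, the PROFILES table and UPN as the external id. The XML signature is assumed
to have been verified upstream and is NOT checked here.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
ADFS_ISSUER = "http://adfs.example.local/adfs/services/trust"     # assumed issuer name
TRUSTED_ISSUERS = {ADFS_ISSUER}
OUR_AUDIENCE = "https://cms.example.local/InfoShareWS/"           # assumed relying-party realm
CLOCK_SKEW = timedelta(minutes=5)
CLAIM_UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
DEMO_NOW = datetime(2013, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed SAML 1.1 assertion in the shape ADFSv2 issues for WS-Federation; <ds:Signature> omitted.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  AssertionID="_c0ffee" Issuer="{issuer}" IssueInstant="{issued}">
  <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
    <saml:AudienceRestrictionCondition><saml:Audience>{aud}</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>{upn}</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>{upn}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
      <saml:AttributeValue>Domain Users</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed Trisoft profiles; bob deliberately has two profiles sharing one external id.
PROFILES = [
    {"id": "VUSER-ALICE", "FISHEXTERNALID": "alice@example.local", "FISHUSERDISABLED": "No",  "roles": ["Author"]},
    {"id": "VUSER-BOB",   "FISHEXTERNALID": "bob@example.local",   "FISHUSERDISABLED": "No",  "roles": ["Reviewer"]},
    {"id": "VUSER-BOB2",  "FISHEXTERNALID": "bob@example.local",   "FISHUSERDISABLED": "No",  "roles": ["Administrator"]},
    {"id": "VUSER-CAROL", "FISHEXTERNALID": "carol@example.local", "FISHUSERDISABLED": "Yes", "roles": ["Author"]},
]


class TokenRejected(Exception):
    """Any failed check: the caller gets no principal at all."""


def build_assertion(now, upn, issuer=ADFS_ISSUER, audience=OUR_AUDIENCE, lifetime=timedelta(hours=1)):
    """Produce a constructed assertion valid from `now` for `lifetime`."""
    return ASSERTION_TEMPLATE.format(issuer=issuer, issued=now.strftime(TIME_FMT), nb=now.strftime(TIME_FMT),
                                     na=(now + lifetime).strftime(TIME_FMT), aud=audience, upn=upn)


def validate_and_extract_claims(assertion_xml, now, trusted_issuers=TRUSTED_ISSUERS, audience=OUR_AUDIENCE):
    """Authentication side (what WIF does): return [(claim_type, value)] or raise TokenRejected."""
    root = ET.fromstring(assertion_xml)
    if root.get("Issuer") not in trusted_issuers:
        raise TokenRejected("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if now + CLOCK_SKEW < not_before or now - CLOCK_SKEW >= not_on_or_after:
        raise TokenRejected("token outside its validity window")
    audiences = {a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)}
    if audience not in audiences:
        raise TokenRejected("token was issued for another relying party")
    claims = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claim_type = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")   # WIF's SAML 1.1 mapping
        claims.extend((claim_type, v.text) for v in attr.findall("saml:AttributeValue", NS))
    return claims


def resolve_profile(claims, profiles=PROFILES):
    """Authorization side (Trisoft): map the external id claim to exactly one enabled profile."""
    upns = [v for t, v in claims if t == CLAIM_UPN]
    if len(upns) != 1:
        raise TokenRejected("expected exactly one UPN claim")
    hits = [p for p in profiles if p["FISHEXTERNALID"].lower() == upns[0].lower()]
    if len(hits) != 1:                         # zero or several hits never grant a login
        raise TokenRejected(f"{len(hits)} profiles match {upns[0]}")
    if hits[0]["FISHUSERDISABLED"] == "Yes":
        raise TokenRejected("profile disabled")
    return hits[0]                             # roles come from here, not from the token's role claim


def who_are_you(assertion_xml, now, profiles=PROFILES):
    """Return 'ok:<profile id>' or 'rejected:<reason>' for a presented token."""
    try:
        return "ok:" + resolve_profile(validate_and_extract_claims(assertion_xml, now), profiles)["id"]
    except TokenRejected as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    for upn in ("alice@example.local", "bob@example.local", "carol@example.local", "mallory@example.local"):
        print(upn, "->", who_are_you(build_assertion(DEMO_NOW, upn), DEMO_NOW))
    print("stale token ->", who_are_you(build_assertion(DEMO_NOW, "alice@example.local"), DEMO_NOW + CLOCK_SKEW * 24))
```

Note the asymmetry: the "role" attribute in the token is carried along as a claim but never consulted for authorization; that is what "STS auth, Trisoft authz" means in practice, and it is also why a duplicate FISHEXTERNALID locks the account out rather than granting the union of both profiles' roles.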

• First of all, we provided all these new classes in ASMX and SVC flavor, for now

• Settings25, allowing access to Set and Get
  – Settings > Default Settings, holding the SDL LiveContent Reach and WorldServer location
  – All Settings Configuration Xmls, like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
    • Note that 'Xml Tags' is gone
    • Introducing versioned schema validation
  – Function GetPossibleTargetStatuses helps in filling the allowed 'next values' for workflow dialogs

Web Services - New in SDL Trisoft 2013 (10.0)

• ListOfValues25, allowing access to manage the allowed/permitted values of a selected List of Values (LOV)
  – Useful for automated integrations/input
  – Note: adding the List of Values itself (e.g. 'ImageType') still requires the setup utilities. This API class allows you to add values (e.g. 'Diagram' and 'Graphic') into 'ImageType'

Web Services - New in SDL Trisoft 2013 (10.0)

• The following API functions allow our new 'TranslationOrganizer' service to work

• TranslationTemplate25
  – Allows management of cached translation templates in Trisoft
  – A 'configuration' identifier tells the Translation Management System which setup to use (e.g. WorldServer workflow, cost code)

• TranslationJob25
  – Allows typical CRUD of the new TranslationJob containers, in which you assign the publications or content objects you want to get translated
  – The TranslationJob object drives the 'TranslationBuilder' and 'TranslationOrganizer' Windows services

Web Services - New in SDL Trisoft 2013 (10.0)

User Provisioning – Available since 2011 R2 (9.2)

• Introducing the following API functions

User Provisioning - Functions

Class        Functions
User25       ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update
UserGroup25  Create, Delete, Find, GetMetaData, RetrieveMetaData, Update
UserRole25   Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

1. Delete or Disable Trisoft User Profiles
   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
      1. If none exists: delete the Trisoft user profile if it is not referenced, otherwise disable the Trisoft user profile
      2. If one or more exist: check whether it is disabled and, if so, disable the Trisoft user profile

2. Create or Update Trisoft User Profiles…
   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
   2. For every user in the external-user-list, find the Trisoft User Profile by FISHEXTERNALID
      1. If multiple hits: throw an exception, as multiple profile hits will never grant a login
      2. If none exists: create the user profile with the required roles and user groups
      3. If one exists: enable, skip or possibly update the user profile. Beware that an update could overwrite explicitly set values

User Provisioning - Algorithm for In/Out
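The two passes above are the de-provisioning and provisioning halves of one sync, and the order matters: leavers are disabled before joiners are created. The following is an added example for this page, not SDL code, implementing that algorithm end to end. The User25 web-service calls (Find, Create, Update, Delete) and the "is this profile referenced" check are replaced by an in-memory `TrisoftUsers` stub, the external directory by a plain list, and both datasets are constructed; the field names FISHUSERTYPE, FISHUSERDISABLED and FISHEXTERNALID come from the slide, while the "required" filter is modelled as membership of an assumed LDAP group and the only directory-owned field is an assumed e-mail attribute.

```python
"""The In/Out user-provisioning algorithm from the slide, as runnable logic.

Added example, not SDL code. The User25 web-service calls and the 'is this profile referenced'
check are replaced by the in-memory TrisoftUsers stub, the external directory by a plain list,
and both datasets are constructed. FISHUSERTYPE, FISHUSERDISABLED and FISHEXTERNALID come from
the slide; REQUIRED_GROUP and the 'email' field are assumptions.
"""

REQUIRED_GROUP = "CMS-Users"   # assumption: the LDAP group that entitles someone to a Trisoft profile


class ProvisioningError(Exception):
    """Raised when the repository is in a state that can never grant a login."""


class TrisoftUsers:
    """Stand-in for User25 (assumption: one dict per profile, keyed by profile id)."""

    def __init__(self, profiles, referenced_ids):
        self.profiles = {p["id"]: dict(p) for p in profiles}
        self.referenced = set(referenced_ids)   # used in workflow/assignments: may be disabled, never deleted
        self.actions = []                        # audit trail of what the sync did

    def find_external_enabled(self):
        return [p for p in self.profiles.values()
                if p["FISHUSERTYPE"] == "External" and p["FISHUSERDISABLED"] == "No"]

    def find_by_external_id(self, external_id):
        return [p for p in self.profiles.values() if p["FISHEXTERNALID"].lower() == external_id.lower()]

    def create(self, external_id, roles, groups, email):
        pid = "VUSER-" + external_id.split("@")[0].upper()
        self.profiles[pid] = {"id": pid, "FISHUSERTYPE": "External", "FISHUSERDISABLED": "No",
                              "FISHEXTERNALID": external_id, "roles": list(roles), "groups": list(groups),
                              "email": email}
        self.actions.append(("create", pid))

    def update(self, pid, fields):
        self.profiles[pid].update(fields)
        self.actions.append(("update", pid))

    def set_disabled(self, pid, disabled):
        self.profiles[pid]["FISHUSERDISABLED"] = "Yes" if disabled else "No"
        self.actions.append(("disable" if disabled else "enable", pid))

    def delete(self, pid):
        del self.profiles[pid]
        self.actions.append(("delete", pid))


def sync_out(trisoft, directory):
    """Step 1: disable or delete profiles whose external account is gone or disabled."""
    by_id = {u["id"].lower(): u for u in directory}
    for p in trisoft.find_external_enabled():         # a fresh list, so deleting while iterating is safe
        ext = by_id.get(p["FISHEXTERNALID"].lower())
        if ext is None:
            if p["id"] in trisoft.referenced:
                trisoft.set_disabled(p["id"], True)
            else:
                trisoft.delete(p["id"])
        elif ext["disabled"]:
            trisoft.set_disabled(p["id"], True)


def sync_in(trisoft, directory, default_roles=("Author",), default_groups=("Default Department",)):
    """Step 2: create or re-enable profiles for every entitled external account."""
    for u in directory:
        if u["disabled"] or REQUIRED_GROUP not in u["groups"]:
            continue
        hits = trisoft.find_by_external_id(u["id"])
        if len(hits) > 1:   # several profiles with one FISHEXTERNALID never grant a login: stop and fix the data
            raise ProvisioningError(f"{u['id']} matches {[h['id'] for h in hits]}")
        if not hits:
            trisoft.create(u["id"], default_roles, default_groups, u["email"])
            continue
        p = hits[0]
        if p["FISHUSERDISABLED"] == "Yes":
            trisoft.set_disabled(p["id"], False)
        if p.get("email") != u["email"]:   # only directory-owned fields; admin-set roles and groups stay untouched
            trisoft.update(p["id"], {"email": u["email"]})


def run_sync(profiles, referenced_ids, directory):
    """Out first, then In, as on the slide; returns the stub for inspection."""
    trisoft = TrisoftUsers(profiles, referenced_ids)
    sync_out(trisoft, directory)
    sync_in(trisoft, directory)
    return trisoft


# Constructed data: what the CMS holds, and what the directory says today.
PROFILES = [
    {"id": "VUSER-ALICE", "FISHUSERTYPE": "External", "FISHUSERDISABLED": "No",  "FISHEXTERNALID": "alice@example.local", "roles": ["Author"],        "groups": [], "email": "alice@old.example"},
    {"id": "VUSER-BOB",   "FISHUSERTYPE": "External", "FISHUSERDISABLED": "No",  "FISHEXTERNALID": "bob@example.local",   "roles": ["Reviewer"],      "groups": [], "email": "bob@example.local"},
    {"id": "VUSER-CAROL", "FISHUSERTYPE": "External", "FISHUSERDISABLED": "No",  "FISHEXTERNALID": "carol@example.local", "roles": ["Author"],        "groups": [], "email": "carol@example.local"},
    {"id": "VUSER-DAVE",  "FISHUSERTYPE": "External", "FISHUSERDISABLED": "No",  "FISHEXTERNALID": "dave@example.local",  "roles": ["Author"],        "groups": [], "email": "dave@example.local"},
    {"id": "VUSER-ERIN",  "FISHUSERTYPE": "External", "FISHUSERDISABLED": "Yes", "FISHEXTERNALID": "erin@example.local",  "roles": ["Administrator"], "groups": [], "email": "erin@example.local"},
    {"id": "VUSER-ADMIN", "FISHUSERTYPE": "Internal", "FISHUSERDISABLED": "No",  "FISHEXTERNALID": "",                    "roles": ["Administrator"], "groups": [], "email": ""},
]
REFERENCED = {"VUSER-BOB"}   # bob left, but is still the assignee of open workflow tasks
DIRECTORY = [
    {"id": "alice@example.local", "disabled": False, "groups": ["CMS-Users"], "email": "alice@example.local"},
    {"id": "dave@example.local",  "disabled": True,  "groups": ["CMS-Users"], "email": "dave@example.local"},
    {"id": "erin@example.local",  "disabled": False, "groups": ["CMS-Users"], "email": "erin@example.local"},
    {"id": "frank@example.local", "disabled": False, "groups": ["CMS-Users"], "email": "frank@example.local"},
    {"id": "grace@example.local", "disabled": False, "groups": ["Sales"],     "email": "grace@example.local"},
]

if __name__ == "__main__":
    for action in run_sync(PROFILES, REFERENCED, DIRECTORY).actions:
        print(*action)
```

Running it gives: bob disabled (referenced, so not deleted), carol deleted, dave disabled because the directory disabled him, alice's e-mail refreshed, erin re-enabled with her Administrator role left as it was, frank created with the default role, grace skipped because she is not in the required group, and the internal admin account untouched. Feed it two profiles with the same FISHEXTERNALID and the In pass stops with a ProvisioningError instead of guessing.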

• Multi Browser support
  – IE8 and IE9
  – FF-latest
  – Chrome-latest

• Third Party Software
  – AntennaHouse XSL Formatter 6.0
  – SQL Server 2008 SP3
  – SQL Server 2008 R2 SP2

What we also did

• AuthoringBridge SDK
  – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list: XM 5.5/6.0, AE 5.3/5.4, FM 9/10)

What we also did

[Diagram: SDL Trisoft Authoring Bridge. Recovered labels: Database on the server or a remote machine; Application Server running SDL Trisoft Foundation, accessed through Web Services; Client with Arbortext Editor, XMetaL and FrameMaker, each through its connector (Arbortext Editor Connector, XMetaL Connector, FrameMaker Connector), plus a 3rd Party Application through a 3rd Party Connector.]

• Batch Metadata/Workflow operations in the client tools
  – Simply automation of manual actions

• Client Tools Preview component changed from the outdated IE7-based engine to the GeckoFX engine (the renderer of Firefox)

What we also did

Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified and may not be copied, used or distributed except as authorised by SDL.

  • SDL Trisoft Tech Deck: Technology, Web Services and Q&A
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims – Demo
  • Claims - Brands & Backward Compatibility
  • Claims – Trisoft InstallTool Parameters
  • STS - STS Auth & Trisoft Authz
  • Claims – Account Creation
  • Claims – Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services – ASMX and SVC
  • Web Services - API25 – Some ground rules
  • Web Services - API25 – Who are you
  • Web Services - New in SDL Trisoft 2013 (10.0)
  • Web Services - New in SDL Trisoft 2013 (10.0)
  • Web Services - New in SDL Trisoft 2013 (10.0)
  • User Provisioning – Available since 2011 R2 (9.2)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for In/Out
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

bull Delivery of InfoShareSTS out of the box for non-integrated Trisoft installations

bull New Parameters in the inputparametersxml file required for installation ndash Infosharestswebappname ndash servicecertificatesubjectname ndash basehostname ndash servicecertificatevalidationmode ndash issuercertificatethumbprint ndash issuercertificatevalidationmode ndash issueractorusername ndash issueractorpassword ndash issuerwstrustendpointurl ndash issuerwsfederationendpointurl ndash serviceusername ndash servicepassword

Claims ndash Trisoft InstallTool Parameters

15

http(s) SOAP

http(s) SOAP

http(s) SOAP

http(s)

Web App InfoShareWS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

Web App InfoShareAuthor Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

STS - STS Auth amp Trisoft Authz

Host oracleexe -or- sqlservrexe Identity NA

Host iexploreexe Identity DOMAINuser

Host PublicationManagerexe -or- xmetalexe Identity DOMAINuser

Trisoft Foundation

Trisoft API25 API20 API10

Tris

oft

Clie

nt T

ools

Tris

oft

Info

Sha

reW

eb

Tris

oft

Xop

us

Bro

wse

r

Mic

roso

ft I

IS

Host AD

Identity NA

Mic

roso

ft I

IS

Trisoft Foundation

Trisoft API25 for PubOutput Streaming

Web App InfoShareSTS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

Trisoft API25

Mic

roso

ft I

IS

Browser

ADFSv2

bull Reduced Client Tools account creation complexity by a configuration file living in the lsquoInfoSharWSrsquo virtual directory ndash eg httpsInfoShareWSconnectionconfigurationxml

bull Only thing to provide is the web services location

Claims ndash Account Creation

17

Claims ndash Database Upgrade Tool - Screenshot

18

bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

ndash Authorization user roles and access to user groups

ndash Application Data User language Favorites e-mail user name id

bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

ndash Referencing in workflow and assignments

ndash Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

19

bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

Web Services ndash ASMX and SVC

20

bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

bull First checks the input if unexpectedwrong it will throw immediately

bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

Web Services - API25 ndash Some ground rules

Function name Description

SetMetadata Current function

SetMetadata2 New function to support multiple write access

SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

bull Contextual information comes in through ndash For ASMX Web Services

bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

bull Deprecated because of technology

bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

OASIS standard using OASIS SAML tokens

bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

bull Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 ndash Who are you

bull First of all we provided all these new classes in ASMX and SVC flavor for now

bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

bull holding the SDL LiveContent Reach and WorldServer location

ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

bull Introducing versioned schema validation

ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

Web Services - New in SDL Trisoft 2013 (100)

bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

Web Services - New in SDL Trisoft 2013 (100)

bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

assign publications or content objects you would want to get translated

ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

Web Services - New in SDL Trisoft 2013 (100)

User Provisioning ndash Available since 2011 R2 (92)

bull Introducing the following API functions

User Provisioning - Functions

User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for InOut

bull Multi Browser support ndash IE8 and IE9

ndash FF-latest

ndash Chrome-latest

bull Third Party Software ndash AntennaHouse XSL Formater 60

ndash SQLServer 2008 SP3

ndash SQLServer 2008R2 SP2

What we also did

bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

What we also did

SDL Trisoft Authoring Bridge

Database

Server or Remote Machine

Application Server

Client

Access through Web Services

SDL Trisoft Foundation

Arbortext Editor XMetaL FrameMaker

FrameMaker Connector

Arbortext Editor Connector XMetal Connector

3rd Party Application

3rd Party Connector

bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

  • SDL Trisoft Tech DeckTechnology Web Services and QampA
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims ndash Demo
  • Claims - Brands amp Backward Compatibility
  • Claims ndash Trisoft InstallTool Parameters
  • STS - STS Auth amp Trisoft Authz
  • Claims ndash Account Creation
  • Claims ndash Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services ndash ASMX and SVC
  • Web Services - API25 ndash Some ground rules
  • Web Services - API25 ndash Who are you
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • User Provisioning ndash Available since 2011 R2 (92)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for InOut
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

http(s) SOAP

http(s) SOAP

http(s) SOAP

http(s)

Web App InfoShareWS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

Web App InfoShareAuthor Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

STS - STS Auth amp Trisoft Authz

Host oracleexe -or- sqlservrexe Identity NA

Host iexploreexe Identity DOMAINuser

Host PublicationManagerexe -or- xmetalexe Identity DOMAINuser

Trisoft Foundation

Trisoft API25 API20 API10

Tris

oft

Clie

nt T

ools

Tris

oft

Info

Sha

reW

eb

Tris

oft

Xop

us

Bro

wse

r

Mic

roso

ft I

IS

Host AD

Identity NA

Mic

roso

ft I

IS

Trisoft Foundation

Trisoft API25 for PubOutput Streaming

Web App InfoShareSTS Host IIS AppPool (dllhostexe) Identity DOMAINInfoShareSvc

Trisoft API25

Mic

roso

ft I

IS

Browser

ADFSv2

bull Reduced Client Tools account creation complexity by a configuration file living in the lsquoInfoSharWSrsquo virtual directory ndash eg httpsInfoShareWSconnectionconfigurationxml

bull Only thing to provide is the web services location

Claims ndash Account Creation

17

Claims ndash Database Upgrade Tool - Screenshot

18

bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

ndash Authorization user roles and access to user groups

ndash Application Data User language Favorites e-mail user name id

bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

ndash Referencing in workflow and assignments

ndash Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

19

bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

Web Services ndash ASMX and SVC

20

bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

bull First checks the input if unexpectedwrong it will throw immediately

bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

Web Services - API25 ndash Some ground rules

Function name Description

SetMetadata Current function

SetMetadata2 New function to support multiple write access

SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

bull Contextual information comes in through ndash For ASMX Web Services

bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

bull Deprecated because of technology

bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

OASIS standard using OASIS SAML tokens

bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

bull Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 ndash Who are you

bull First of all we provided all these new classes in ASMX and SVC flavor for now

bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

bull holding the SDL LiveContent Reach and WorldServer location

ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

bull Introducing versioned schema validation

ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

Web Services - New in SDL Trisoft 2013 (100)

bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

Web Services - New in SDL Trisoft 2013 (100)

bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

assign publications or content objects you would want to get translated

ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

Web Services - New in SDL Trisoft 2013 (10.0)

User Provisioning – Available since 2011 R2 (9.2)

• Introducing the following API functions

User Provisioning - Functions

User25: ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update

UserGroup25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

UserRole25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

1. Delete or Disable Trisoft User Profiles
   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
      1. If none exists, delete the Trisoft user profile if it is not referenced; otherwise disable the Trisoft user profile
      2. If one or more exist, check whether it is disabled and possibly disable the Trisoft user profile
2. Create or Update Trisoft User Profiles…
   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role…)
   2. For every user in the external-user-list, find the Trisoft User Profile by FISHEXTERNALID
      1. If there are multiple hits, throw an exception, as multiple profile hits will never grant a login
      2. If none exists, create the user profile with the required roles and user groups
      3. If one exists, enable, skip or possibly update the user profile. Beware that an update could overwrite explicitly set values

User Provisioning - Algorithm for In/Out
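The In/Out algorithm above as an added Python example (not SDL's code): it runs both steps over constructed in-memory data using the field names from the slide. The TrisoftUser/ExternalUser records, the `referenced` flag and the opt-in `update_existing` switch are assumptions standing in for the User25 calls.

```python
from dataclasses import dataclass, field


class MultipleProfileHits(Exception):
    """Several Trisoft profiles share one FISHEXTERNALID; such a user is never granted a login."""


@dataclass
class TrisoftUser:
    name: str
    external_id: str                 # FISHEXTERNALID
    user_type: str = "External"      # FISHUSERTYPE: "External" or "Internal"
    disabled: bool = False           # FISHUSERDISABLED
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    referenced: bool = False         # still referenced by workflow or assignments (assumed flag)


@dataclass
class ExternalUser:
    external_id: str
    name: str
    disabled: bool = False
    required_roles: set = field(default_factory=set)
    required_groups: set = field(default_factory=set)


def find_by_external_id(profiles, external_id):
    return [p for p in profiles if p.external_id == external_id]


def delete_or_disable(profiles, external):
    """Step 1: reconcile enabled External profiles with the directory export (keyed by external id)."""
    actions = []
    for p in [p for p in profiles if p.user_type == "External" and not p.disabled]:
        ext = external.get(p.external_id)
        if ext is None:
            if p.referenced:             # keep workflow/assignment history intact
                p.disabled = True
                actions.append(("disable", p.name))
            else:
                profiles.remove(p)
                actions.append(("delete", p.name))
        elif ext.disabled:
            p.disabled = True
            actions.append(("disable", p.name))
    return actions


def create_or_update(profiles, external, update_existing=False):
    """Step 2: every enabled directory user ends up with exactly one matching Trisoft profile."""
    actions = []
    for ext in external.values():
        if ext.disabled:                 # already handled (disabled) in step 1
            continue
        hits = find_by_external_id(profiles, ext.external_id)
        if len(hits) > 1:
            raise MultipleProfileHits(ext.external_id)
        if not hits:
            profiles.append(TrisoftUser(ext.name, ext.external_id, roles=set(ext.required_roles),
                                        groups=set(ext.required_groups)))
            actions.append(("create", ext.name))
            continue
        p = hits[0]
        if p.disabled:
            p.disabled = False
            actions.append(("enable", p.name))
        elif update_existing:
            # Opt-in only: this overwrites roles/groups an administrator set by hand.
            p.roles, p.groups = set(ext.required_roles), set(ext.required_groups)
            actions.append(("update", p.name))
        else:
            actions.append(("skip", p.name))
    return actions


def sync(profiles, external, update_existing=False):
    """Run both steps in the slide's order and return the action log."""
    return (delete_or_disable(profiles, external)
            + create_or_update(profiles, external, update_existing))


def demo():
    """Constructed sample data covering each branch of the algorithm."""
    profiles = [
        TrisoftUser("alice", "ext-alice"),                   # still in the directory: skip
        TrisoftUser("bob", "ext-bob", disabled=True),        # back in the directory: enable
        TrisoftUser("carol", "ext-carol", referenced=True),  # gone, but referenced: disable
        TrisoftUser("dave", "ext-dave"),                     # gone, unreferenced: delete
        TrisoftUser("erin", "ext-erin"),                     # disabled upstream: disable
        TrisoftUser("admin", "", user_type="Internal"),      # Trisoft-internal: untouched
    ]
    external = {
        "ext-alice": ExternalUser("ext-alice", "alice"),
        "ext-bob": ExternalUser("ext-bob", "bob"),
        "ext-erin": ExternalUser("ext-erin", "erin", disabled=True),
        "ext-frank": ExternalUser("ext-frank", "frank", required_roles={"Author"}),
    }
    return sync(profiles, external), profiles
```

Running `demo()` in dry-run style first (logging the action list without applying it) is the cheapest way to catch the overwrite case the slide warns about before enabling `update_existing`.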

• Multi-browser support
  – IE8 and IE9
  – FF-latest
  – Chrome-latest
• Third Party Software
  – Antenna House XSL Formatter 6.0
  – SQL Server 2008 SP3
  – SQL Server 2008 R2 SP2

What we also did

• AuthoringBridge SDK
  – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of XML editors (current list: XM 5.5/6.0, AE 5.3/5.4, FM 9/10)

What we also did

[Diagram: SDL Trisoft Authoring Bridge. Database on the server or a remote machine; Application Server running SDL Trisoft Foundation, accessed through Web Services; Client side with Arbortext Editor, XMetaL and FrameMaker via the Arbortext Editor Connector, XMetaL Connector and FrameMaker Connector, and a 3rd Party Application via a 3rd Party Connector.]

• Batch Metadata/Workflow operations in the client tools
  – Simply automation of manual actions
• Client Tools Preview component changed from the outdated IE7-based engine to the GeckoFX engine (the Firefox renderer)

What we also did

Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified, and may not be copied, used or distributed except as authorised by SDL.

  • SDL Trisoft Tech DeckTechnology Web Services and QampA
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims ndash Demo
  • Claims - Brands amp Backward Compatibility
  • Claims ndash Trisoft InstallTool Parameters
  • STS - STS Auth amp Trisoft Authz
  • Claims ndash Account Creation
  • Claims ndash Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services ndash ASMX and SVC
  • Web Services - API25 ndash Some ground rules
  • Web Services - API25 ndash Who are you
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • User Provisioning ndash Available since 2011 R2 (92)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for InOut
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

bull Reduced Client Tools account creation complexity by a configuration file living in the lsquoInfoSharWSrsquo virtual directory ndash eg httpsInfoShareWSconnectionconfigurationxml

bull Only thing to provide is the web services location

Claims ndash Account Creation

17

Claims ndash Database Upgrade Tool - Screenshot

18

bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

ndash Authorization user roles and access to user groups

ndash Application Data User language Favorites e-mail user name id

bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

ndash Referencing in workflow and assignments

ndash Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

19

bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

Web Services ndash ASMX and SVC

20

bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

bull First checks the input if unexpectedwrong it will throw immediately

bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

Web Services - API25 ndash Some ground rules

Function name Description

SetMetadata Current function

SetMetadata2 New function to support multiple write access

SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

bull Contextual information comes in through ndash For ASMX Web Services

bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

bull Deprecated because of technology

bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

OASIS standard using OASIS SAML tokens

bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

bull Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 ndash Who are you

bull First of all we provided all these new classes in ASMX and SVC flavor for now

bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

bull holding the SDL LiveContent Reach and WorldServer location

ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

bull Introducing versioned schema validation

ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

Web Services - New in SDL Trisoft 2013 (100)

bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

Web Services - New in SDL Trisoft 2013 (100)

bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

assign publications or content objects you would want to get translated

ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

Web Services - New in SDL Trisoft 2013 (100)

User Provisioning ndash Available since 2011 R2 (92)

bull Introducing the following API functions

User Provisioning - Functions

User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for InOut

bull Multi Browser support ndash IE8 and IE9

ndash FF-latest

ndash Chrome-latest

bull Third Party Software ndash AntennaHouse XSL Formater 60

ndash SQLServer 2008 SP3

ndash SQLServer 2008R2 SP2

What we also did

bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

What we also did

SDL Trisoft Authoring Bridge

Database

Server or Remote Machine

Application Server

Client

Access through Web Services

SDL Trisoft Foundation

Arbortext Editor XMetaL FrameMaker

FrameMaker Connector

Arbortext Editor Connector XMetal Connector

3rd Party Application

3rd Party Connector

bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

  • SDL Trisoft Tech DeckTechnology Web Services and QampA
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims ndash Demo
  • Claims - Brands amp Backward Compatibility
  • Claims ndash Trisoft InstallTool Parameters
  • STS - STS Auth amp Trisoft Authz
  • Claims ndash Account Creation
  • Claims ndash Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services ndash ASMX and SVC
  • Web Services - API25 ndash Some ground rules
  • Web Services - API25 ndash Who are you
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • User Provisioning ndash Available since 2011 R2 (92)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for InOut
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

Claims ndash Database Upgrade Tool - Screenshot

18

bull When activating external authentication you have to have at least one correctly configured FISHEXTERNALID field DBUT solves this problem

bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

ndash Authorization user roles and access to user groups

ndash Application Data User language Favorites e-mail user name id

bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

ndash Referencing in workflow and assignments

ndash Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

19

bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

Web Services ndash ASMX and SVC

20

bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

bull First checks the input if unexpectedwrong it will throw immediately

bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

Web Services - API25 ndash Some ground rules

Function name Description

SetMetadata Current function

SetMetadata2 New function to support multiple write access

SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

bull Contextual information comes in through ndash For ASMX Web Services

bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

bull Deprecated because of technology

bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

OASIS standard using OASIS SAML tokens

bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

bull Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 ndash Who are you

bull First of all we provided all these new classes in ASMX and SVC flavor for now

bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

bull holding the SDL LiveContent Reach and WorldServer location

ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

bull Introducing versioned schema validation

ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

Web Services - New in SDL Trisoft 2013 (100)

bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

Web Services - New in SDL Trisoft 2013 (100)

bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

assign publications or content objects you would want to get translated

ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

Web Services - New in SDL Trisoft 2013 (100)

User Provisioning ndash Available since 2011 R2 (92)

bull Introducing the following API functions

User Provisioning - Functions

User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for InOut

bull Multi Browser support ndash IE8 and IE9

ndash FF-latest

ndash Chrome-latest

bull Third Party Software ndash AntennaHouse XSL Formater 60

ndash SQLServer 2008 SP3

ndash SQLServer 2008R2 SP2

What we also did

bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

What we also did

SDL Trisoft Authoring Bridge

Database

Server or Remote Machine

Application Server

Client

Access through Web Services

SDL Trisoft Foundation

Arbortext Editor XMetaL FrameMaker

FrameMaker Connector

Arbortext Editor Connector XMetal Connector

3rd Party Application

3rd Party Connector

bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

  • SDL Trisoft Tech DeckTechnology Web Services and QampA
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims ndash Demo
  • Claims - Brands amp Backward Compatibility
  • Claims ndash Trisoft InstallTool Parameters
  • STS - STS Auth amp Trisoft Authz
  • Claims ndash Account Creation
  • Claims ndash Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services ndash ASMX and SVC
  • Web Services - API25 ndash Some ground rules
  • Web Services - API25 ndash Who are you
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • User Provisioning ndash Available since 2011 R2 (92)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for InOut
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

bull A Trisoft User has 3 kinds of metadata ndash Authentication user name and password

ndash Authorization user roles and access to user groups

ndash Application Data User language Favorites e-mail user name id

bull In Trisoft 2013 (100) authentication happens through a central3rd party Secure Token Service (STS) system

bull Once authenticated as an external user Trisoft will map it to a Trisoft user profile for authorization and application data

bull The Trisoft User Profile is required for ndash Granting it user roles and access to user groups

ndash Referencing in workflow and assignments

ndash Populating user lists based on Trisoft user roles

Central Auth and Trisoft Authz

19

bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

Web Services ndash ASMX and SVC

20

bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

bull First checks the input if unexpectedwrong it will throw immediately

bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

Web Services - API25 ndash Some ground rules

Function name Description

SetMetadata Current function

SetMetadata2 New function to support multiple write access

SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

bull Contextual information comes in through ndash For ASMX Web Services

bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

bull Deprecated because of technology

bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

OASIS standard using OASIS SAML tokens

bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

bull Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 ndash Who are you

bull First of all we provided all these new classes in ASMX and SVC flavor for now

bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

bull holding the SDL LiveContent Reach and WorldServer location

ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

bull Introducing versioned schema validation

ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

Web Services - New in SDL Trisoft 2013 (100)

bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

Web Services - New in SDL Trisoft 2013 (100)

bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

assign publications or content objects you would want to get translated

ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

Web Services - New in SDL Trisoft 2013 (100)

User Provisioning ndash Available since 2011 R2 (92)

bull Introducing the following API functions

User Provisioning - Functions

User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for InOut

bull Multi Browser support ndash IE8 and IE9

ndash FF-latest

ndash Chrome-latest

bull Third Party Software ndash AntennaHouse XSL Formater 60

ndash SQLServer 2008 SP3

ndash SQLServer 2008R2 SP2

What we also did

bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

What we also did

SDL Trisoft Authoring Bridge

Database

Server or Remote Machine

Application Server

Client

Access through Web Services

SDL Trisoft Foundation

Arbortext Editor XMetaL FrameMaker

FrameMaker Connector

Arbortext Editor Connector XMetal Connector

3rd Party Application

3rd Party Connector

bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

  • SDL Trisoft Tech DeckTechnology Web Services and QampA
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims ndash Demo
  • Claims - Brands amp Backward Compatibility
  • Claims ndash Trisoft InstallTool Parameters
  • STS - STS Auth amp Trisoft Authz
  • Claims ndash Account Creation
  • Claims ndash Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services ndash ASMX and SVC
  • Web Services - API25 ndash Some ground rules
  • Web Services - API25 ndash Who are you
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • User Provisioning ndash Available since 2011 R2 (92)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for InOut
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

bull ASMX based web services like httpInfoShareWSApplicationASMX ndash Since 2003

ndash First parameter in every function is always lsquoAuthenticationContextrsquo so the Trisoft way of authentication

bull Introducing Windows Communication Foundation (WCF) services like httpInfoShareWSWCFAPI25ApplicationSVC ndash Support for claims-based authentication

ndash Replaces ASMX Web Services so marking them as deprecated bull Deprecated here means supported as long as the cost of maintenance is reasonable

bull Goal is to step away from Trisoft Authentication (Trisoft UsernamePassword combinations)

Web Services ndash ASMX and SVC

20

• All API calls labelled '25' are 100% .NET full stack; they are visible in web services like DocumentObj25, OutputFormat25
  – API25 means a certain set of behavior
  – Technology-wise, the mapping of ASMX, SVC, .NET and COM+ interfaces is one-on-one, apart from technical limitations (e.g. function overloading, parameter types)

• Exceptions
  – Internally uses the TrisoftException or per-assembly derived variations
  – Throws InfoShareExceptions, wrapped in the 'InfoShareWS' layer into a SoapException

• The input is checked first; if it is unexpected or wrong, the call throws immediately

• Results are never sorted unless explicitly indicated through a sequence field. The client should always sort.

Web Services - API25 – Some ground rules

Function name   Description
SetMetadata     Current function
SetMetadata2    New function to support multiple write access
SetMetadata3    New function to support multiple write access and an extra parameter "requiredCurrentMetadata" to force the current metadata to match an expected value
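The "requiredCurrentMetadata" parameter of SetMetadata3 is a compare-and-set guard: a writer states the metadata it based its decision on, and the call is refused if another writer changed it in the meantime, which is what "multiple write access" needs to avoid lost updates. The Python below is an added illustration, not SDL code and not the API25 signature; the in-memory MetadataStore, the field names "status" and "owner" and the MetadataConflict exception are constructed for this example.

```python
"""Added example (not SDL code): compare-and-set metadata updates in the style of
SetMetadata3's requiredCurrentMetadata. Store, field names and the exception are
constructed for illustration."""
import threading


class MetadataConflict(Exception):
    """Raised when the object's current metadata no longer matches what the caller saw."""


class MetadataStore:
    """Minimal in-memory object store; a real repository would do this in a DB transaction."""

    def __init__(self):
        self._objects = {}
        self._lock = threading.Lock()

    def get_metadata(self, object_id):
        with self._lock:
            return dict(self._objects.get(object_id, {}))

    def set_metadata(self, object_id, metadata):
        """Unconditional write, as in SetMetadata: the last writer silently wins."""
        with self._lock:
            self._objects.setdefault(object_id, {}).update(metadata)

    def set_metadata3(self, object_id, metadata, required_current_metadata):
        """Conditional write: apply only if every field named in required_current_metadata
        still holds the value the caller expects. Check and write happen under one lock,
        so no other writer can slip in between them."""
        with self._lock:
            current = self._objects.setdefault(object_id, {})
            stale = {k: current.get(k) for k, v in required_current_metadata.items()
                     if current.get(k) != v}
            if stale:
                raise MetadataConflict(
                    f"{object_id}: expected {required_current_metadata}, found {stale}")
            current.update(metadata)


def demo_lost_update():
    """Two clients read the same object and both write unconditionally. Returns the final status."""
    store = MetadataStore()
    store.set_metadata("GUID-A", {"status": "Draft", "owner": "alice"})  # constructed object
    client_a = store.get_metadata("GUID-A")
    client_b = store.get_metadata("GUID-A")
    assert client_a["status"] == client_b["status"] == "Draft"  # both decide based on 'Draft'
    store.set_metadata("GUID-A", {"status": "Review"})    # client A moves it forward
    store.set_metadata("GUID-A", {"status": "Released"})  # client B, unaware of A, overwrites it
    return store.get_metadata("GUID-A")["status"]          # A's transition is lost


def demo_guarded_update():
    """Same race, but each client states the status its decision was based on."""
    store = MetadataStore()
    store.set_metadata("GUID-A", {"status": "Draft", "owner": "alice"})
    client_a = store.get_metadata("GUID-A")
    client_b = store.get_metadata("GUID-A")
    store.set_metadata3("GUID-A", {"status": "Review"}, {"status": client_a["status"]})
    try:
        store.set_metadata3("GUID-A", {"status": "Released"}, {"status": client_b["status"]})
        return ("applied", store.get_metadata("GUID-A")["status"])
    except MetadataConflict:
        # Client B has to re-read and decide again instead of clobbering A's transition.
        return ("conflict", store.get_metadata("GUID-A")["status"])


if __name__ == "__main__":
    print(demo_lost_update(), demo_guarded_update())
```

The guarded variant is the one to use from automated integrations that run next to interactive users: a conflict is cheap to retry, while a silently lost status transition is only discovered much later.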

• Incoming user contextual information is decrypted into a UserContext object, which in turn is always validated for correctness against the database (rights, disabled flag, roles, ...)

• Contextual information comes in through
  – For ASMX Web Services
    • Every class constructor requires an AuthenticationContext, so this only works for 'Trisoft Internal' users
    • Deprecated because of the technology
    • Stopped support for 'direct' Windows/LDAP authentication in favor of an STS solution
  – For SVC Web Services
    • No AuthenticationContext parameter, as the identity travels on the wire as part of the WS-Trust OASIS standard, using OASIS SAML tokens
    • The claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsPrincipal object on the current thread
    • Supports any authentication type, because authentication is an externalized service (STS)

Web Services - API25 – Who are you
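The slide's security point is the split of responsibilities: the STS answers "who are you", and the repository still decides "what may you do" by validating the resulting context against its own database. The Python below is an added illustration, not SDL or WIF code. It assumes the identity library has already verified the SAML signature and hands over the claims as (type, value) pairs, then applies the checks the slide lists (trusted issuer, validity window, exactly one matching profile, not disabled) and takes roles from the repository rather than from the token. The issuer URL, the Token type, the profile table and the fixed clock are constructed; the two claim-type URIs are the standard WS-Identity ones that .NET exposes as ClaimTypes.Name and ClaimTypes.Role.

```python
"""Added example, not SDL or WIF code: database-side validation of a claims token.
Assumes the identity library already verified the token signature and supplies the
claims as (claim_type, value) pairs. Issuer URL, profile table and clock are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TRUSTED_ISSUER = "https://sts.example.test/trust"  # assumed: the single STS this service trusts
# Standard WS-Identity claim-type URIs (ClaimTypes.Name and ClaimTypes.Role in .NET/WIF).
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


class AccessDenied(Exception):
    """Any failed check ends the request; the caller only learns that access was denied."""


@dataclass(frozen=True)
class TrisoftProfile:
    external_id: str     # the slide's FISHEXTERNALID
    disabled: bool       # the slide's FISHUSERDISABLED
    roles: frozenset     # roles as stored in the repository


# Constructed stand-in for the user table, keyed by external id.
PROFILES = {
    "alice@example.test": TrisoftProfile("alice@example.test", False, frozenset({"Author"})),
    "mallory@example.test": TrisoftProfile("mallory@example.test", True, frozenset({"Administrator"})),
}


@dataclass(frozen=True)
class Token:
    issuer: str
    not_on_or_after: datetime
    claims: tuple  # ((claim_type, value), ...) as handed over after signature verification


def build_user_context(token, now, profiles=PROFILES):
    """Turn verified claims into a UserContext-like dict, or refuse."""
    if token.issuer != TRUSTED_ISSUER:
        raise AccessDenied("issuer not trusted")
    if now >= token.not_on_or_after:
        raise AccessDenied("token expired")
    names = [value for claim_type, value in token.claims if claim_type == NAME_CLAIM]
    if len(names) != 1:
        raise AccessDenied("exactly one name claim expected")
    profile = profiles.get(names[0])
    if profile is None:
        raise AccessDenied("no Trisoft profile for external id")
    if profile.disabled:
        raise AccessDenied("profile disabled")
    # Authorization data comes from the repository: role claims in the token are ignored,
    # so roles minted by the STS cannot grant rights the repository never assigned.
    return {"external_id": profile.external_id, "roles": set(profile.roles)}


def is_in_role(user_context, role):
    return role in user_context["roles"]


NOW = datetime(2013, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed clock for the demo


def token_for(name, issuer=TRUSTED_ISSUER, minutes_valid=10, extra_claims=()):
    return Token(issuer, NOW + timedelta(minutes=minutes_valid),
                 ((NAME_CLAIM, name),) + tuple(extra_claims))


def demo():
    """Run four constructed tokens through the checks; returns label -> outcome."""
    cases = {
        "alice_admin_claim": token_for("alice@example.test",
                                       extra_claims=((ROLE_CLAIM, "Administrator"),)),
        "mallory_disabled": token_for("mallory@example.test"),
        "foreign_issuer": token_for("alice@example.test", issuer="https://rogue.example.test/"),
        "expired": token_for("alice@example.test", minutes_valid=-1),
    }
    outcomes = {}
    for label, token in cases.items():
        try:
            ctx = build_user_context(token, NOW)
            outcomes[label] = ("admin" if is_in_role(ctx, "Administrator")
                               else "ok:" + ",".join(sorted(ctx["roles"])))
        except AccessDenied as exc:
            outcomes[label] = "denied: " + str(exc)
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:20} {outcome}")
```

Note the first case: alice's token carries an "Administrator" role claim, but her context only holds the "Author" role the repository knows about. That is the practical meaning of "always validated for correctness in the database".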

• First of all, we provided all these new classes in ASMX and SVC flavor for now

• Settings25, allowing access to Set and Get
  – Settings > Default Settings
    • holding the SDL LiveContent Reach and WorldServer locations
  – All Settings Configuration Xmls, like OnDocStore, Status Definitions, Initial Statuses, Status Transitions, Inbox Definitions
    • Note that 'Xml Tags' is gone
    • Introducing versioned schema validation
  – Function GetPossibleTargetStatuses helps in filling the allowed 'next values' for workflow dialogs

Web Services - New in SDL Trisoft 2013 (10.0)

• ListOfValues25, allowing access to manage the allowed/permitted values of a selected List of Values (LOV)
  – Useful for automated integrations/input
  – Note: adding the List of Values itself (e.g. 'ImageType') still requires the setup utilities. This API class allows you to add values (e.g. 'Diagram' and 'Graphic' into 'ImageType')

Web Services - New in SDL Trisoft 2013 (10.0)

• The following API functions allow our new 'TranslationOrganizer' service to work

• TranslationTemplate25
  – Allows management of the cached translation templates in Trisoft
  – A 'configuration' identifier tells the Translation Management System which setup to use (e.g. WorldServer workflow, cost code)

• TranslationJob25
  – Allows typical CRUD of the new TranslationJob containers, where you assign the publications or content objects you want translated
  – The TranslationJob object drives the 'TranslationBuilder' and 'TranslationOrganizer' Windows services

Web Services - New in SDL Trisoft 2013 (10.0)

User Provisioning – Available since 2011 R2 (9.2)

• Introducing the following API functions

User Provisioning - Functions

User25       ChangePassword, Create, Delete, Find, GetMetaData(ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData(ByIshUserRefs), Update
UserGroup25  Create, Delete, Find, GetMetaData, RetrieveMetaData, Update
UserRole25   Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

1. Delete or Disable Trisoft User Profiles
   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
      1. If none exists: delete the Trisoft user profile if it is not referenced, otherwise disable the Trisoft user profile
      2. If one or more exist: check whether it is disabled and, if so, disable the Trisoft user profile

2. Create or Update Trisoft User Profiles...
   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role...)
   2. For every user in the external-user-list, find the Trisoft user profile by FISHEXTERNALID
      1. If there are multiple hits: throw an exception, as multiple profile hits will never grant a login
      2. If none exists: create the user profile with the required roles and user groups
      3. If exactly one exists: enable, skip or possibly update the user profile. Beware that an update could overwrite explicitly set values

User Provisioning - Algorithm for In/Out
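The In/Out algorithm above, as an added Python illustration (not the SDL provisioning code): two in-memory structures stand in for the User25 API and the external directory, and one pass of reconcile() performs both halves of the algorithm. FISHUSERTYPE, FISHUSERDISABLED and FISHEXTERNALID are the slide's field names; the 'referenced' flag (object history points at the user), the 'required' flag standing in for the LDAP-role filter of step 2.1, the default roles and the sample users are constructed. It raises on duplicate FISHEXTERNALID hits, as step 2.2.1 demands, and shows what the "update could overwrite explicitly set values" warning means in practice.

```python
"""Added example, not SDL code: the In/Out provisioning algorithm as a reconciliation over
two in-memory directories. FISHUSERTYPE, FISHUSERDISABLED and FISHEXTERNALID are the slide's
field names; 'referenced', 'required', the default roles and the sample users are constructed."""


class MultipleProfileHits(Exception):
    """More than one Trisoft profile carries the same FISHEXTERNALID. Such a user can never
    log in, so provisioning stops instead of guessing which profile is the right one."""


def reconcile(trisoft_profiles, external_users, default_roles=("Author",), update=False):
    """Mutates trisoft_profiles in place; returns the list of (action, external_id) taken.

    trisoft_profiles: list of dicts with FISHUSERTYPE, FISHUSERDISABLED ('Yes'/'No'),
                      FISHEXTERNALID, 'referenced' and 'roles'.
    external_users:   dict external_id -> {'disabled': bool, 'required': bool}.
    """
    actions = []

    # Step 1: delete or disable profiles whose external counterpart is gone or disabled.
    for profile in list(trisoft_profiles):  # iterate over a copy because we may delete
        if profile["FISHUSERTYPE"] != "External" or profile["FISHUSERDISABLED"] != "No":
            continue
        ext_id = profile["FISHEXTERNALID"]
        external = external_users.get(ext_id)
        if external is None:
            if profile["referenced"]:
                profile["FISHUSERDISABLED"] = "Yes"  # keep the row: object history refers to it
                actions.append(("disable", ext_id))
            else:
                trisoft_profiles.remove(profile)
                actions.append(("delete", ext_id))
        elif external["disabled"]:
            profile["FISHUSERDISABLED"] = "Yes"
            actions.append(("disable", ext_id))

    # Step 2: create, enable or update a profile for every external user that must have one.
    required = [eid for eid, ext in external_users.items()
                if ext["required"] and not ext["disabled"]]
    for ext_id in required:
        hits = [p for p in trisoft_profiles if p["FISHEXTERNALID"] == ext_id]
        if len(hits) > 1:
            raise MultipleProfileHits(ext_id)
        if not hits:
            trisoft_profiles.append({"FISHUSERTYPE": "External", "FISHUSERDISABLED": "No",
                                     "FISHEXTERNALID": ext_id, "referenced": False,
                                     "roles": set(default_roles)})
            actions.append(("create", ext_id))
            continue
        profile = hits[0]
        if profile["FISHUSERDISABLED"] == "Yes":
            profile["FISHUSERDISABLED"] = "No"
            actions.append(("enable", ext_id))
        elif update:
            profile["roles"] = set(default_roles)  # beware: overwrites roles an admin set by hand
            actions.append(("update", ext_id))
        else:
            actions.append(("skip", ext_id))
    return actions


def _profile(ext_id, disabled="No", referenced=True, roles=("Author",), user_type="External"):
    return {"FISHUSERTYPE": user_type, "FISHUSERDISABLED": disabled,
            "FISHEXTERNALID": ext_id, "referenced": referenced, "roles": set(roles)}


def run_sample(update=False):
    """Constructed directories; returns (actions, {external_id: profile}) after one run."""
    profiles = [
        _profile("", user_type="Internal", roles=("Administrator",)),  # internal: never touched
        _profile("alice", roles=("Author", "Reviewer")),  # in both; extra role assigned by hand
        _profile("bob", referenced=False),                # left the company, owns no objects
        _profile("carol"),                                # left the company, owns object history
        _profile("dave", referenced=False),               # still in LDAP but disabled there
        _profile("erin", disabled="Yes"),                 # re-hired: disabled here, active in LDAP
    ]
    external = {
        "alice": {"disabled": False, "required": True},
        "dave": {"disabled": True, "required": True},
        "erin": {"disabled": False, "required": True},
        "frank": {"disabled": False, "required": True},   # new hire, no profile yet
        "heidi": {"disabled": False, "required": False},  # in LDAP but outside the scoped role
    }
    actions = reconcile(profiles, external, update=update)
    return actions, {p["FISHEXTERNALID"]: p for p in profiles}


def duplicate_hits_are_rejected():
    profiles = [_profile("grace"), _profile("grace", referenced=False)]
    try:
        reconcile(profiles, {"grace": {"disabled": False, "required": True}})
    except MultipleProfileHits:
        return True
    return False


if __name__ == "__main__":
    for action in run_sample()[0]:
        print(*action)
```

Running it with update=False leaves alice's hand-assigned "Reviewer" role alone; with update=True the same run resets her roles to the default set, which is the overwrite the slide warns about. Disabling rather than deleting a referenced profile keeps object history attributable, which matters for later forensics on who changed what.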

• Multi-browser support
  – IE8 and IE9
  – FF-latest
  – Chrome-latest

• Third-party software
  – AntennaHouse XSL Formatter 6.0
  – SQLServer 2008 SP3
  – SQLServer 2008R2 SP2

What we also did

• AuthoringBridge SDK
  – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of XML editors (current list: XM5560, AE5354, FM910)

What we also did

[Diagram: SDL Trisoft Authoring Bridge. Client side: Arbortext Editor, XMetaL, FrameMaker and a 3rd Party Application, each with its own connector (Arbortext Editor Connector, XMetaL Connector, FrameMaker Connector, 3rd Party Connector); access through Web Services to the Application Server running SDL Trisoft Foundation; Database on the server or a remote machine.]

• Batch metadata/workflow operations in the client tools
  – Simply automation of manual actions

• The Client Tools preview component changed from the outdated IE7-based engine to the GeckoFX engine (the renderer of Firefox)

What we also did

Copyright © 2008-2012 SDL plc. All rights reserved. All company names, brand names, trademarks, service marks, images and logos are the property of their respective owners. This presentation and its content are SDL confidential unless otherwise specified, and may not be copied, used or distributed except as authorised by SDL.

  • SDL Trisoft Tech DeckTechnology Web Services and QampA
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims ndash Demo
  • Claims - Brands amp Backward Compatibility
  • Claims ndash Trisoft InstallTool Parameters
  • STS - STS Auth amp Trisoft Authz
  • Claims ndash Account Creation
  • Claims ndash Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services ndash ASMX and SVC
  • Web Services - API25 ndash Some ground rules
  • Web Services - API25 ndash Who are you
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • User Provisioning ndash Available since 2011 R2 (92)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for InOut
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

bull All API calls labelled 25 are 100 NET full stack they are visible in web services like DocumentObj25 OutputFormat25 ndash API 25 means a certain set of behavior

ndash Technology wise mapping of ASMX SVC NET and COM+ interfaces is one-on-one besides technical limitations (eg Function overloading parameter types)

bull Exceptions ndash Internally uses the TrisoftException or per assembly derived variations

ndash Throws InfoShareExceptions wrapped in the lsquoInfoShareWSrsquo to SoapException

bull First checks the input if unexpectedwrong it will throw immediately

bull Results are never sorted unless explicitly indicated through a sequence field The client should always sort

Web Services - API25 ndash Some ground rules

Function name Description

SetMetadata Current function

SetMetadata2 New function to support multiple write access

SetMetadata3 New function to support multiple write access and an extra parameter ldquorequiredCurrentMetadataldquo to force the current metadata to match an expected value

bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

bull Contextual information comes in through ndash For ASMX Web Services

bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

bull Deprecated because of technology

bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

OASIS standard using OASIS SAML tokens

bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

bull Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 ndash Who are you

bull First of all we provided all these new classes in ASMX and SVC flavor for now

bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

bull holding the SDL LiveContent Reach and WorldServer location

ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

bull Introducing versioned schema validation

ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

Web Services - New in SDL Trisoft 2013 (100)

bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

Web Services - New in SDL Trisoft 2013 (100)

bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

assign publications or content objects you would want to get translated

ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

Web Services - New in SDL Trisoft 2013 (100)

User Provisioning ndash Available since 2011 R2 (92)

bull Introducing the following API functions

User Provisioning - Functions

User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for InOut

bull Multi Browser support ndash IE8 and IE9

ndash FF-latest

ndash Chrome-latest

bull Third Party Software ndash AntennaHouse XSL Formater 60

ndash SQLServer 2008 SP3

ndash SQLServer 2008R2 SP2

What we also did

bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

What we also did

SDL Trisoft Authoring Bridge

Database

Server or Remote Machine

Application Server

Client

Access through Web Services

SDL Trisoft Foundation

Arbortext Editor XMetaL FrameMaker

FrameMaker Connector

Arbortext Editor Connector XMetal Connector

3rd Party Application

3rd Party Connector

bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

  • SDL Trisoft Tech DeckTechnology Web Services and QampA
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims ndash Demo
  • Claims - Brands amp Backward Compatibility
  • Claims ndash Trisoft InstallTool Parameters
  • STS - STS Auth amp Trisoft Authz
  • Claims ndash Account Creation
  • Claims ndash Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services ndash ASMX and SVC
  • Web Services - API25 ndash Some ground rules
  • Web Services - API25 ndash Who are you
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • User Provisioning ndash Available since 2011 R2 (92)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for InOut
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

bull Incoming user contextual information will be decrypted into a UserContext object which in turn will always be validated for correctness in the database (rights disabled roles )

bull Contextual information comes in through ndash For ASMX Web Services

bull Every class constructor requires an AuthenticationContext so only works for lsquoTrisoft Internalrsquo users

bull Deprecated because of technology

bull Stopped support for lsquodirectrsquo WindowsLDAP Authentication in favor of an STS solution

ndash For SVC Web Services bull No AuthenticationContext parameter as it is on-the-wire as part of the WS-Trust

OASIS standard using OASIS SAML tokens

bull The Claims are read by the Microsoft Windows Identity Foundation (WIF) library and transformed into a ClaimsThreadPincipal object

bull Supports any Authentication type because it is an externalized service (STS)

Web Services - API25 ndash Who are you

bull First of all we provided all these new classes in ASMX and SVC flavor for now

bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

bull holding the SDL LiveContent Reach and WorldServer location

ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

bull Introducing versioned schema validation

ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

Web Services - New in SDL Trisoft 2013 (100)

bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

Web Services - New in SDL Trisoft 2013 (100)

bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

assign publications or content objects you would want to get translated

ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

Web Services - New in SDL Trisoft 2013 (100)

User Provisioning ndash Available since 2011 R2 (92)

bull Introducing the following API functions

User Provisioning - Functions

User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for InOut

bull Multi Browser support ndash IE8 and IE9

ndash FF-latest

ndash Chrome-latest

bull Third Party Software ndash AntennaHouse XSL Formater 60

ndash SQLServer 2008 SP3

ndash SQLServer 2008R2 SP2

What we also did

bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

What we also did

SDL Trisoft Authoring Bridge

Database

Server or Remote Machine

Application Server

Client

Access through Web Services

SDL Trisoft Foundation

Arbortext Editor XMetaL FrameMaker

FrameMaker Connector

Arbortext Editor Connector XMetal Connector

3rd Party Application

3rd Party Connector

bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

  • SDL Trisoft Tech DeckTechnology Web Services and QampA
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims ndash Demo
  • Claims - Brands amp Backward Compatibility
  • Claims ndash Trisoft InstallTool Parameters
  • STS - STS Auth amp Trisoft Authz
  • Claims ndash Account Creation
  • Claims ndash Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services ndash ASMX and SVC
  • Web Services - API25 ndash Some ground rules
  • Web Services - API25 ndash Who are you
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • User Provisioning ndash Available since 2011 R2 (92)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for InOut
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

bull First of all we provided all these new classes in ASMX and SVC flavor for now

bull Settings25 allowing access to Set and Get ndash Settings gt Default Settings

bull holding the SDL LiveContent Reach and WorldServer location

ndash All Settings Configuration Xmls like OnDocStore Status Definitions Initial Statuses Status Transitions Inbox Definitions bull Note that lsquoXml Tagsrsquo is gone

bull Introducing versioned schema validation

ndash Function GetPossibleTargetStatuses helps in filling allowed lsquonext valuesrsquo fo workflow dialogs

Web Services - New in SDL Trisoft 2013 (100)

bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

Web Services - New in SDL Trisoft 2013 (100)

bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

assign publications or content objects you would want to get translated

ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

Web Services - New in SDL Trisoft 2013 (100)

User Provisioning ndash Available since 2011 R2 (92)

bull Introducing the following API functions

User Provisioning - Functions

User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for InOut

bull Multi Browser support ndash IE8 and IE9

ndash FF-latest

ndash Chrome-latest

bull Third Party Software ndash AntennaHouse XSL Formater 60

ndash SQLServer 2008 SP3

ndash SQLServer 2008R2 SP2

What we also did

bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

What we also did

SDL Trisoft Authoring Bridge

Database

Server or Remote Machine

Application Server

Client

Access through Web Services

SDL Trisoft Foundation

Arbortext Editor XMetaL FrameMaker

FrameMaker Connector

Arbortext Editor Connector XMetal Connector

3rd Party Application

3rd Party Connector

bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

  • SDL Trisoft Tech DeckTechnology Web Services and QampA
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims ndash Demo
  • Claims - Brands amp Backward Compatibility
  • Claims ndash Trisoft InstallTool Parameters
  • STS - STS Auth amp Trisoft Authz
  • Claims ndash Account Creation
  • Claims ndash Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services ndash ASMX and SVC
  • Web Services - API25 ndash Some ground rules
  • Web Services - API25 ndash Who are you
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • User Provisioning ndash Available since 2011 R2 (92)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for InOut
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

bull ListOfValues25 allowing access to manage the allowedpermitted values of a select List of Value (LOV) ndash Usefull for automated integrationsinput

ndash Note adding the List of Value itself (eg lsquoImageTypersquo) still requires the setup utilities This API class allows you to add values (eg lsquoDiagramrsquo and lsquoGraphicrsquo into lsquoImageTypersquo)

Web Services - New in SDL Trisoft 2013 (100)

bull The following API functions allow our new lsquoTranslationOrganizerrsquo service to work

bull TranslationTemplate25 ndash Allows management of cached translation template in Trisoft

ndash A lsquoconfigurationrsquo identifier to tell the Translation Management System which setup to use (eg WorldServer workflow cost code)

bull TranslationJob25 ndash Allows typical CRUD of the new TranslationJob containers where you can

assign publications or content objects you would want to get translated

ndash TranslationJob object drives the lsquoTranslationBuilderrsquo and lsquoTranslationOrganizerrsquo Windows services

Web Services - New in SDL Trisoft 2013 (100)

User Provisioning ndash Available since 2011 R2 (92)

bull Introducing the following API functions

User Provisioning - Functions

User25 ChangePassword Create Delete Find GetMetaData(ByIshUserRef) GetMyMetaData IsInRole RetrieveMetaData(ByIshUserRefs) Update

UserGroup25 Create Delete Find GetMetaData RetrieveMetaData Update

UserRole25 Create Delete Find GetMetaData RetrieveMetaData Update

1 Delete or Disable Trisoft User Profiles 1 List all Trisoft user profiles that have FISHUSERTYPE set to External and

FISHUSERDISABLED set to No 2 For every user in the trisoft-user-list find the external user profile by

FISHEXTERNALID 1 If none exists delete the Trisoft user profile if not referenced otherwise disable the

Trisoft user profile 2 If one or more exists check if disabled possibly disable the Trisoft user profile

2 Create or Update Trisoft User Profileshellip 1 List all external users required to have a matching profile in Trisoft (eg

limited by LDAP rolehellip) 2 For every user in the external-user-list find the Trisoft User Profile by

FISHEXTERNALID 1 If multiple hits throw exception as multiple profile hits will never grant a login 2 If none exists create the user profile with required roles and user groups 3 If one exists enable skip or possibly update the user profile

Beware that update could overwrite explicitly set values

User Provisioning - Algorithm for InOut

bull Multi Browser support ndash IE8 and IE9

ndash FF-latest

ndash Chrome-latest

bull Third Party Software ndash AntennaHouse XSL Formater 60

ndash SQLServer 2008 SP3

ndash SQLServer 2008R2 SP2

What we also did

bull AuthoringBridge SDK ndash Note only AuthoringBridge so no Publication Manager nor does it support

automation It will allow more stable and faster integrations with the various versions and flavors of Xml Editors (current list XM5560 AE5354 FM910)

What we also did

SDL Trisoft Authoring Bridge

Database

Server or Remote Machine

Application Server

Client

Access through Web Services

SDL Trisoft Foundation

Arbortext Editor XMetaL FrameMaker

FrameMaker Connector

Arbortext Editor Connector XMetal Connector

3rd Party Application

3rd Party Connector

bull Batch MetadataWorkflow operations in the client tools ndash Simply automation of manual actions

bull Client Tools Preview component changed from the outdated IE7-based to the GeckoFX engine (renderer of FireFox)

What we also did

Copyright copy 2008-2012 SDL plc All rights reserved All company names brand names trademarks service marks images and logos are the property of their respective owners This presentation and its content are SDL confidential unless otherwise specified and may not be copied used or distributed except as authorised by SDL

  • SDL Trisoft Tech DeckTechnology Web Services and QampA
  • Agenda
  • SDL Integrations Product Stack
  • SDL Integrations Product Stack - WorldServer
  • Security - Real World Scenario
  • Current Software Paradigm
  • Centralized IT Paradigm
  • Current situation
  • Security Token Service (STS)
  • Basic Flow Overview
  • Claims - Profiles
  • Claims ndash Demo
  • Claims - Brands amp Backward Compatibility
  • Claims ndash Trisoft InstallTool Parameters
  • STS - STS Auth amp Trisoft Authz
  • Claims ndash Account Creation
  • Claims ndash Database Upgrade Tool - Screenshot
  • Central Auth and Trisoft Authz
  • Web Services ndash ASMX and SVC
  • Web Services - API25 ndash Some ground rules
  • Web Services - API25 ndash Who are you
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • Web Services - New in SDL Trisoft 2013 (100)
  • User Provisioning ndash Available since 2011 R2 (92)
  • User Provisioning - Functions
  • User Provisioning - Algorithm for InOut
  • What we also did
  • What we also did
  • What we also did
  • Slide Number 32

Web Services - New in SDL Trisoft 2013 (10.0)

• The following API functions allow our new 'TranslationOrganizer' service to work

• TranslationTemplate25 – Allows management of the cached translation templates in Trisoft
  – A 'configuration' identifier tells the Translation Management System which setup to use (e.g. WorldServer workflow, cost code)

• TranslationJob25 – Allows typical CRUD of the new TranslationJob containers, to which you assign the publications or content objects you want to get translated
  – The TranslationJob object drives the 'TranslationBuilder' and 'TranslationOrganizer' Windows services

User Provisioning – Available since 2011 R2 (9.2)

User Provisioning - Functions

• Introducing the following API functions:
  – User25: ChangePassword, Create, Delete, Find, GetMetaData (ByIshUserRef), GetMyMetaData, IsInRole, RetrieveMetaData (ByIshUserRefs), Update
  – UserGroup25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update
  – UserRole25: Create, Delete, Find, GetMetaData, RetrieveMetaData, Update

User Provisioning - Algorithm for In/Out

1. Delete or disable Trisoft user profiles
   1. List all Trisoft user profiles that have FISHUSERTYPE set to External and FISHUSERDISABLED set to No
   2. For every user in the trisoft-user-list, find the external user profile by FISHEXTERNALID
      1. If none exists, delete the Trisoft user profile if it is not referenced; otherwise disable it
      2. If one or more exist, check whether the external profile is disabled and, if so, disable the Trisoft user profile

2. Create or update Trisoft user profiles
   1. List all external users required to have a matching profile in Trisoft (e.g. limited by LDAP role)
   2. For every user in the external-user-list, find the Trisoft user profile by FISHEXTERNALID
      1. If there are multiple hits, throw an exception: multiple profile hits will never grant a login, so do not guess which one to use
      2. If none exists, create the user profile with the required roles and user groups
      3. If one exists, enable it, skip it, or possibly update it

Beware that an update could overwrite values that were set explicitly in Trisoft
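The two passes above as an added Python example; this is not code from the deck or from SDL, it is an illustration written for this page. The field names FISHUSERTYPE, FISHEXTERNALID and FISHUSERDISABLED are the deck's; the TrisoftStore class, every method on it, the directory dictionary and the sample users are hypothetical stand-ins for the User25 Find/Create/Update/Delete calls and for an LDAP query. It carries the two details a practitioner wants to see: the multiple-hit case fails closed with an exception instead of picking a profile, and the `update` flag shows the warning that an update overwrites roles and groups someone set by hand in Trisoft.

```python
from dataclasses import dataclass, field


class AmbiguousExternalIdError(Exception):
    """More than one Trisoft profile carries the same FISHEXTERNALID."""


@dataclass
class TrisoftUser:
    username: str
    user_type: str              # FISHUSERTYPE: "External" or "Internal"
    external_id: str            # FISHEXTERNALID
    disabled: bool = False      # FISHUSERDISABLED == "Yes"
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    referenced: bool = False    # still referenced by content or workflow history


@dataclass
class ExternalUser:             # one entry of the external directory (e.g. LDAP)
    external_id: str
    disabled: bool = False
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)


class TrisoftStore:
    """Hypothetical in-memory stand-in for the User25 web service."""

    def __init__(self, users):
        self.users = list(users)
        self.log = []            # (action, username) pairs

    def find(self, **criteria):
        return [u for u in self.users
                if all(getattr(u, k) == v for k, v in criteria.items())]

    def delete(self, user):
        self.users.remove(user)
        self.log.append(("delete", user.username))

    def disable(self, user):
        user.disabled = True
        self.log.append(("disable", user.username))

    def enable(self, user):
        user.disabled = False
        self.log.append(("enable", user.username))

    def create(self, ext):
        user = TrisoftUser(ext.external_id, "External", ext.external_id,
                           roles=set(ext.roles), groups=set(ext.groups))
        self.users.append(user)
        self.log.append(("create", user.username))
        return user

    def update(self, user, ext):
        # Overwrites roles/groups that may have been set by hand in Trisoft.
        user.roles, user.groups = set(ext.roles), set(ext.groups)
        self.log.append(("update", user.username))


def sync_out(store, directory):
    """Step 1: delete or disable external profiles whose identity is gone or disabled."""
    for user in store.find(user_type="External", disabled=False):
        ext = directory.get(user.external_id)
        if ext is None:
            if user.referenced:
                store.disable(user)   # keep it for history, but it can no longer log in
            else:
                store.delete(user)
        elif ext.disabled:
            store.disable(user)


def sync_in(store, directory, required_role, update=False):
    """Step 2: create or update profiles for the external users that need one."""
    required = [e for e in directory.values()
                if required_role in e.roles and not e.disabled]
    for ext in required:
        hits = store.find(external_id=ext.external_id)
        if len(hits) > 1:
            # Fail closed: an ambiguous mapping never grants a login, so stop rather than guess.
            raise AmbiguousExternalIdError(ext.external_id)
        if not hits:
            store.create(ext)
            continue
        user = hits[0]
        if user.disabled:
            store.enable(user)
        if update:
            store.update(user, ext)


def provision(store, directory, required_role, update=False):
    """Run the Out pass first, then the In pass; return the action log."""
    sync_out(store, directory)
    sync_in(store, directory, required_role, update)
    return store.log


# Constructed sample data, not taken from the deck.
SAMPLE_DIRECTORY = {
    "alice": ExternalUser("alice", roles={"Author"}, groups={"Docs"}),
    "bob":   ExternalUser("bob", disabled=True, roles={"Author"}),
    "carol": ExternalUser("carol", roles={"Reader"}),            # no Author role: not required
    "dave":  ExternalUser("dave", roles={"Author"}, groups={"Docs"}),
}


def sample_store():
    return TrisoftStore([
        TrisoftUser("alice", "External", "alice", roles={"Author", "Reviewer"}),
        TrisoftUser("bob", "External", "bob", referenced=True),
        TrisoftUser("erin", "External", "erin", referenced=True),   # gone, but has content
        TrisoftUser("frank", "External", "frank"),                  # gone, nothing references it
        TrisoftUser("admin", "Internal", ""),                       # internal accounts are never touched
    ])


def run_sample(update=False):
    store = sample_store()
    log = provision(store, SAMPLE_DIRECTORY, required_role="Author", update=update)
    return log, store


if __name__ == "__main__":
    for action in run_sample()[0]:
        print(*action)
```

Running it with `update=False` disables bob (disabled upstream) and erin (gone, but referenced), deletes frank, and creates dave; alice keeps the Reviewer role she was given in Trisoft. With `update=True` alice is rewritten from the directory and loses Reviewer, which is exactly the overwrite the slide warns about.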

What we also did

• Multi-browser support
  – IE8 and IE9
  – FF-latest
  – Chrome-latest

• Third-party software
  – AntennaHouse XSL Formatter 6.0
  – SQL Server 2008 SP3
  – SQL Server 2008 R2 SP2

What we also did

• AuthoringBridge SDK
  – Note: only AuthoringBridge, so no Publication Manager, nor does it support automation. It will allow more stable and faster integrations with the various versions and flavors of XML editors (current list: XMetaL 5.5/6.0, Arbortext Editor 5.3/5.4, FrameMaker 9/10)

[Diagram: SDL Trisoft Authoring Bridge. Client tier: Arbortext Editor, XMetaL, FrameMaker and a 3rd-party application, each reaching the Authoring Bridge through its own connector (Arbortext Editor Connector, XMetaL Connector, FrameMaker Connector, 3rd-party connector). Application server tier: SDL Trisoft Foundation, accessed through web services. Database tier: on the application server or a remote machine.]

What we also did

• Batch metadata/workflow operations in the client tools
  – Simply automation of manual actions

• Client Tools Preview component changed from the outdated IE7-based engine to GeckoFX (the Firefox rendering engine)
