Tridion · Content Delivery · Elastic · Sites 9.5

Tridion Sites – Search Functionality

In Tridion Sites 9.5 release introduced this new feature Tridion Sites Search Content is searchable out of the box, Because the published content is also indexed, it is immediately searchable through GraphQL queries.

Content Delivery now has a built-in search feature using Elasticsearch technology.

In Tridion Sites 9.6 release introduced an additional feature for the sites search to support Semantic search enables you to enhance your websites with a faceted search interface that improves the findability of your content. With the help of an external taxonomy provider, Tridion Sites enhances the Elasticsearch search index and introduces a new concept index. The Content Service makes the information in the taxonomy available for implementation to use the Public Content API to write GraphQL queries.

  • present the taxonomy based faceted search and auto suggestions on a webpage, allowing visitors to filter their search queries
  • apply selected facets search to search queries in order to filter the search results

Why Tridion Sites Search

  • Customers currently have to implement their own solution (SI4T or custom Deployer extension)
  • Optimized for Tridion Sites data model
  • Makes use of existing Elasticsearch infrastructure (XO and Tridion Docs Search)
  • Exposed through existing IQ Query Service (OpenAPI) and now Content Service (GraphQL)

Architecture

Sites Search feature functionality entails:

  • A new prerequisite: an instance of the Elasticsearch product, either on-premises or in the Cloud
  • A new microservice called IQ Indexing Service to index all content published to Content Delivery
  • A new configuration file search.properties for the Content Service or Session-enabled Content Service, in which you configure the Elasticsearch functionality. You can enable or disable search feature in application.properties.
  • New resources for the Content Deployer for Elasticsearch integration, including a client configuration file cd_client_conf.xml, in which to configure the connection to Elasticsearch. In case if you intended to use the add-on to configure your deployer pipelines then add-on package configuration to configure the connection to Elasticsearch

In Content Manager:

Select to mark Content for search indexing

  • Publish and search only relevant content
  • New publishable and searchable field configurations for schemas

Search language

  • Content Search index language based on publication
  • Component and page locale comes from owning publication
  • Locale specific content is indexed independently

In Elasticsearch Service:

  • Download and install the .zip package

Download the .zip archive for Elasticsearch v7.10.0 from: https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.10.0-windows-x86_64.zip

Unzip it with your favourite unzip tool. This will create a folder called elasticsearch-7.10.0, which we will refer to as %ES_HOME%. In a terminal window, cd to the %ES_HOME% directory, for instance:

cd c:\elasticsearch-7.10.0\bin

.\elasticsearch-service.bat install
.\elasticsearch-plugin install ingest-attachment
.\elasticsearch-plugin install analysis-icu

#After successful elastic search installation, To set the heap sizes, edit jvm.options in the config/ subdirectory or Elasticsearch. The following shows configuration for the minimum recommended values
-Xms512m
-Xmx512m

#Update elasticsearch.yml file for elasticsearch access to remote system and restart the service after the configuration chagnes.
network.host: 0.0.0.0 #Not recommended to enable this for prod setup.
discovery.seed_hosts: ["localhost","127.0.0.1", "[::1]"]

#Elastic search index creation for Sites Search and Docs Search
cd \Content Delivery\roles\iq\elasticsearch
.\installElasticsearchIndexes.ps1 -es-host "localhost" -es-port 9200 -es-scheme "http"

In Content Service:

  • Preconfigured Content Service, By default search feature is enabled
  • Configurable using profile to enable or disable search feature
  • Uses Data pipeline (requires existing Sites content to be republished)
#Content Service
application.properties

# broken: default profile to enable broker results
# search: enables search
spring.profiles.active={springprofilesactive:broker,search}
  • Embedded search provider to reduce inter-service calls
  • Configurable Elasticsearch endpoint
# Content Service
search.properties

es.host=${eshost:localhost}
es.port=${esport:9200}
es.scheme=${esschema:http}
es.username=${esusername:}
es.password=${espassword:}

In Deployer Service:

  • New Deployer pipeline steps
  • Configurable binary indexing type support
<Pipeline Id="Tridion-Process-Deploy" Action="Deploy" Verb="Process">
	<Steps>
		<Step Id="TridionSearchIndexDeployStep">
			<BinaryIndexing extensions="${binaryextension:-pdf,doc,docx,xls,xlsx,ppt,pptx,odt}"/>
			<Transaction
					failPipelineTransactionOnFatalIndexingError="${failtransactiononfatalindexingerror:-true}"/>
			<RetryPoint PipelineId="Tridion-Process-Deploy" StepId="TridionSearchIndexDeployStep"/>
		</Step>
	</Steps>
</Pipeline>
<Pipeline Id="Tridion-Process-Undeploy" Action="Undeploy" Verb="Process">
	<Steps>
		<Step Id="TridionSearchIndexUnDeployStep">
			<Transaction
					failPipelineTransactionOnFatalIndexingError="${failtransactiononfatalindexingerror:-true}"/>
			<RetryPoint PipelineId="Tridion-Process-Undeploy" StepId="TridionSearchIndexUnDeployStep"/>
		</Step>
	</Steps>
</Pipeline>

The Content Deployer for Elasticsearch integration needs client configuration file cd_client_conf.xml, in which to configure the connection to Elasticsearch. In case if you intended to use the add-on to configure your deployer pipelines then add-on package configuration to configure the connection to Elasticsearch.

For Tridion Sites without xo feature: Add-on package (deployer + search feature pipelines steps)

\Content Delivery\roles\deployer\add-ons\udp-deployer-web-extension-assembly-11.5.0-1118-search.zip
\Content Delivery\roles\deployer\add-ons\udp-deployer-web-extension-assembly-11.x.0-xxxx-search-config.json

For Tridion DX setup for Sites and Docs: Add-on package (deployer + ish + search feature pipelines steps)

\Content Delivery\roles\deployer\add-ons\udp-deployer-dx-extension-assembly-11.x.0-xxx-search.zip
\Content Delivery\roles\deployer\add-ons\udp-deployer-dx-extension-assembly-11.x.0-xxxx-search-config.json

For Tridion Sites with XO enabled: Add-on package (deployer + xo + search feature pipelines steps)

\Content Delivery\roles\xo\add-on\xo-deployer-cx-extension-assembly-11.x.0-xxxx-core.zip
\Content Delivery\roles\xo\add-on\xo-deployer-extension-assembly-11.x.0-xxxx-core-config.json

In IQ Index Service:

For Tridion sites search, IQ Index service is only mandatory, while installing the service needs to pass the elastic search instance configurations

.\installService.ps1 --auto-register '-Des.host = es.tridiondemo.com','-Des.port = 9200','-Des.scheme = http','-Des.ingest.host = es.tridiondemo.com','-Des.ingest.port = 9200','-Des.in
gest.scheme = http'

In case if you have any questions or queries please raise them in Tridion StackExchange.

Advertisement
Access Management · Sites 9.5 · Tridion

Installing the Tridion Access Management service for Windows Authentication Idp provider in Tridion Sites 9.5

In my previous blog post, I have explained how to Install the Access Management service on a Windows machine by scripted installation for Azure Idp provider. This post will explain step by step how to Install the Access Management service for the Windows Authentication Idp provider.

Note: If you intend to use a Windows identity provider (IdP), then installation in IIS is required

Access Management preqequisites

The Access management can run on both Windows or Linux, and it requires .NET Core Runtime, but in this post, we will set up a windows IDP provider so only windows required.

  • Any Database version that is supported by Content Manager and Content Delivery
  • Any Microsoft Windows server operating system that is supported for Content Manager server or Content Delivery server
  •  .NET Core and ASP.NET Core host bundles version 3.1 for Microsoft Windows: https://www.microsoft.com/net/download/windows

For more detailed Access Management service installation, please refer to the SDL Documentation portal

Installing the Access Management in MSSQL database

  1. Open a PowerShell prompt as Administrator and then navigate to the folder DatabaseMSSQL in the Installation media folder of  SDL Tridion Sites 9.5
  2. Run the following PowerShell command and then follow the instructions to create the Access Management database & '.Install Access Management database.ps1'

Installing the Access Management service as an IIS website

We can install the Acces Management in a Content Manager server environment, or a completely separate server running Windows.

  1. Download and Install the NET Core and ASP.NET Core host bundles version 3.1
  2. Access to SDL Tridion Sites 9.5 installation media and go to the following folder: Access Management
  3. Copy the entire folder to the machine where you want to install the Access Management service in IIS.
    For example D:\Access Management
  4. and then Go to D:\Access Management\bin and open appsettings.json file and edit to update to configure the location of the Access Management database.
  5. For MSSQL in the database, a section set the Type and ConnectionString value as per your environment setup
    For example:   “URLs”: “http://*:84&#8221;
  6. By default, the Access Management runs on port 80. if you want to change to run on a different port then go to the URLs section in the appsettings.json and update to change the default port number.
    For example
  7. Generate signed certificate either issued from a certificate authority (CA) or self-signed and copy .pfx certificate to Access ManagementbinCertificates.
    Example to generate self singed certificate: TridionAccessManagement.pfx
    $installAccessManagementServiceScriptRoot = "D:Access Management"
    $certPassword = "tridion"
    
    cd $installAccessManagementServiceScriptRoot
    
    New-Item -Path “.binCertificates” -ItemType Directory | Out-Null
    
    $cert = New-SelfSignedCertificate -certstorelocation Cert:LocalMachineMy -dnsname $env:COMPUTERNAME
    
    $pwd = ConvertTo-SecureString -String $certPassword -Force -AsPlainText
    
    $AccessManagementCertificate = $installAccessManagementServiceScriptRoot + "binCertificatesTridionAccessManagement.pfx"
    
    $path = 'Cert:LocalMachineMy' + $cert.thumbprint 
    
    Export-PfxCertificate -cert $path -FilePath $AccessManagementCertificate -ChainOption BuildChain -NoProperties -Password $pwd    
  • Configure certificate in the appsettings.json, as follows:
  "Certificates": {
    "Signing": {
      "Path": "Certificates/TridionAccessManagement.pfx",
      "Password": "xxxxx"
    }
  • Open IIS Manager and add a new IIS website
    Example:
    Site name: AccessManagement
    Physical path:D:\AccessManagement\bin
    Port: 84
  • Enable Windows Authentication for the website
  • Go to [Access Management-Installation-Home]\bin folder and ensure it has full access to the Key folder to the Local System account and to restrict access to the Key folder for all other users.
  • Go to http://localhost:84/ to verify Access Management UI and then add your windows IDP provider using Access Management UI, also possible to automate creating the IDP providers using Access Management Rest APIs.

    Sample Windows IDP provider configuration

Configuring the Add-ons application in Access Management:
Allowed redirect URLs: (Update the default values to match with your add-on service URL)
http://localhost:83/addon/ui/signin-oidc

Configuring the Content Manager Classic and Experience Space application in Access Management:

Allowed redirect URLs
http://localhost/webui/signin-oidc (update to remove the default port and don’t keep port 80 in the URL)

Allowed redirect URLs
http://localhost/ui/signin-oidc (update to remove the default port and don’t keep port 80 in the URL)

Configure Access Management on the Content Manager side (Access Management link on the left side slide-out navigation menu)

In the SDL Tridion Sites 9.5 Installer last step there an option to enable access management integration to provide the URL of the Access Management service URL, if you enable then this menu automatically enabled.
Or in case if you looking to install the SDL Tridion Sites by scripted to install silently then it is required to pass ACCESS_MANAGEMENT_URL=http://localhost:84/access-management/

Note:

  • If you planned to use the Access Management service then ensure before installing the CM/DXD and Add-On service and Access Management should be installed first and then Add-on service and note down the service URLs and secrete credentials, In order to use the classic UI//new UI and add-on services UIs to access using OIDC.

I hope it helps if you have any questions regarding this please post your question in Tridion StackExchange.

Access Management · Sites 9.5 · Tridion

TXS event presentation – SDL Tridion Access Management Installation Automation using Powershell

RWS (SDL) Tridion Expert Summit 2020 (TXS) has been held online on Dec 9th and 10th and well organized, I also had an opportunity to present and lightning talk at the event,  about SDL Tridion Access Management IDP configurations and walkthrough APIs for automation and followed by Demo.

In my previous blog post, I have explained step by step how to Install and configure the Access Management manually. This post will explain to automate the installation of using the Access Management API to interact with Access Management programmatically rather than through the Access Management user interface.

Access Management API

  • Use the Access Management API if you want to interact with Access Management programmatically rather than through the Access Management user interface.
  • Access Management Provide the API definition in the OpenAPI JSON format
  • For reference documentation on the Access Management Swagger API, go  http://localhost:84/access-management/api/api-docs

Access Management API’s for Automation

  • AddOn Service clientid and client secret creation
    • Method POST: /access-management/api/v1/ServiceAccounts/2
    • Method POST: /access-management/api/v1/ServiceAccounts/2/generateClientSecret
  • RedirectUrls Update for Both Classic UI and Experience Space
    • Method PUT: /access-management/api/v1/Applications/3
    • Method PUT: /access-management/api/v1/Applications/2
  • Identity Provider creation
    • Method POST: /access-management/api/v1/IdentityProviders
  • Token based authentication
    • Method POST: /access-management/connect/token

Pre-requisites

  • SDL Tridion 9.5 Installer
  • Any Database version that is supported by Content Manager and Content Delivery
  • Any Microsoft Windows server operating system that is supported for Content Manager server or Content Delivery server
  • .NET Core and ASP.NET Core host bundles version 3.1 
  • .PFX  signed certificate either issued from a certificate authority (CA) or self-signed (for self-signed certification creation PowerShell script refer to the previous manual installation article)
  • Download the script https://github.com/avmgan/AccessManagementInstallationScript

Instructions

Edit the file “Install-Options.ps1” and modify it to fit your needs. At a minimum, you need to specify a valid Access Management database and credentials.

Run the AccessManagement-Service-Install.ps1 script (as Administrator) to launch the Access Management installation process to install and configure.

EXAMPLE1:
.\AccessManagement-Service-Install.ps1 -TCMInstallerPath D:\_Install\TridionSites95 -InstallationDir “D:\TXS2020-DEMO\Access Management” -CertThumbprint “4af0b42497e5988df2235b65ede11742e503fecd”

.EXAMPLE2:
.\AccessManagement-Service-Install.ps1 -TCMInstallerPath D:\_Install\TridionSites95 -InstallationDir “D:\TXS2020-DEMO\Access Management” -CertThumbprint “4af0b42497e5988df2235b65ede11742e503fecd” -SkipDBCreation

One Script to deploy Access Management in one go, no more manual configuration

This will create the following

  • Database
  • Export PFX Certificate
  • Install service and generate Client Id and client secrets and configure Idp provider

Note:

  • If there is no Idp defined yet, we don’t need a bearer token yet (you can anonymously access Tridion Access Management).
  • Tridion Access Management gets secured only after the first IDP has been created.

I hope it helps.

Access Management · Sites 9.5 · Tridion

Installation of Access Management in SDL Tridion Sites 9.5

In SDL Tridion Sites 9.5 release introduced this new feature Access Management based on .NET Core Rest API and UI to manage Access Management application to provides a single, simplified interface for managing access to Tridion applications by end-users and by the APIs for other applications. Access Management simplifies the implementation of SSO by using a single authentication protocol while still supporting the use of various protocols by individual applications and services.

Using Access Management to perform the following tasks

  • Create and maintain connections to external identity providers.
  • Configure authentication for Tridion Sites applications.
  • Manage client credentials for applications, end-users, and service accounts.

Access Management Benefits

  • Unified single sign-on.
  • User interface for managing system access.
  • Simplified configuration of external identity providers.
  • Tridion service is not impacted by external identity provider changes
  • Adding protocols means only adding it to SDL Tridion Access Management

Access Management Architecture

Access Management supported Identity provider types

  • SAML 2.0
  • Open ID Connect
  • Windows Authentication (run the Access Management service as an IIS website, not windows service)
  • LDAP

Access Management preqequisites

Access Management prerequisites

The Access management can run on both Windows or Linux, and it requires .NET Core Runtime.

  • Any Database version that is supported by Content Manager and Content Delivery
  • Any Microsoft Windows server operating system that is supported for Content Manager server or Content Delivery server
  •  .NET Core and ASP.NET Core host bundles version 3.1 for Microsoft Windows: https://www.microsoft.com/net/download/windows

For more detailed Access Management service installation details, please refer to the SDL Documentation portal

Installing the Access Management in MSSQL database

  1. Open a PowerShell prompt as Administrator and then navigate to the folder Database\MSSQL\ in the Installation media folder of  SDL Tridion Sites 9.5
  2. Run the following PowerShell command and then follow the instructions to create the Access Management database & '.\Install Access Management database.ps1'

Installing the Access Management service on a Windows machine

We can install the Acces Management in a Content Manager server environment, or a completely separate server running Windows or Linux.

  1. Download and Install the NET Core and ASP.NET Core host bundles version 3.1
  2. Access to SDL Tridion Sites 9.5 installation media and go to the following folder: Access Management\
  3. Copy the entire folder to the machine where you want to install the Access Management service.
    For example D:\Access Management
  4. and then Go to D:\Access Management\bin\ and open appsettings.json file and edit to update to configure the location of the Access Management database.
  5. For MSSQL in the database, a section set the Type and ConnectionString value as per your environment setup
    For example:  
    "Database":  {
                     "Type":  "MSSQL",
                     "ConnectionString":  "Server=localhost;Database=Tridion_AccessManagement;User Id=AccessManagementUser;Password=xxx",
                     "TransactionTimeOut":  60
                 }
  • By default, the Access Management runs on port 80. if you want to change to run on a different port then go to the URLs section in the appsettings.json and update to change the default port number.
    For example
  "URLs": "http://*:84"
  1. Generate signed certificate either issued from a certificate authority (CA) or self-signed and copy .pfx certificate to Access Management\bin\Certificates.
    Example to generate self singed certificate: TridionAccessManagement.pfx
    $installAccessManagementServiceScriptRoot = "D:\Access Management"
    $certPassword = "tridion"
    
    cd $installAccessManagementServiceScriptRoot
    
    New-Item -Path “.\bin\Certificates” -ItemType Directory | Out-Null
    
    $cert = New-SelfSignedCertificate -certstorelocation Cert:\LocalMachine\My -dnsname $env:COMPUTERNAME
    
    $pwd = ConvertTo-SecureString -String $certPassword -Force -AsPlainText
    
    $AccessManagementCertificate = $installAccessManagementServiceScriptRoot + "\bin\Certificates\TridionAccessManagement.pfx"
    
    $path = 'Cert:\LocalMachine\My\' + $cert.thumbprint 
    
    Export-PfxCertificate -cert $path -FilePath $AccessManagementCertificate -ChainOption BuildChain -NoProperties -Password $pwd    
  1. Configure certificate in the appsettings.json, as follows:
  "Certificates": {
    "Signing": {
      "Path": "Certificates/TridionAccessManagement.pfx",
      "Password": "xxxxx"
    }
  1. Open a PowerShell console as an administrator and navigate to the D:\Access Management\ folder you copied, run the following command: & .\installService.ps1
  2. Go to [Access Management-Installation-Home]\bin folder and ensure it has full access to the Key\ folder to the Local System account and to restrict access to the Key\ folder for all other users.
  3. Go to http://localhost:84/ to verify Access Management UI and then add your IDP providers using Access Management UI, also possible to automate creating the IDP providers using Access Management Rest APIs.

Configuring the Add-ons application in Access Management:
Allowed redirect URLs: (Update the default values to match with your add-on service URL)
http://localhost:83/addon/ui/signin-oidc

Configuring the Content Manager Classic and Experience Space application in Access Management:

Allowed redirect URLs
http://localhost/webui/signin-oidc (update to remove the default port and don’t keep port 80 in the URL)

Allowed redirect URLs
http://localhost/ui/signin-oidc (update to remove the default port and don’t keep port 80 in the URL)

Configure Access Management on the Content Manager side (Access Management link on the left side slide-out navigation menu)

In the SDL Tridion Sites 9.5 Installer last step there an option to enable access management integration to provide the URL of the Access Management service URL, if you enable then this menu automatically enabled.
Or in case if you looking to install the SDL Tridion Sites by scripted to install silently then it is required to pass ACCESS_MANAGEMENT_URL=http://localhost:84/access-management/

Note:

  • If you planned to use the Access Management service then ensure before installing the CM/DXD and Add-On service and Access Management should be installed first and then Add-on service and note down the service URLs and secrete credentials, In order to use the classic UI//new UI and add-on services UIs to access using OIDC.

I hope it helps if you have any questions regarding this please post your question in Tridion StackExchange.

Tridion Docs

SSO/ADFS setup for SDL Tridion Docs 14SP2

The previous article explained how to integration AD windows athentication, In this article explains how to integrate SDL Tridion Docs can be enabled to authenticate uses through the customer’s ADFS system rather than default Infoshare Security Token Service (STS).

Tridion Docs SSO Prerequisites

The following protocol requirements for a Security Token Service are based on active or passive profile categories.

  • Passive profile protocol
    • WS Federation
  • Active profile protocol
    • WS Trust 1.3
    • Part of WS Trust 1.4. Only the part that specifies the ActAs element is required to support identity delegation.
  • Security tokens – Only supported SAML 1.1 format XML


For ADFS Prerequisites:

  • ADFS 3.0
  • WindowsMixed endpoint to be active (disabled in ADFS by default)

Step 1: Configure ADFS Server
  1. The ADFS server needs the service certificate that is used by the Content Manager WCF Services. With the typical Content Manager setup, this WCF Service certificate is the same as the IIS Website Certificate for SSL.
    1. Login into the Tridion Docs Content Manager server and then open Internet Information Services (IIS) Manager.
    2. Double-click Server Certificates in the right pane.
    3. Right-click on the certificate of the IIS website that is going to be used for Content Manager then click View.
    4. Click on the Details tab then click Copy to File and export the certificate to the file system (only export the public key) e.g. ISHWS.cer.
  2. Copy the PowerShell scripts which are created in the Content Manager server directory \InfoShare\App\Setup\STS\ADFS\Scripts\ scripts to a temporary directory on the ADFS server e.g. C:\SDL.ISH. Copy also the certificate file ISHWS.cer from the previous step.
  3. Login into the ADFS Server and open a Powershell with admin Rights and execute the following code to execute the command to add the relying parties to ADFS
    cd c:\SDL.ISH
    Set-ExecutionPolicy Unrestricted
    Import-Module ADFS
    .\SDL.ISH-ADFSv3.0-RP-Install.ps1 "C:\SDL.ISH\ISHWS.cer"
  4. Now, if you open ADFS Management you should see two new Relying Party entries with the base URLs you use for the Content Manager instance.

Step 2: Configure the Content Manager to switch internal accounts to ADFS accounts

On Content Manager, set the following:
User type to “External”
External ID to ADFS login username

 

Note: External ID based on your claim it can be username or emailaddress based on your ADFS claim configuration.

Obtain ADFS parameters

STS WS Federation Endpoint
Example: https://adfs.example.com/adfs/ls/

STS WS Trust Endpoint
Example: https://adfs.example.com/adfs/services/trust/13/windowsmixed

STS Mex Endpoint
Example: https://adfs.example.com/adfs/services/trust/mex

STS Certificate Thumbprint
Example: 2a71cf03b0536814f1bbf11a7881dfa1becd49c0

STS Certificate Issuer
Example: “CN=ADFS Signing – adfs.xxxx.com”

Step3: Run this below script with obtained ADFS parameters to switchover to ADFS windows authentication on Content Manager

#Issuer name
$issuerName="Example ADFS (20160101)"
#WS Federation endpoint
$wsFederationUri="https://adfs.example.com/adfs/ls/"
#WS Trust endpoint
$wsTrustUri="https://adfs.example.com/adfs/services/trust/13/windowsmixed"
#WS Trust metadata exchange endpoint
$wsTrustMexUri="https://adfs.example.com/adfs/services/trust/mex"
#The authentication type
$bindingType="windowsmixed"
#Token signing thumbprint
$tokenSigningCertificateThumbprint="2509fb22f7671aea2d0a28ae80516f390de0ca21"

$deploymentName="InfoShare"
# Set WS Federation integration
Set-ISHIntegrationSTSWSFederation -ISHDeployment $deploymentName -Endpoint $wsFederationUri
# Set WS Trust integration
Set-ISHIntegrationSTSWSTrust -ISHDeployment $deploymentName -Endpoint $wsTrustUri -MexEndpoint $wsTrustMexUri -BindingType $bindingType
# Set Token signing certificate
Set-ISHIntegrationSTSCertificate -ISHDeployment $deploymentName -Issuer $issuerName -Thumbprint $tokenSigningCertificateThumbprint

Go to this location and delete C:\InfoShare\Web\InfoShareSTS\App_Data\IdentityServerConfiguration-2.2.sdf file and make IIS AppPool restart to regenerate it.

Note: Take the back up of the Infoshare whole folder before running the above script, just in case if required to backout if required

For rollback to Default Infoshare STS authentication integration if required ensure folllowing existing informations to be noted either from inputparameters.xml or in the backed up infoshare folder Web.configs of ISHCM, ISHSTS and ISHWS

  • WS Federation endpoint
  • WS Trust endpoint
  • WS Trust binding type
  • WS Trust Metadata Exchange endpoint
  • Token signing certificate thumbprint

References

SDL Documentation
PS Documentation

Tridion Docs

SDL Tridion Docs 14SP2 – Windows Authentication setup

SDL Tridion Docs – The default system that manages user identity for Tridion Docs is ISHSTS (Infoshare Security Token Service), In the Post-installation SDL Tridion Docs can be enabled to authenticate uses through the customer’s STS system or Windows Authentication rather than Infoshare STS, In this post will explain the steps to integrate the SDL Tridion Docs with Windows Authentication, In the next article will explain about the SSO/ADFS setup for SDL Tridion Docs.

Tridion Docs Prerequisites

  • SDL Tridion Docs System should be connected to Windows Active Directory
  • IIS Windows Authentication feature should be enabled

Step1: Configure application server for Lightweight Windows Authentication

  1. RDP to SDL Tridion Docs Installed system
  2. Take a whole Infoshare folder backup and also take the database backup
  3. Locate the PowerShell script SDL.ISH-ISHSTS-Configure for Windows Authentication.ps1 in the folder \InfoShare\App\Setup\STS\ISHSTS\Scripts
  4. Open PowerShell with elevated administrator privileges. Run As Administrator. If the PowerShell session is not running with administrator privileges, the script will launch a new session, and administrator privileges will be requested to the user.
  5. This task requires a PowerShell session with Execution Policy set to Unrestricted.
    • If it is not set, you need to set it permanently by executing the following:
      Set-ExecutionPolicy Unrestricted
  6. Navigate to the script folder \InfoShare\App\Setup\STS\ISHSTS\Scripts
    a. cd \InfoShare\App\Setup\STS\ISHSTS\Scripts
  7. Execute script SDL.ISH-ISHSTS-Configure for Windows Authentication.ps1
    • .\SDL.ISH-ISHSTS-Configure for Windows Authentication.ps1
cd \InfoShare\App\Setup\STS\ISHSTS\Scripts
& '.\SDL.ISH-ISHSTS-Configure for Windows Authentication.ps1'

Step 2: Configure the Content Manager to switch internal accounts to Windows AD accounts

On Content Manager, set the following:
User type to “External”
External ID to AD login username (domain\velmurugan)

Step3: Enable Windows Authentication

  1. Open the PowerShell with administrator mode and run this below script
#Ensure windows authentication IIS feature enabled
Enable-WindowsOptionalFeature -Online -FeatureName IIS-WindowsAuthentication

$deploymentName="InfoShare"
Set-ISHSTSConfiguration -ISHDeployment $deploymentName -AuthenticationType "Windows"

 

Note:

If the database is SQL Server and the connection string utilizes integrated authentication then we need to grant the computer account permissions to the database.

Configuring the Content Manager SQL Server database for Windows Authentication


References
SDL Documentation
PS Documentation

I hope it helps if you have any questions regarding post your question in Tridion StackExchange.

Content Delivery · DXA · Elastic · Tridion Docs

TDS event presentation DXA 2.2 NET + Dynamic Documentation Module + SDL Tridion Docs 14 + DXD 11.1

Tridion Developer Summit has been held at Meervaart Theater Nov 4th and 5th, I also had the opportunity to present and speak in the event,  about DXA 2.2 NET + Dynamic Documentation Module + SDL Tridion Docs 14 + DXD 11.1 and followed by Demo.

The presentation can be downlod it from here.

DXA 22 NET + Dynamic Documentation Module + SDL Tridion Docs 14 + UDP 111 from TDS on Vimeo.

Introduction to Dynamic Documentation Module

DXA Dynamic Documentation module enables you to retrieve structured content (in the DITA standard) stored in an SDL Tridion Docs database and present it through your DXA web application.

The Dynamic Documentation module includes a Dynamic Documentation web application, or more briefly the Dynamic Documentation, which provides users with a responsive interface for viewing, navigating, and interacting with content published from SDL Tridion Docs.

Benefits

  • Single-page web application designed as a documentation portal
  • Modern, graphical user interface design
  • Responsive design for mobile support
  • Highly extensible and customizable
  • Includes search and commenting capabilities

DXA Dynamic Documentation prerequisites

  • Tridion Docs 14
  • DXD 11.0 Supported
  • DXD 11.1 Prefered
    • Discovery Service
    • Deployer Service
    • Content Service
    • IQ Index Service
    • IQ Query Service or IQ Combined service
  • DXA .NET websites
    • Microsoft .NET Framework 4.6.2
    • IIS or IIS Express with ASP .NET module
  • GUI Building
    • NodeJs v6.x or higher (64bit)
    • Webpack
    • Gulp
  • Front End
    • JavaScript (ES6)
    • TypeScript
    • React
    • Redux
    • HTML
    • LESS
    • CSS

DXA DD Module Installation / configuration

  1. Download the following OOTB sources and modules from github:
    https://github.com/sdl/dxa-web-application-dotnet/tree/release/2.2
    https://github.com/sdl/dxa-modules/tree/release/2.2
    https://github.com/sdl/dxa-modules/releases/download/DXA_2.2.2_Hotfix/SDL.DXA.DynamicDocumentation.Module.2.2.2.zip
  2. Extract both sources zip and Go to dxa-modules-release-2.2\webapp-net this folder and copy DynamicDocumentation and Search folder modules and also DxaModulesCommon.Props file
  3. Go to dxa-web-application-dotnet-release-2.2 folder and paste those folders and DxaModulesCommon.Props file here
  4. Open the DxaFramework.sln and click ok to ignore the unsupported Sdl.Web.Documentation project errror message
  5. Right click DxaFramework solution to add the following existing projects
    • DynamicDocumentation\Sdl.Web.Modules.DynamicDocumentation.csproj
    • Search\Sdl.Web.Modules.Search.csproj
    • Search\SI4T.Query.CloudSearch\SI4T.Query.CloudSearch.csproj
  6. Go to Sdl.Web.Site project references and then right click and add reference and then click left side Projects and select the following projects
    • Sdl.Web.Modules.DynamicDocumentation
    • Sdl.Web.Modules.Search
    • SI4T.Query.CloudSearch
  7. Right click Sdl.Web.Modules.DynamicDocumentation project and build
  8. Once succesfull build – expand the Sdl.Web.Modules.DynamicDocumentation project and copy the Areas folder and go to Sdl.Web.Site project paste it in the root folder.
  9. Right click Sdl.Web.Modules.Search project and build
  10. Once succesfull build – expand the Sdl.Web.Modules.Search project and copy the Areas folder and go to Sdl.Web.Site project paste it in the root folder.
  11. Go to SDL.Web.Site and open web.config update the following configs sections
    In the modelBuilderPipeline section, add the Dynamic Documentation model builder to the pipeline, placing it first in the list and before the Default model builder.
    <add type="Sdl.Web.Modules.DynamicDocumentation.Mapping.ModelBuilder, Sdl.Web.Modules.DynamicDocumentation" />
    
    In the appSettings section Update the Web.config to change the default module to DynamicDocumentation 
    <add key="default-module" value="DynamicDocumentation" /> 
    Also update the following configs to as per your cusotomer environment.
    
    <add key="discovery-service-uri" value="http://staging.dev.dxa.sdldev.net:8082/discovery.svc"/> 
    <add key="oauth-client-secret" value="xxxx" />
  12. Update to Add the following Unity Declaration settings in Unity.config
    <assembly name="Sdl.Web.Modules.DynamicDocumentation" />
    <namespace name="Sdl.Web.Modules.DynamicDocumentation.Localization" />
    <namespace name="Sdl.Web.Modules.DynamicDocumentation.Providers" />
    <namespace name="Sdl.Web.Modules.DynamicDocumentation.Navigation" />
  13. Update the existing INavigationProvider type to Set Unity Type Mapping to DynamicNavigationProvider
    <type type="INavigationProvider" mapTo="DynamicNavigationProvider">
       <lifetime type="singleton" />
    </type>
    
  14. Update the existing ILocalizationResolver type to Set Unity Type Mapping to DynamicDocumentationLocalizationResolver
    <type type="ILocalizationResolver" mapTo="DynamicDocumentationLocalizationResolver">
       <lifetime type="singleton" />
    </type>
  15. Update Unity.config for IContextClaimsProvider to AdfContextClaimsProvider instead of ContextServiceClaimsProvider
    <type type="IContextClaimsProvider" mapTo="AdfContextClaimsProvider">
       <lifetime type="singleton" />
    </type>
  16. Go to Site project root folder and create this folder path \system\assets\gui
    New-Item -Path “.\system\assets\gui” -ItemType Directory | Out-Null
    Copy the gui folder from DDMoudle\web\ to your project and go to gui root folder and run this below commands
    npm install -registry https://nexus.sdl.com/content/groups/npm/
    npm run-script buildCopy the dist\assets folder to \system\assets\gui in websiteCopy cd_ambient_conf.xml config to keep in the website bin\config folder (File can be copied from SDL Tridion Sites Installation Media \Content Delivery\roles\api\rest\dotnet\config\cd_ambient_conf.xml)

Installing the Search module in the web application

  1. Open Unity.config to update to add the following config sections
  2. Add UnityDeclaration:
    <assembly name="Sdl.Web.Modules.Search" /> 
    <namespace name="Sdl.Web.Modules.Search.Providers" />
    
    Set UnityTypeMapping:
    <type type="ISearchProvider" mapTo="IQSearchProvider" />
    
    Update web.config to add elastic index name
    <add key="iq-search-index" value="udp-index" />

Dynamic Documentation GUI

Building

In order to build make sure you have Node.js installed (v6 or higher).

Installing the necessary packages

npm install gulp-cli -g
npm install

Gulp tasks

# Build (debug)
gulp build
# Build everything and setup a server (debug)
gulp serve
# Build everything and setup a server (release)
gulp serve:dist
# Build (release)
gulp


Note:

For a DXA for Dynamic Documentation implementation, you must install at least the Dynamic Documentation module. All other modules are optional.

I hope it helps if you have any questions regarding post your question in Tridion StackExchange.

Content Delivery · Sites 9 · Tridion

Installation of Add on Service in SDL Tridion Sites 9.1

In SDL Tridion Sites 9.1 released this new feature Add-On Service based on .NET Core Rest API and UI to manage Add ons and their configuration, it is easy to deploy and manage all the customizations in a unified way, there are no more configuration changes in various
config files, no manual deployment, and No downtime. Furthermore, it’s fully supported to manage and install both Content Manager and Content Delivery supported extensions points customizations as a single package or individual packages, completely separated and easy to upgrade and install to keep configuration in sync for scale-out environments and supports environment-specific configurations.

 

Add-On Service Benefits

  • No downtime to deploy extensions
  • Enabler for automated server deployments
    • Reduce the Total Cost of Ownership
    • Speed up disaster recovery
  • Enabler for Connector Framework
  • Improves visibility of the deployed extensions
  • Reduce the complexity of upgrades
  • No manual configuration
  • Extensions are loaded/updated on the fly
  • One Add on for multiple extensions (CM, ECL, UI, DXD)
  • One contact point for the scale-out scenario

Add on service architecture

 

 

Add-on Service prerequisites

The Add-on Service can run on Windows or Linux, and it requires .NET Core Runtime.

  • Any Database version that is supported by Content Manager and Content Delivery
    • Microsoft SQL Server, AWS RDS-MSSQL or Microsoft Azure database
    • Oracle database
  • Any Microsoft Windows server operating system that is supported for Content Manager server or Content Delivery server
  • .NET Core Runtime version 2.2 for Microsoft Windows: https://www.microsoft.com/net/download/windows

For more detailed Add-On service installation details, please refer to the SDL Documentation portal

 

Installing the Add-on Service in MSSQL database

  1. Open a PowerShell prompt as Administrator and then navigate to the folder Database\MSSQL\ in the Installation media folder of  SDL Tridion Sites 9.1
  2. Run the following PowerShell command and then follow the instructions to create the Add-On service database
    & '.\Install Add-on Service database.ps1'

Installing the Add-on Service on a Windows machine

We can install the Add-on Service in a Content Manager server environment, or Content Delivery server environment, or on a completely separate server running Windows or Linux.

  1. Download and Install the .NET Core Runtime version 2.2
  2. Copy the Add-on Service installation resource from the Tridion Sites installation media, copy the entire root-level folder Add-on Service to a folder of your choice on the target machine on which you want to install the Add-on Service.
  3. and then Go to \Add-on Service\bin\ and open appsettings.json file and edit to update to configure the location of the Add-On service database.
  4. For MSSQL in the database, a section set the Type and ConnectionString value as per your environment setup
    Example:

    "Type": "MSSQL",
    "ConnectionString": "Server=localhost;Database=Tridion_AddonService;User Id=AddonServiceUser;Password=xxxx",
  5. Configuring a storage location for Add-ons – By default configuration stores the uploaded packages in Database File Storage, In case if you looking to store the packages in AWS S3 bucket, then refer to the documentation to update the AWS S3 bucket name and API key credentials details in appsettings.json.
  6. By default, the Add-on service runs on port 83. if you want to change to run on a different port then go to Kestrel section in the appsettings.json and update to change the default port number.
  7. Open a PowerShell console as an administrator and navigate to the Add-on Service\ folder you copied, run the following command:
    & .\installService.ps1 -InstallationDir "D:\Apps\Add-On-Service"
  8. Go to [Add-On-Service-Installation-Home]\bin folder and ensure it has full access to the Key\ folder to the Local System account and to restrict access to the Key\ folder for all other users.
  9. Go to http://localhost:83/ to verify Add-On service UI

 

Configure Add-On Service on Content Manager side (Add-ons link on the left side slide-out navigation menu)

  1. In the SDL Tridion Sites 9.1 Installer last step there an option to enable add-on service to provide the URL of the Add-On service URL, if you enable then this menu automatically enabled.
  2. Or in case if you looking to install the SDL Tridion Sites by scripted to install silently then it is required to pass ADDON_SERVICE_URL=http://localhost:83
  3. In case if you want to change the Add-On service URL later then go to [Tridion-Home]\config\ and open addonsSettings.json to edit

 

Configure Add-On Service on Content Delivery DXD side

  • Add-on Service location is determined from addonserviceurl environment variable
  • Also environment-specific staging / live is determined from cdenvironment environment variable

Authentication:
Only consider running your Add-on service unsecured on a development environment. If you choose to run your Add-on service without security, the product still has some basic security measures set up and Restrict access to Add on service to localhost only on that machine.

For customer environments always recommended to securing the add-on service, By securing your Add-on service, you restrict access to the service UI or the service API to authenticated and authorized users. The service uses a OpenIdConnect protocol, which means that you can use any identity provider (IdP) that supports that protocol.

Add-on service supports the following IdPs:

  • Microsoft Azure Active Directory
  • Microsft Active Directory Federation Services (ADFS)
  • Auth0
  • OpenAM


Note:

  • If you planned to use Add-On service then ensure before installing the DXD services, Add-On service and environment variables should be created first, if not DXA services will fail to startup
  • DxD loading mechanism – DxD is loading extensions on service startup. No support of loading on the fly

 

I hope it helps if you have any questions regarding this please post your question in Tridion StackExchange.

Content Delivery · Sites 9 · Tridion

Using an in-browser IDE to Explore SDL Tridion Sites 9 Public Content API with GraphQL

In SDL Tridion Sites 9.0 released this new Public Content API (PCA) based on GraphQL query language and available as GraphQL endpoint in the Unified Delivery Platform (UDP) as combined content service for content delivery for Sites and Docs to deliver the dynamic experience to different channels in a headless way.

GraphQL

Why GraphQL?

  • Elegant Data Retrieval
    • Single endpoint
    • No versioning required
  • Query efficiency
    • Single-trip requests
    • Return only what’s needed
  • Backend stability
    • Data can be changed without changing clients
    • Structure dictated by spec
  • Improves data
    • API organized into a simple, understandable graph schema
    • Self-documenting
  • Large community

To explore GraphQL using in-browser GraphQL IDE:

To explain how to test and explore GraphQL using Chrome extension in-browser  Embedded GraphQL IDE in the Content service OAuth Authentication enabled URLs.

Before that test to make sure SDL Microservices are installed correctly and ensure it’s accessible in your local or where you are going to run this test that system should be able to access SDL microservices URL with respective port.

  1. To install chrome extension requestly plugin by visiting this below URL in the browser and install it.
    https://chrome.google.com/webstore/detail/requestly-redirect-url-mo/mdnleldcmiljblolnjhpnblkcekpdkpa
  2. Add New Rule and select “Modify Headers in HTTP Request and Response” rule.
    requesting-plugin-step1
  3.  In order to perform queries on the Public Content API from a graphical IDE such as GraphiQL, obtain an authentication token from the Content Delivery Token Service(which runs alongside the Discovery Service), then pass that token to GraphiQL in a request header in your requests, In our case,  To create a new rule to pass the pre-generated valid token value, How to generate the token value using postman request refer to this article.
    Request Header: Authorization 
    Value: Bearer client_id%3Dcduser%26Role%3Dcd%26FirstName%3DCD%26AllowedCookieForwarding%3Dtrue%26LastName%3DUser%26expiresOn%3D1531835268069%26digest%3D0fSvAGLWzRtX7TLZSzxTwnVOP5AP-fkF13AjpKS81U%3D
    Request URL contains: /cd/api 

    requesting-plugin-step2

  4. Access this below content service graphQL endpoint URL in the browser
    http://localhost:8081/cd/api/graphiql
  5. Copy and paste below simple query to the GraphQL IDE
Request:
{
  # Get first 10 publications
  publications(namespaceId: 1, first:10) {
    edges {
      node {
        publicationId
        title
      }
    }
  }
}

GraphQL-response

self-document

Note:
Multi namespace id 1 is Sites, id 2 is docs.

GraphQL samples refer to the SDL documentation

I hope it helps

If you have any questions, please direct your questions here.

ECL · Sites 9 · Tridion

Using Flicker ECL Connector Integration with SDL Tridion Sites 9.0

This post will explain step by step how to install and setup to use Flicker External Content Library (ECL) connector in SDL Tridion Sites 9.0.

  1. Download the Bart ECL Flicker provider source
  2. Extract and Open the Flickr ECL Provider.sln solution file
  3. Copy the Tridion.ExternalContentLibrary.V2.dll from your SDL Tridion Sites installed server location
    [Tridion-Home]\bin\clients\ to your solution and Add a References make it CopyToLocal to false
  4. Build the application
  5. Go to C:\ProgramData\SDL\SDL Tridion\External Content Library\AddInPipeline\AddIns\ and create a folder  “FlickrProvider”
  6. Copy the build files to FlickrProvider
  7. Create a Flickr API key?
    • Step 1: Go to Flickr
    • Step 2:  If you have created an account with Flickr, Sign In, else Sign Up
    • Step 3:  Click on API Keys
    • Step 4: Apply and create the app details to get the API Key and note the UserID of your Flicker account
      Eg User account ID: "389927622@N03"
  8. Go to CME Administration -> Multimedia Types and create the ECL Library MIME Type as application/externalcontentlibrary, the extension is eclecl_mimetype
  9. Go to your Master publication and create the folder as “Flicker Stubs” and note down the TCM URI of the folder
  10. Go to SDL Tridion Sites Installation [Tridion-Home]\config\ folder and update the ExternalContentLibrary.xml config to add the mount point for Flickr provider
    <MountPoint type="FlickrProvider" version="*" id="flickr" rootItemName="Flickr">
        <StubFolders>
            <StubFolder id="tcm:2-4-2" />
        </StubFolders>
        <PrivilegedUserName>MTSUser</PrivilegedUserName>
        <FlickrApiKey xmlns="http://flickr.com/services/api">fb32195b65809d25da2ec84983833xxxx</FlickrApiKey>
        <FlickrNSID xmlns="http://flickr.com/services/api">13313714@N04</FlickrNSID>
    </MountPoint>
  11. Restart the SDL Web Content Manager Service Host
  12. Access to verify the Content Publication for Flicker ECL Items

ECL_Items

 

I hope it helps

If you have any questions, please direct your questions here.