Advanced Configurations
Persisting Manual Configuration
PTC Arbortext Content Delivery provides some default SSO-specific configurations that are managed through the Configurator, and every restart of the application server re-configures the application. To stop the Configurator from overwriting your manual changes, set the Configurator_DisableSSOConfiguration=true property in the setup.properties file located at $INS_INSTALL/InS_SW/SW/.
Customizing SSO Configuration Files
You might want to make changes to SSO configuration to suit your applications. You can customize these configurations by updating the following configuration files:
Customization Actions | Files to be Updated
Change client secret in encrypted format; change certificate details such as jks name, keys, and so on; change the path and filename of the IdP metadata | securityContext.properties
Rename existing file; update IdP metadata configuration | openam-idp.xml
Update the client id/secret in encrypted format; update scopes | resourceServers.xml
To change client secret in encrypted format, perform the following steps for password encryption:
1. Open the command line and execute PasswordEncryptionUtility, available at the location InS_SW\SW\PasswordEncryptionUtility.
2. Press 1 and then enter the password string that you want to encrypt.
Allowing Other Clients to Access APIs
To allow access to other clients:
1. Create a client for a third-party application in PingFederate.
2. Get the authentication token to access the SP by sharing the client ID, secret, scope, and so on.
3. Pass the same authentication token as a bearer token while fetching REST resources.
Configuring the Load Balancer for SSO
The Load Balancer (LB) configuration for viewer can be achieved through the Configurator. If you want to configure the LB for ACD Publisher applications (such as TaskManager, Configurator, and Preview), and you also want to configure SSO, perform the following steps.
1. Add the following LB-specific properties to securityContext.properties:
org.springframework.security.saml.context.SAMLContextProviderLB.serverName={LB Hostname}
org.springframework.security.saml.context.SAMLContextProviderLB.scheme={http/https}
org.springframework.security.saml.context.SAMLContextProviderLB.contextPath=/ACD
org.springframework.security.saml.context.SAMLContextProviderLB.serverPort={LB Port}
org.springframework.security.saml.context.SAMLContextProviderLB.includeServerPortInRequestURL=false
2. In the securityContext.xml file, update the contextProvider bean from SAMLContextProviderImpl to SAMLContextProviderLB, as follows. Update from:
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
To:
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
    <!-- Placeholder keys must match the property names exactly, with no spaces inside ${...} -->
    <property name="scheme" value="${org.springframework.security.saml.context.SAMLContextProviderLB.scheme}"/>
    <property name="serverName" value="${org.springframework.security.saml.context.SAMLContextProviderLB.serverName}"/>
    <property name="serverPort" value="${org.springframework.security.saml.context.SAMLContextProviderLB.serverPort}"/>
    <property name="includeServerPortInRequestURL" value="${org.springframework.security.saml.context.SAMLContextProviderLB.includeServerPortInRequestURL}"/>
    <property name="contextPath" value="${org.springframework.security.saml.context.SAMLContextProviderLB.contextPath}"/>
</bean>
All the properties like scheme, serverName and so on should be referenced from the securityContext.properties file.
3. Update the server redirect URI to an LB-specific URI: for the MetadataGenerator bean, update the entityBaseURL property by replacing the current value of org.springframework.security.saml.metadata.MetadataGenerator.entityBaseURL in securityContext.properties with the LB URL, including the context path.
Configure the authorization token URL to refer to the LB URL for each OAuth client on PingFederate.
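The following added example (not part of the PTC documentation or product) checks that the LB properties from step 1, the entityBaseURL from step 3, and the Configurator_DisableSSOConfiguration setting agree with each other before the server is restarted. The function names and sample host names are assumptions, and the port rule reflects how Spring Security SAML's SAMLContextProviderLB adds serverPort to the request URL only when includeServerPortInRequestURL is true.

```python
from urllib.parse import urlsplit
# Added example: function names and sample values are illustrative, not product code.
LB = "org.springframework.security.saml.context.SAMLContextProviderLB."
ENTITY_BASE = "org.springframework.security.saml.metadata.MetadataGenerator.entityBaseURL"

def parse_properties(text):
    """Minimal key=value parser (no line continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_lb_sso(security_props, setup_props):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    if setup_props.get("Configurator_DisableSSOConfiguration", "").lower() != "true":
        findings.append("setup.properties: Configurator will overwrite manual SSO edits on restart")
    names = ("scheme", "serverName", "serverPort", "contextPath", "includeServerPortInRequestURL")
    lb = {n: security_props.get(LB + n, "") for n in names}
    unset = [n for n, v in lb.items() if not v or v.startswith("{")]
    if unset or not security_props.get(ENTITY_BASE):
        return findings + [f"securityContext.properties: unset or placeholder: {unset or ENTITY_BASE}"]
    url = urlsplit(security_props[ENTITY_BASE])
    if url.scheme != lb["scheme"].lower():
        findings.append("entityBaseURL scheme differs from LB scheme")
    if (url.hostname or "") != lb["serverName"].lower():
        findings.append("entityBaseURL host differs from LB serverName")
    if url.path.rstrip("/") != lb["contextPath"].rstrip("/"):
        findings.append("entityBaseURL path differs from LB contextPath")
    # The LB provider puts serverPort in the request URL only when the flag is true,
    # so an explicit port in entityBaseURL has to follow the same rule.
    include_port = lb["includeServerPortInRequestURL"].lower() == "true"
    expected_port = lb["serverPort"] if include_port else None
    actual_port = str(url.port) if url.port is not None else None
    if actual_port != expected_port:
        findings.append("entityBaseURL port does not match includeServerPortInRequestURL/serverPort")
    if lb["scheme"].lower() != "https":
        findings.append("LB scheme is not https: SAML responses would reach the LB in cleartext")
    return findings

# Constructed sample input (host names are placeholders, not values from the product).
SAMPLE_SETUP = "Configurator_DisableSSOConfiguration=true\n"
SAMPLE_SECURITY = "\n".join([
    LB + "serverName=lb.example.com", LB + "scheme=https", LB + "contextPath=/ACD",
    LB + "serverPort=443", LB + "includeServerPortInRequestURL=false",
    ENTITY_BASE + "=https://lb.example.com/ACD"])
```

Run it against the real securityContext.properties and setup.properties by reading both files and passing the parsed dictionaries to check_lb_sso.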