Additional configuration for a multi-domain ADFS setup

This chapter describes the additional configuration steps that must be performed to get the Content Manager Governance and Compliance app running in an ADFS environment when the SharePoint instance and the Content Manager server are located on two separate domains. These steps apply only if your SharePoint instance is located on premises. For SharePoint Online, refer to the document “Configuring Content Manager integration for SharePoint Online using Azure AD authentication”. It is assumed that you have already enabled ADFS for your SharePoint web application and for the Content Manager Governance and Compliance app IIS site; if not, refer to Additional configuration to support ADFS.

The following configuration needs to be performed before you publish the settings using the configuration tool:

  1. Token Provider

    The Content Manager Governance and Compliance app comes with a token provider. This provider is available in the assembly HP.Integration.SharePoint.Token.Provider, which can be found under the installation directory along with the other integration assemblies. In an ADFS environment the Content Manager Governance and Compliance app loads this provider whenever a token is required (during configuration propagation and while relocating older versions of a document).

    1. Configuring Token Provider

      This token provider reads the ADFS values from the STSDetails.xml file under the installation directory. The file contains the following entries:

      EndPoint - The full URL of the usernamemixed or windowsmixed federation endpoint. Note that the endpoint is not enabled by default; once you enable it, you need to restart the Active Directory Federation Services Windows service. If the global authentication policy in ADFS is set to use both forms and Windows authentication, you can use the windowsmixed endpoint. Use the usernamemixed endpoint if forms authentication alone is set up. If you are using the windowsmixed endpoint, there is no need to specify the username and password.

      For example, if your ADFS root URL is https://spadfsdc.sharepointadfs.local, the full URL of the usernamemixed federation endpoint is

      https://spadfsdc.sharepointadfs.local/adfs/services/trust/13/usernamemixed

      UserName - UPN of the job processing account. Required only when forms authentication alone is set up in ADFS.

      Password - Job processing account password. Required only when forms authentication alone is set up in ADFS.

      RelyingPartySharePoint – The urn identifier of the SharePoint relying party trust in ADFS

      RelyingPartyUrlSharePoint – The URL identifier of the SharePoint relying party trust in ADFS (the one that ends in “_trust”)

      RelyingPartyGovernanceApp – The urn identifier of the Governance app relying party trust in ADFS

      RelyingPartyUrlGovernanceApp – The URL identifier of the Governance app relying party trust in ADFS

  2. Configuration propagation

    Publishing the configuration settings requires the ADFS details from STSDetails.xml. Specify the ADFS details in STSDetails.xml and make the following changes to the web.config file before the settings can be published. Set the value of clientCredentialType to “None” in the webHttpBinding.

    Change the authentication settings of the SecureServices folder from Windows Authentication to Anonymous.
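    As an added example (not code from the product), the two web.config and IIS changes above scripted with PowerShell. Assumptions: the Governance app IIS site name and the web.config path are placeholders, and the webHttpBinding in web.config keeps its client credential setting under the usual WCF security/transport element.

```powershell
# Added example, not part of the product. Assumptions: the Governance app IIS site
# name and web.config path are placeholders; the webHttpBinding stores its
# clientCredentialType on the WCF <security><transport> element.
Import-Module WebAdministration

function Set-PropagationConfig {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$WebConfigPath
    )

    # 1. clientCredentialType = "None" on every webHttpBinding binding in web.config.
    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $bindings = $cfg.SelectNodes('/configuration/system.serviceModel/bindings/webHttpBinding/binding')
    if ($bindings.Count -eq 0) { throw "no webHttpBinding bindings found in $WebConfigPath" }
    foreach ($b in $bindings) {
        $transport = $b.SelectSingleNode('security/transport')
        if ($null -eq $transport) { throw "binding '$($b.GetAttribute('name'))' has no security/transport element" }
        $transport.SetAttribute('clientCredentialType', 'None')
    }
    $cfg.Save($WebConfigPath)

    # 2. SecureServices folder only: Windows Authentication off, Anonymous on. Scoping the
    #    change with -Location leaves the rest of the site's authentication untouched.
    $loc = "$SiteName/SecureServices"
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $true
}

# Placeholders: replace with the real site name and install directory.
Set-PropagationConfig -SiteName 'CMGovernanceApp' -WebConfigPath 'C:\<install directory>\web.config'
```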

  3. Relocating older versions of a SharePoint document

    The relocation process needs the SharePoint relying party information from STSDetails.xml. If the ADFS values for the environment are not specified in this file, only the latest version of a SharePoint document will be relocated.

  4. Extending the Token Provider

    If the global authentication policy in ADFS is set so that only forms authentication is enabled, the usernamemixed endpoint needs to be specified in STSDetails.xml.

    In that case, to obtain the token from ADFS, the token provider that ships with the integration requires the username and password of the job processing account to be available in the configuration file.

    The password must be stored unencrypted. If organizational policy does not allow this, you can create your own token provider and register it. The Content Manager Governance and Compliance app loads the registered provider while propagating configuration changes and while relocating older versions of a SharePoint document.

    The sample provider can be used as a reference. Contact Content Manager Support for the source code of the sample provider.
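    As an added example (not code from the product), a PowerShell pre-flight check that applies the rules from section 1 and this section to an STSDetails.xml file: the endpoint must be usernamemixed or windowsmixed, UserName and Password are required only for usernamemixed (and the stored password is flagged because it is unencrypted), credentials for windowsmixed are reported as unnecessary, and all four relying party entries must be present. The element names follow the entries documented in section 1; the root element name and the sample values are assumptions.

```powershell
# Added example, not part of the product. Assumed layout: a root element whose child
# elements carry the entries documented in section 1 (EndPoint, UserName, Password, RelyingParty*).
function Test-StsDetails {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    $sts = $doc.DocumentElement
    $problems = New-Object 'System.Collections.Generic.List[string]'
    # EndPoint must be the usernamemixed or windowsmixed trust endpoint under the ADFS root URL.
    $endpoint = [string]$sts.EndPoint
    $kind = $null
    if ($endpoint -match '^https://[^/]+/adfs/services/trust/13/(usernamemixed|windowsmixed)$') { $kind = $Matches[1] }
    else { $problems.Add("EndPoint is not a usernamemixed/windowsmixed endpoint: '$endpoint'") }
    $hasUser = -not [string]::IsNullOrWhiteSpace([string]$sts.UserName)
    $hasPass = -not [string]::IsNullOrWhiteSpace([string]$sts.Password)
    switch ($kind) {
        'usernamemixed' {
            # Forms-only ADFS: the shipped provider needs the job processing account UPN and password.
            if (-not $hasUser) { $problems.Add('UserName (job processing account UPN) is required for usernamemixed') }
            if (-not $hasPass) { $problems.Add('Password is required for usernamemixed') }
            else { Write-Warning "Password is stored unencrypted in $Path; restrict its ACL or use a custom token provider" }
        }
        'windowsmixed' {
            # Windows authentication is used: stored credentials are unnecessary and only add exposure.
            if ($hasUser -or $hasPass) { $problems.Add('UserName/Password are not needed for windowsmixed; remove them') }
        }
    }
    # All four relying party identifiers are required; the SharePoint URL identifier ends in _trust.
    foreach ($n in 'RelyingPartySharePoint','RelyingPartyUrlSharePoint','RelyingPartyGovernanceApp','RelyingPartyUrlGovernanceApp') {
        if ([string]::IsNullOrWhiteSpace([string]$sts.$n)) { $problems.Add("$n is missing") }
    }
    $spUrl = [string]$sts.RelyingPartyUrlSharePoint
    if ($spUrl -and $spUrl -notmatch '/_trust/?$') { $problems.Add("RelyingPartyUrlSharePoint should end in _trust: '$spUrl'") }
    return $problems
}

# Constructed sample: forms-only (usernamemixed) ADFS with the password left out.
$sample = Join-Path $env:TEMP 'STSDetails.sample.xml'
@"
<STSDetails>
  <EndPoint>https://spadfsdc.sharepointadfs.local/adfs/services/trust/13/usernamemixed</EndPoint>
  <UserName>jobproc@sharepointadfs.local</UserName>
  <Password></Password>
  <RelyingPartySharePoint>urn:sharepoint:intranet</RelyingPartySharePoint>
  <RelyingPartyUrlSharePoint>https://intranet.sharepointadfs.local/_trust/</RelyingPartyUrlSharePoint>
  <RelyingPartyGovernanceApp>urn:cm:governanceapp</RelyingPartyGovernanceApp>
  <RelyingPartyUrlGovernanceApp>https://cmapp.sharepointadfs.local/</RelyingPartyUrlGovernanceApp>
</STSDetails>
"@ | Set-Content -Path $sample
Test-StsDetails -Path $sample
```

    On the constructed sample the check returns a single problem, the missing Password; on a windowsmixed file with credentials it instead reports them as unnecessary.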

    1. ITokenProvider Interface

      To create a custom token provider, implement the ITokenProvider interface, which is available in the HP.Integration.SharePoint.Common assembly.

    2. Registering your own custom token provider

      Once the custom provider assembly has been copied to the bin subdirectory under the installation directory:

      1. Open the TokenProvider.xml file, which is available under the install directory.

      2. Replace the “AssemblyName” and “ClassName” values in this file with the custom assembly name and class name. Note that the class name must include the namespace.

  5. IIS Configuration

    The following IIS configuration is required for Federated Search using the Content Manager results source and for viewing managed SharePoint documents using Content Manager.

    1. Create a new directory “SearchAndView” under your SharePoint Integration installation directory.

    2. Copy the bin directory from the installation directory to this “SearchAndView” directory.

    3. Copy the following files to the “SearchAndView” directory:

      1. CacheConfiguration.xml

      2. EnterpriseLibrary.Config

      3. Create a new web.config file and copy the following contents to it:

    Once these steps have been performed, the “SearchAndView” directory will look like this:

  6. Create a new IIS Site

    1. Type in “SearchAndView” for the Site name.
    2. Select the Content Manager SharePoint Server as the application pool.
    3. Make sure the firewall allows access to the port used by the SearchAndView website. If access is not allowed, SharePoint search will time out and will not display any results.
    4. Set the physical path to the “SearchAndView” directory that was created above and click OK.

  7. Set up the authentication

    Enable Windows Authentication for the Search site:

  8. Create virtual directories

    Right-click the SearchAndView site in IIS Manager and select the option “Add Virtual Directory”.

    Choose “Pages” for the alias and set the physical path to the “Pages” subdirectory under the install directory. Similarly, create another virtual directory for “Scripts” and one for “SecureServices”. Once the virtual directories have been created, the SearchAndView IIS site will look like this:
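    As an added example (not code from the product), steps 5 to 8 above as one PowerShell script: the SearchAndView directory and its copied files, the IIS site on the Content Manager SharePoint Server application pool, the firewall rule for the site's port, Windows Authentication, and the three virtual directories. The install directory and port are placeholders, and the web.config contents that step 5.3 expects are not reproduced here.

```powershell
# Added example, not part of the product. Placeholders: the install directory and the
# site port. The web.config from step 5.3 must still be created from the documented contents.
Import-Module WebAdministration

function New-SearchAndViewSite {
    param(
        [Parameter(Mandatory)][string]$InstallDir,
        [Parameter(Mandatory)][int]$Port,
        [string]$AppPool = 'Content Manager SharePoint Server'
    )
    $root = Join-Path $InstallDir 'SearchAndView'
    New-Item -ItemType Directory -Path $root -Force | Out-Null

    # Step 5: the bin directory plus the two configuration files go into SearchAndView.
    Copy-Item -Path (Join-Path $InstallDir 'bin') -Destination $root -Recurse -Force
    foreach ($f in 'CacheConfiguration.xml', 'EnterpriseLibrary.Config') {
        Copy-Item -Path (Join-Path $InstallDir $f) -Destination $root -Force
    }

    # Step 6: the site itself, on the existing application pool and a dedicated port.
    New-Website -Name 'SearchAndView' -PhysicalPath $root -ApplicationPool $AppPool -Port $Port | Out-Null

    # Step 6.3: open the port, otherwise SharePoint search times out with no results.
    New-NetFirewallRule -DisplayName "SearchAndView ($Port)" -Direction Inbound -Protocol TCP `
        -LocalPort $Port -Action Allow | Out-Null

    # Step 7: Windows Authentication for the Search site.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'SearchAndView' `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled -Value $true

    # Step 8: virtual directories that point back into the install directory.
    foreach ($alias in 'Pages', 'Scripts', 'SecureServices') {
        New-WebVirtualDirectory -Site 'SearchAndView' -Name $alias `
            -PhysicalPath (Join-Path $InstallDir $alias) | Out-Null
    }
}

# Placeholders: replace with the real install directory and the port you intend to use.
New-SearchAndViewSite -InstallDir 'C:\<SharePoint Integration install directory>' -Port 8080
```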

  9. To view managed documents in Content Manager

    1. Browse to the installation directory and edit DocumentViewDetails.xml.
    2. Set the value of LoadBalancedUrl to the URL of the new SearchAndView site and save the file.
    3. Restart the job processing service.

  10. Federated Search

    1. Browse to the SharePoint site collection and edit the Result Source. Refer to Chapter 17, Searching for existing Content Manager records using SharePoint search, in the SharePoint Integration User Guide.pdf.
    2. Modify the Source URL of the Content Manager Result Source in SharePoint so that it points to the SearchAndView IIS site. Note that it is the root segment of the URL that needs to change.