Single Sign-on Configuration for SharePoint Integration Version 5.3 SP4 March 2007
Copyright 1994-2007 EMC Corporation. All rights reserved.
Table of Contents

Preface
Chapter 1 Windows SharePoint Services Single Sign-on
    Modifying Configuration Files for WSS SSO
    Configuring the Documentum Content Services web.config
    Example of default <ssomanagers> node with both SSO options supported
    Specifying WSS SSO in Documentum Content Services
    Enabling WSS SSO logon on the top-level site
    Documentum Content Services-web part
Chapter 2 Microsoft Single Sign-on
    Planning
    Set up accounts
    Microsoft SSO Application Definitions for Documentum Content Services

List of Figures

Figure 1-1. Single Sign-On drop-down list
Figure 1-2. Prompt to configure credentials
Figure 1-3. Documentum credentials

List of Tables

Table 2-1. SSO application definitions
Preface

Seamless integration between Documentum and Microsoft Office SharePoint Server (MOSS) 2007 requires you to configure the single sign-on (SSO) option. Documentum Content Services supports both Microsoft SSO and Windows SharePoint Services (WSS) SSO. Through SSO, user credentials are stored in a secure database and applied when a user logs in to request information from Documentum.

WSS SSO is the default SSO. However, Microsoft SSO is automatically installed as part of the Documentum Content Services installation package and is the recommended SSO option. Additionally, Documentum Content Services supports custom SSO options. Which SSO option you use depends largely on your environment and requirements.

This document is meant to be supplementary to any documentation provided by Microsoft and Documentum regarding the configuration of SSO for MOSS.

Configuration overview for administrators

For WSS SSO, administrators must reconfigure the web.config files that are packaged with each product in order to complete a successful setup. See the Windows SharePoint Single Sign-on section.

When using Microsoft SSO, administrators will need to configure the MOSS server farm. See the Microsoft Single Sign-on section.

Configuration overview for end-users

The configuration of the SSO method must be communicated to end-users. End-users will modify the SSO method in the Tool Pane when first configuring a web part from the EMC Documentum Content Services suite of web parts.

End-users must also know their Documentum credentials (username, password, Documentum domain), as they will be prompted for this information when first accessing a web part from the Documentum Content Services suite of web parts. Once entered, Documentum credentials are stored in the SSO database and the user will not be prompted to enter their credentials again. If user credentials change in Documentum (for example, the username or password changes), the user will be prompted to update their stored credentials.
Chapter 1 Windows SharePoint Services Single Sign-on

By default, the WSS SSO is installed as part of the installation package for Documentum Content Services and is the recommended SSO option. You will need to configure Documentum Content Services accordingly.

Administrators configure the system for WSS SSO by modifying the web.config files for Documentum Content Services and by enabling WSS SSO on the top-level web application. End-users need to configure the EMC Documentum Content Services by accessing the Tool Pane and modifying the SSO settings.

Modifying Configuration Files for WSS SSO

You will need to make appropriate changes to the configuration files for Documentum Content Services in order to specify WSS SSO.

Configuring the Documentum Content Services web.config

The Documentum Content Services web.config configuration file is located in:

    C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\template\layouts\1033\dctm\webpartpages

The <ssomanagers> node within this file specifies that both SSO options are available in the Single Sign-on Option drop-down list of the Tool pane in Documentum Content Services.
Example of default <ssomanagers> node with both SSO options supported

    <ssomanagers>
      <ssomanager id="0" title="wss Single Sign-on" class="wsscredentialmanager"
          assembly="dctm.wsscredentialmanager,version=3.0.1506.0300, publickeytoken=e4ec877ed211dbd8,culture=neutral" />
      <!-- Id="0" is reserved for this item -->
      <ssomanager id="1" title="ms Single Sign-on" class="ssocredentialmanager"
          assembly="dctm.ssocredentialmanager,version=3.0.1506.0300, publickeytoken=e4ec877ed211dbd8,culture=neutral"
          linkurl="/_layouts/1033/ssologon.aspx"/>
      <!-- Id="1" is reserved for this item -->
    </ssomanagers>

Specifying WSS SSO in Documentum Content Services

During the configuration of Documentum Content Services you will need to select the WSS Single Sign-on option from the Single Sign-on Option drop-down list in the Tool pane.

Figure 1-1. Single Sign-On drop-down list

Note: The options displayed in the Single Sign-on Option drop-down list are defined in the Web Parts web.config file.

Enabling WSS SSO logon on the top-level site

The following steps must be performed by a user once for each document library.

1. Log on to the top-level site.
2. Open a page containing an enabled Documentum Content Services web part (for example, Documentum Folders).
Documentum Content Services-web part

1. An error message will be displayed when you first access the page with an enabled web part.
2. Refresh the page. A message prompting you to configure credentials for Single Sign-on appears.

   Figure 1-2. Prompt to configure credentials

   Note: If you do not see the Single Sign-on message as above, but instead see the original error creating the storage list message after refreshing your browser, log off and log back on as an administrator and repeat this step.
3. Click the link. You will be prompted to enter your Documentum credentials, including username, password, and domain name.

   Figure 1-3. Documentum credentials

4. Enter Documentum credentials and click OK. You will be returned to the Web Part page.
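A check an administrator can run over the <ssomanagers> node described in this chapter, added here as an example that is not part of the original guide or of EMC's code. It flags a reserved id bound to a different class, duplicate ids, entries beyond the two reserved ones, and assembly references missing a strong-name field; the function names and the second sample node are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Reserved ids and their classes, taken from the default node in this guide.
RESERVED = {"0": "wsscredentialmanager", "1": "ssocredentialmanager"}
STRONG_NAME_PARTS = ("version", "publickeytoken", "culture")

def strong_name_parts(value):
    """Parse 'name,version=..,publickeytoken=..,culture=..' into {key: value}."""
    pairs = (p.split("=", 1) for p in value.split(",")[1:] if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_ssomanagers(xml_text):
    """Return (id, finding) tuples for every problem in the <ssomanagers> node."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == "ssomanagers" else root.find(".//ssomanagers")
    if node is None:
        return [(None, "no <ssomanagers> node found")]
    findings, seen = [], set()
    for mgr in node.findall("ssomanager"):
        mid, cls = mgr.get("id"), (mgr.get("class") or "")
        if mid in seen:
            findings.append((mid, "duplicate id"))
        seen.add(mid)
        if mid in RESERVED and cls.lower() != RESERVED[mid]:
            findings.append((mid, f"reserved id bound to unexpected class {cls!r}"))
        if mid not in RESERVED:
            findings.append((mid, f"custom manager {cls!r}: review before deployment"))
        parts = strong_name_parts(mgr.get("assembly") or "")
        missing = [p for p in STRONG_NAME_PARTS if not parts.get(p)]
        if missing:
            findings.append((mid, "assembly reference missing " + ", ".join(missing)))
    return findings

# Default node as shown in this guide.
DEFAULT_NODE = """<ssomanagers>
  <ssomanager id="0" title="wss Single Sign-on" class="wsscredentialmanager"
    assembly="dctm.wsscredentialmanager,version=3.0.1506.0300, publickeytoken=e4ec877ed211dbd8,culture=neutral" />
  <ssomanager id="1" title="ms Single Sign-on" class="ssocredentialmanager"
    assembly="dctm.ssocredentialmanager,version=3.0.1506.0300, publickeytoken=e4ec877ed211dbd8,culture=neutral"
    linkurl="/_layouts/1033/ssologon.aspx"/>
</ssomanagers>"""

# Constructed sample: reserved id 1 rebound to another class, plus an extra entry.
CHANGED_NODE = """<configuration><ssomanagers>
  <ssomanager id="1" title="ms Single Sign-on" class="examplemanager" assembly="example.manager" />
  <ssomanager id="2" title="custom" class="examplecustom"
    assembly="example.custom,version=1.0.0.0, publickeytoken=0000000000000000,culture=neutral" />
</ssomanagers></configuration>"""
```

The credential manager class named in each entry is the code that handles stored Documentum credentials, so any finding on this node is worth tracing back to a known change.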
Chapter 2 Microsoft Single Sign-on

The NT identity of the end-user is used as a key for the Microsoft SSO database, allowing for the seamless and automatic retrieval of the username and password needed for access to Documentum. Before installing Documentum Content Services, you will need to configure the Microsoft SSO service in your MOSS server farm.

Planning

It is important that you keep the following considerations in mind when planning for the configuration of Microsoft SSO:

- Choose NT accounts (usually groups) that will have permission to administer SSO, as well as application definitions within SSO.
- Choose a Run as account for the SSO service.
- Choose the SQL server that will host the SSO database. This is usually the same server that holds MOSS databases.

Set up accounts

When setting up accounts for Microsoft SSO, you will need to verify:

- You are a member of the local administrators group on the job server, the local administrators group on the computer running SQL Server, and the SSO administrators group (if a group is used).
- The SSO service Run as account is a member of the SSO administrators group (if a group is used), the STS_WPG group, and the SPS_WPG group.
- The SSO service Run as account has rights associated with db_owner and public on the SQL configuration database.
Microsoft SSO Application Definitions for Documentum Content Services

You will need to create SSO Application Definitions for each Documentum repository that Documentum Content Services will display using the following settings:

Note: Replace the variable DOCBASENAME with the actual Documentum repository name. This value is case sensitive.

Table 2-1. SSO application definitions

Setting                   Value
------------------------  -------------------------------------------------------
Display name              Documentum repository DOCBASENAME
Application name          VorsiteSSOApp_DOCBASENAME
Contact e-mail address:   (Your e-mail address)
Account Type:             Individual
Field 1                   Display Name: Documentum User Name (Mask: No)
Field 2                   Display Name: Documentum Password (Mask: Yes)
Field 3                   Display Name: Documentum Domain Name (Mask: No)
Fields 4-5                (Unused)