TEAM IM Insights

Azure AD SSO for ContentWorX (Oracle WebCenter Content)

Written by Terry Wang | Oct 28, 2021 1:52:13 AM

As we see more ContentWorX (TEAM IM's hosted and managed SaaS version of Oracle WebCenter for Government) clients move into the cloud with their IT infrastructure, it has become a common requirement to support user login with their Office 365 credentials. We have established a pattern to support this by implementing SAML2-based SSO with Azure AD.

As the above diagram shows, a typical authentication flow looks like this:

  1. User client requests to access ContentWorX
  2. If the user is not authenticated, ContentWorX redirects the user client to Azure AD for authentication
  3. User completes authentication against Azure AD. Typically, when a user is logged on to a domain-joined corporate device, authentication to Azure AD is seamless.
  4. Azure AD issues a SAML token to the user client, intended for use with ContentWorX
  5. User client presents the token to ContentWorX, which validates the SAML token
  6. ContentWorX processes the user identity together with its attributes. Optionally, the user's group memberships can also be asserted on demand through role claims in the SAML token. These group memberships are mapped to user roles that decide content access privileges in ContentWorX.
    The user attributes and roles are only valid for the current authenticated session. The next time the user re-authenticates with Azure AD, the attributes and roles are refreshed with the values in the newly issued SAML token.
  7. ContentWorX establishes an authenticated user session.
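To make steps 5 and 6 concrete, here is an added example (not ContentWorX's or Oracle WebCenter's own code) of the checks a SAML2 service provider performs on an assertion after its XML signature has been verified, followed by the mapping of Azure AD group claims to application roles. The sample assertion, the tenant id, the service-provider audience URL and the group-to-role table are all constructed for illustration; the groups claim name is the one Azure AD emits by default. Signature verification itself is assumed to have been done beforehand by an XML-DSig library and is not repeated here.

```python
"""Post-signature checks on an Azure AD SAML2 assertion and group-to-role mapping.

Added example: the assertion, issuer, audience and role table below are
constructed placeholders, not values from any real deployment. The XML
signature is assumed to have been verified already by a proper XML-DSig library.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # production code should prefer defusedxml

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Default claim name under which Azure AD emits group object ids.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed: the issuer and audience the service provider is configured to expect.
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
EXPECTED_AUDIENCE = "https://contentworx.example/sp"

# Hypothetical mapping from Azure AD group object ids to application roles.
GROUP_TO_ROLE = {
    "11111111-2222-3333-4444-555555555555": "contributor",
    "66666666-7777-8888-9999-000000000000": "records_manager",
}

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2021-10-28T01:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.gov</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2021-10-28T00:55:00Z" NotOnOrAfter="2021-10-28T02:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://contentworx.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2021-10-28T01:00:00Z (fractional seconds dropped)."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience,
                       now=None, skew=timedelta(minutes=2)):
    """Return the session identity {name_id, attributes, roles} or raise ValueError.

    Checks issuer, validity window (with a small clock-skew allowance) and audience,
    then maps known group claims to roles. Unknown groups grant nothing.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise ValueError("not a SAML assertion")

    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != expected_issuer:
        raise ValueError("unexpected issuer %r" % issuer)

    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if now + skew < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= _ts(cond.get("NotOnOrAfter")):  # NotOnOrAfter is exclusive
        raise ValueError("assertion expired")

    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this service provider")

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        raise ValueError("assertion has no subject NameID")

    attributes = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attributes[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", SAML_NS)]

    # Roles live only in this session; they are recomputed from the next assertion.
    groups = attributes.get(GROUPS_CLAIM, [])
    roles = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
    return {"name_id": name_id, "attributes": attributes, "roles": roles}


if __name__ == "__main__":
    session = validate_assertion(SAMPLE_ASSERTION, EXPECTED_ISSUER, EXPECTED_AUDIENCE,
                                 now=_ts("2021-10-28T01:00:00Z"))
    print(session["name_id"], session["roles"])
```

The role set is derived only from group ids the service provider explicitly knows, so a group that is added in Azure AD but not mapped here confers no access, and because the mapping is recomputed from each new assertion, removing a user from a group in Azure AD takes effect at their next login, which is the session-scoped behaviour described in step 6.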


This architectural pattern has the following clear advantages:

  • Users can use a single identity when working in Office 365 and ContentWorX ECM-as-a-Service. This allows easier management of content ownership, access control and records keeping.
  • User access to ContentWorX is managed in the client’s identity infrastructure. The client has full control over user provisioning/deprovisioning and role access permissions.
  • ContentWorX does not keep any client user credentials, eliminating any risk of credential exposure.