Sitecore Content Hub: Advanced Security Setup and Policies

To run synchronization with Sitecore Content Hub, you must have a Sitecore Content Hub user who has access to the necessary data. To give the user permission to run synchronizations, you must assign the correct access rights to the user.

The rights you assign depend on whether the user needs access to the Digital Assets Management (DAM) of Content Hub, the Content Management Platform (CMP), or both.

To configure a user group policy, you have to adhere to the following steps:

• Begin by setting up a rule
• Then, add conditions
• Define permissions
• Set up a rule for portal pages
• Then, add privileges
• And finally, set up member security

Example:

Single Sign-on

Single Sign-On (SSO) enables users to log in to Sitecore Content Hub using OAuth authentication providers. For accessing the page navigate to "Manage" > "Settings" > "Authentication," change the formatting from "Tree" to "Text" on the toolbar of the JSON structure, and proceed with modifying your configuration as required.

Configuration

Structure

The behavior of SSO can be configured in the ‘Authentication’ setting in the PortalConfiguration category.

The setting looks as follows:

Overrides

The following "global" attributes can be overridden on the provider level:

• username_claim_type
• email_claim_type

Redirecting to another user creation page

When autoCreateUsers is set to true, a new user account is automatically created. However, when set to false, by default, you are redirected to an error page.

It is possible to override this behavior to redirect to an external user creation page instead by using the external_user_creation_url parameter in the provider configuration shown in the Structure snippet.

SAML

Example:

Properties

• metadataLocation (required): The URL or path pointing to the XML metadata of a SAML service provider.
• spEntityId (required): The entity-id of the service provider.
• idpEntityId (required): The entity-id of the identity provider.
• providerName (optional, default=SAML): The name of the identity provider, as shown in the UI.
• authenticationMode (optional; default=Passive): If set to "Active", the website will automatically redirect to the provider's login page. If set to passive, the user has to click the "Use SAML authentication" button, after which they are redirected to the provider's login page.

 

Notes:

• Multiple SAML providers are only supported when they're all set to "authentication_mode = Passive". If one of the providers is "Active", the application will automatically redirect users to that provider's login page.
• If multiple SAML providers are used, make sure they all have a unique "provider_name". The provider-name will be used in the callback-URL, so it cannot contain any spaces or slashes.
• Content Hub does not support signed authentication requests via certificates.

 

To learn more about security measures that you can use and implement for your business’s digital presence reach out to us. Our team of certified experts will not only provide you with relevant information but also assist in implementing security measures for your specific business requirements.