Reason for this is the email address often goes through changes when staff change names or staff move to different areas within the organisation (due to different domains).

Outside of changing the logins of the users in Content Manager to use the UPN address instead, the updates in Azure to the Application Registration and the changes in Enterprise Studio to ensure the UPN comes back are straight forward.

Azure App Registration Changes

Underneath the application registrations ‘Token configuration’ menu, add the following optional claim. Make sure the Token Type is ID (not Access or SAML).

Within the API permissions, make sure the Delegated Profile permission has been added.

TRIM Enterprise Studio

Within Enterprise Studio, jump into the OpenID Authentication tab (may be under right click ➡ properties, or may be under right click ➡ authentication)

Update the Identity scopes to include ‘profile’ as per the screenshot

Update the Identity claim from ‘email’ to ‘upn’ as per the screenshot

Hit the Test Authentication button and try logging in. Note, for the login to the provider, you may still require to use the primary email for autentication, then the UPN will be what is returned from the provider to Content Manager.

If the new claim comes back OK you will see a success message returned with the UPN claim value for this test user.

When ready, Save + Deploy to commit the changes to the workgroup pool.

⚠ Warning - As always, changes should be first tested in a non-production environment to verify it works as expected

Now for the script, my main go-to’s are either VBA, which I write in the back of an excel spreadsheet, or PowerShell.

The choice between the two usually depends on if a client site allow Excel VBA macros to be run, or allows powershell scripts to be run. This is as each client site typically has a different security policy.

For most of my powershell scripts, they tend to be along the lines of connect to a dataset, loop through a CSV, and then do something to either records or locations based on the values in the CSV.

Below you will find my some sample powershell to remove record relationships from a CSV.

This powershell contains my current boilerplate of loading the SDK, connecting to a DB, loading the CSV file, looping through the entries, and writing out values both to console and to a log file.

Sample CSV layout:

Sample Record Prior to Change:

Sample Output:

Sample Log File that gets created:

Sample PS1 script can be found here

Sample CSV that this script used can be found here

⚠ Warning - As always, scripts should first be run in a non-production environment to verify they work as intended

Bad News: It needs a few extra steps (which i found out weren’t greatly documented) Good News: The steps are below and can be done using AzureAD! 😁

Step 1 - Enable the Web Client to use AzureAD for Authentication

Follow the steps here to configure your 23.4 Content Manager WebClient to use AzureAd for authentication.

Step 2 - portal.azure.com App Registration Updates

Jump into the AzureAD App Registration you spun up for the WebClient

Double check the Redirect URIs

For my own application registration, there are 2x Redirect URIs for the WebClient (one with www and one without) but both go to /contentmanager/serviceapi/auth/openid

And since I’m also using this for my dekstop app, I’ve got urn:ietf:wg:oauth:2.0:oob added as a Desktop redirect as well

API Permissions

Make sure the following Delegated permissions are present: email, offline_access, openid, profile, User.Read

Make sure the status shows as Granted for your domain. If not, there is a button to ‘Grant admin consent’ next to the ‘Add Permission’ button

Expose an API

In the Expose an API tab, up the top, where there is an Application ID URI, press ‘Add’. This should auto fill in an api:// URI based on the client ID of the application registration (we will need this later).

Step 3 - adfs_config.xml

We need to make sure that in the ThinOffice Roaming Directory (C:\Users\Scotty\AppData\Roaming\Micro Focus\Content Manager\OfficeIntegration) we create an adfs_config.xml with the following details (NB. A ‘blank’ one of these can be found in your WebClients ADFS directory C:\Program Files\Micro Focus\Content Manager\Web Client\ADFS)

How you deploy this out to end users is up to yourself.

The clientAuthority is the AuthorityURL found from your Application Registrations Endpoint for this organizational directory only (App Registraion -> Overview -> Endpoint Button up the top)

The clientResourceUri and clientID is your Azure App Registraion Client ID (same value for both)

The clientReturnUri is urn:ietf:wg:oauth:2.0:oob

Step 4 - preferences

In the same directory as the adfs_config.xml open up the preferences file in your favourite notepad editor.

Fill in the RMClientURL property. It needs to point to the landing page for your CM Web Client (note, no ending slash)

Step 5 - Update the WebClient hprmServiceAPI.config

Now back onto the WebClient server, open up the mprmServiceAPI.config file. Find the existing ‘openIdConnect add’ stubb and add an additional value entry for appIdURI (CASE SENSITIVE) as per below

This is the same value in the ‘Exponse an API’ in AzureAD with the Application ID URI

Step 6 - PRAY 🙏 and give it a go

Now, when I open Word and click on ‘New Document’ I’m now presented with a login screen. Once logged in, the Integration should light up.

When Word is next launched, it should now also auto-log-in remembering your previous credentials.

If you ever need to remove the saved credentials from the machine they are saved in the same Roaming directory as ToekCache.dat. Deleting this will clear the saved credentials.

Still got a bunch of config to adjust, set up a propper root URL, as well as looking at implementing some CSS.

Who knew I could fork a repo that others already had set up to get myself off the ground.

If you have your own GitHub and want to turn your home page into a Blog head over to to the Jekyll Now repo to get started.