In order to use ADFS with the DAM Center, some extra configuration is required.
1 Overview
AD FS ADFS is designed to handle situations where you want to use SSO but your server is not in the same hosting environment as the domain the user is in.
One big difference between AD FS ADFS and normal AD is that AD is a user database you are able to query for different information. AD FS ADFS is not a user database and normally you don't have access to query it for information. It delivers it's information via clams that is configured beforehand.
Seen from the top there are 2 different ways that an AD FS ADFS configuration can be accessed by:
- Active
- The server is able to communicate directly with the AD FS ADFS server. This gives the possibility to make logins without http redirects to the AD FS ADFS server. (Not implemented at the moment.)
- Passive
- The server is not able to communicate with the AD FS ADFS server. So the only way to do logins is via http redirects to the AD FS ADFS server (on the client) and reading the security token the AD FS ADFS server returns when it redirects back.
You can find more information here: https://blogs.technet.microsoft.com/askpfeplat/2014/08/24/AD FSADFS-deep-dive-primer/
At the moment we only support AD FS ADFS with the following products:
- Videoportal
- Media manager
- Digizuite DAM center
- Office Connector
| Note |
|---|
|
This is a quick guide for AD FS ADFS configuration of Digizuite products. There is some more information and some scripts in the AD FSHelper ADFSHelper directory. ?!??! |
1.1 Prerequisites
In order to set up ADFS on DAM, you need to have a running ADFS server. Instructions on installation can be found in the Configure AD FS ADFS on Windows Server 2012 R2 document.
2 AD FS ADFS server
In the AD FS ADFS server create a Relying Party Trust for every site that AD FS ADFS should work on. Under every of these Relying Party Trusts define what data needs to be send in the security token. At the moment, the implementation supports:
- Email
- GivenName
- Role
- GroupSid
- Group
For configuration on Digizuite's servers we need the following certificates.
- Token-decryption
- Token-signing
For a guide on how to set an AD FS ADFS server up and configure it, please read the following documentation: Configure AD FS ADFS on Windows Server 2012 R2
3 Webserver config
The Token-Decrypting certificate needs to be installed in the following place:
- Cert:\\LocalMachine\My Certificate store
The Token-Signing certificate needs to be installed in the following places:
- Cert:\\LocalMachine\My Certificate store
- Cert:\\LocalMachine\TrustedPeople Certificate store
Internal?!?!? In the directory Install_Certificates, the script Install_AD FSADFS_OnWebServer.ps1 are able to help you do this.
3.1 Digizuite DAM center config
In the supplied web.config (from the root of the website) there are some AD FS ADFS configs that need to be changed.
- <allow users="*" /> — Should be removed
- <!-- AD FS ADFS deny users="?" /--> — Needs to be changed to <deny users="?"/>
Original:
| Code Block |
|---|
|
<authorization>
<allow users="*" />
<!-- ADFS deny users="?" /-->
</authorization>
|
ADFS Enabled:
| Code Block |
|---|
|
<authorization>
<deny users="?" />
</authorization> |
- Change <!-- AD FS ADFS add to "<add" and change "/-->" to ">" In the modules part.
Original XML:
| Code Block |
|---|
|
<modules runAllManagedModulesForAllRequests="true">
<remove name="Session" />
<add name="Session" type="Heavysoft.Web.SessionState.HashTableSessionStateModule,Framework.WebLibrary" />
<!-- ADFS add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" / -->
</modules> |
After change:
| Code Block |
|---|
|
<modules runAllManagedModulesForAllRequests="true">
<remove name="Session" />
<add name="Session" type="Heavysoft.Web.SessionState.HashTableSessionStateModule,Framework.WebLibrary" />
<add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
</modules> |
- Change <!-- AD FS ADFS add to "<add" and change "/-->" to ">" In the bottom of the web.config file.
Original XML:
| Code Block |
|---|
|
<!-- ADFS system.serviceModel>
<diagnostics>
<messageLogging maxMessagesToLog="30000" logEntireMessage="true" logMessagesAtServiceLevel="true" logMalformedMessages="true" logMessagesAtTransportLevel="true" />
</diagnostics>
</system.serviceModel>
<system.identityModel>
<identityConfiguration saveBootstrapContext="true">
<audienceUris>
<add value="https://dam.company.org/" />
<add value="https://vp.company.org/" />
<add value="https://mm.company.org/" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<add thumbprint="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" name="http://my-adfs.server.com/adfs/services/trust" />
<add thumbprint="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" name="http://my-adfs.server.com/adfs/services/trust" />
</trustedIssuers>
</issuerNameRegistry>
<certificateValidation certificateValidationMode="PeerOrChainTrust" revocationMode="Online"/>
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="true" domain="tsl2-pc.digidom.dk" path="/" />
<wsFederation passiveRedirectEnabled="true" issuer="https://my-adfs.server.com/adfs/ls/" realm="https://dam.company.org" requireHttps="false" />
</federationConfiguration>
</system.identityModel.services --> |
After change:
| Code Block |
|---|
|
<system.serviceModel>
<diagnostics>
<messageLogging maxMessagesToLog="30000" logEntireMessage="true" logMessagesAtServiceLevel="true" logMalformedMessages="true" logMessagesAtTransportLevel="true" />
</diagnostics>
</system.serviceModel>
<system.identityModel>
<identityConfiguration saveBootstrapContext="true">
<audienceUris>
<add value="https://dam.company.org/" />
<add value="https://vp.company.org/" />
<add value="https://mm.company.org/" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<add thumbprint="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" name="http://my-adfs.server.com/adfs/services/trust" />
<add thumbprint="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" name="http://my-adfs.server.com/adfs/services/trust" />
</trustedIssuers>
</issuerNameRegistry>
<certificateValidation certificateValidationMode="PeerOrChainTrust" revocationMode="Online"/>
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="true" domain="tsl2-pc.digidom.dk" path="/" />
<wsFederation passiveRedirectEnabled="true" issuer="https://my-adfs.server.com/adfs/ls/" realm="https://dam.company.org" requireHttps="false" />
</federationConfiguration>
</system.identityModel.services> |
| Note |
|---|
|
Remember to replace all URLs in the above XML to reflect your environment. my-adfs.server.com should be replaced with the URL to the ADFS server, dam.company.org with the DAM Center URL, vp.company.org with the Video Portal URL (if applicable) and mm.company.org with the Media Manager URL (if applicable). Also do change the thumbprints from the trustedIssuers element with your own. |
- In the section trustedIssuers change the thumbprint to the correct thumbprints from Token-decryption and Token-signing.
- Be aware that in some cases an unshown character might be copied with the thumbprint if you copy from Powershell. That need to be removed.
- my-adfs.server.com should be replaced with the URL of the ADFS server to be used
| Code Block |
|---|
|
<trustedIssuers>
<add thumbprint="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" name="http://my-adfs.server.com/adfs/services/trust" />
<add thumbprint="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" name="http://my-adfs.server.com/adfs/services/trust" />
</trustedIssuers> |
- In the section audienceUris make certain that all urls where a user needs to be redirected to the AD FS ADFS server is noted. Normally only the main URL for the site Is needed here.
- You need to add all URLs that need AD FS ADFS also frontends.
| Code Block |
|---|
|
<audienceUris>
<add value="https://dam.company.org" />
</audienceUris> |
- In the section wsFederation change realm to the precise the same as relying party in the AD FS ADFS server.
| Code Block |
|---|
|
<wsFederation passiveRedirectEnabled="true" issuer="https://my-adfs.server.com/adfs/ls/" realm="https://dam.company.org" requireHttps="true" />
|
- Replace dam.company.org with the URL to the DAM Center using ADFS
| Code Block |
|---|
|
<cookieHandler requireSsl="true" domain="dam.company.org" path="/" /> |
4 Tips & Tricks
- In the section trustedIssuers change the thumbprint to the correct thumbprints from Token-decryption and Token-signing.
- Be aware that in some cases an unshown character might be copied with the thumbprint if you copy from Powershell. That need to be removed.
- my-adfs.server.com should be replaced with the URL of the ADFS server to be used