For AAD login to work, make sure that the following requirements are met.
1: Access to your AAD Azure Account
Access https://portal.azure.com and log in.
If you are able to see "Azure Active Directory", you meet this requirement.
NOTE: Azure Active Directory group membership synchronization to DC requires the Azure subscription level "Premium P1" or "Premium P2".
2: AD and ADFS must be disabled
Access the product or products (DC and/or MM) you want to enable AAD login for and verify that you are met with the standard Digizuite login screen (and not the ADFS or AD one).
If you are not met with a prompt asking you to log in with AD or ADFS, you meet this requirement and can go ahead with configuring AAD.
3: The ID of a user that all your AAD users should be modelled on (AAD Template User)
By default the DAM Center is configured with two users that are "copied" every time either a collection user or a self-signup user is created by the system. These two are just users, like any other user. What sets them apart is that their passwords are usually something that is never meant to be typed again, and that their member IDs have been configured to be called upon by the system.
Usually the self-signup user named "self-sign up template user" has already been set up correctly if the self-signup functionality is enabled in your Media Manager. If this is the case, this user can usually be used for automatic assignment of roles when creating AAD users. Remember this user's user ID (usually something like "300xx").
Info: If the group feature is used, the templateUserId is optional and can be set to 0, as group membership is assigned from AAD group membership.
If you don't want to use the previously mentioned template user, you'll have to create a new user. You do this with the following steps:
- Log in to your DAM Center with a Super Administrator or an Administrator user
- Go to System tools → Users and groups → Users → System users and press Add
- In the Username field, you type in "AAD Template User", in the password field you type in something random, and in the Metagroup field "User Config" and press create
- Now make a note about your new user's user ID
- Now edit the user's roles by expanding the Edit menu on the right side, make sure that you are in the view named "Standard", and add the following groups:
- Internal access
- Light user or Content Creator
- Public access
- Trusted (usually, already added by default)
- Press save
The ID you have noted down will be used in an upcoming section, where you have to edit some XML.
4: Create groups in DAM Center that reflect Active Directory groups
Info: This step requires the Azure subscription level "Premium P1" or "Premium P2"; otherwise go to step 5.
Navigate to System Tools / Groups in Dam Center / Users and groups / Groups.
Create a Folder by right clicking Groups and selecting Add folder
Name the new folder "Azure Active Directory"
Select the new Folder.
In the Azure Portal, navigate to "Azure Active Directory" / "Groups" and note the "Object Id" of each Azure Active Directory group that should grant access to DamCenter. The Object Id is used to bind the Active Directory group to a DamCenter group.
Click "Add", and Give the new DamCenter Group a name.
Click "Create"
Select the new Group, and edit in the right pane.
- Fill in "Binding group name" with the value from the Azure group's "Object Id" field
- Check the "Is Binding group" checkbox
- Select the DamCenter groups that users who are members of the Azure group should be members of
- Click Save.
Repeat for each Azure group that should be mapped.
5: Make an App Registration for DC and/or MM in Azure
DC and MM are at the moment the only two products we offer that require an AAD registration to work with AAD.
You should only register the products you want to enable AAD login for.
I.e. if you choose to have MM as the only application which prompts for users' AAD credentials, your DAM Center application should not be registered in the Azure Portal.
You have to enable AAD for the DC. All other applications that we support AAD for will inherit it from the DC.
You register your product by doing the following steps:
- Access https://portal.azure.com with the Azure credentials you have from the first requirement (Access to your AAD Azure Account)
- Access "Azure Active Directory"
- In here, press "App registrations" beneath "Manage"
- Now press "New application registration"
- In the "Name" field ("The user-facing display name for this application (this can be changed later).") simply enter your DC's URL (this makes it easier to locate in the future; it could be anything). In the "Sign-on URL" field, copy-paste the entire URL of your application
- In the "Redirect URI (optional)" field you may insert your URL again (Note: in some upcoming steps you have to add yet another Redirect URI)
- Press the button at the bottom of the page
- Make a note of the "" - you need this for later
- Click "Authentication" in the left pane
- Click on "Redirect URIs" and add Web Redirect URIs for:
- https://<damurl>
- https://<damurl>/LoginService
- Check "Access tokens" and "ID tokens" and click Save
- Go to the upper right corner and press your profile card
- Press "Switch Directory"
- Copy the ID on the second line
- Now go into the app registration. Press Settings, and then Properties. Make a note of the App ID URI without https:// and the GUID
Info: For example "https://digizuite.onmicrosoft.com/95303ff7-f100-47ab-ad3a-2a465ff47bd0" becomes "digizuite.onmicrosoft.com".
Repeat the process for the product you didn't just configure (the MM if you set up the DC, and vice versa).
When this is done, make a note of the Application IDs of the new App registrations you have just made.
The last thing that has to be done is to invite users to the site. This is described in another guide. In short, access your site's registration in the "Enterprise Applications" tab in the AAD section, and take it from there.
Configuration for Active Directory group membership synchronization
Info: This section is only relevant if an Azure Premium P1 or Azure Premium P2 subscription is used.
- Select Manifest in the left pane
- Modify the JSON document by changing the line "groupMembershipClaims": null, to "groupMembershipClaims": "SecurityGroup",
Valid options for groupMembershipClaims are:
- "All"
- "SecurityGroup"
- "DistributionList"
- "DirectoryRole"
See: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
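The manifest edit above and the App ID URI example from step 5 are easy to get subtly wrong by hand (a misspelled claim value, a missing "/LoginService" redirect URI). The following Python script is an added example, not part of this guide or of the Digizuite or Microsoft tooling: it loads a constructed sample of an app registration manifest, sets groupMembershipClaims only to one of the four valid values, reports which of the two required Web redirect URIs are missing for a given DAM URL, and derives the "digizuite.onmicrosoft.com" form from the App ID URI. The manifest keys "identifierUris" and "replyUrlsWithType" are the ones the Azure portal manifest uses; the sample values (appId, URLs) are made up.

```python
import json
from urllib.parse import urlparse

# The four values the guide lists for groupMembershipClaims.
VALID_GROUP_CLAIMS = {"All", "SecurityGroup", "DistributionList", "DirectoryRole"}

# Constructed sample of an app registration manifest (made-up appId and URLs;
# only the keys relevant to this guide are included).
SAMPLE_MANIFEST = """{
  "appId": "00000000-0000-0000-0000-000000000000",
  "identifierUris": ["https://digizuite.onmicrosoft.com/95303ff7-f100-47ab-ad3a-2a465ff47bd0"],
  "groupMembershipClaims": null,
  "replyUrlsWithType": [
    {"url": "https://dam.example.com", "type": "Web"}
  ]
}"""


def tenant_domain_from_app_id_uri(app_id_uri):
    """Return the host of the App ID URI, i.e. the value without https:// and the GUID.

    "https://digizuite.onmicrosoft.com/<guid>" -> "digizuite.onmicrosoft.com"
    """
    parsed = urlparse(app_id_uri)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("unexpected App ID URI: %r" % app_id_uri)
    return parsed.netloc


def is_valid_group_claim(value):
    """True only for the claim values the manifest accepts."""
    return value in VALID_GROUP_CLAIMS


def set_group_membership_claims(manifest, value):
    """Return a copy of the manifest with groupMembershipClaims set to a valid value."""
    if not is_valid_group_claim(value):
        raise ValueError("invalid groupMembershipClaims value: %r" % value)
    updated = dict(manifest)
    updated["groupMembershipClaims"] = value
    return updated


def missing_redirect_uris(manifest, dam_url):
    """List the required Web redirect URIs (base URL and /LoginService) not yet present.

    Comparison is an exact string match, so the case used in the portal must
    match the case the application sends.
    """
    base = dam_url.rstrip("/")
    required = {base, base + "/LoginService"}
    present = {
        entry["url"]
        for entry in manifest.get("replyUrlsWithType", [])
        if entry.get("type") == "Web"
    }
    return sorted(required - present)


def prepare_manifest(manifest_text, dam_url, claims="SecurityGroup"):
    """Apply the guide's manifest change and report what still needs attention.

    Returns (updated manifest dict, missing redirect URIs, tenant domain).
    """
    manifest = json.loads(manifest_text)
    updated = set_group_membership_claims(manifest, claims)
    missing = missing_redirect_uris(updated, dam_url)
    domain = tenant_domain_from_app_id_uri(updated["identifierUris"][0])
    return updated, missing, domain


if __name__ == "__main__":
    updated, missing, domain = prepare_manifest(SAMPLE_MANIFEST, "https://dam.example.com")
    print(json.dumps(updated, indent=2))
    print("missing redirect URIs:", missing)
    print("tenant domain:", domain)
```

Run against the sample, the script reports that "https://dam.example.com/LoginService" is still missing and prints the updated manifest with "groupMembershipClaims": "SecurityGroup". "SecurityGroup" is the narrowest of the listed values that still covers the DamCenter binding groups; "All" additionally emits distribution lists, which this guide does not use.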