Versions Compared

Old Version 5

changes.mady.by.user Mathias Mattson (MHM)

Saved on

compared with

New Version 6

changes.mady.by.user Mathias Mattson (MHM)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

When all requirements have been met, you're now able to enable AAD login for the products you decided on (DC and/or MM)

Enabling AAD

To enable the AAD functionality, you need to do the following:

Go to your DC's web.config file and edit it - preferably with Notepad++.

In the <sectionGroup name="digiConfig"> tag, add the following:

Code Block
languagexml
<section name="azureActiveDirectory" type="DigiEyeZ.Framework.WebLibrary.Configuration.AzureActiveDirectorySection" />

Making it look like this

Configuration examples

Not DC - possibly MM

Aka. "DC API server only

(MM)

"

Enabling the beneath configuration will enable only MM to use AAD. The DAM Center will still remain using the default non-AAD login.

Please be aware the the templateMemberId should be the user ID of the template user, you've noted down while verifying that you met the requirements (step 3: The ID of a user of which you want all your users to look like (AAD Template User)). In my case below its 30027.

Code Block
languagexml
<azureActiveDirectory>
	<server enabled="true" templateMemberId="30027" />
</azureActiveDirectory>

The Copying the the above into the web.config will make it look like the following

DC - possibly MM

Aka. "DC API server with single tenant client login

(DC and MM)

"

The below configuration enabled both DC and MM to use AAD for logging in.

The "templateMemberId" is again the one you defined in the requirement section (requirement 3 - just as before).

The "clientId" is found the Application ID of the DAM Center's App registration you made a note about in the Azrequirements section

The "tenant" 
Code Block
languagexml
<azureActiveDirectory>
	<server enabled="true" templateMemberId="30027" />
	<client enabled="true" clientId="33384545-4fe0-4b68-85d6-9edcb35c46909edcb35c4590" tenant="mytenantid.onmicrosoft.com" />
</azureActiveDirectory>

Please see the image from "Not DC - possibly MM" to get the gist of how it'll look upon implementing the above config.

Understanding "server" and "client"

The children of azureActiveDirectory, server and client can be a bit difficult to wrap one's head around - here's some explanation:

Server: Defines the user used for creating new AAD users.

Client: Defines that the corresponding site corresponding to the chosen client ID/application ID and tenant will use AAD for logging in. The client ID of the MM must not be input into the DC's web.config's azureActiveDirectory tag - instead the MM will have its own client ID defined within its own web.config.

Configuration schema

Beneath, you'll see the definition of all the available options you have for setting up

Code Block
languagexml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="azureActiveDirectory" xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
  <xs:element name="azureActiveDirectory" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">
    <xs:complexType>
      <xs:choice minOccurs="0" maxOccurs="unbounded">
        <xs:element name="client">
          <xs:complexType>
			<!-- Enables or disables the client using AAD redirect -->
            <xs:attribute name="enabled" type="xs:bool" use="required" />
			<!-- ClientId corresponds to the Application ID in Azure Portal -->
            <xs:attribute name="clientId" use="required">
				<xs:simpleType>
					<xs:restriction base ="Guid" />
				</xs:simpleType>
			</xs:attribute>
            <!-- AADInstance is the login redirect URI -->
			<xs:attribute name="aadInstance" type="xs:string" default="https://login.microsoftonline.com/{0}" />
			<!-- Tenant is the DNS section of the App ID URI in Azure Portal. Required for single tenant usage -->
            <xs:attribute name="tenant" type="xs:string" />
			<!-- Specifies optional post logout URI. Not used in DC and MM -->
            <xs:attribute name="postLogoutRedirectUri" type="xs:string" />
          </xs:complexType>
        </xs:element>
        <xs:element name="server">
          <xs:complexType>
            <xs:sequence>
              <!-- List of audiences allowed when running multi-tenant applications -->
              <xs:element name="validAudiences" minOccurs="0" maxOccurs="unbounded">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="clear" type="xs:string" minOccurs="0" />
                    <xs:element name="add" minOccurs="0" maxOccurs="unbounded">
                      <xs:complexType>
                        <xs:attribute name="name" type="xs:string" />
                      </xs:complexType>
                    </xs:element>
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
			<!-- Enables or disables the server AAD endpoint -->
            <xs:attribute name="enabled" type="xs:bool" use="required" />
			<!-- Discovery endpoint for validating JwT -->
            <xs:attribute name="stsDiscoveryEndpoint" type="xs:string" default="https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration" />
			<!-- Specifies the DAM Center MemberId used to auto-create users on the fly -->
            <xs:attribute name="templateMemberId" type="xs:int" use="required" />
            <!-- Specify to validate the issuer -->
            <xs:attribute name="validIssuer" type="xs:string" />
          </xs:complexType>
        </xs:element>
      </xs:choice>
    </xs:complexType>
	<xs:simpleType name="Guid">
        <xs:restriction base="xs:string">
            <xs:pattern value="([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})|(\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})"/>
        </xs:restriction>
    </xs:simpleType>
  </xs:element>
</xs:schema>




Table of Contents