When all requirements have been met, you are able to enable AAD login for the products you decided on (DC and/or MM).

Enabling AAD

To enable the AAD functionality, you need to do the following:

In your DAM Center...

Configuration schema

Open your DC's web.config file for editing, preferably with Notepad++.

In the <sectionGroup name="digiConfig"> tag, add the following:

Code Block
<section name="azureActiveDirectory" type="DigiEyeZ.Framework.WebLibrary.Configuration.AzureActiveDirectorySection" />

[Screenshot omitted: the digiConfig sectionGroup after the azureActiveDirectory section has been added]

Configuration examples

DC API server only (MM)

The configuration below enables AAD for MM only. The DAM Center itself keeps using the default non-AAD login.

Please be aware that the templateMemberId must be the user ID of the template user you noted down while verifying that you met the requirements (requirement 3: the ID of a user which all your users should look like, the AAD Template User). In my case below it's 30027.

Code Block
<azureActiveDirectory>
	<server enabled="true" templateMemberId="30027" />
</azureActiveDirectory>

[Screenshot omitted: the resulting web.config with the server-only azureActiveDirectory section]

DC API server with single tenant client login (DC and MM)

The configuration below enables both DC and MM to use AAD for logging in.

The "templateMemberId" is again the one you defined in the requirements section (requirement 3, just as before).

The "clientId" is found in the Az

The "tenant" 

Code Block
<azureActiveDirectory>
	<server enabled="true" templateMemberId="30027" />
	<client enabled="true" clientId="33384545-4fe0-4b68-85d6-9edcb35c4690" tenant="mytenantid.onmicrosoft.com" />
</azureActiveDirectory>

Understanding "server" and "client"

The children of azureActiveDirectory, server and client, can be a bit difficult to wrap one's head around. Here is some explanation:

Server: Defines the template user that is used when creating new AAD users.

Client: Declares that the site matching the given client ID (application ID) and tenant will use AAD for logging in. The MM's client ID must not be entered into the azureActiveDirectory section of the DC's web.config; the MM has its own client ID defined in its own web.config.

Configuration schema

Below is the schema defining all the options available for setting up the section:

Code Block
<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="azureActiveDirectory" xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
  <xs:element name="azureActiveDirectory" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">
    <xs:complexType>
      <xs:choice minOccurs="0" maxOccurs="unbounded">
        <xs:element name="client">
          <xs:complexType>
            <!-- Enables or disables the client using AAD redirect -->
            <xs:attribute name="enabled" type="xs:boolean" use="required" />
            <!-- ClientId corresponds to the Application ID in Azure Portal -->
            <xs:attribute name="clientId" use="required">
              <xs:simpleType>
                <xs:restriction base="Guid" />
              </xs:simpleType>
            </xs:attribute>
            <!-- AADInstance is the login redirect URI -->
            <xs:attribute name="aadInstance" type="xs:string" default="https://login.microsoftonline.com/{0}" />
            <!-- Tenant is the DNS section of the App ID URI in Azure Portal. Required for single tenant usage -->
            <xs:attribute name="tenant" type="xs:string" />
            <!-- Specifies optional post logout URI. Not used in DC and MM -->
            <xs:attribute name="postLogoutRedirectUri" type="xs:string" />
          </xs:complexType>
        </xs:element>
        <xs:element name="server">
          <xs:complexType>
            <xs:sequence>
              <!-- List of audiences allowed when running multi-tenant applications -->
              <xs:element name="validAudiences" minOccurs="0" maxOccurs="unbounded">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="clear" type="xs:string" minOccurs="0" />
                    <xs:element name="add" minOccurs="0" maxOccurs="unbounded">
                      <xs:complexType>
                        <xs:attribute name="name" type="xs:string" />
                      </xs:complexType>
                    </xs:element>
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
            <!-- Enables or disables the server AAD endpoint -->
            <xs:attribute name="enabled" type="xs:boolean" use="required" />
            <!-- Discovery endpoint for validating the JWT -->
            <xs:attribute name="stsDiscoveryEndpoint" type="xs:string" default="https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration" />
            <!-- Specifies the DAM Center MemberId used to auto-create users on the fly -->
            <xs:attribute name="templateMemberId" type="xs:int" use="required" />
            <!-- Specify to validate the issuer -->
            <xs:attribute name="validIssuer" type="xs:string" />
          </xs:complexType>
        </xs:element>
      </xs:choice>
    </xs:complexType>
  </xs:element>
  <!-- A GUID, with or without surrounding braces. Named simple types must be declared at schema level -->
  <xs:simpleType name="Guid">
    <xs:restriction base="xs:string">
      <xs:pattern value="([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})|(\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})"/>
    </xs:restriction>
  </xs:simpleType>
</xs:schema>

Make sure to add the section definition:

Code Block
<section name="azureActiveDirectory" type="DigiEyeZ.Framework.WebLibrary.Configuration.AzureActiveDirectorySection" />
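
As an added check (example code, not part of DAM Center or the DigiEyeZ framework), the script below reads a web.config and verifies the points the schema above spells out: the section is declared in the digiConfig section group, enabled is an XML boolean, clientId is a GUID, templateMemberId is an integer, and a tenant is present when a single-tenant client login is enabled. It assumes the configured section sits under a <digiConfig> element in the configuration root, which is what the digiConfig sectionGroup implies; the sample web.config is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not DAM Center code; assumes the section lives under <digiConfig>
# in the configuration root, which is what the digiConfig sectionGroup implies.
SECTION_TYPE = "DigiEyeZ.Framework.WebLibrary.Configuration.AzureActiveDirectorySection"
GUID_RE = re.compile(r"^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$")

# Constructed sample: section declared, server valid, client with a malformed
# clientId and no tenant, so exactly two findings are expected.
SAMPLE_WEB_CONFIG = """<configuration>
  <configSections>
    <sectionGroup name="digiConfig">
      <section name="azureActiveDirectory" type="%s" />
    </sectionGroup>
  </configSections>
  <digiConfig>
    <azureActiveDirectory>
      <server enabled="true" templateMemberId="30027" />
      <client enabled="true" clientId="not-a-guid" />
    </azureActiveDirectory>
  </digiConfig>
</configuration>""" % SECTION_TYPE

def check_web_config(xml_text):
    """Return a list of findings; an empty list means the AAD section passes."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = root.iterfind("./configSections/sectionGroup[@name='digiConfig']/section")
    if not any(s.get("name") == "azureActiveDirectory" and s.get("type") == SECTION_TYPE
               for s in declared):
        findings.append("azureActiveDirectory not declared in sectionGroup digiConfig")
    aad = root.find("./digiConfig/azureActiveDirectory")
    if aad is None:
        return findings + ["<azureActiveDirectory> element missing"]
    server, client = aad.find("server"), aad.find("client")
    # 'enabled' is required on both elements and must be an XML boolean.
    for name, elem in (("server", server), ("client", client)):
        if elem is not None and elem.get("enabled") not in ("true", "false"):
            findings.append(f"{name}.enabled must be 'true' or 'false'")
    if server is None:
        findings.append("<server> element missing")
    elif not server.get("templateMemberId", "").isdigit():
        findings.append("server.templateMemberId must be an integer member ID")
    if client is not None:
        if not GUID_RE.match(client.get("clientId", "")):
            findings.append("client.clientId is not a GUID")
        if client.get("enabled") == "true" and not client.get("tenant"):
            findings.append("client.tenant is required for single-tenant login")
    return findings
```

Run it against the real web.config (for example `check_web_config(open("web.config").read())`) after editing; an empty list means all checks passed.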

Configuration examples

DC API server only

This configuration enables other clients to use AAD; the DAM Center client itself still uses the ordinary login.

Code Block
<azureActiveDirectory>
	<server enabled="true" templateMemberId="23" />
</azureActiveDirectory>

DC API server with single tenant client login

This configuration enables clients to use AAD and also directs the DAM Center client to use AAD.

Code Block
<azureActiveDirectory>
	<server enabled="true" templateMemberId="23" />
	<client enabled="true" clientId="33384545-4fe0-4b68-85d6-9edcb35c4690" tenant="mytenantid.onmicrosoft.com" />
</azureActiveDirectory>