
In order to use ADFS with the DAM Center (DC), some extra configuration is required.

1 Overview

ADFS is designed to handle situations where you want to use SSO, but your server is not in the same hosting environment as the domain the user is in.


One big difference between ADFS and a normal AD is that AD is a user database you are able to query for different information. ADFS is not a user database, and normally you don't have access to query it for information. It delivers its information via claims that are configured beforehand.

  • Active
    • The server is able to communicate directly with the ADFS server. This makes it possible to log in without HTTP redirects to the ADFS server. (Not implemented at the moment.)
  • Passive
    • The server is not able to communicate with the ADFS server, so the only way to do logins is via HTTP redirects to the ADFS server (on the client) and reading the security token the ADFS server returns when it redirects back.

    You can find more information here: https://blogs.technet.microsoft.com/askpfeplat/2014/08/24/ADFS-deep-dive-primer/

    At the moment we only support ADFS with the following products:

    • Videoportal
    • Media manager
    • Digizuite DAM center
    • Office Connector
    • Creative Cloud Connector
    • Digizuite Mobile
    Note:

    This is a quick guide for ADFS configuration of Digizuite products. There is some more information and some scripts in the ADFSHelper directory.

    1.1 Prerequisites

    In order to set up ADFS on DC, you need to have a running ADFS server. Instructions on installation can be found in the Configure ADFS on Windows Server 2012 R2 document.

    2 ADFS server

    In the ADFS server, create a Relying Party Trust for every site that ADFS should work on. Under each of these Relying Party Trusts, define what data needs to be sent in the security token. At the moment, the implementation supports:

    • Email
    • GivenName
    • Role
    • GroupSid
    • Group

    For configuration on Digizuite's servers we need the following certificates.

    • Token-decryption
    • Token-signing

    For a guide on how to set an ADFS server up and configure it, please read the following documentation: Configure ADFS on Windows Server 2012 R2

    3 Webserver config

    The Token-Decrypting certificate needs to be installed in the following place:

    • Cert:\LocalMachine\My certificate store

    The Token-Signing certificate needs to be installed in the following places:

    • Cert:\LocalMachine\My certificate store
    • Cert:\LocalMachine\TrustedPeople certificate store

    Info: Application pool

    Lastly, it is important to set the site's Application Pool to Load User Profile under advanced settings. If this is not set, there is a risk that the site cannot load once you have logged in.

    See: https://social.msdn.microsoft.com/Forums/vstudio/en-US/ad1f7367-7727-4b1a-a190-840ff4ed5709/ADFS-20-sso-the-data-protection-operation-was-unsuccessful?forum=Geneva+

    3.1 Digizuite DAM center config

    In the supplied web.config (from the root of the website) there are some ADFS configs that need to be changed.

    • <allow users="*" /> — Should be removed
    • <!-- ADFS deny users="?" /--> — Needs to be changed to <deny users="?"/>

    Original:

    ```xml
    <authorization>
      <allow users="*" />
      <!-- ADFS deny users="?" /-->
    </authorization>
    ```

    ADFS Enabled:

    ```xml
    <authorization>
      <deny users="?" />
    </authorization>
    ```

    • In the modules section, change "<!-- ADFS add" to "<add" and the closing "/ -->" to "/>".

    Original XML:

    ```xml
    <modules runAllManagedModulesForAllRequests="true">
      <remove name="Session" />
      <add name="Session" type="Heavysoft.Web.SessionState.HashTableSessionStateModule,Framework.WebLibrary" />
      <!-- ADFS add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" / -->
    </modules>
    ```

    After change:

    ```xml
    <modules runAllManagedModulesForAllRequests="true">
      <remove name="Session" />
      <add name="Session" type="Heavysoft.Web.SessionState.HashTableSessionStateModule,Framework.WebLibrary" />
      <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    </modules>
    ```

    • At the bottom of the web.config file, remove the "<!-- ADFS " comment opener so that "<!-- ADFS system.serviceModel>" becomes "<system.serviceModel>", and change the closing "</system.identityModel.services -->" to "</system.identityModel.services>".

    Original XML:

    ```xml
    <!-- ADFS system.serviceModel>
      <diagnostics>
        <messageLogging maxMessagesToLog="30000" logEntireMessage="true" logMessagesAtServiceLevel="true" logMalformedMessages="true" logMessagesAtTransportLevel="true" />
      </diagnostics>
    </system.serviceModel>
    <system.identityModel>
      <identityConfiguration saveBootstrapContext="true">
        <audienceUris>
          <add value="https://dam.company.org/" />
          <add value="https://vp.company.org/" />
          <add value="https://mm.company.org/" />
        </audienceUris>
        <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
          <trustedIssuers>
            <add thumbprint="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" name="http://my-adfs.server.com/adfs/services/trust" />
            <add thumbprint="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" name="http://my-adfs.server.com/adfs/services/trust" />
          </trustedIssuers>
        </issuerNameRegistry>
        <certificateValidation certificateValidationMode="PeerOrChainTrust" revocationMode="Online"/>
      </identityConfiguration>
    </system.identityModel>
    <system.identityModel.services>
      <federationConfiguration>
        <cookieHandler requireSsl="true" domain="tsl2-pc.digidom.dk" path="/" />
        <wsFederation passiveRedirectEnabled="true" issuer="https://my-adfs.server.com/adfs/ls/" realm="https://dam.company.org" requireHttps="false" />
      </federationConfiguration>
    </system.identityModel.services -->
    ```

    After change:

    ```xml
    <system.serviceModel>
      <diagnostics>
        <messageLogging maxMessagesToLog="30000" logEntireMessage="true" logMessagesAtServiceLevel="true" logMalformedMessages="true" logMessagesAtTransportLevel="true" />
      </diagnostics>
    </system.serviceModel>
    <system.identityModel>
      <identityConfiguration saveBootstrapContext="true">
        <audienceUris>
          <add value="https://dam.company.org/" />
          <add value="https://vp.company.org/" />
          <add value="https://mm.company.org/" />
        </audienceUris>
        <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
          <trustedIssuers>
            <add thumbprint="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" name="http://my-adfs.server.com/adfs/services/trust" />
            <add thumbprint="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" name="http://my-adfs.server.com/adfs/services/trust" />
          </trustedIssuers>
        </issuerNameRegistry>
        <certificateValidation certificateValidationMode="PeerOrChainTrust" revocationMode="Online"/>
      </identityConfiguration>
    </system.identityModel>
    <system.identityModel.services>
      <federationConfiguration>
        <cookieHandler requireSsl="true" domain="tsl2-pc.digidom.dk" path="/" />
        <wsFederation passiveRedirectEnabled="true" issuer="https://my-adfs.server.com/adfs/ls/" realm="https://dam.company.org" requireHttps="false" />
      </federationConfiguration>
    </system.identityModel.services>
    ```

    Note: Important!

    Remember to replace all URLs in the above XML to reflect your environment. my-adfs.server.com should be replaced with the URL of the ADFS server, dam.company.org with the DAM Center URL, vp.company.org with the Video Portal URL (if applicable) and mm.company.org with the Media Manager URL (if applicable).

    Also change the thumbprints in the trustedIssuers element to your own.

    • In the trustedIssuers section, change the thumbprints to the correct thumbprints of the Token-decryption and Token-signing certificates.
    • Be aware that in some cases an invisible character is copied along with the thumbprint if you copy it from PowerShell. It needs to be removed.
    • my-adfs.server.com should be replaced with the URL of the ADFS server to be used.

    ```xml
    <trustedIssuers>
      <add thumbprint="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" name="http://my-adfs.server.com/adfs/services/trust" />
      <add thumbprint="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" name="http://my-adfs.server.com/adfs/services/trust" />
    </trustedIssuers>
    ```

    • In the audienceUris section, make certain that all URLs from which a user needs to be redirected to the ADFS server are listed. Normally only the main URL for the site is needed here.
      • You need to add all URLs that need ADFS, including frontends.

    ```xml
    <audienceUris>
      <add value="https://dam.company.org" />
    </audienceUris>
    ```

    • In the wsFederation section, change realm to exactly the same value as the relying party identifier configured in the ADFS server.

    ```xml
    <wsFederation passiveRedirectEnabled="true" issuer="https://my-adfs.server.com/adfs/ls/" realm="https://dam.company.org" requireHttps="true" />
    ```

    • Replace dam.company.org with the URL of the DAM Center using ADFS.

    ```xml
    <cookieHandler requireSsl="true" domain="dam.company.org" path="/" />
    ```

    • Locate the following web.config: \dmm3bwsv3\web.config
    • Change the issuer address in this section to point to the ADFS server:

    ```xml
    <ws2007FederationHttpBinding>
      <binding name="ws2007FederationHttpBindingdfd">
        <security mode="TransportWithMessageCredential">
          <message establishSecurityContext="true" issuedKeyType="BearerKey">
            <!-- uri for adfs server - identification not communication-->
            <issuer address="https://digiadtest01.cloudapp.net/adfs/services/trust" binding="ws2007HttpBinding" />
          </message>
        </security>
      </binding>
    </ws2007FederationHttpBinding>
    ```

    • Furthermore, change the serviceCertificate in this section to have the correct thumbprint. It has to be the Token-signing certificate.

    ```xml
    <behavior name="adfsbehavior">
      <serviceSecurityAudit auditLogLocation="Application" serviceAuthorizationAuditLevel="Failure" messageAuthenticationAuditLevel="Failure" suppressAuditFailure="true" />
      <!-- To avoid disclosing metadata information, set the values below to false before deployment -->
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
      <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceCredentials useIdentityConfiguration="true">
        <!-- findValue: Thumbnail hash for the Token Signing Certificate -->
        <serviceCertificate findValue="bcb69b53ff55993b14d8b7891251c5db6eb94542" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
      </serviceCredentials>
    </behavior>
    ```

    3.2 Digizuite Configuration

    To configure ADFS on the Digizuite side, open Media Manager and go to Settings => SSO.

    Once that page loads, select "WsFederation" in the dropdown.

    Configure a template member if required. If none is configured for the SSO integration specifically, the general template member for the Digizuite will be used.

    Configure "Group sync level". Check the tooltips in MM for specifications of what the individual levels do.

    Next give the configuration a "name". This name is arbitrary and does not matter for usage; it's just for internal reference.

    Next provide the "Metadata address" for the ADFS server. It probably looks something like "https://my-adfs.server.com/FederationMetadata/2007-06/FederationMetadata.xml".

    Next provide the "App ID". In ADFS on AD it's the URL of the LoginService, which by default is "{damurl}/DigizuiteCore/LoginService". It's the same URL that was configured in the ADFS server.

    Next press "save".

    Last press "activate". Once the page changes to say "Latest is active", ADFS should be good to go.

    4 Tips & Tricks

    • Sometimes it might be necessary to change certificateValidationMode from PeerOrChainTrust to None or to NoCheck.

    • Configuration of group relationships is handled via bind name, as in normal AD configuration for the Digizuite.
    • If the Office Connector gives an exception with "No version of the CardSpace service was found to be installed on the machine.", don't install it. The exception occurs because the communication with the ADFS server failed and has nothing to do with CardSpace.
    • If using Azure, remember to expose the API (under "Application ID URI" in the App Registration's Overview tab).
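    As a check on the web.config edits in section 3.1 and the thumbprint tip above, here is an added Python example (not part of this guide or the Digizuite product) that performs the uncommenting the guide describes on a constructed web.config fragment and then lints the result; treating U+200E as the hidden copied character is an assumption.

```python
import re
import string
import xml.etree.ElementTree as ET
# Constructed web.config fragment in the shape the guide describes: ADFS-only markup
# parked in "<!-- ADFS ... -->" comments, plus a thumbprint carrying an invisible
# U+200E mark (assumed here as the hidden character the guide warns about).
SAMPLE = """<configuration>
  <authorization>
    <allow users="*" />
    <!-- ADFS deny users="?" /-->
  </authorization>
  <!-- ADFS system.identityModel>
    <identityConfiguration>
      <audienceUris><add value="https://dam.company.org/" /></audienceUris>
      <issuerNameRegistry><trustedIssuers>
        <add thumbprint="\u200eFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" name="http://my-adfs.server.com/adfs/services/trust" />
      </trustedIssuers></issuerNameRegistry></identityConfiguration>
  </system.identityModel>
  <system.identityModel.services><federationConfiguration>
    <wsFederation passiveRedirectEnabled="true" issuer="https://my-adfs.server.com/adfs/ls/" realm="https://dam.company.org" requireHttps="true" />
  </federationConfiguration></system.identityModel.services -->
</configuration>"""

ADFS_COMMENT = re.compile(r"<!-- ADFS (.*?)\s*-->", re.S)

def enable_adfs(text):
    """The guide's edits: drop <allow users="*" /> and uncomment every '<!-- ADFS ... -->'."""
    text = re.sub(r'\s*<allow users="\*"\s*/>', "", text)
    return ADFS_COMMENT.sub(lambda m: "<" + m.group(1) + ">", text)

def clean_thumbprint(tp):
    return "".join(c for c in tp if c in string.hexdigits).upper()  # drops an invisible copied character

def check_adfs_config(text):
    """List what is still wrong in a web.config that should have ADFS enabled."""
    root = ET.fromstring(text)  # ParseError here means a comment edit broke the XML
    problems = []
    if root.find(".//authorization/allow[@users='*']") is not None:
        problems.append('authorization still contains <allow users="*" />')
    for add in root.iterfind(".//trustedIssuers/add"):
        tp = add.get("thumbprint", "")
        if len(tp) != 40 or clean_thumbprint(tp) != tp.upper():
            odd = [f"U+{ord(c):04X}" for c in tp if c not in string.hexdigits]
            problems.append(f"thumbprint for {add.get('name')} has unexpected chars {odd}")
    # The token audience is the realm sent to ADFS, so realm and audienceUris must agree.
    realm = next((w.get("realm", "") for w in root.iter("wsFederation")), "").rstrip("/")
    audiences = [a.get("value", "").rstrip("/") for a in root.iterfind(".//audienceUris/add")]
    if realm and realm not in audiences:
        problems.append(f"realm {realm} is not listed in audienceUris")
    return problems
```

    Run it against your own web.config by reading the file into a string instead of SAMPLE; an empty list means the three checks passed.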

