
For Azure Active Directory (AAD) login to work, make sure that the following requirements are met.

1: Access to your AAD Azure Account

Access https://portal.azure.com and log in.

If you're able to see "Azure Active Directory", you meet this requirement.


NOTE: Azure Active Directory group membership synchronization to DC requires Azure subscription level "Premium P1" or "Premium P2".

2: AD and ADFS must be disabled

Access the product or products (DC and/or MM) you want to enable AAD login for and verify that you are met with the standard Digizuite login screen (not the ADFS or AD one).

If you are not met with a prompt asking you to log in with AD or ADFS, you meet this requirement and can go ahead with configuring AAD.

3: The ID of the user that all your new users inherit from (AAD Template User)

By default the DAM Center is configured with two users that are "copied" every time the system creates a collection user or a self-signup user. These are ordinary users, like all other users (the user named system excluded). What sets them apart is that their passwords are meant never to be used again, and that their user IDs are called upon by the system every time a new user is to be created in their likeness.

Usually the self-signup template user (named "self-sign up template user") is already present in your system if you have the self-signup functionality enabled in your Media Manager. If this is the case, this user can usually be used for automatic assignment of roles when creating AAD users. Write down this user's user ID (usually something like "300xx") for later in the guide.

Info

If the group sync feature is used, the templateUserId is optional and can be set to 0, because group membership is then determined by which groups the users have been assigned to in AAD. You can also keep it on, in which case the template user's groups are added on top of the synchronized ones for every newly created SSO user.

If you don't want to use the previously mentioned self-sign up template user, you'll have to create a new user. You do this with the following steps:

  1. Log in to your DAM Center with a Super Administrator or an Administrator user.

  2. Go to System tools → Users and groups → Users → System users and press Add.

  3. In the Username field, type "AAD Template User"; in the Password field, type something long and random (optionally, set the Metagroup field to "User Config"). The template user is only ever copied, never logged in with, so the password does not need to be remembered and must not be reused anywhere else.

  4. Press Create.

  5. Note down this new user's user ID.

  6. Edit the user's roles by expanding the right-side edit menu. Make sure that you're in the view named "Standard", then add the following groups:

    1. Internal access

    2. Light user or Content Creator

    3. Public access

    4. Trusted (usually already added by default)

  7. Press Save.

The ID you've noted down will be used in an upcoming section, where you have to edit some XML.

4: Create and map DAM Center groups to reflect your Azure Active Directory groups

Note

This step requires Azure subscription level "Premium P1" or "Premium P2"; otherwise go to step 5.

In DAM Center, navigate to System Tools / Users and groups / Groups.

Create a folder by right-clicking Groups and selecting Add folder. Name the new folder "Azure Active Directory" and select it.

In the Azure Portal, navigate to "Azure Active Directory" / "Groups" and open the group you want to map. Its Object Id is used to bind the Azure Active Directory group to a DAM Center group. Use the Object Id and not the display name: the Object Id is a stable GUID, whereas group display names in Azure AD are neither unique nor immutable.

Back in DAM Center, click "Add", give the new DAM Center group a name and click "Create".

Select the new group and edit it in the right pane:

  • Fill "Binding group name" with the value from the Azure group's "Object Id" field.

  • Check the "Is Binding group" checkbox.

  • Select the DAM Center groups that members of the Azure group should be members of.

  • Click Save.

Repeat for each Azure Active Directory group that should grant access to the DAM Center.

5: Make an App Registration for the DC in the Azure Portal

DC and MM are at the moment the only two products we offer that require an AAD registration to work with AAD.

You have to enable AAD for the DC. All other applications that we support AAD for inherit it from the DC.

You register your product by doing the following steps:

  1. Access https://portal.azure.com with the Azure credentials you have from the first requirement (Access to your AAD Azure Account).

  2. Open "Azure Active Directory".

  3. Under "Manage", press "App registrations".

  4. Press "New registration".

  5. In the form, set the "Name" to something that is easy to remember and find again should that be needed (for example the URL of your application). Set the "Redirect URI" to "https://{dc-url}/DigizuiteCore/LoginService" and press the button at the bottom to create the registration.

  6. Make a note of the Application ID of the new App registration.

  7. Click "Authentication" in the left pane and add the following Web Redirect URIs:

    1. https://<damurl>

    2. https://<damurl>/LoginService

  8. Check "Access tokens" and "ID tokens" and click Save. These two checkboxes enable the implicit grant, in which the token is sent with the browser redirect to the reply URL, so keep the redirect URI list to exactly the HTTPS URLs above: any URL on that list can receive a user's token.

  9. On the application's overview page, select "Endpoints". Find the "Federation metadata document" URL and save it somewhere convenient. This is the "Metadata address".

  10. Go to "Expose an API". Look for "Application ID URI" and click "Set". Copy the App ID URI and press "Save". Make a note of the App ID URI without https:// and the GUID.

    Example: "https://digizuite.onmicrosoft.com/95303ff7-f100-47ab-ad3a-2a465ff47bd0" becomes "digizuite.onmicrosoft.com"

  11. Lastly, invite users to your site. This is described in another guide. In short, access your site's registration in the "Enterprise Applications" tab in the AAD section and take it from there.
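The following is an added example, not part of the Digizuite guide or product, that turns the redirect URI and App ID URI instructions of this section into an offline check you can run against the values you typed into the portal. It assumes that the DC URL and the "<damurl>" placeholder refer to the same host and that the paths named in this section ("/", "/LoginService" and "/DigizuiteCore/LoginService") are the only reply URLs wanted; the host dam.example.com, the function names and the finding texts are made up for illustration.

```python
from urllib.parse import urlsplit


def expected_redirect_uris(dc_url: str) -> set:
    """Reply URLs this section tells you to register, built from the DAM Center URL.
    Assumption: <damurl> and {dc-url} are the same host; the paths are the guide's."""
    base = dc_url.rstrip("/")
    return {base, f"{base}/LoginService", f"{base}/DigizuiteCore/LoginService"}


def audit_redirect_uris(registered, dc_url: str) -> list:
    """Findings for an app registration's reply-URL list.

    With "Access tokens" and "ID tokens" checked (implicit grant), the token is
    carried in the redirect to whichever registered URL the login request names,
    so every entry beyond the expected set is a place a user's token can be
    delivered to.
    """
    expected = expected_redirect_uris(dc_url)
    findings = []
    for uri in registered:
        parts = urlsplit(uri)
        if parts.scheme != "https":
            findings.append(f"{uri}: not https, tokens would travel in clear text")
        if "*" in uri:
            findings.append(f"{uri}: wildcard reply URL")
        if parts.query or parts.fragment:
            findings.append(f"{uri}: query or fragment in reply URL")
        if uri not in expected:
            findings.append(f"{uri}: not one of the URLs this guide registers")
    for uri in sorted(expected - set(registered)):
        findings.append(f"{uri}: missing, login would fail with a redirect mismatch")
    return findings


def metadata_address_name(app_id_uri: str) -> str:
    """'App ID URI without https:// and GUID' for an App ID URI of the form shown in
    this section (https://<tenant>.onmicrosoft.com/<guid>): returns only the host."""
    parts = urlsplit(app_id_uri)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"unexpected App ID URI form: {app_id_uri}")
    return parts.netloc


if __name__ == "__main__":
    # Constructed input: one stray http entry and one of the expected URLs missing.
    registered = ["http://dam.example.com",
                  "https://dam.example.com/LoginService",
                  "https://dam.example.com/DigizuiteCore/LoginService"]
    for finding in audit_redirect_uris(registered, "https://dam.example.com/"):
        print(finding)
    print(metadata_address_name(
        "https://digizuite.onmicrosoft.com/95303ff7-f100-47ab-ad3a-2a465ff47bd0"))
```

Paste the reply URLs from the Authentication blade into `registered` and the DC URL into `dc_url`; an empty findings list means the registration contains exactly the URLs this guide asks for and nothing else.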

Configuration of the Active Directory Group Membership synchronization mode

Info

This section is only relevant if an Azure Premium P1 or Azure Premium P2 subscription is used.

In the app registration, select Manifest in the left pane.

Modify the JSON document by changing the line "groupMembershipClaims": null, to e.g. "groupMembershipClaims": "SecurityGroup",

Valid options for groupMembershipClaims are:

  • "All"

  • "SecurityGroup"

  • "DistributionList"

  • "DirectoryRole"

Prefer "SecurityGroup" over "All" unless you need the other group types: Azure AD only puts a limited number of group IDs into a token (200 for a JWT), and a user who is a member of more groups than that gets a token without a groups claim and an overage indicator instead, so membership then cannot be read from the token alone.

See https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims for more info.
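Added example, not Digizuite code, that serves both step 4 above (DAM Center binding groups whose "Binding group name" is an Azure AD group Object Id) and this manifest section: it decodes a constructed ID token, maps the Object Ids in its groups claim to DAM Center groups through a binding table like the one built in step 4, models the optional templateUserId groups from the Info box in step 3, and flags the group overage case in which Azure AD omits the groups claim. The Object Ids, the binding table, the sample tokens and the Graph endpoint string are all constructed placeholders, the function names are my own, and the token signature is deliberately not verified here; a real login service must verify it against the keys in the federation metadata document before trusting any claim.

```python
import base64
import json

# Constructed binding table (step 4): Azure AD group Object Id -> DAM Center groups.
# The GUIDs are placeholders, not real tenant data.
BINDING_GROUPS = {
    "11111111-1111-1111-1111-111111111111": {"Internal access", "Content Creator"},
    "22222222-2222-2222-2222-222222222222": {"Internal access", "Light user"},
}

# groupMembershipClaims values as listed on this page.
GROUP_CLAIM_VALUES = {"All", "SecurityGroup", "DistributionList", "DirectoryRole"}


class GroupOverage(Exception):
    """The token carries no group list; Azure AD expects a Graph lookup instead."""


def enable_group_claims(manifest_json: str, value: str = "SecurityGroup") -> str:
    """Return the manifest with groupMembershipClaims set, as the manifest step describes."""
    if value not in GROUP_CLAIM_VALUES:
        raise ValueError(f"unsupported groupMembershipClaims value: {value}")
    manifest = json.loads(manifest_json)
    manifest["groupMembershipClaims"] = value
    return json.dumps(manifest, indent=2)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """Build an alg=none JWT as constructed offline test input only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature. In production,
    validate the token against the keys from the federation metadata document
    first, otherwise anyone can forge a groups claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def needs_graph_lookup(claims: dict) -> bool:
    """True when Azure AD left the group list out because the user is in too many
    groups. The marker is hasgroups:true (implicit flow, i.e. the access/ID token
    checkboxes above) or a _claim_names/_claim_sources entry for "groups"."""
    if "groups" in claims:
        return False
    if claims.get("hasgroups") is True:
        return True
    names = claims.get("_claim_names")
    return isinstance(names, dict) and "groups" in names


def resolve_dam_groups(claims: dict, binding=None, template_groups=None) -> set:
    """Map the token's group Object Ids to DAM Center groups via the binding table.
    Unknown Object Ids are ignored, so a user only gains access through groups that
    were explicitly mapped. template_groups models a non-zero templateUserId whose
    groups are added on top of the synchronized ones (step 3 Info box)."""
    binding = BINDING_GROUPS if binding is None else binding
    if needs_graph_lookup(claims):
        raise GroupOverage("groups claim omitted; query Microsoft Graph for memberships")
    resolved = set(template_groups or ())
    for object_id in claims.get("groups", []):
        resolved |= binding.get(object_id, set())
    return resolved


# Constructed sample tokens and claim sets, not captured from a real tenant.
SAMPLE_TOKEN = make_unsigned_jwt({
    "sub": "user-1",
    "groups": ["11111111-1111-1111-1111-111111111111",
               "99999999-9999-9999-9999-999999999999"],  # second one is not mapped
})
OVERAGE_CLAIMS = {
    "sub": "user-2",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example/getMemberObjects"}},
}
IMPLICIT_OVERAGE_CLAIMS = {"sub": "user-3", "hasgroups": True}

if __name__ == "__main__":
    print(resolve_dam_groups(decode_jwt_payload(SAMPLE_TOKEN)))
    print(needs_graph_lookup(OVERAGE_CLAIMS), needs_graph_lookup(IMPLICIT_OVERAGE_CLAIMS))
    print(enable_group_claims('{"groupMembershipClaims": null}'))
```

The unmapped Object Id in the sample token yields nothing, which is the property you want from a binding table: an Azure AD group grants DAM Center access only once an administrator has bound it. The overage branch is the one to test explicitly in a tenant that uses "All", since a user with a large group count will otherwise silently end up with no synchronized groups.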

