To use ADFS with Media Manager, some configuration is required.

5.1 Prerequisites

In order to use ADFS (Active Directory Federation Services) with Media Manager (MM), the DAM Center (DC) which your MM uses must already have ADFS enabled.

I strongly recommend using an editor like Notepad++ or Sublime Text for editing the web.config file. The following images are from Notepad++.

Because the file has the extension ".config" rather than ".xml", you'll need to set the language to XML manually.

5.2 Web.config

In the supplied web.config there are some ADFS parts that need to be changed.

To enable ADFS for MM, you need to make some changes to the MM's web.config file, found in the root of the site folder.

5.2.1 Enable ADFS login prompt (Deny users)

The first thing you need to do is make the ADFS login screen appear. This is done as follows:

Around line 79 there is a tag saying <allow users="*" />. This tag should be removed, and the commented-out line <!-- ADFS deny users="?" /--> below it should be changed to <deny users="?" />.


Original:

Code block (XML):
    <authorization>
      <allow users="*" />
      <!-- ADFS deny users="?" /-->
    </authorization>

ADFS Enabled:

Code block (XML):
    <authorization>
      <deny users="?" />
    </authorization>

  • In the trustedIssuers section, change the thumbprints to the correct thumbprints of the token-decryption and token-signing certificates.
  • Be aware that in some cases an invisible character may be copied along with the thumbprint if you copy it from PowerShell. That character must be removed.
  • my-adfs.server.com should be replaced with the URL of the ADFS server to be used.
Code block (XML):
        <trustedIssuers>
          <add thumbprint="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" name="http://my-adfs.server.com/adfs/services/trust" />
          <add thumbprint="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" name="http://my-adfs.server.com/adfs/services/trust" />
        </trustedIssuers>
  • In the audienceUris section, make sure that every URL from which a user needs to be redirected to the ADFS server is listed. Normally only the main URL of the site is needed here.
  • Replace mm.company.org with the URL of the Media Manager.
Code block (XML):
      <audienceUris>
        <add value="https://mm.company.org" />
      </audienceUris>
In the section wsFederation change realm to the precise

[Image]

5.2.2 ADFS config section

All of the following configuration is near the bottom of the web.config file, around line 255, so scroll to the bottom.

When you get there, the entire ADFS segment is most likely commented out. You'll have to uncomment it (in Notepad++ the section appears green; you have to make it "not green") by removing the <!-- and -->.

5.2.3 Audience URIs

From the top, the first thing to edit is the audienceUris.

These need to be the URL of your MM and the URL of its connected DC. E.g.:

[Image: audienceUris entries for the DC and the MM]

In the above image, the first entry is the DC, and the second is the MM.

You should of course enter your own links, with http(s) in front of the link (as in the image).

5.2.4 Trusted Issuers (thumbprints)

The next thing you have to do is define your thumbprints.

You can find the thumbprints in your certificates. You should have encountered them when enabling ADFS for the DC as well; they should be in the DC's web.config file. (If you have not enabled ADFS for your DC, stop following this guide and configure your DC to use ADFS first.) The thumbprints are from the token-decryption and token-signing certificates.

In the parameters named thumbprint, enter the aforementioned thumbprints.

In the parameters named name, enter your domain, e.g. https://yoursite.com/adfs/services/trust

[Image: trustedIssuers entries with thumbprint and name]

Above you can see roughly how the thumbprints will look in your environment.

5.2.5 Cookie Handler and WS-Federation (domain, issuer, and realm)

In the cookieHandler section, change domain to your site's URL (no http(s) or slashes in the domain):

[Image: cookieHandler domain setting]

In the wsFederation section, change:

  • issuer to https://yoursite.com/adfs/ls
  • realm to exactly the same value as the Relying Party configured in the ADFS server.
Code block (XML):
      <wsFederation passiveRedirectEnabled="true" issuer="https://my-adfs.server.com/adfs/ls/" realm="https://mm.company.org" requireHttps="true" />

  • Replace dam.company.org with the URL of the DAM Center that uses ADFS.
Code block (XML):
<cookieHandler requireSsl="true" domain="dam.company.org" path="/" />
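As a check on the edits from 5.2.1 and 5.2.3 to 5.2.5, here is an added example (not part of the original guide or of the Media Manager product): a Python script that parses a web.config and flags the mistakes this guide warns about. It reports a leftover <allow users="*" />, a missing <deny users="?" />, an audience URI without its http(s) prefix, a placeholder or malformed thumbprint (including a hidden character copied along with it, which it names by code point and strips), a trusted-issuer name that is not the /adfs/services/trust endpoint, an issuer that is not the /adfs/ls endpoint, a cookie domain containing a scheme or slashes, and a realm that is not also listed in audienceUris (the realm is the Relying Party identifier that ADFS places as the token audience, so the two must agree). The sample web.config inside the script is constructed, and its enclosing element name (identitySection) is a placeholder; the checker finds each section by tag name, so the layout of your real file does not matter.

```python
import re
import xml.etree.ElementTree as ET
from string import hexdigits

# Constructed sample of the fragments this guide edits (hypothetical values; not the
# product's shipped web.config). <identitySection> is a placeholder: the checker
# locates each section by tag name, so the surrounding layout is irrelevant.
# The first thumbprint deliberately carries a hidden U+200E character, the kind of
# invisible character that can ride along when a thumbprint is copied.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <identitySection>
    <audienceUris>
      <add value="https://mm.company.org" />
      <add value="https://dam.company.org" />
    </audienceUris>
    <trustedIssuers>
      <add thumbprint="\u200e0123456789ABCDEF0123456789ABCDEF01234567" name="http://my-adfs.server.com/adfs/services/trust" />
      <add thumbprint="89ABCDEF0123456789ABCDEF0123456789ABCDEF" name="http://my-adfs.server.com/adfs/services/trust" />
    </trustedIssuers>
    <cookieHandler requireSsl="true" domain="dam.company.org" path="/" />
    <wsFederation passiveRedirectEnabled="true" issuer="https://my-adfs.server.com/adfs/ls/" realm="https://mm.company.org" requireHttps="true" />
  </identitySection>
</configuration>
"""

HEX40 = re.compile(r"^[0-9A-Fa-f]{40}$")
PLACEHOLDER_THUMBPRINT = "F" * 40  # the value shipped in the supplied web.config


def clean_thumbprint(raw):
    """Drop everything that is not a hex digit (hidden characters, spaces, colons)."""
    return "".join(c for c in raw if c in hexdigits).upper()


def check_adfs_config(xml_text):
    """Check an edited web.config against the guide's rules.
    Returns a list of findings; an empty list means every rule held."""
    root = ET.fromstring(xml_text)
    findings = []

    # 5.2.1: the blanket allow must be gone and anonymous users ("?") denied.
    auth = root.find(".//authorization")
    if auth is None:
        findings.append("authorization: section missing")
    else:
        if any(a.get("users") == "*" for a in auth.findall("allow")):
            findings.append('authorization: <allow users="*" /> still present')
        if not any(d.get("users") == "?" for d in auth.findall("deny")):
            findings.append('authorization: <deny users="?" /> missing')

    # 5.2.3: every audience URI must carry its http(s) prefix.
    audiences = [a.get("value", "") for a in root.findall(".//audienceUris/add")]
    if not audiences:
        findings.append("audienceUris: no entries")
    for uri in audiences:
        if not uri.startswith(("https://", "http://")):
            findings.append(f"audienceUris: {uri!r} lacks the http(s) prefix")

    # 5.2.4: a thumbprint is exactly 40 hex digits; anything else is a stray (possibly
    # invisible) character or the unreplaced placeholder. The name must be the ADFS
    # trust endpoint.
    issuers = root.findall(".//trustedIssuers/add")
    if not issuers:
        findings.append("trustedIssuers: no entries")
    for entry in issuers:
        tp = entry.get("thumbprint", "")
        if tp.upper() == PLACEHOLDER_THUMBPRINT:
            findings.append("trustedIssuers: placeholder thumbprint not replaced")
        elif not HEX40.match(tp):
            stray = sorted({f"U+{ord(c):04X}" for c in tp if c not in hexdigits})
            findings.append(
                "trustedIssuers: thumbprint is not 40 hex digits "
                f"(stray characters: {', '.join(stray) or 'none'}; cleaned value {clean_thumbprint(tp)})"
            )
        if not entry.get("name", "").endswith("/adfs/services/trust"):
            findings.append(f"trustedIssuers: name {entry.get('name')!r} is not an ADFS trust URL")

    # 5.2.5: the cookie domain is a bare host name; the issuer is the ADFS /adfs/ls
    # endpoint; the realm is the Relying Party identifier, which ADFS also places as the
    # token audience, so it must appear in audienceUris.
    cookie = root.find(".//cookieHandler")
    if cookie is None:
        findings.append("cookieHandler: element missing")
    else:
        domain = cookie.get("domain", "")
        if "://" in domain or "/" in domain:
            findings.append(f"cookieHandler: domain {domain!r} must not contain http(s) or slashes")
        if cookie.get("requireSsl") != "true":
            findings.append("cookieHandler: requireSsl should stay true")

    ws = root.find(".//wsFederation")
    if ws is None:
        findings.append("wsFederation: element missing")
    else:
        if not ws.get("issuer", "").rstrip("/").endswith("/adfs/ls"):
            findings.append(f"wsFederation: issuer {ws.get('issuer')!r} should end in /adfs/ls")
        if ws.get("realm", "") not in audiences:
            findings.append(f"wsFederation: realm {ws.get('realm')!r} is not listed in audienceUris")
        if ws.get("requireHttps") != "true":
            findings.append("wsFederation: requireHttps should stay true")

    return findings


if __name__ == "__main__":
    for line in check_adfs_config(SAMPLE_WEB_CONFIG) or ["all checks passed"]:
        print(line)
```

Run it against your own file with check_adfs_config(open("web.config", encoding="utf-8").read()); the only finding for the constructed sample is the hidden U+200E in the first thumbprint, and removing that character makes the list come back empty.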

[Image: cookieHandler and wsFederation settings]
