Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Description

Media Manager (MM) supports Azure Active Directory (AAD) which allows Single Sign-On (SSO) functionality for Microsoft and Azure accounts (including Azure accounts created by inviting users from outside the AAD). The solution supports Azure being both single and multi-tenant in regards to directory applications. 

Prerequisites

You DC must accommodate MM

Your DAM Center (DC) must be set up to accommodate MM

...

.

For this, please look at the Configuration Examples beneath your DC's documentation

...

  1. Azure directory account information.
  2. All other external login functionality must be disabled (e.g. AD, ADFS).
  3. Azure Active Directory (AAD) must be configured in the server section of the DAM Center (see the guide "Azure Active Directory" in the DAM Center documentation).
  4. An app registration must be done in AAD.

Ad 4)

Open the Azure portal https://portal.azure.com and navigate to "Azure Active Directory"→"App Registrations" and click the button to create a new registration. Enter a name for the application, e.g. "Media Manager" and the URL for the site. Then press "Save".  Access the "Reply URLs" list and add the URL for the application. 

Configuration schema

...

: .../Configuration Guides/Azure Active Directory (AAD)/2 AAD: Enabling AAD

If you have initially followed the examples given to you by the DC's documentation, your DC should already be configured to accommodate AAD for MM.

You must not have AD or ADFS enabled on your MM

In MM versions prior to MM 4.11.0, some ADFS configuration has already been added to the MM's web.config file.

By using the MM 4.11.0's (or greater) web.config as a template, you can remove these ADFS configurations, so that your MM lives up to this criteria.

Your MM must be a registered app in your Azure's AAD

Just like for the DC, you must create an entry in your Azure Portal's AAD configuration.

Please look for the "4: You must make an App Registration on DC and/or MM in Azure" in your DC's documentation: .../Configuration Guides/Azure Active Directory (AAD)/1 AAD: Requirements

Enabling AAD

Just like for the DAM Center (DC), you have to make changes to the web.config file. Of course, this time it should be for the MM's web.config file, and not the DC's.


To start off, you need to add the section definition below to your MM's config file (Just like in the case of DC):

You do not need to add this to MM's being 4.11.0 or greater.

Code Block
languagexml
<section name="azureActiveDirectory" type="DigiEyeZ.Framework.WebLibrary.Configuration.AzureActiveDirectorySection" />

Configuration example

After having made certain that the section definition above is in the web.config, you must add the following configuration:

MM with single tenant login

Code Block
languagexml
<azureActiveDirectory>
    <client enabled="true" clientId="26667631-53d0-41e5-917c-6ecd05a48820" tenant="mytenantid.onmicrosoft.com" />
</azureActiveDirectory>

You need to input your application's App ID found in the Azure Portal beneath AAD.

The "tenant" you also find in the Azure Portal.

(See the DC's documentation for more information about how to find "App ID" and "Tenant")


If you have issues with getting a grip on where to insert the above section, please see the Enabling AAD section in: .../Configuration Guides/Azure Active Directory (AAD)/2 AAD: Enabling AAD

Alternatively, please see the configuration schema below:

Code Block
languagexml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="azureActiveDirectory" xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
  <xs:element name="azureActiveDirectory" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">
    <xs:complexType>
       <xs:element name="client">
          <xs:complexType>
			<!-- Enables or disables the client using AAD redirect -->
            <xs:attribute name="enabled" type="xs:bool" use="required" />
			<!-- ClientId corresponds to the Application ID in Azure Portal -->
            <xs:attribute name="clientId" use="required">
				<xs:simpleType>
					<xs:restriction base ="Guid" />
				</xs:simpleType>
			</xs:attribute>
            <!-- AADInstance is the login redirect URI -->
			<xs:attribute name="aadInstance" type="xs:string" default="https://login.microsoftonline.com/{0}" />
			<!-- Tenant is the DNS section of the App ID URI in Azure Portal. Required for single tenant usage -->
            <xs:attribute name="tenant" type="xs:string" />
          </xs:complexType>
       </xs:element>
    </xs:complexType>
	<xs:simpleType name="Guid">
        <xs:restriction base="xs:string">
            <xs:pattern value="([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})|(\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})"/>
        </xs:restriction>
    </xs:simpleType>
  </xs:element>
</xs:schema>

Note:

Make sure to add the section definition:

Code Block
<section name="azureActiveDirectory" type="DigiEyeZ.Framework.WebLibrary.Configuration.AzureActiveDirectorySection" />

Configuration examples

Media Manager with single tenant login

Code Block
<azureActiveDirectory>
    <client enabled="true" clientId="26667631-53d0-41e5-917c-6ecd05a48820" tenant="mytenantid.onmicrosoft.com" />
  </azureActiveDirectory>

How to invite an Azure user to the application

...


Table of Contents