Description

The Digizuite™ DAM Center (DC) supports Azure Active Directory (AAD) at the API server level. This enables AAD login from Digizuite products (including satellite applications) and provides Single Sign-on (SSO) for Microsoft and Azure accounts.

The solution supports both single and multi-tenant directory applications. AAD may be set up individually per client application, however, to support AAD for any client it is necessary to enable the server configuration.

Prerequisites

You will need the following to enable AAD:

  1. Azure directory account information.
  2. All other external login functionalities must be disabled (e.g. AD, ADFS).
  3. Your template user's member ID (for mapping rights and roles within the DC).
  4. If the DC client itself should use AAD, an app registration must be created in AAD (unlike satellite applications such as MM, which do not need one).

How it works

When you have set it up correctly, it works in the following way:

The first time a user tries to log in to a Digizuite product using his or her AAD credentials, a new user is created in your DAM with the email address as its username. The new user's rights levels are a copy of your chosen template user's rights levels at that moment; a later change to the template user does not affect the rights of users already created from it. To keep the template user and the users created from it in sync at all times, make them use the same groups for maintaining rights.

Alternatively, you may create the user up front with the rights you choose. Be aware that the premade user's username must match the AAD user's username exactly. If it does not, a new user is created from the template user instead (as mentioned above).

How to invite an Azure user to use the application

In the Azure Active Directory section of the Portal, select "Enterprise applications"→"All applications" and select your application from the list. Then select "Users and groups" and click "Add". Click "Users (none selected)" and press the "Invite" button.

How to enable it

To enable the AAD functionality, you need to do the following:

  1. Open the Azure portal https://portal.azure.com and navigate to "Azure Active Directory"→"App Registrations"
  2. Click the button to create a new registration
  3. Enter a name for the application, e.g. "DAM Center" and then the URL for the site. Then press "Save".
  4. Access the "Reply URLs" list and add the URL for the DC.

Configuration schema

Code Block
<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="azureActiveDirectory" xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
  <xs:element name="azureActiveDirectory" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">
    <xs:complexType>
      <xs:choice minOccurs="0" maxOccurs="unbounded">
        <xs:element name="client">
          <xs:complexType>
            <!-- Enables or disables the client using AAD redirect -->
            <xs:attribute name="enabled" type="xs:boolean" use="required" />
            <!-- ClientId corresponds to the Application ID in Azure Portal -->
            <xs:attribute name="clientId" use="required">
              <xs:simpleType>
                <xs:restriction base="Guid" />
              </xs:simpleType>
            </xs:attribute>
            <!-- AADInstance is the login redirect URI -->
            <xs:attribute name="aadInstance" type="xs:string" default="https://login.microsoftonline.com/{0}" />
            <!-- Tenant is the DNS section of the App ID URI in Azure Portal. Required for single tenant usage -->
            <xs:attribute name="tenant" type="xs:string" />
            <!-- Specifies optional post logout URI. Not used in DC and MM -->
            <xs:attribute name="postLogoutRedirectUri" type="xs:string" />
          </xs:complexType>
        </xs:element>
        <xs:element name="server">
          <xs:complexType>
            <xs:sequence>
              <!-- List of audiences allowed when running multi-tenant applications -->
              <xs:element name="validAudiences" minOccurs="0" maxOccurs="unbounded">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="clear" type="xs:string" minOccurs="0" />
                    <xs:element name="add" minOccurs="0" maxOccurs="unbounded">
                      <xs:complexType>
                        <xs:attribute name="name" type="xs:string" />
                      </xs:complexType>
                    </xs:element>
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
            <!-- Enables or disables the server AAD endpoint -->
            <xs:attribute name="enabled" type="xs:boolean" use="required" />
            <!-- Discovery endpoint for validating the JWT -->
            <xs:attribute name="stsDiscoveryEndpoint" type="xs:string" default="https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration" />
            <!-- Specifies the DAM Center MemberId used to auto-create users on the fly -->
            <xs:attribute name="templateMemberId" type="xs:int" use="required" />
            <!-- Specify to validate the issuer -->
            <xs:attribute name="validIssuer" type="xs:string" />
          </xs:complexType>
        </xs:element>
      </xs:choice>
    </xs:complexType>
  </xs:element>
  <!-- Named simple types must be declared directly under xs:schema, not inside an element -->
  <xs:simpleType name="Guid">
    <xs:restriction base="xs:string">
      <!-- Plain or brace-wrapped GUID: hex groups of 8-4-4-4-12 -->
      <xs:pattern value="([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})|(\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})"/>
    </xs:restriction>
  </xs:simpleType>
</xs:schema>

Make sure to add the section definition:

Code Block
<section name="azureActiveDirectory" type="DigiEyeZ.Framework.WebLibrary.Configuration.AzureActiveDirectorySection" />

Configuration examples

DC API server only

This configuration enables other clients to use AAD, however the DAM Center client itself will use ordinary login.

Code Block
<azureActiveDirectory>
  <server enabled="true" templateMemberId="23" />
</azureActiveDirectory>

DC API server with single tenant client login

This configuration enables clients to use AAD and also directs DAM Center client to use AAD.

Code Block
<azureActiveDirectory>
  <server enabled="true" templateMemberId="23" />
  <client enabled="true" clientId="33384545-4fe0-4b68-85d6-9edcb35c4690" tenant="mytenantid.onmicrosoft.com" />
</azureActiveDirectory>
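As an added example (not Digizuite code), the checker below applies the schema's constraints to an azureActiveDirectory section before it is deployed: xs:boolean values, the required templateMemberId, and the GUID pattern for clientId. It also flags an enabled server that keeps the default "common" discovery endpoint without validIssuer or validAudiences, on the assumption that those two settings are what restrict which tenant's tokens the server accepts; the sample configs and their GUIDs are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# GUID pattern from the page's XSD: plain or brace-wrapped, hex groups 8-4-4-4-12.
_HEX = "[0-9a-fA-F]"
_GUID = "-".join(_HEX + "{%d}" % n for n in (8, 4, 4, 4, 12))
GUID_RE = re.compile("^(?:%s|\\{%s\\})$" % (_GUID, _GUID))
XS_BOOLEAN = ("true", "false", "1", "0")  # lexical values of xs:boolean
# Schema default for stsDiscoveryEndpoint, i.e. the multi-tenant "common" endpoint.
COMMON_DISCOVERY = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration"

def check_aad_section(xml_text):
    """Return a list of findings for an <azureActiveDirectory> section (empty = clean)."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "azureActiveDirectory":
        return ["root element must be <azureActiveDirectory>"]
    server, client = root.find("server"), root.find("client")
    if server is None:
        findings.append("<server> missing: AAD cannot be enabled for any client")
    else:
        if server.get("enabled") not in XS_BOOLEAN:
            findings.append("server/@enabled is required and must be an xs:boolean")
        if not server.get("templateMemberId", "").isdigit():
            findings.append("server/@templateMemberId is required and must be an integer member ID")
        audiences = [a.get("name") for a in server.findall("validAudiences/add")]
        endpoint = server.get("stsDiscoveryEndpoint", COMMON_DISCOVERY)
        # Assumption: with the "common" discovery endpoint only validIssuer/validAudiences
        # restrict which tenant's tokens the server accepts, so flag when both are absent.
        if (server.get("enabled") in ("true", "1") and endpoint == COMMON_DISCOVERY
                and not server.get("validIssuer") and not audiences):
            findings.append("server uses the common endpoint without validIssuer or validAudiences")
    if client is not None:
        if client.get("enabled") not in XS_BOOLEAN:
            findings.append("client/@enabled is required and must be an xs:boolean")
        if not GUID_RE.match(client.get("clientId", "")):
            findings.append("client/@clientId must be the Application ID GUID from the Azure portal")
    return findings

# Constructed samples (placeholder GUIDs and audience, not real tenants or app registrations).
HARDENED = """<azureActiveDirectory>
  <server enabled="true" templateMemberId="23"
          validIssuer="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0">
    <validAudiences><add name="api://dam-center-placeholder" /></validAudiences>
  </server>
  <client enabled="true" clientId="33384545-4fe0-4b68-85d6-9edcb35c4690" tenant="mytenantid.onmicrosoft.com" />
</azureActiveDirectory>"""
WEAK = """<azureActiveDirectory><server enabled="true" />
  <client enabled="true" clientId="not-a-guid" /></azureActiveDirectory>"""
```

Run check_aad_section on the section text extracted from your configuration file; HARDENED returns no findings, WEAK returns three.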