Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

Description

DAM Center supports Azure Active Directory (AAD) from the API server level (to enable AAD login from satellite applications) and from the DAM Center client. This allows Single Sign On (SSO) functionality for Microsoft and Azure accounts. The solution supports both single and multi tenant directory applications. AAD may be setup individually per client application, however to support AAD for any client it is necessary to enable the server configuration.

Prerequisites

  1. Azure directory account information.
  2. All other external login functionality must be disabled (e.g. AD, ADFS).
  3. Template user id (for mapping rights and roles within the DAM Center).
  4. If DAM Center client should use AAD itself, an app registration must be done in AAD.


Ad 3)

When a user tries to log into the DAMCenter using AAD, the email value in AAD must exist as a user in DAM. If you specify a template member id, the user will be auto-created using that template. Alternatively you can create the user up front. Just as long as you remember that the identifier from AAD is the user email. 


Ad 4)

Open the Azure portal https://portal.azure.com and navigate to "Azure Active Directory"→"App Registrations" and click the button to create a new registration. Enter a name for the application, e.g. "DAM Center" and the URL for the site. Then press "Save".  Access the "Reply URLs" list and add the URL for the application. 

Configuration schema

<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="azureActiveDirectory" xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
  <xs:element name="azureActiveDirectory" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">
    <xs:complexType>
      <xs:choice minOccurs="0" maxOccurs="unbounded">
        <xs:element name="client">
          <xs:complexType>
			<!-- Enables or disables the client using AAD redirect -->
            <xs:attribute name="enabled" type="xs:bool" use="required" />
			<!-- ClientId corresponds to the Application ID in Azure Portal -->
            <xs:attribute name="clientId" use="required">
				<xs:simpleType>
					<xs:restriction base ="Guid" />
				</xs:simpleType>
			</xs:attribute>
            <!-- AADInstance is the login redirect URI -->
			<xs:attribute name="aadInstance" type="xs:string" default="https://login.microsoftonline.com/{0}" />
			<!-- Tenant is the DNS section of the App ID URI in Azure Portal. Required for single tenant usage -->
            <xs:attribute name="tenant" type="xs:string" />
			<!-- Specifies optional post logout URI. Not used in DC and MM -->
            <xs:attribute name="postLogoutRedirectUri" type="xs:string" />
          </xs:complexType>
        </xs:element>
        <xs:element name="server">
          <xs:complexType>
            <xs:sequence>
              <!-- List of audiences allowed when running multi-tenant applications -->
              <xs:element name="validAudiences" minOccurs="0" maxOccurs="unbounded">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="clear" type="xs:string" minOccurs="0" />
                    <xs:element name="add" minOccurs="0" maxOccurs="unbounded">
                      <xs:complexType>
                        <xs:attribute name="name" type="xs:string" />
                      </xs:complexType>
                    </xs:element>
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
			<!-- Enables or disables the server AAD endpoint -->
            <xs:attribute name="enabled" type="xs:bool" use="required" />
			<!-- Discovery endpoint for validating JwT -->
            <xs:attribute name="stsDiscoveryEndpoint" type="xs:string" default="https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration" />
			<!-- Specifies the DAM Center MemberId used to auto-create users on the fly -->
            <xs:attribute name="templateMemberId" type="xs:int" use="required" />
            <!-- Specify to validate the issuer -->
            <xs:attribute name="validIssuer" type="xs:string" />
          </xs:complexType>
        </xs:element>
      </xs:choice>
    </xs:complexType>
	<xs:simpleType name="Guid">
        <xs:restriction base="xs:string">
            <xs:pattern value="([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})|(\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})"/>
        </xs:restriction>
    </xs:simpleType>
  </xs:element>
</xs:schema>


Note:

Make sure to add the section definition:

<section name="azureActiveDirectory" type="DigiEyeZ.Framework.WebLibrary.Configuration.AzureActiveDirectorySection" /


Configuration examples

DAM Center API server only

<azureActiveDirectory>
    <server enabled="true" templateMemberId="23" />
  </azureActiveDirectory>

This configuration enables other clients to use AAD, however the DAM Center client itself will use ordinary login.


DAM Center API server with client single tenant login

<azureActiveDirectory>
    <server enabled="true" templateMemberId="23" />
    <client enabled="true" clientId="33384545-4fe0-4b68-85d6-9edcb35c4690" tenant="mytenantid.onmicrosoft.com" />
  </azureActiveDirectory>

This configuration enables clients to use AAD and also directs DAM Center client to use AAD.


How to invite an Azure user to the application

In the Azure Active Directory section of the Portal, select "Enterprise applications"→"All applications" and select your application from the list. Then select "Users and groups" and click "Add". Click "Users (none selected)" and press the "Invite" button. 



  • No labels