Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

As every IdP is different we can not provide a guide for every solution.

However we can give some general configuration parameters thats required for the SAML 2 integration to work.

Our SAML AuthNRequest

AssertionConsumerServiceURL=https://DAMURL/DigizuiteCore/LoginService/Saml2/Acs

Issuer (Also called entity ID) = https://DAMURL/DigizuiteCore/LoginService

An example our our saml2p:AuthnRequest

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id14752337c09e4ff19b7cc1089a985597" Version="2.0" IssueInstant="2021-04-23T08:05:09Z" Destination="https://ad-host.digizuite.app/adfs/ls/" AssertionConsumerServiceURL="https://mbdc.dev.digizuite.com/DigizuiteCore/LoginService/Saml2/Acs">
	<saml2:Issuer>https://mbdc.dev.digizuite.com/DigizuiteCore/LoginService</saml2:Issuer>
</saml2p:AuthnRequest>

Token Claims

The attributes we require in the

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (The unique name of the user could be UPN)

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress (Email)

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname (Surname)

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname (Given name)

http://schemas.xmlsoap.org/claims/Group (List of group memberships in order to connect groups directly)

Example of the <AttributeStatement>

<AttributeStatement>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>mb@digizuite.app</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <AttributeValue>mb@digizuite.com</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
                <AttributeValue>Boisen</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                <AttributeValue>Morten</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
                <AttributeValue>digizuite\Domain Users</AttributeValue>
                <AttributeValue>digizuite\Super administrator</AttributeValue>
                <AttributeValue>S-1-5-21-2750658348-810332529-726732757-513</AttributeValue>
                <AttributeValue>S-1-5-21-2750658348-810332529-726732757-1106</AttributeValue>
            </Attribute>
        </AttributeStatement>

Note its important that the “Name” attribute is the whole URL!

Example of a complete samlp:Response

<samlp:Response ID="_9466a2eb-3e08-4638-8417-4443070d2860" Version="2.0" IssueInstant="2021-04-23T08:05:17.781Z" Destination="https://mbdc.dev.digizuite.com/DigizuiteCore/LoginService/Saml2/Acs" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="id14752337c09e4ff19b7cc1089a985597" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://ad-host.digizuite.app/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion ID="_710b91a5-f1e9-496e-9765-659795675aa1" IssueInstant="2021-04-23T08:05:17.780Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>http://ad-host.digizuite.app/adfs/services/trust</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_710b91a5-f1e9-496e-9765-659795675aa1">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>mTY/O/ujMR/6s+/VoRqVMfKG47QtXxl1puSB05/6GOU=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>QQhk5ARL7jhhgLF/qu0UOx9ZrvYjRUfDgHx2ZVft0vmnekE9EojR7onh4RfZX/sY/mRn/y4ovx9WbjoP2KXSjJ+ZeiUt590bo1WgqkhUujszWEOpxJSjXBo1TVj7yVrNET+a1pA5KVlGy+s5e/fHRYD1Rzvue+LSR6ZuMeBXGJyCM+iWCaNqS5Co7WIGxP6E35BXY+tgQSXz8dCSoRqdQppcsl+kfIC5wIKYGp529Y1Pmyr5jsnKQYZbKxTo0g3tVkYQLK93svGNLlPLuEm5bqjC5hrfeCAbEXPbZRVe9KuYwIJg1FU20HWllSOb2uMsuVXQs1Swn9creZIXTemZVg==</ds:SignatureValue>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIC5jCCAc6gAwIBAgIQFFXnNrtUPoVJThePVJ/VazANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBhZC1ob3N0LmRpZ2l6dWl0ZS5hcHAwHhcNMjAwOTE0MTE0MDM4WhcNMjEwOTE0MTE0MDM4WjAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBhZC1ob3N0LmRpZ2l6dWl0ZS5hcHAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCetlw5XG1rFX02eTnGdvQN2xcZ8Q/tNSR4iHCBCVCL53kqzA8Ds39QRRw1RbwJ37dqc87oZBHy+nJTBlGfKKcqizAUHYQAK3r0oL2IeXUqIdrtcCdrNjeeaBRU6JQGuj39BDujYcYHTD4hXbFRAmNNAZGhK+FcAdhH7m5h6wcQg1oTie5tmkgGeRFDd7nXQX/lSqYQ/KfjSd3G/t0uCQtA8a7Sqdr0PIP5kDdHW9gejIF9Ke/ltnzx4gjnq938X0VY90qzWiigdNULVrXZ6EYypI7LBHvdKCT/dbUAXfvvZCEAAd+EUUdcOC5FF/FD5RaJVXE89whz0dV1tnXkI8YJAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJqSc3KCMSo5/i16XsWaijMpCTl5tqtqQnXfL+I3XOw06QaZbYwsQc91GbrqkH5jfl8DsLBuMaeYc5baRMzGrh6qaHfFcUNQ7E4jf42gfmzvqxbQDpTwTCR0EO0eGXNHANHflz4Oob3rPuX31y26wuDngUlyzRj/DltCZENTQQlD9ZYT+2Lp0EYd8r0UC5FfxrWoYCJJnpFTeps7iwh4G8OEW+xa6TZuQL7dk5KCdM84cgkHznLvZ++MV7OI69ye1cHvIEI7+Gr9hLxs04BU7U9qQ5n/USbo+DKN6ZQe45XApTSVLkE2lFw8zdzXM0yvxKPXUDTcXNmrA3tNYxpcMKg=</ds:X509Certificate>
                </ds:X509Data>
            </KeyInfo>
        </ds:Signature>
        <Subject>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="id14752337c09e4ff19b7cc1089a985597" NotOnOrAfter="2021-04-23T08:10:17.781Z" Recipient="https://mbdc.dev.digizuite.com/DigizuiteCore/LoginService/Saml2/Acs" />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2021-04-23T08:05:17.774Z" NotOnOrAfter="2021-04-23T09:05:17.774Z">
            <AudienceRestriction>
                <Audience>https://mbdc.dev.digizuite.com/DigizuiteCore/LoginService</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>mb@digizuite.app</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <AttributeValue>mb@digizuite.com</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
                <AttributeValue>Boisen</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                <AttributeValue>Morten</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
                <AttributeValue>digizuite\Domain Users</AttributeValue>
                <AttributeValue>digizuite\Super administrator</AttributeValue>
                <AttributeValue>S-1-5-21-2750658348-810332529-726732757-513</AttributeValue>
                <AttributeValue>S-1-5-21-2750658348-810332529-726732757-1106</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2021-04-23T08:05:17.679Z">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

When the IdP has been configured correctly then get the Metadatafederation url for next step.

Setup of Media manager

Login to the media manager with a Super administrator.

Go to “Settings” - “General settings” - “SSO“

Select SAML2

Insert a Template member user ID. You can use the guest user if you want low access: 30006 (Or you can create a template user that matches your need)

Select the Sync level

Enter a name

In the Entity ID you insert the same URL as you used for you redirect URI (https://DAMURL/DigizuiteCore/LoginService)

Signing behavior:

IfIdpWantAuthnRequestsSigned

Under Identity providers enter

Entity ID: Open the Metadata federation URL. It will have your Entity ID

 

Metadata location: The federation metadata URL

Now Press Save and then Activate.

Once it says “Latest is active” the SSO configuration is enabled

Example of a configuration:

 

Setup of Sync groups in the DAM

If you have selected FullSync or AddOnly in your Group sync level you will need to setup your group binding in the DAM.

You will need to Login with a super administrator and go to:

System tools- Users and groups - Groups

Find the group you want to bind and do the following:

In the Binding group name you can input either the domain/groupname or the group SID.

Troubleshooting

You can enable the logging of SSO in the DAM website folder\DigizuiteCore\loginservice\appsettings.json

By setting the "EnableLocalLogging": true

That will give you more information on the errors you encounter

Known issues

/wiki/spaces/PSBOK/pages/2262040577

Currently you need membership of atleast 1 group if Full sync or AddOnly is enabled before your allowed to login

  • No labels