To use ADFS with Media Manager, some configuration is required.

5.1 Prerequisites

In order to use ADFS (Active Directory Federation Services) with Media Manager (MM), the DAM Center (DC), which your MM uses, must have ADFS enabled.

I suggest using an editor such as Notepad++ or Sublime for editing the web.config file. The following images are from Notepad++.

As the file has the extension ".config" rather than ".xml", you will need to set the language to XML manually.

5.2 Web.config

To enable ADFS for MM, you need to make some changes to the MM's web.config file, found in the root of the site folder.

5.2.1 Enable ADFS login prompt (Deny users)

The first thing you need to do is make the ADFS login screen appear. This is done as follows:

Around line 79 there is a tag saying <allow users="*" />. This tag has to be changed so that it denies anonymous users (the "?" value) instead of allowing everyone.

That is, <allow users="*" /> should be changed to <deny users="?" />


This is how it looks when ADFS is enabled:

5.2.2 ADFS config section

All the following configuration changes are made at the bottom of the web.config file, around line 255, so scroll to the bottom.

In the supplied web.config (from the root of the website) there are some ADFS SAML 2.0 Protocol settings that need to be changed.

Add to <configSections>:

	<section name="sustainsys.saml2" type="Sustainsys.Saml2.Configuration.SustainsysSaml2Section, Sustainsys.Saml2, Version=0.24.0.0, Culture=neutral, PublicKeyToken=f3f81a9c4b80e2ec" />


Add the following two to <modules>:

<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />

Add the following under <configuration>:

<system.identityModel>
    <identityConfiguration saveBootstrapContext="true"/>
</system.identityModel>


The SAML 2.0 Protocol specific settings can be added with the following (this is a sample; all configuration options are documented at https://github.com/Sustainsys/Saml2/blob/master/docs/Configuration.md):

<sustainsys.saml2 entityId="https://local.dev.digizuite.com/DAMUI/Saml2/Acs" returnUrl="https://local.dev.digizuite.com/DAMUI/" minIncomingSigningAlgorithm="SHA256" authenticateRequestSigningBehavior="Never">
    <metadata cacheDuration="0:0:42" validDuration="7.12:00:00" wantAssertionsSigned="false">
      <organization name="Digizuite" displayName="Sustainsys" url="http://www.digizuite.com" language="da" />
      <contactPerson type="Other" email="bbl@digizuite.com" />
      <requestedAttributes>
        <add name="Minimal" />
      </requestedAttributes>
    </metadata>
    <identityProviders>
      <add entityId="http://adfs.digidom.dk/adfs/services/trust" signOnUrl="https://adfs.digidom.dk/adfs/ls/" allowUnsolicitedAuthnResponse="false" binding="HttpRedirect" loadMetadata="true" metadataLocation="https://adfs.digidom.dk/FederationMetadata/2007-06/FederationMetadata.xml">
        <signingCertificate storeName="My" storeLocation="LocalMachine" findValue="bcb69b53ff55993b14d8b7891251c5db6eb94542" x509FindType="FindByThumbprint" />
      </add>
    </identityProviders>
    <serviceCertificates>
      <add fileName="~/App_Data/Sustainsys.Saml2.Tests.pfx" />
    </serviceCertificates>
</sustainsys.saml2>

In some instances it can be necessary to increase the maxQueryStringLength to accommodate the SAML token being returned as a parameter from ADFS.

<requestFiltering>
    <requestLimits maxAllowedContentLength="2000000000" maxUrl="1638400" maxQueryString="1638400" />
</requestFiltering>
...
...
<httpRuntime maxRequestLength="2048000" executionTimeout="120000" requestValidationMode="2.0" maxUrlLength="16384" maxQueryStringLength="2048000" />
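As an added example (not from this page, Digizuite or the Sustainsys project), the following Python script parses a web.config and checks the settings this section asks for, including that the deny rule is the first authorization rule, since ASP.NET applies the first matching rule and a leftover <allow users="*" /> above it would still admit anonymous users. The embedded web.config and the example.invalid host names are constructed for the check.

```python
"""Added check, not part of the Digizuite documentation: parse a web.config
and verify the ADFS / Sustainsys.Saml2 settings described in this section."""
import xml.etree.ElementTree as ET

# Constructed sample web.config; host names are placeholders, not real systems.
SAMPLE_WEB_CONFIG = """<configuration>
  <configSections>
    <section name="sustainsys.saml2" type="Sustainsys.Saml2.Configuration.SustainsysSaml2Section, Sustainsys.Saml2" />
  </configSections>
  <system.web>
    <authorization><deny users="?" /></authorization>
    <httpRuntime maxQueryStringLength="2048000" />
  </system.web>
  <system.identityModel><identityConfiguration saveBootstrapContext="true"/></system.identityModel>
  <sustainsys.saml2 entityId="https://mm.example.invalid/Saml2/Acs" minIncomingSigningAlgorithm="SHA256">
    <identityProviders>
      <add entityId="http://adfs.example.invalid/adfs/services/trust" allowUnsolicitedAuthnResponse="false" loadMetadata="true" />
    </identityProviders>
  </sustainsys.saml2>
</configuration>"""


def check_adfs_config(xml_text):
    """Return {check_name: bool} for each setting the guide requires."""
    root = ET.fromstring(xml_text)
    auth = root.find("system.web/authorization")
    rules = list(auth) if auth is not None else []
    # ASP.NET URL authorization is evaluated top-down, first match wins:
    # the deny rule only works if no <allow users="*"/> precedes it.
    denies_anon = bool(rules) and rules[0].tag == "deny" and rules[0].get("users") == "?"
    section = root.find("configSections/section[@name='sustainsys.saml2']")
    ident = root.find("system.identityModel/identityConfiguration")
    saml = root.find("sustainsys.saml2")
    idps = saml.findall("identityProviders/add") if saml is not None else []
    runtime = root.find("system.web/httpRuntime")
    # 2048 is the ASP.NET default when maxQueryStringLength is not set.
    qs_len = int(runtime.get("maxQueryStringLength", "2048")) if runtime is not None else 2048
    return {
        "anonymous_denied": denies_anon,
        "saml2_section_declared": section is not None,
        "bootstrap_context_saved": ident is not None and ident.get("saveBootstrapContext") == "true",
        "min_signing_sha256": saml is not None and saml.get("minIncomingSigningAlgorithm") == "SHA256",
        "unsolicited_responses_rejected": bool(idps)
        and all(i.get("allowUnsolicitedAuthnResponse") == "false" for i in idps),
        "query_string_limit_raised": qs_len > 2048,
    }


if __name__ == "__main__":
    for name, ok in check_adfs_config(SAMPLE_WEB_CONFIG).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Run it against the real web.config by reading the file into `check_adfs_config` instead of the constructed sample.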
