AD FS Quick Setup Guide - DAM v4.6.1

1 Overview

AD FS is designed to handle situations where you want to use SSO but your server is not in the same hosting environment as the domain the user is in.

One big difference between AD FS and normal AD is that AD is a user database you are able to query for different information. AD FS is not a user database and normally you don't have access to query it for information. It delivers it's information via clams that is configured beforehand.

Seen from the top there are 2 different ways that an AD FS configuration can be accessed by:

• Active
  • The server is able to communicate directly with the AD FS server. This gives the possibility to make logins without http redirects to the AD FS server. (Not implemented at the moment.)
• Passive
  • The server is not able to communicate with the AD FS server. So the only way to do logins is via http redirects to the AD FS server (on the client) and reading the security token the AD FS server returns when it redirects back.

You can find more information here: https://blogs.technet.microsoft.com/askpfeplat/2014/08/24/AD FS-deep-dive-primer/

At the moment we only support AD FS with the following products:

• Videoportal
• Media manager
• Digizuite DAM center
• Office Connector

Note: This is a quick guide for AD FS configuration of Digizuite products. There is some more information and some scripts in the AD FSHelper directory. ?!??!

2 AD FS server

In the AD FS server create a Relying Party Trust for every site that AD FS should work on. Under every of these Relying Party Trusts define what data needs to be send in the security token. At the moment, the implementation supports:

• Email
• GivenName
• Role
• GroupSid
• Group

For configuration on Digizuite's servers we need the following certificates.

• Token-decryption
• Token-signing

For a guide on how to set an AD FS server up and configure it, please read the following documentation: Configure AD FS on Windows Server 2012 R2.docx in AD FSHelper

3 Webserver config

The Token-Decrypting certificate needs to be installed in the following place:

• Cert:\\LocalMachine\My Certificate store

The Token-Signing certificate needs to be installed in the following places:

• Cert:\\LocalMachine\My Certificate store
• Cert:\\LocalMachine\TrustedPeople Certificate store

Internal?!?!? In the directory Install_Certificates, the script Install_AD FS_OnWebServer.ps1 are able to help you do this.

3.1 Videoportal/ Media manager config

In the supplied web.config there is some AD FS parts that needs to be changed.

• <allow users="*" /> —  should be removed
• <!-- AD FS deny users="?" /--> — needs to be changed to <deny users="?"/>
  

• All instances of digiadtest01.cloudapp.net needs to be changed to the correct AD FS servers dns name.

• In the section trustedIssuers change the thumbprint to the correct thumbprints from Token-decryption and Token-signing.
• Be aware that in some cases an unshown character might be copied with the thumbprint if you copy from Powershell. That need to be removed.
• In the section audienceUris make certain that all URLs where a user needs to be redirected to the AD FS server is noted. Normally only the main URL for the site Is needed here.
  

• In the section wsFederation change realm to the precise same as Relying party in the AD FS server.
  

• Change domain on cookieHandler.
  

3.2 Digizuite DAM center config

In the supplied web.config there is some AD FS parts that needs to be changed.

• <allow users="*" /> — Should be removed
• <!-- AD FS deny users="?" /--> — Needs to be changed to <deny users="?"/>

• Change <!-- AD FS add to "<add" and change "/-->" to ">" In the modules part.

• Change <!-- AD FS add to "<add" and change "/-->" to ">" In the bottom of the web.config file.
  

• All instances of digiadtest01.cloudapp.net needs to be changed to the correct AD FS servers DNS name.

• In the section audienceUris make certain that all urls where a user needs to be redirected to the AD FS server is noted. Normally only the main URL for the site Is needed here.
  
  • You need to add all url's that need AD FS also frontends.
    

• In the section wsFederation change realm to the precise the same as relying party in the AD FS server.

• Change domain on cookieHandler.

3.3 Office Connector config

You need to do the following as seen in the picture.

• Check Use single signon
• In Single signon URL write: https://[DAM]/dmm3bwsv3/AD FSConnect.svc
• In AD FS server write the DNS for AD FS server

Make sure that the endpoint: AD FS/services/trust/2005/windowstransport is enabled in the AD FS server configuration.

4 Tips & Tricks

• Sometimes it might be necessary to change certificateValidationMode from PeerOrChainTrust to None or to NoCheck.
• It is important to have the Application Pool set to Load User Profile. See: https://social.msdn.microsoft.com/Forums/vstudio/en-US/ad1f7367-7727-4b1a-a190-840ff4ed5709/AD FS-20-sso-the-data-protection-operation-was-unsuccessful?forum=Geneva+ 
• Configuration of group relationships is handled via bind name as in normal AD configuration for the Digizuite.
• If the Office Connector give an exception with "No version of the CardSpace service was found to be installed on the machine.", don't install it. The exception is because the communication with the AD FS server failed and have nothing to do with CardSpace.