MM5.3.0 5 Federated Authentication Configuration

To use Federated Authentication with Media Manager, some configuration is required. It is now enough to add the SSO configuration to the DAM Center web.config; the LoginService then inherits it. The one exception is Azure Active Directory, which requires an addition to the LoginService web.config as described in 5.4.

5.1 Prerequisites

One of the Federated Authentication options should be configured for the Digizuite™ DAM Center. Follow the setup guides there for the preferred authentication mechanism.

5.2 Configure MM for Federated Authentication

Open the web.config file for MM in a text editor like Notepad++.

Two values need to be updated, and a third might need to be changed, depending on requirements.

In <appSettings>, change the value of LoginServiceUrl to "#{DC_URL}/LoginService", e.g. "https://dam.digizuite.com/LoginService".

Change UseFederatedAuthentication to "true" instead of "false".


If you open MM now, you should automatically be redirected to the federated authentication mechanism you configured for DC.

5.3 Additional configuration options

If you want to use both normal DAM login and Federated Authentication, set AllowNormalLogin to "true" instead of "false".

This will cause MM to open like normal, but add a special button to the login dialog to log in with SSO.


Important

If you set up your MM5 to use AD, UseFederatedAuthentication should still be "true".

However, you must not set AllowNormalLogin to "true". If you fail to do this, users will be redirected into MM5 without being prompted.

Also, you should not have "Windows authentication" enabled for MM5, as this will result in the end user being prompted for AD login twice instead of once.


5.4 Azure Active Directory in LoginService

In case you are using Azure Active Directory, the following must be added to the web.config located in the LoginService folder inside the DAM Center web folder.

It is important to try first with an empty string in redirectUri, or otherwise use 'https://dam.digizuite.com/LoginService/' (note the trailing slash).

Web.config in LoginService
  <location inheritInChildApplications="false">
    <!-- Azure Active Directory settings for the LoginService -->
    <azureActiveDirectory>
      <server enabled="true" templateMemberId="30021" />
      <!-- redirectUri: empty string, or the LoginService URL with a trailing slash -->
      <client enabled="true" redirectUri="" clientId="99088367-86f5-4ec0-87a6-83f8cfc0b078" tenant="DZPOWERBI.onmicrosoft.com" />
    </azureActiveDirectory>

    <system.web>
      <authentication mode="None" />
    </system.web>

    <system.webServer>
      <modules>
        <remove name="Session" />
        <add name="Session" type="Heavysoft.Web.SessionState.HashTableSessionStateModule, Framework.WebLibrary" />
      </modules>
    </system.webServer>
  </location>

5.5 Things to be aware of

As described above, the LoginService can use the same configuration as the DAM Center web.config (except for Azure Active Directory, as described in 5.4). This only holds when the Identity Provider allows Digizuite to provide the Redirect URI, so that the same identity provider can be used across both MM5 and DC5.

In some circumstances this is not the case and you could have a separate Identity Provider for DC and for MM. In this case, you would need to do the configuration twice, as with Azure:

  1. In the DAM Center Web.config
  2. In the Login Service Web.config

In this case it is important to understand inheritance. We want to make sure that the LoginService does not inherit the config from the DAM Center web.config, because then MM would redirect to the DAM Center instead of the login service. How to solve this for Azure Active Directory is described in 5.4; if you want to configure it for SAML2, the configuration has to clear the Identity Provider so that it is not inherited from the DC config. This can be done with the clear tag, as described here: https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/configsections-element-for-configuration.

The config would then look like this:

Web.config in LoginService
  <location inheritInChildApplications="false">
    ....
    ....

    <sustainsys.saml2 entityId="https://dam.belden.com/LoginService/Saml2/Acs" returnUrl="https://dam.belden.com/LoginService/" expectSignatureInXml="false" minIncomingSigningAlgorithm="SHA256" authenticateRequestSigningBehavior="Never">
      <metadata cacheDuration="0:0:42" validDuration="7.12:00:00" wantAssertionsSigned="false">
        <organization name="Digizuite" displayName="Sustainsys" url="http://www.digizuite.com" language="da" />
        <contactPerson type="Other" email="mb@digizuite.com" />
        <requestedAttributes>
          <add name="Minimal" />
        </requestedAttributes>
      </metadata>
      <identityProviders>
        <!-- PROVIDE THIS CLEAR TAG TO NOT INHERIT FROM PARENT DC WEB CONFIG -->
        <clear/>

        <add entityId="https://auth.belden.com/sts_digizuitemm" allowUnsolicitedAuthnResponse="false" binding="HttpRedirect" loadMetadata="true" metadataLocation="~/meta/metadatammprod.xml">
        </add>
      </identityProviders>
    </sustainsys.saml2>
  </location>
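The settings in 5.2/5.3 and the inheritance pitfalls in 5.4/5.5 are easy to get wrong by hand, so here is an added example (not part of the Digizuite documentation or product) of a small checker that reads both web.config files and reports the mistakes the guide warns about: a LoginServiceUrl that does not point at /LoginService, AllowNormalLogin left "true" for an AD setup, a redirectUri without the trailing slash, a missing inheritInChildApplications="false", and an identityProviders section without the clear tag. The two sample configs are constructed for illustration; the appSettings key names come from the guide, while the <add key="..." value="..."/> shape is the standard ASP.NET appSettings form and the hostnames are placeholders.

```python
# Added example, not Digizuite code. Standard library only.
import xml.etree.ElementTree as ET

# Constructed sample: MM web.config with SSO enabled and normal login still allowed
MM_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="LoginServiceUrl" value="https://dam.example.com/LoginService" />
    <add key="UseFederatedAuthentication" value="true" />
    <add key="AllowNormalLogin" value="true" />
  </appSettings>
</configuration>
"""

# Constructed sample: LoginService web.config for SAML2 that forgot the <clear/> tag
LOGINSERVICE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <location inheritInChildApplications="false">
    <sustainsys.saml2 entityId="https://dam.example.com/LoginService/Saml2/Acs"
                      returnUrl="https://dam.example.com/LoginService/">
      <identityProviders>
        <add entityId="https://idp.example.com/sts" binding="HttpRedirect" />
      </identityProviders>
    </sustainsys.saml2>
  </location>
</configuration>
"""

# Same file with the clear tag in place, as the guide shows it
LOGINSERVICE_WEB_CONFIG_FIXED = LOGINSERVICE_WEB_CONFIG.replace(
    "<identityProviders>", "<identityProviders>\n        <clear/>")


def check_mm_config(xml_text, uses_ad=False):
    """Check the Media Manager web.config settings from 5.2/5.3.

    Returns a list of findings; an empty list means the settings look right.
    uses_ad=True applies the stricter rule from the 'Important' note."""
    root = ET.fromstring(xml_text)
    settings = {e.get("key"): (e.get("value") or "").strip()
                for e in root.findall("./appSettings/add")}
    findings = []
    url = settings.get("LoginServiceUrl", "")
    if not url.startswith("https://") or not url.rstrip("/").endswith("/LoginService"):
        findings.append("LoginServiceUrl should be https://<DC_URL>/LoginService")
    if settings.get("UseFederatedAuthentication", "").lower() != "true":
        findings.append("UseFederatedAuthentication must be true for SSO")
    if uses_ad and settings.get("AllowNormalLogin", "").lower() == "true":
        findings.append("AllowNormalLogin must not be true when MM5 uses AD "
                        "(users would be redirected into MM5 without a prompt)")
    return findings


def check_loginservice_config(xml_text):
    """Check the LoginService web.config for the inheritance pitfalls in 5.4/5.5."""
    root = ET.fromstring(xml_text)
    findings = []
    location = root.find("location")
    if location is None or location.get("inheritInChildApplications") != "false":
        findings.append('<location inheritInChildApplications="false"> is missing')
    # Azure AD: redirectUri is either empty or the LoginService URL with a trailing slash
    for client in root.iter("client"):
        uri = client.get("redirectUri", "")
        if uri and not uri.endswith("/"):
            findings.append("redirectUri must be empty or end with a trailing slash")
    # SAML2: the first child of <identityProviders> must be <clear/>, otherwise the
    # provider from the parent DC web.config is inherited and MM redirects to DC
    for providers in root.iter("identityProviders"):
        children = list(providers)
        if not children or children[0].tag != "clear":
            findings.append("<identityProviders> must start with <clear/> so the "
                            "DC web.config identity provider is not inherited")
    return findings


if __name__ == "__main__":
    for name, findings in [
        ("MM (SSO only)", check_mm_config(MM_WEB_CONFIG)),
        ("MM (AD)", check_mm_config(MM_WEB_CONFIG, uses_ad=True)),
        ("LoginService", check_loginservice_config(LOGINSERVICE_WEB_CONFIG)),
        ("LoginService fixed", check_loginservice_config(LOGINSERVICE_WEB_CONFIG_FIXED)),
    ]:
        print(name + ":", findings or "OK")
```

To run it against real files, replace the constructed strings with the contents of the two web.config files; the checks are deliberately limited to the attributes this guide mentions and do not validate the rest of the configuration.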