DC 5.4 ADFS Quick Setup Guide
- Tobias Thornfeldt Wolters
- Mathias Mattson (MHM)
- Rasmus Hjelmberg Duemose Hansen
- Gosia Creosteanu
In order to use ADFS with the DAM Center (DC), some extra configuration is required.
Overview
ADFS is designed to handle situations where you want to use SSO, but your server is not in the same hosting environment as the domain the user is in.
One big difference between ADFS and a normal AD is that AD is a user database you can query for different kinds of information. ADFS is not a user database, and normally you don't have access to query it for information; it delivers its information via claims that are configured beforehand.
At the moment we only support ADFS with the following products:
- Media manager
- Digizuite DAM center
- Office Connector
- Creative Cloud Connector
- Digizuite Mobile
Note
This is a quick guide for ADFS configuration of Digizuite products. There is some more information and some scripts in the ADFSHelper directory.
Prerequisites
In order to set up ADFS on DC, you need to have a running ADFS server. Instructions on installation can be found in the Configure ADFS on Windows Server 2012 R2 document.
ADFS server
In the ADFS server, create a Relying Party Trust for every site that ADFS should work on. Under each of these Relying Party Trusts, define what data needs to be sent in the security token. At the moment, the implementation supports the following claims:
- GivenName
- Role
- GroupSid
- Group
For the configuration on Digizuite's servers, the following certificates from the ADFS server are needed:
- Token-decryption
- Token-signing
For a guide on how to set an ADFS server up and configure it, please read the following documentation: Configure ADFS on Windows Server 2012 R2
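As an added example (not part of this guide or of Digizuite's own tooling), the steps above can be scripted on the ADFS server with the ADFS PowerShell module: one Relying Party Trust for the DC LoginService, issuance rules that release only the claim types listed above, an authorization rule that limits who can obtain a token, and an export of the two certificates the Digizuite side needs. The host name, the group SID and the export path are placeholders.

```powershell
# Added example: register the DC LoginService as a Relying Party Trust on the ADFS server.
Import-Module ADFS

$damUrl     = "https://dam.example.com"                 # placeholder, your {damurl}
$identifier = "$damUrl/DigizuiteCore/LoginService"      # same value as the "App ID" in Media Manager

# Issuance transform rules (ADFS claim-rule language). Each rule maps one AD attribute
# to one of the claim types the DC implementation consumes; nothing else is released.
$issuanceRules = @'
@RuleName = "GivenName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";givenName;{0}", param = c.Value);

@RuleName = "Group (token groups as names)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "GroupSid (token groups as SIDs)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"), query = ";tokenGroups(SID);{0}", param = c.Value);

@RuleName = "Role from DAM admin group membership"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-1001"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "DAMAdmin");
'@

# Issuance authorization: only members of one AD group get a token for this RP
# (the ADFS default would be "permit everyone"). Group SID is a placeholder.
$authzRules = @'
@RuleName = "Permit DAM users only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-1000"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name "Digizuite DAM Center" `
    -Identifier $identifier `
    -WSFedEndpoint $identifier `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules

# Export the primary token-signing and token-decrypting certificates (public part only)
# for the Digizuite-side configuration. Export path is a placeholder.
foreach ($type in "Token-Signing", "Token-Decrypting") {
    $cert = (Get-AdfsCertificate -CertificateType $type | Where-Object IsPrimary).Certificate
    Export-Certificate -Cert $cert -FilePath "C:\adfs-export\$type.cer" -Type CERT | Out-Null
}
```

Run it in an elevated PowerShell session on the ADFS server; the windowsaccountname claim the rules start from is issued by the "AD AUTHORITY" issuer only for users who authenticated against the federation service's own AD.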
Digizuite Configuration
To configure ADFS on the Digizuite side, open Media Manager and go to Settings => SSO.
Once that page loads, select "WsFederation" in the dropdown.
Configure a template member if required. If not configured for the SSO integration specifically, the general template member for the Digizuite will be used.
Configure "Group sync level". Check the tooltips in MM for specifications of what the individual levels do.
Next give the configuration a "name". This name is arbitrary and does not matter for usage, it's just for internal reference.
Next provide the "Metadata address" for the ADFS server. It typically looks like "https://my-adfs.server.com/FederationMetadata/2007-06/FederationMetadata.xml".
Next provide the "App ID". In ADFS on AD, it's the URL of the LoginService, which by default is "{damurl}/DigizuiteCore/LoginService". It's the same URL that was configured as the identifier in the ADFS server.
Next press "save".
Finally, press "activate". Once the page changes to say "Latest is active", ADFS should be good to go.
Tips & Tricks
- Configuration of group relationships is handled via bind name as in normal AD configuration for the Digizuite.
- my-adfs.server.com should be replaced with the URL of the ADFS server to be used.
- If using Azure, make sure that you expose the API (under "Application ID URI" in the App Registration's Overview tab).