5 ADFS Configuration MM 4.11.0
- Jens Fristed Navne
- Mathias Mattson (MHM)
To use ADFS with Media Manager, some configuration is required.
5.1 Prerequisites
To use ADFS (Active Directory Federation Services) with Media Manager (MM), ADFS must already be enabled on the DAM Center (DC) that your MM uses.
Edit the web.config file in an editor with XML syntax highlighting, such as Notepad++ or Sublime Text; the screenshots in this guide are from Notepad++.
Because the file has the extension ".config" rather than ".xml", the editor will not pick XML mode by itself, so select it manually (in Notepad++ through the Language menu). Highlighting also makes an unclosed tag or comment marker obvious, and such a slip leaves the file unparseable and the site unable to start.
5.2 Web.config
To enable ADFS for MM, you need to make some changes to the MM's web.config file, found in the root of the site folder. Take a copy of the file before you start, so a broken edit can be rolled back.
5.2.1 Enable ADFS login prompt (Deny users)
The first step is to make the ADFS login page appear. With the default setting anonymous users are allowed in, so nobody is ever redirected to ADFS. Change it as follows:
Around line 79 there is a tag reading <allow users="*" />. Replace the whole tag, not only its value, with <deny users="?" />.
In ASP.NET authorization rules, "*" stands for all users and "?" for the anonymous user, so the new rule rejects unauthenticated requests, and it is that rejection that triggers the redirect to the ADFS sign-in page.
With the change in place the authorization section contains <deny users="?" />, as in the screenshot for this step.
5.2.2 ADFS config section
All of the remaining settings live at the bottom of the web.config file, around line 255, so scroll to the bottom.
When you get there, the entire ADFS segment is most likely commented out; in Notepad++ a commented-out section appears green. Comment it back in by removing the <!-- at the start of the segment and the --> at its end, and nothing else. XML comments do not nest, so there is exactly one pair of markers to remove, and a marker left behind makes the file unparseable.
5.2.3 Audience URIs
Starting from the top, the first thing to edit is the audienceUris.
These must be the URL of your MM and the URL of its connected DC. E.g:
In the above image, the first entry is the DC and the second is the MM.
Enter your own URLs, including the http(s) scheme as in the image, exactly as the sites are addressed in the browser. A token whose audience does not match one of these entries is rejected, so a wrong scheme or host here breaks sign-in even though ADFS itself reports success.
5.2.4 Trusted Issuers (thumbprints)
Next, define your thumbprints.
The thumbprints are those of the ADFS token-signing and token-decryption certificates. You should have encountered them when enabling ADFS for the DC, and they are in the DC's web.config file. (If you have not enabled ADFS for your DC, stop using this guide and configure the DC for ADFS first.)
In the parameters named thumbprint, enter those thumbprints. Copy them exactly: 40 hexadecimal characters with no spaces. A thumbprint copied from the Windows certificate dialog often brings along an invisible leading character, which makes the issuer check fail with no obvious cause. Also note that when ADFS runs with its default automatic certificate rollover, the thumbprints here stop matching after a rollover and must be updated.
In the parameters named name, enter the federation service identifier of your ADFS server, e.g. https://yoursite.com/adfs/services/trust. This is the issuer name carried in the tokens, not the address of the MM site.
Above you can see roughly how the thumbprints will look in your environment.
5.2.5 Cookie Handler and WS-Federation (domain, issuer, and realm)
In the section cookieHandler, change domain to your site's host name, with no http(s) and no slashes (e.g. mm.yoursite.com). Keep it as narrow as possible: a parent domain would send the session cookie to every host under it.
In the section wsFederation change:
- issuer to https://yoursite.com/adfs/ls, the passive sign-in endpoint of your ADFS server
- realm to precisely the same value as the relying party identifier in the ADFS server, character for character, including any trailing slash; a mismatch yields an error page from ADFS instead of a login prompt
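The whole procedure in sections 5.2.1 to 5.2.5, as an added example that is not part of the Media Manager documentation: a PowerShell script that applies each edit to a web.config through [xml] support and then checks the result for the mistakes called out above (allow rule left in place, URLs without scheme, cookie domain with scheme or slashes, issuer that is not the passive endpoint, realm differing from the relying party identifier). The web.config it works on is a constructed stand-in that uses the element names this guide refers to (authorization, audienceUris, trustedIssuers, cookieHandler, wsFederation) in the standard WIF layout without an XML namespace; the URLs, the ADFS host name, the relying party identifier and the thumbprints are all placeholders and assumptions.

```powershell
# Added example, not code from the Media Manager documentation: applies the edits
# from 5.2.1 - 5.2.5 to a web.config through PowerShell's [xml] support, then
# checks the result. The config is a constructed stand-in; all values are placeholders.
$Settings = @{
    DcUrl          = 'https://dc.example.com/'   # assumed DAM Center URL
    MmUrl          = 'https://mm.example.com/'   # assumed Media Manager URL
    AdfsHost       = 'adfs.example.com'          # assumed ADFS server
    RelyingPartyId = 'https://mm.example.com/'   # relying party identifier as entered in ADFS
    # Placeholder thumbprints; the first is written the way the Windows certificate
    # dialog pastes it, with a hidden U+200E mark in front and spaces between bytes.
    Thumbprints    = @("$([char]0x200E)01 23 45 67 89 AB CD EF 01 23 45 67 89 AB CD EF 01 23 45 67",
                       '89ABCDEF0123456789ABCDEF0123456789ABCDEF')
}
$SampleConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <!--
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="https://dc.test/" />
      </audienceUris>
      <issuerNameRegistry>
        <trustedIssuers>
          <add thumbprint="0000" name="https://adfs.test/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="https://adfs.test/adfs/ls" realm="https://mm.test/" requireHttps="true" />
        <cookieHandler requireSsl="true" domain="mm.test" />
      </federatedAuthentication>
    </service>
  </microsoft.identityModel>
  -->
</configuration>
'@

function Format-Thumbprint([string]$Raw) {
    # Keep only hex digits and insist on the 40 characters of a SHA-1 thumbprint.
    $hex = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) { throw "Thumbprint '$Raw' is not 40 hex characters after cleanup" }
    return $hex
}

function Set-AdfsWebConfig([xml]$Doc, [hashtable]$S) {
    # 5.2.2: the whole ADFS block is one XML comment (comments cannot nest); parse
    # its text as a fragment and put the elements where the comment was.
    foreach ($c in @($Doc.SelectNodes('//comment()'))) {
        if ($c.Value -match '<audienceUris') {
            $frag = $Doc.CreateDocumentFragment(); $frag.InnerXml = $c.Value
            [void]$c.ParentNode.ReplaceChild($frag, $c)
        }
    }
    # 5.2.1: "*" is every user, "?" the anonymous user; denying the anonymous user
    # is what makes the site redirect to the ADFS sign-in page.
    $allow = $Doc.SelectSingleNode('//authorization/allow[@users="*"]')
    if ($allow) {
        $deny = $Doc.CreateElement('deny'); $deny.SetAttribute('users', '?')
        [void]$allow.ParentNode.ReplaceChild($deny, $allow)
    }
    # 5.2.3: audience URIs, DC first then MM, each with its scheme.
    $aud = $Doc.SelectSingleNode('//audienceUris')
    while ($aud.FirstChild) { [void]$aud.RemoveChild($aud.FirstChild) }
    foreach ($u in @($S.DcUrl, $S.MmUrl)) {
        $add = $Doc.CreateElement('add'); $add.SetAttribute('value', $u); [void]$aud.AppendChild($add)
    }
    # 5.2.4: trusted issuers; the name is the ADFS federation service identifier.
    $ti = $Doc.SelectSingleNode('//trustedIssuers')
    while ($ti.FirstChild) { [void]$ti.RemoveChild($ti.FirstChild) }
    foreach ($t in $S.Thumbprints) {
        $add = $Doc.CreateElement('add'); $add.SetAttribute('thumbprint', (Format-Thumbprint $t))
        $add.SetAttribute('name', "https://$($S.AdfsHost)/adfs/services/trust"); [void]$ti.AppendChild($add)
    }
    # 5.2.5: bare host for the cookie, passive endpoint as issuer, realm spelled
    # exactly like the relying party identifier in ADFS.
    $Doc.SelectSingleNode('//cookieHandler').SetAttribute('domain', ([uri]$S.MmUrl).Host)
    $ws = $Doc.SelectSingleNode('//wsFederation')
    $ws.SetAttribute('issuer', "https://$($S.AdfsHost)/adfs/ls"); $ws.SetAttribute('realm', $S.RelyingPartyId)
}

function Test-AdfsWebConfig([xml]$Doc, [hashtable]$S) {
    # Returns the findings; an empty result means the settings are consistent.
    $p = @()
    if ($Doc.SelectSingleNode('//authorization/allow[@users="*"]')) { $p += 'allow users="*" still present: anonymous users are never sent to ADFS' }
    if (-not $Doc.SelectSingleNode('//authorization/deny[@users="?"]')) { $p += 'deny users="?" missing' }
    foreach ($n in $Doc.SelectNodes('//audienceUris/add')) {
        if ($n.GetAttribute('value') -notmatch '^https?://') { $p += "audience URI without scheme: $($n.GetAttribute('value'))" }
    }
    $d = $Doc.SelectSingleNode('//cookieHandler').GetAttribute('domain')
    if ($d -match '^https?://|/') { $p += "cookie domain must be a bare host name, got '$d'" }
    $ws = $Doc.SelectSingleNode('//wsFederation')
    if ($ws.GetAttribute('issuer') -notmatch '/adfs/ls$') { $p += 'issuer is not the ADFS passive endpoint (/adfs/ls)' }
    if ($ws.GetAttribute('realm') -cne $S.RelyingPartyId) { $p += 'realm differs from the relying party identifier (case and trailing slash count)' }
    return $p
}

$doc = [xml]$SampleConfig
Set-AdfsWebConfig $doc $Settings
$findings = Test-AdfsWebConfig $doc $Settings
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'ADFS settings in web.config are consistent' }
# Real file: $doc = [xml](Get-Content -Raw $path); run the two functions; $doc.Save($path) after taking a backup.
```

Format-Thumbprint is the part worth keeping even if the rest is done by hand: it strips the spaces and the hidden character that the certificate dialog pastes along with the thumbprint and refuses anything that is not 40 hex digits. To confirm the values rather than trust a copy from the DC's web.config, Get-AdfsCertificate on the ADFS server lists the current token-signing and token-decryption certificates with their thumbprints. If the real web.config places these elements under an XML namespace, the XPath expressions need a namespace manager; the stand-in above assumes none, as in the standard WIF layout.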