MM5.4 Federated Authentication Configuration
- Stefan Fodor (Unlicensed)
- Gosia Creosteanu (Unlicensed)
To use Federated Authentication with Media Manager, some configuration is required. It is now enough to just add SSO configuration in the DAM Center web.config which will then be inherited to the LoginService - there is one exception to this which is for Azure Active Directory where it is required to add something to the loginservice web.config as described in 5.4.
Prerequisites
One of the Federated Authentication options should be configured for the Digizuite™ DAM Center. Follow setup guides there for the prefered authentication mechanism.
Configure MM for Federated Authentication
Open the web.config file for MM in a text editor like Notepad++.
Two values need up be updated, and a third might need to be changed, depending on requirements.
In <appSettings>, change LoginServiceUrl's value to "#{DC_URL}/LoginService", e.g. "https://dam.digizuite.com/LoginService".
Change UseFederatedAuthentication to "true" instead of "false".
If you open MM now, you should automatically hit the selected federated authentication you configured for DC.
Additional configuration options
If you want to use both normal DAM login and Federated Authentication, set AllowNormalLogin to "true" instead of "false".
This will cause MM to open like normal, but add a special button to the login dialog to login with SSO.
Important
If you set your MM5 to use AD, then it should still have the "UseFederatedAuthentication" be true
But, you must not have "AllowNormalLogin" be true. If you fail do do this, then people will be redirected into the MM5 without being prompted.
Also, you should not have "Windows authentication" enabled for the MM5, as this will result in the end user being prompted by two AD login prompts, instead of one.
Azure Active Directory in LoginService
In case you are using Azure Active Directory, it is required to add the following to the Webconfig which is placed in the LoginService folder in DAM Center web folder.
Important is to try with an empty string in redirectUri or otherwise use 'https://dam.digizuite.com/LoginService/' (important with backslash at the end)
<location inheritInChildApplications="false"> <azureActiveDirectory> <server enabled="true" templateMemberId="30021" /> <client enabled="true" redirectUri="" clientId="99088367-86f5-4ec0-87a6-83f8cfc0b078" tenant="DZPOWERBI.onmicrosoft.com" /> </azureActiveDirectory> <system.web> <authentication mode="None" /> </system.web> <system.webServer> <modules> <remove name="Session" /> <add name="Session" type="Heavysoft.Web.SessionState.HashTableSessionStateModule, Framework.WebLibrary" /> </modules> </system.webServer> </location>
Things to be aware of
As described above, the LoginService can utilize the same configuration as in the DAM Center web.config (when not Azure Active Directory as described in 5.4). This is only true when the Identity Provider allows Digizuite to provide the Redirect URI and therefore can use the same identity provider across both MM5 and DC5.
In some circumstances this is not the same and you could have an Identity Provider for both DC and MM. In this case, you would need to do the configuration twice as with Azure:
- In the DAM Center Web.config
- In the Login Service Web.config
In this case inheritance is important to understand. We want to make sure that we do not inherit the config from the DAM Center web.config because then MM would redirect to the DAM Center instead of the login service. How to solve this is described in 5.4 for Azure Active Directory but if you want to configure it for SAML2, the configuration has to clear the Identity Provider to not inherit from the DC config. It can be done by using the clear tag as described here https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/configsections-element-for-configuration.
The config would then look:
<location inheritInChildApplications="false"> .... .... <sustainsys.saml2 entityId="https://dam.belden.com/LoginService/Saml2/Acs" returnUrl="https://dam.belden.com/LoginService/" expectSignatureInXml="false" minIncomingSigningAlgorithm="SHA256" authenticateRequestSigningBehavior="Never"> <metadata cacheDuration="0:0:42" validDuration="7.12:00:00" wantAssertionsSigned="false"> <organization name="Digizuite" displayName="Sustainsys" url="http://www.digizuite.com" language="da" /> <contactPerson type="Other" email="mb@digizuite.com" /> <requestedAttributes> <add name="Minimal" /> </requestedAttributes> </metadata> <identityProviders> <!-- PROVIDE THIS CLEAR TAG TO NOT INHERIT FROM PARENT DC WEB CONFIG --> <clear/> <add entityId="https://auth.belden.com/sts_digizuitemm" allowUnsolicitedAuthnResponse="false" binding="HttpRedirect" loadMetadata="true" metadataLocation="~/meta/metadatammprod.xml"> </add> </identityProviders> </sustainsys.saml2> </location>