Setup of Entra AD (SAML2)
Setup of the Entra app registration
Log in to your Entra admin center.
Go to App registrations and create a new registration.
Give it a fitting name and select the correct account types.
As the redirect URI, insert the following (replace DAMURL with your DAM backend host):
https://DAMURL/DigizuiteCore/LoginService
If there are multiple DAM URLs, add each of them as a redirect URI (each with /DigizuiteCore/LoginService appended).
It is important that these are the backend URLs, not the URLs of the Media manager, Office connector, etc.
Example:
When the application has been set up, go to “Expose an API” and set the Application ID URI.
It needs to be the same URI as the redirect URI (this only works if the domain is trusted by the Azure tenant) or the default Application ID URI.
OR
In many cases the default api://{GUID} URI is the one to use, as the Digizuite domains are not trusted by the tenant.
Go to Token configuration and add the following claims:
Note: For groups we suggest adding the “Group ID”.
After adding the UPN claim, edit it and make sure to set the following (if you want invited guest users to access the DAM):
Make sure to select ONLY ‘Groups assigned to the application’ (how to assign groups to the application: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-assign-users ).
This prevents an ‘HTTP 400 - Bad Request (Request header too long)’, a 431 (Request header fields too large) or a similar error when a user is a member of many security groups and all of them are passed in the request.
Now copy the federation metadata URL; it is needed in the next part:
Setup of the Media manager (Digizuite configuration only)
Log in to the Media manager as a Super administrator.
Go to “Settings” - “General settings” - “SSO”
Select SAML2
Insert a Template member user ID. You can use the guest user (ID 30006) if you want low access, or create a template user that matches your needs.
Select the Sync level
Enter a name
As the Entity ID, insert the same URL you used for your redirect URI (https://DAMURL/DigizuiteCore/LoginService) OR the Application ID URI api://{GUID}, e.g. api://d530289c-c796-4521-b0e0-17c9ab986791
Signing behavior:
IfIdpWantAuthnRequestsSigned
Under Identity providers, enter:
Entity ID: open the federation metadata URL from Azure Active Directory; it contains your IdP Entity ID.
Metadata location: the federation metadata URL itself.
Now press Save and then Activate.
Once it says “Latest is active”, the SSO configuration is enabled.
Example of a configuration:
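As an added check (not part of the original guide or of Digizuite's own code), the script below parses a constructed, minimal federation metadata document of the kind Entra publishes to read off the IdP Entity ID, signing certificate count and SSO endpoint, and validates the app registration values against the rules above: redirect URIs must be https backend URLs ending in /DigizuiteCore/LoginService, and the SP Entity ID must be one of those URIs or an api://{GUID} Application ID URI. The tenant id and certificate in the sample are placeholders.

```python
import re
from xml.etree import ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
LOGIN_PATH = "/DigizuiteCore/LoginService"
API_URI_RE = re.compile(r"^api://[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample standing in for the real Entra federation metadata.
# Tenant id and certificate are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER_BASE64_CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the IdP Entity ID, number of signing certs and SSO endpoints per binding."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    sso = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": len(certs), "sso": sso}


def validate_sp_settings(redirect_uris, entity_id):
    """Check app registration values against this guide; returns a list of problems (empty = ok)."""
    problems = []
    for uri in redirect_uris:
        # Only https backend URLs ending in the LoginService path are valid redirect URIs.
        if not uri.startswith("https://") or not uri.endswith(LOGIN_PATH):
            problems.append(f"redirect URI {uri!r} must be https and end with {LOGIN_PATH}")
    # The SP Entity ID is either one of the redirect URIs or the api://{GUID} Application ID URI.
    if entity_id not in redirect_uris and not API_URI_RE.match(entity_id):
        problems.append(f"entity ID {entity_id!r} is neither a redirect URI nor api://GUID")
    return problems


if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_METADATA))
    print(validate_sp_settings(["https://dam.example.com" + LOGIN_PATH], "api://d530289c-c796-4521-b0e0-17c9ab986791"))
```

Point parse_idp_metadata at the text downloaded from your real federation metadata URL to confirm the Entity ID before entering it under Identity providers.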
Setup of Sync groups in the DAM
If you selected FullSync or AddOnly as the group sync level, you will need to set up group bindings in the DAM.
Log in as a super administrator and go to:
System tools - Users and groups - Groups
Find the group you want to bind and do the following:
Get the group's Object ID from Azure (Entra):
Enter that ID as the Binding group name and set “Is binding group”.
Repeat this process for all the groups that should be synced.
Setup of connectors or media manager:
Set a connector or Media manager to use SSO login