Setup of Entra AD (SAML2)

Setup in Entra

Log in to your Entra admin center.

Go to App registrations and create a new registration.

Give it a fitting name and select the correct supported account types.

As the redirect URI you will need to insert the following (replace DAMURL with the hostname of your DAM):
https://DAMURL/DigizuiteCore/LoginService

If there are multiple DAM URLs, they need to be added as well (each with /DigizuiteCore/LoginService appended).

It is important that these are the backend URLs, not the URLs for Media Manager, Office Connector, etc.

Example:

When the application has been set up, go to “Expose an API” and set the Application ID URI.

It needs to be either the same URI as the redirect URI (this only works if the domain is verified in the Azure tenant) or the default App ID URI.

In many cases it will be the default api:// URI that has to be used, as the Digizuite domains are not verified in the customer's tenant.

Go to Token configuration and add the following optional claims (UPN and groups):

Note: for groups we suggest adding the “Group ID” as the claim value.

After adding the UPN claim, edit it and make sure to set the required option (if you want guest invites to access the DAM).

Make sure to select ONLY ‘Groups assigned to the application’ (how to assign groups to the application: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-assign-users ).

This is to prevent an ‘HTTP 400 - Bad Request (Request header too long)’, a 431 (Request header fields too large) or a similar error when a user is a member of many security groups and all of them are passed in the request.


Now get the federation metadata URL; it is needed in the next part:


Setup of the Media manager (Digizuite configuration only)

Log in to the Media Manager as a super administrator.

Go to “Settings” - “General settings” - “SSO”

Select SAML2

Insert a template member user ID. You can use the guest user if you want low access: 30006 (or create a template user that matches your needs).

Select the sync level.

Enter a name.

In the Entity ID field, insert the same URL as you used for your redirect URI (https://DAMURL/DigizuiteCore/LoginService) OR api://{GUID} - e.g. api://d530289c-c796-4521-b0e0-17c9ab986791

Signing behavior:

IfIdpWantAuthnRequestsSigned

Under Identity providers enter:

Entity ID: open the federation metadata URL from Azure Active Directory. It contains your IdP Entity ID (the entityID attribute of the EntityDescriptor).

Metadata location: the federation metadata URL.

Now press Save and then Activate.

Once it says “Latest is active”, the SSO configuration is enabled.

Example of a configuration:


Setup of Sync groups in the DAM

If you have selected FullSync or AddOnly as your group sync level, you will need to set up your group bindings in the DAM.

You will need to log in with a super administrator and go to:

System tools - Users and groups - Groups

Find the group you want to bind and do the following:

Get the group's Object ID from Azure:

Enter that ID in “Binding group name” and enable “Is binding group”.

Repeat this process for all the groups that should be synced.
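To show how the binding works end to end, here is an added example (not Digizuite code) that resolves the group Object IDs delivered in the SAML groups claim against the DAM groups' “Binding group name” and works out what the sync would change. The data shapes and the sync semantics are assumptions made for illustration: AddOnly only adds memberships, FullSync also removes memberships of binding groups that are no longer claimed, and groups without “Is binding group” are never touched. The GUIDs are constructed placeholders.

```python
"""Resolve SAML groups-claim Object IDs against DAM binding groups and plan
the membership change for AddOnly vs FullSync.

Added example, not Digizuite code. Sync semantics and data shapes are
assumptions for illustration; the GUIDs below are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DamGroup:
    name: str
    binding_group_name: str  # Entra group Object ID, as entered in the DAM
    is_binding_group: bool


def normalize_guid(value: str) -> str:
    """Entra may present GUIDs with braces or upper case; compare them canonically."""
    return value.strip().strip("{}").lower()


def plan_group_sync(dam_groups, current_memberships, claimed_object_ids, sync_level):
    """Return (groups to add, groups to remove, claimed IDs with no binding group)."""
    if sync_level not in ("AddOnly", "FullSync"):
        raise ValueError(f"unsupported sync level: {sync_level}")
    # Only groups flagged 'Is binding group' with an ID take part in the sync.
    by_binding = {
        normalize_guid(g.binding_group_name): g.name
        for g in dam_groups
        if g.is_binding_group and g.binding_group_name
    }
    claimed = {normalize_guid(oid) for oid in claimed_object_ids}
    matched = {by_binding[oid] for oid in claimed if oid in by_binding}
    # IDs with no binding group are the first thing to look at when a user
    # logs in but does not land in the expected DAM group.
    unmatched = sorted(oid for oid in claimed if oid not in by_binding)

    to_add = matched - set(current_memberships)
    to_remove = set()
    if sync_level == "FullSync":
        # Only memberships of binding groups are eligible for removal.
        to_remove = (set(current_memberships) & set(by_binding.values())) - matched
    return to_add, to_remove, unmatched


# Constructed sample data.
SAMPLE_DAM_GROUPS = [
    DamGroup("Editors", "3f1c9b2e-0000-4000-8000-000000000001", True),
    DamGroup("Viewers", "3f1c9b2e-0000-4000-8000-000000000002", True),
    DamGroup("Local Admins", "", False),
    DamGroup("Legacy", "3f1c9b2e-0000-4000-8000-000000000003", False),  # ID set, flag missing
]
SAMPLE_CURRENT = {"Viewers", "Local Admins", "Legacy"}
SAMPLE_CLAIM = ["{3F1C9B2E-0000-4000-8000-000000000001}",
                "3f1c9b2e-0000-4000-8000-0000000000ff"]

if __name__ == "__main__":
    for level in ("AddOnly", "FullSync"):
        add, remove, unmatched = plan_group_sync(
            SAMPLE_DAM_GROUPS, SAMPLE_CURRENT, SAMPLE_CLAIM, level)
        print(level, "add:", sorted(add), "remove:", sorted(remove), "unmatched:", unmatched)
```

Note that the “Legacy” group has an Object ID entered but “Is binding group” not enabled, so it is ignored in both modes; that is the most common reason a binding silently does nothing.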


Setup of connectors or Media Manager:

Set a connector or Media Manager to use SSO login.

Troubleshooting and known issues:

How to troubleshoot SSO and known issues