2 AAD: Enabling AAD - DAM v4.9.0

Owned by Jens Fristed Navne (Unlicensed)
Jan 25, 2018

When all requirements have been met, you're now able to enable AAD login for the products you decided on (DC and/or MM)

Enabling AAD

To enable the AAD functionality, you need to do the following:

Go to your DC's web.config file and edit it - preferably with Notepad++.

In the <configSections> tag, add the following:

<section name="azureActiveDirectory" type="DigiEyeZ.Framework.WebLibrary.Configuration.AzureActiveDirectorySection" />

Making it look like this

Configuration examples

Not DC - possibly MM

Aka. "DC API server only"

Enabling the beneath configuration will enable only MM to use AAD. The DAM Center will still remain using the default non-AAD login.

Please be aware the the templateMemberId should be the user ID of the template user, you've noted down while verifying that you met the requirements (step 3: The ID of a user of which you want all your users to look like (AAD Template User)). In my case below its 30027.

<azureActiveDirectory>
	<server enabled="true" templateMemberId="30027" />
</azureActiveDirectory>

Implementing the above into the web.config will make it look like the following


DC - possibly MM

Aka. "DC API server with single tenant client login"

The below configuration enabled both DC and MM to use AAD for logging in.

  • The "templateMemberId" is again the one you defined in the requirement section (requirement 3 - just as before).
  • The "clientId" is the Application ID of the DAM Center's App registration you made a note about in the requirements section
  • The "tenant" is the App ID URI without https:// and the GUID (For example "https://digizuite.onmicrosoft.com/95303ff7-f100-47ab-ad3a-2a465ff47bd0" becomes "digizuite.onmicrosoft.com") - You made a note of this in the requirements section.
<azureActiveDirectory>
	<server enabled="true" templateMemberId="30027" />
	<client enabled="true" clientId="[DC'sApplicationID]" tenant="[mytenantid].onmicrosoft.com" />
</azureActiveDirectory>

Implementing the above into the web.config will make it look like the following

Understanding "server" and "client"

The children of azureActiveDirectory, server and client can be a bit difficult to wrap one's head around - here's some explanation:

Server: Defines the user used for creating new AAD users.

Client: Defines that the site corresponding to the chosen client ID/application ID and tenant will use AAD for logging in. The client ID of the MM must not be input into the DC's web.config's azureActiveDirectory tag - instead the MM will have its own client ID defined within its own web.config.

Configuration schema

Beneath, you'll see the definition of all the available options you have for setting up

<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="azureActiveDirectory" xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
  <xs:element name="azureActiveDirectory" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">
    <xs:complexType>
      <xs:choice minOccurs="0" maxOccurs="unbounded">
        <xs:element name="client">
          <xs:complexType>
			<!-- Enables or disables the client using AAD redirect -->
            <xs:attribute name="enabled" type="xs:bool" use="required" />
			<!-- ClientId corresponds to the Application ID in Azure Portal -->
            <xs:attribute name="clientId" use="required">
				<xs:simpleType>
					<xs:restriction base ="Guid" />
				</xs:simpleType>
			</xs:attribute>
            <!-- AADInstance is the login redirect URI -->
			<xs:attribute name="aadInstance" type="xs:string" default="https://login.microsoftonline.com/{0}" />
			<!-- Tenant is the DNS section of the App ID URI in Azure Portal. Required for single tenant usage -->
            <xs:attribute name="tenant" type="xs:string" />
			<!-- Specifies optional post logout URI. Not used in DC and MM -->
            <xs:attribute name="postLogoutRedirectUri" type="xs:string" />
          </xs:complexType>
        </xs:element>
        <xs:element name="server">
          <xs:complexType>
            <xs:sequence>
              <!-- List of audiences allowed when running multi-tenant applications -->
              <xs:element name="validAudiences" minOccurs="0" maxOccurs="unbounded">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="clear" type="xs:string" minOccurs="0" />
                    <xs:element name="add" minOccurs="0" maxOccurs="unbounded">
                      <xs:complexType>
                        <xs:attribute name="name" type="xs:string" />
                      </xs:complexType>
                    </xs:element>
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
			<!-- Enables or disables the server AAD endpoint -->
            <xs:attribute name="enabled" type="xs:bool" use="required" />
			<!-- Discovery endpoint for validating JwT -->
            <xs:attribute name="stsDiscoveryEndpoint" type="xs:string" default="https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration" />
			<!-- Specifies the DAM Center MemberId used to auto-create users on the fly -->
            <xs:attribute name="templateMemberId" type="xs:int" use="required" />
            <!-- Specify to validate the issuer -->
            <xs:attribute name="validIssuer" type="xs:string" />
          </xs:complexType>
        </xs:element>
      </xs:choice>
    </xs:complexType>
	<xs:simpleType name="Guid">
        <xs:restriction base="xs:string">
            <xs:pattern value="([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})|(\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})"/>
        </xs:restriction>
    </xs:simpleType>
  </xs:element>
</xs:schema>