DC 5.7 AAD: Requirements

In order for AAD to work, you need to make sure that the following requirements are met.

Access to your AAD Azure Account

Access https://portal.azure.com and log in.

If you're able to see "Azure Active Directory" - you meet this requirement



NOTE: Azure Active Directory Group membership synchronization to DC requires Azure Subscription levels "Premium P1" or "Premium P2"

The ID of the user you want all new users to inherit from (AAD Template User)

Per default the DAM Center is configured with two users, that are "copied" every time either a collection or self-signup user has been created by the system. These two are users, just like all the other users (the user named system excluded). The thing that sets them apart is that their passwords usually is something that's meant never to be written again, and that their user IDs are called upon by the system every time a new user is to be created in its likeness.

Usually the self-signup template user named "self-sign up template user" is already present in your system when you have the self-signup functionality enabled. If this is the case, usually this user can be used for automatic assigning of roles when creating AAD users. Write down this user's user ID for later in the guide.

Info

If the group sync feature is used, the templateUserId is of course a bit redundant. You can simply disable it by setting it to 0 - or choose to keep it on as an addition to all newly created SSO users. The reason why it’s now redundant, is that now users' groups are determined by which groups they’ve been assigned to in the AAD.

If you don't want to use the self-sign up template user, you'll, of course, have to create a new user:

  1. Login to your DAM Center with a Super Administrator or an Administrator user

  2. Go to System tools → Users and groups → Users → System users and press Add

  3. In the Username field, you type in "AAD Template User", in the password field you type in something random (Optionally: Metagroup field "User Config")

  4. Press create (image below)

  5. Note down this new user’s user ID (image below)

  6. Edit the user's roles by expanding the right-side edit menu - make sure that you're in the view named "Standard" now add the following groups

    1. Internal access

    2. Light user or Content Creator

    3. Public access

    4. Trusted (usually already added)

  7. Save

The ID you've noted down will be used in a upcoming section, where you have to edit some XML.

Create and map DAM Center groups to reflect your reflects Azure Active Directory Groups

Note

This step requires Azure Subscription level "Premium P1" or "Premium P2"

Navigate to System Tools → Groups in Dam Center → Users and groups →

Groups.

Create a Folder by right-clicking Groups and selecting Add folder

Name the new folder "Azure Active Directory"

Select the new Folder.

In the Azure Portal Navigate to "Azure Active Directory" / "Groups"

The Object Id is used to bind the Active Directory Group to a DAM Center Group.

Repeat for each Azure Active Directory group that should grant access to the DAM Center

Click "Add", and Give the new DAM Center Group a name.

Click "Create"

Select the new Group, and edit in the right pane.



  • Fill the "Binding group name" with the object Id from the azure groups "Object Id" field

  • Check the "Is Binding group" checkbox

  • Select DAM Center groups, users that are members of the Azure group should be member of.

  • Click Save.

Repeat for each Azure group that should be mapped.

Make an App Registration for the DC in the Azure Portal

You have to enable AAD for the DC. All other applications that we support AAD for will inherit it from the DC.

You register your product by doing the following steps:

  1. Access https://portal.azure.com with your Azure credentials, you have from the first requirement (Access to your AAD Azure Account)

  2. Access "Azure Active Directory" (see image)

  3. In here, press the "App registrations" beneath "Manage" (See image)

  4. Now press the "New registration"

  5.  

  6. In the form, set the “name” to something that is easy to remember and find again should that be needed.
    Set the “Redirect URI” to “https://{dc-url}/DigizuiteCore/LoginService”

     

  7. On the application page, select “endpoints”

     

  8. Find the “Federation metadata document” url, and save that somewhere convenient. This is the “Metadata address”

  9. Next go to “Expose an api”

     

  10. Look for “Application ID URI“ - on here, click on “Set“.

    Copy the App ID, and press “Save“

  11. Lastly, invite users to your site. This is described in another guide. In short, access your site's registration in the "Enterprise Applications" tab in the AAD section, and take it from there.

Configuration of the Active Directory Group Membership synchronization mode.

Info

This section is only relevant if Azure Premium P1 or Azure Premium P2 subscription is used.

Select Manifest in the left pane.

Modify the JSON document, by modifying the line "groupMembershipClaims": null, to be e.g. "groupMembershipClaims":"SecurityGroup",

Valid options for groupMembershipClaims are:

  • "All"

  • "SecurityGroup"

  • "DestributionList"

  • "DirectoryRole"

see: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims for more info.