6 AAD Configuration - MM v4.13.0
- Mathias Mattson (MHM)
Description
Media Manager (MM) supports Azure Active Directory (AAD) which allows Single Sign-On (SSO) functionality for Microsoft and Azure accounts (including Azure accounts created by inviting users from outside the AAD). The solution supports Azure being both single and multi-tenant in regards to directory applications.
Prerequisites
Your DC must accommodate MM
Your DAM Center (DC) must be set up to accommodate MM.
For this, please look at the Configuration Examples beneath your DC's documentation: .../Configuration Guides/Azure Active Directory (AAD)/2 AAD: Enabling AAD
If you have initially followed the examples given to you by the DC's documentation, your DC should already be configured to accommodate AAD for MM.
You must not have AD or ADFS enabled on your MM
In MM versions prior to MM 4.11.0, some ADFS configuration has already been added to the MM's web.config file.
By using the MM 4.11.0's (or greater) web.config as a template, you can remove these ADFS configurations so that your MM meets this requirement.
Your MM must be a registered app in your Azure's AAD
Just like for the DC, you must create an entry in your Azure Portal's AAD configuration.
Please look for the "4: You must make an App Registration on DC and/or MM in Azure" in your DC's documentation: .../Configuration Guides/Azure Active Directory (AAD)/1 AAD: Requirements
Enabling AAD
Just like for the DAM Center (DC), you have to make changes to the web.config file. Of course, this time it should be for the MM's web.config file, and not the DC's.
To start off, you need to add the section definition below to your MM's config file (Just like in the case of DC):
You do not need to add this on MM 4.11.0 or greater.
<section name="azureActiveDirectory" type="DigiEyeZ.Framework.WebLibrary.Configuration.AzureActiveDirectorySection" />
Configuration example
After having made certain that the section definition above is in the web.config, you must add the following configuration:
MM with single tenant login
<azureActiveDirectory>
  <client enabled="true" clientId="26667631-53d0-41e5-917c-6ecd05a48820" tenant="mytenantid.onmicrosoft.com" />
</azureActiveDirectory>
You need to input your application's App ID found in the Azure Portal beneath AAD.
The "tenant" you also find in the Azure Portal.
(See the DC's documentation for more information about how to find "App ID" and "Tenant")
If you are unsure where to insert the above section, please see the Enabling AAD section in: .../Configuration Guides/Azure Active Directory (AAD)/2 AAD: Enabling AAD
Alternatively, please see the configuration schema below:
<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="azureActiveDirectory" xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
  <xs:element name="azureActiveDirectory" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="client">
          <xs:complexType>
            <!-- Enables or disables the client using AAD redirect -->
            <xs:attribute name="enabled" type="xs:boolean" use="required" />
            <!-- ClientId corresponds to the Application ID in Azure Portal -->
            <xs:attribute name="clientId" use="required">
              <xs:simpleType>
                <xs:restriction base="Guid" />
              </xs:simpleType>
            </xs:attribute>
            <!-- AADInstance is the login redirect URI -->
            <xs:attribute name="aadInstance" type="xs:string" default="https://login.microsoftonline.com/{0}" />
            <!-- Tenant is the DNS section of the App ID URI in Azure Portal. Required for single tenant usage -->
            <xs:attribute name="tenant" type="xs:string" />
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- A GUID, with or without surrounding braces -->
  <xs:simpleType name="Guid">
    <xs:restriction base="xs:string">
      <xs:pattern value="([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})|(\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})" />
    </xs:restriction>
  </xs:simpleType>
</xs:schema>
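The prerequisites and the schema above amount to a short checklist for the MM web.config: no ADFS configuration left behind, the azureActiveDirectory section definition registered, a client element whose clientId is a GUID, and a tenant when single-tenant login is used. The script below, an added example that is not part of this page or of the Media Manager product, runs those checks over a web.config and reports every violation. The two web.config snippets are constructed for the example; the ADFS section names it looks for (system.identityModel and system.identityModel.services) are an assumption about what a typical WS-Federation based ADFS integration leaves in web.config, since the page does not list them.

```python
import re
import xml.etree.ElementTree as ET

# GUID pattern copied from the configuration schema above (with or without braces).
GUID_RE = re.compile(
    r"^(?:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
    r"|\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})$"
)
# Section type from the page's section definition.
SECTION_TYPE = "DigiEyeZ.Framework.WebLibrary.Configuration.AzureActiveDirectorySection"
# Assumption: ADFS/WS-Federation remnants usually live in these web.config sections.
ADFS_SECTIONS = ("system.identityModel", "system.identityModel.services")


def check_web_config(xml_text, single_tenant=True):
    """Return a list of problems found in an MM web.config (empty list = passes)."""
    problems = []
    root = ET.fromstring(xml_text)

    # 1. No ADFS configuration may remain (prerequisite "no AD or ADFS enabled").
    for element in root.iter():
        if element.tag in ADFS_SECTIONS:
            problems.append(f"ADFS remnant: <{element.tag}> is still present")

    # 2. The azureActiveDirectory section definition must be registered.
    defined = any(
        s.get("name") == "azureActiveDirectory" and s.get("type") == SECTION_TYPE
        for s in root.iter("section")
    )
    if not defined:
        problems.append('missing <section name="azureActiveDirectory" .../> in <configSections>')

    # 3. The client element and its attributes must follow the schema.
    client = root.find("azureActiveDirectory/client")
    if client is None:
        problems.append("missing <azureActiveDirectory><client .../>")
        return problems
    enabled = client.get("enabled")
    if enabled not in ("true", "false"):
        problems.append(f"enabled must be true or false, got {enabled!r}")
    client_id = client.get("clientId")
    if client_id is None or not GUID_RE.match(client_id):
        problems.append(f"clientId is not a GUID: {client_id!r}")
    if single_tenant and not client.get("tenant"):
        problems.append("tenant is required for single-tenant login")
    aad_instance = client.get("aadInstance")
    if aad_instance is not None and not aad_instance.startswith("https://"):
        problems.append(f"aadInstance must use https: {aad_instance!r}")
    return problems


# Constructed sample: a web.config that follows the page's configuration example.
GOOD_CONFIG = """<configuration>
  <configSections>
    <section name="azureActiveDirectory" type="DigiEyeZ.Framework.WebLibrary.Configuration.AzureActiveDirectorySection" />
  </configSections>
  <azureActiveDirectory>
    <client enabled="true" clientId="26667631-53d0-41e5-917c-6ecd05a48820" tenant="mytenantid.onmicrosoft.com" />
  </azureActiveDirectory>
</configuration>"""

# Constructed sample: a pre-4.11.0 style web.config with several mistakes.
BAD_CONFIG = """<configuration>
  <configSections>
    <section name="something" type="Other.Section" />
  </configSections>
  <system.identityModel />
  <azureActiveDirectory>
    <client enabled="yes" clientId="not-a-guid" />
  </azureActiveDirectory>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        found = check_web_config(cfg)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it against a real file with check_web_config(open("web.config").read()); pass single_tenant=False for a multi-tenant app registration, where tenant may be omitted. The ADFS check is by element name only, so adjust ADFS_SECTIONS if your old integration used different section names.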