6 SAML 2.0 ADFS Configuration MM v4.13.0

To use ADFS with Media Manager, some configuration is required.

5.1 Prerequisites

In order to use the SAML 2.0 Protocol with ADFS (Active Directory Federation Services) and Media Manager (MM), the DAM Center (DC) that your MM uses must have ADFS enabled.

I suggest using an editor such as Notepad++ or Sublime Text for editing the web.config file. The following images are from Notepad++.

Because the file has the extension ".config" rather than ".xml", you'll need to manually set the language to XML.

5.2 Web.config

To enable ADFS with the SAML 2.0 Protocol for MM, you need to make some changes to MM's web.config file, found in the root of the site folder.

5.2.1 ADFS SAML 2.0 Protocol config section

All of the following configuration changes are made in the web.config file, around line 255, so scroll to the bottom.

The supplied web.config (from the root of the website) contains some ADFS SAML 2.0 Protocol settings that need to be changed.

Add to <configSections>:

	<section name="sustainsys.saml2" type="Sustainsys.Saml2.Configuration.SustainsysSaml2Section, Sustainsys.Saml2, Version=0.24.0.0, Culture=neutral, PublicKeyToken=f3f81a9c4b80e2ec" />


Add the following two to <modules>:

<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />

Add the following under <configuration>:

<system.identityModel>
    <identityConfiguration saveBootstrapContext="true"/>
</system.identityModel>


The SAML 2.0 Protocol-specific settings can be added with the following (this is a sample; all configuration options are documented at https://github.com/Sustainsys/Saml2/blob/master/docs/Configuration.md):

<sustainsys.saml2 entityId="https://local.dev.digizuite.com/DAMUI/Saml2/Acs" returnUrl="https://local.dev.digizuite.com/DAMUI/" minIncomingSigningAlgorithm="SHA256" authenticateRequestSigningBehavior="Never">
    <metadata cacheDuration="0:0:42" validDuration="7.12:00:00" wantAssertionsSigned="false">
      <organization name="Digizuite" displayName="Sustainsys" url="http://www.digizuite.com" language="da" />
      <contactPerson type="Other" email="bbl@digizuite.com" />
      <requestedAttributes>
        <add name="Minimal" />
      </requestedAttributes>
    </metadata>
    <identityProviders>
      <add entityId="http://adfs.digidom.dk/adfs/services/trust" signOnUrl="https://adfs.digidom.dk/adfs/ls/" allowUnsolicitedAuthnResponse="false" binding="HttpRedirect" loadMetadata="true" metadataLocation="https://adfs.digidom.dk/FederationMetadata/2007-06/FederationMetadata.xml">
        <signingCertificate storeName="My" storeLocation="LocalMachine" findValue="bcb69b53ff55993b14d8b7891251c5db6eb94542" x509FindType="FindByThumbprint" />
      </add>
    </identityProviders>
    <serviceCertificates>
      <add fileName="~/App_Data/Sustainsys.Saml2.Tests.pfx" />
    </serviceCertificates>
</sustainsys.saml2>

In some instances it can be necessary to increase maxQueryStringLength to accommodate the SAML token being returned as a query-string parameter from ADFS:

<requestFiltering>
        <requestLimits maxAllowedContentLength="2000000000" maxUrl="1638400" maxQueryString="1638400" />
</requestFiltering>
...
...
<httpRuntime maxRequestLength="2048000" executionTimeout="120000" requestValidationMode="2.0" maxUrlLength="16384" maxQueryStringLength="2048000" />
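The sample <sustainsys.saml2> section above and the query-string limits that follow it are the two places where a mistake silently weakens or breaks the ADFS trust. The script below is an added example, not Digizuite's or Sustainsys' code: it parses a web.config and reports settings a reviewer would flag (a weak minIncomingSigningAlgorithm, allowUnsolicitedAuthnResponse set to true, non-https signOnUrl, metadataLocation or returnUrl, an identity provider with neither loadMetadata nor a signingCertificate), and it computes the query-string limit that actually applies, which is the smaller of IIS's requestLimits maxQueryString and ASP.NET's httpRuntime maxQueryStringLength (both default to 2048 when absent). The embedded web.config is constructed for the example; the hostnames and thumbprint are placeholders, and it deliberately contains two weak settings so the linter has something to report.

```python
# Added example (not part of the original page, nor Digizuite/Sustainsys code):
# a small linter for the <sustainsys.saml2> section and query-string limits of a web.config.
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment. Hostnames and the thumbprint are placeholders.
# It intentionally has allowUnsolicitedAuthnResponse="true" and an http:// metadataLocation.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <sustainsys.saml2 entityId="https://mm.example.test/DAMUI/Saml2/Acs"
                    returnUrl="https://mm.example.test/DAMUI/"
                    minIncomingSigningAlgorithm="SHA256"
                    authenticateRequestSigningBehavior="Never">
    <metadata cacheDuration="0:0:42" validDuration="7.12:00:00" wantAssertionsSigned="false" />
    <identityProviders>
      <add entityId="http://adfs.example.test/adfs/services/trust"
           signOnUrl="https://adfs.example.test/adfs/ls/"
           allowUnsolicitedAuthnResponse="true"
           binding="HttpRedirect"
           loadMetadata="true"
           metadataLocation="http://adfs.example.test/FederationMetadata/2007-06/FederationMetadata.xml">
        <signingCertificate storeName="My" storeLocation="LocalMachine"
             findValue="0000000000000000000000000000000000000000" x509FindType="FindByThumbprint" />
      </add>
    </identityProviders>
  </sustainsys.saml2>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxQueryString="1638400" />
      </requestFiltering>
    </security>
  </system.webServer>
  <system.web>
    <httpRuntime maxQueryStringLength="2048" />
  </system.web>
</configuration>
"""

WEAK_SIGNING_ALGORITHMS = {"", "SHA1", "MD5"}
DEFAULT_QUERY_STRING_LIMIT = 2048  # IIS and ASP.NET default when the attribute is absent


def _is_true(value):
    return (value or "").strip().lower() == "true"


def lint_saml_config(xml_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    # The section name contains a dot, so match the tag directly rather than via an XPath string.
    saml = next((el for el in root.iter() if el.tag == "sustainsys.saml2"), None)
    if saml is None:
        return ["no <sustainsys.saml2> section found"]

    alg = saml.get("minIncomingSigningAlgorithm", "").strip().upper()
    if alg in WEAK_SIGNING_ALGORITHMS:
        findings.append(f"minIncomingSigningAlgorithm={alg or 'unset'}: require SHA256 or stronger")
    if not saml.get("returnUrl", "").lower().startswith("https://"):
        findings.append("returnUrl is not https")

    for idp in saml.iterfind("identityProviders/add"):
        name = idp.get("entityId", "<no entityId>")
        if _is_true(idp.get("allowUnsolicitedAuthnResponse")):
            findings.append(f"{name}: allowUnsolicitedAuthnResponse=true accepts unsolicited (IdP-initiated) responses")
        # The IdP entityId is an identifier and may legitimately be http://; only fetched/redirected URLs are checked.
        for attr in ("signOnUrl", "metadataLocation"):
            url = idp.get(attr, "")
            if url and not url.lower().startswith("https://"):
                findings.append(f"{name}: {attr} is not https ({url})")
        if not _is_true(idp.get("loadMetadata")) and idp.find("signingCertificate") is None:
            findings.append(f"{name}: no signingCertificate and loadMetadata is not true, responses cannot be verified")
    return findings


def effective_query_string_limit(xml_text):
    """The lower of the IIS and ASP.NET query-string limits is the one that actually applies."""
    root = ET.fromstring(xml_text)
    limits = next(root.iter("requestLimits"), None)
    runtime = next(root.iter("httpRuntime"), None)
    iis = int(limits.get("maxQueryString", DEFAULT_QUERY_STRING_LIMIT)) if limits is not None else DEFAULT_QUERY_STRING_LIMIT
    aspnet = int(runtime.get("maxQueryStringLength", DEFAULT_QUERY_STRING_LIMIT)) if runtime is not None else DEFAULT_QUERY_STRING_LIMIT
    return min(iis, aspnet)


if __name__ == "__main__":
    for finding in lint_saml_config(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print("effective query-string limit:", effective_query_string_limit(SAMPLE_WEB_CONFIG))
```

Run it against the real web.config by replacing SAMPLE_WEB_CONFIG with the file's contents; on the constructed sample it reports the unsolicited-response setting and the plain-http metadata URL, and shows that raising requestLimits maxQueryString alone leaves the effective limit at ASP.NET's 2048 until httpRuntime maxQueryStringLength is raised as well.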