Setup ADFS SAML2

Setup in ADFS

Open ADFS management tool and go to Relying Party Trust

Create a new Relying Party trust

Select

Enter a Display name (only used for visual reference)

(Optional) Select your token encryption certificate

Select the SAML 2 protocol and enter your DAM url like this: https://DAMURL/DigizuiteCore/LoginService/Saml2/Acs


Relying party identifiers will be https://DAMURL/DigizuiteCore/LoginService

If there are multiple DAM URLs, they need to be added as well (with the /DigizuiteCore/LoginService added).

It is important that these are the backend URLs, not the URLs for Media Manager, Office connector, etc.


Choose who should have access to the solution.

Finish the Relying Party Trust wizard.

Configure the following claims

Add a “Transform an Incoming Claim” rule like this:

Add the following claims as LDAP Attributes:

E-mail address

Surname

Given name

(Optional - only if Group sync is needed) Group name (Token-Groups - Qualified by Domain)

(Optional - only if Group sync is needed) Group SID (Token-Groups as SIDs)

Note: if you have a large AD with many groups, it is a good idea to extract only the DAM groups with custom rules. This keeps the token from becoming too large for the website to handle.

It can be done by creating the following two custom rules:

Get Groups from AD

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

Send DAM groups as claims (remember to update the regex ^(?i)dam - scheme - .+$ to match your group naming)

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)dam - scheme - .+$"] => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = c.Value, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

Get the federation metadata URL for the next step. It will most likely be: https://YourADDomain/FederationMetadata/2007-06/FederationMetadata.xml
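As an added example (not from the Digizuite documentation), the ADFS part of the procedure above as a PowerShell script using the ADFS module. The hostname and trust name are placeholders, the LDAP rule uses the standard ADFS outgoing claim types for E-mail address, Surname and Given name, the group filtering uses the two custom rules from this page instead of the Token-Groups attributes, and the “Transform an Incoming Claim” rule shown in the screenshot is not reproduced because its details are not in the text.

```powershell
# Added example: registers the Digizuite DAM Relying Party Trust from PowerShell.
# dam.example.com stands in for DAMURL; adjust $groupRegex to your group naming.
Import-Module ADFS

$damHost    = "dam.example.com"                      # placeholder for DAMURL
$identifier = "https://$damHost/DigizuiteCore/LoginService"
$acsUrl     = "$identifier/Saml2/Acs"
$groupRegex = '^(?i)dam - scheme - .+$'

# Assertion Consumer Service endpoint (SAML 2.0 POST binding)
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Issuance transform rules: LDAP attributes, then the two custom group rules.
# Only groups matching $groupRegex are forwarded, which keeps the token small.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";mail,sn,givenName;{0}", param = c.Value);

@RuleName = "Get Groups from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Send DAM groups as Claims"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "$groupRegex"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = c.Value, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Issuance authorization rule: who may receive a token (here everyone; restrict as needed)
$authzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Add-AdfsRelyingPartyTrust -Name "Digizuite DAM" `
    -Identifier @($identifier) `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check what was registered: identifier and ACS endpoint must match the DAM backend URL
Get-AdfsRelyingPartyTrust -Name "Digizuite DAM" | Select-Object Name, Identifier, SamlEndpoints
```

If the DAM has several backend URLs, pass them all in the `-Identifier` array, each with /DigizuiteCore/LoginService appended, as the text above requires.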

Setup of Media manager (Digizuite configuration only)

Log in to the Media Manager as a Super administrator.

Go to “Settings” - “General settings” - “SSO”

Select SAML2

Insert a Template member user ID. You can use the guest user (30006) if you want low access, or create a template user that matches your needs.

Select the Sync level

Enter a name

In the Entity ID field, insert the same URL as you used for your redirect URI (https://DAMURL/DigizuiteCore/LoginService)

Signing behavior:

IfIdpWantAuthnRequestsSigned

Under Identity providers enter

Entity ID: open the federation metadata URL; it contains the ADFS Entity ID.

Metadata location: The federation metadata URL

Now press Save and then Activate.

Once it says “Latest is active”, the SSO configuration is enabled.

Setup of Sync groups in the DAM

If you have selected FullSync or AddOnly as your Group sync level, you will need to set up your group binding in the DAM.

You will need to log in with a super administrator and go to:

System tools - Users and groups - Groups

Find the group you want to bind and do the following:

In the Binding group name field, enter either domain/groupname or the group SID.

Setup of connectors or media manager:

Set a connector or Media manager to use SSO login

Troubleshooting and known issues:

How to troubleshoot SSO and known issues