Skip to main content

 

Documentation & User Guides | FotoWare

Azure Active Directory integration and SSO

How it works

With Azure AD Authentication, users and groups are managed in the Azure AD console, in much the same was as on a Windows Active Directory server. Group changes in the AD, such as the addition or removal of users, is automatically updated so that all user management can be done in the Azure AD only. 

Azure Active Directory integration involved the following steps:

  • Enable Azure Active Directory integration on the site (see below)
  • Import groups into FotoWeb
  • Assign access to FotoWeb archives based on the groups you've imported

Setting it up

Add the FotoWeb application to the Azure management console

Log in to the Azure portal and add a new application to your AD.

Azure AD setup 1.png
 

Name the application and choose Web application as its type.

Azure AD setup 2.png

Set the Sign-on URL and App ID URI. The Sign-on URL should be the domain name that your fotoweb server responds to followed by /fotoweb/auth, for example: http://fotoweb.company.com/fotoweb/auth/

Azure AD setup 3.png

The APP ID URI is a unique identifier for Azure AD to identify your app. It must be a unique url in your organization's Azure AD - you can for instance use the public hostname that your server responds to in DNS as this will be a unique value.

 

Having completed the above step, Azure AD will assign a Client ID to your application. This ID will be added to the Azure AD setup in the FotoWeb site configuration later.

Azure AD setup 4.png

Next, generate an app key in the keys section in the Azure console. Use the dropdown list to create it and choose a validity period. A key can be valid for a maximum of two years, for security reasons.This key must also be added to the AD configuration in the FotoWeb site configuration later. You need to save the changes before the key is generated and you can copy it to the clipboard for use in the Operations Center.

Now, set the Reply URL to your FotoWeb server's public hostname followed by /fotoweb/auth/

Azure AD setup 5.png

Finally, in the permissions to other applications section in the Azure console, open the Delegated Permissions list and enable two options: (1) Access the directory as the signed-in user and (2) Sign in and read user profile

 

Adding Azure AD information to the Operations Center

On the FotoWeb server, open the Operations Center and go to the FotoWeb site configuration.

Go to the Settings tab and choose the Authentication providers node under Services.

Authentication - Azure AD.png

Choose Microsoft Azure AD as the Authentication Provider. You will then need to provide the following information that can be found in the Azure AD console.

  • ClientID
  • AppKey
  • Tenant
  • TenantID

Finding Tenant and Tenant ID values

Tenant is the name of the FotoWeb instance, while the Tentant ID is a GUID. Both can be extracted from the web browser's address bar when you're on the AD settings page in the Azure Portal. For example, the address bar may read: 

https://manage.windowsazure.com/contoso.onmicrosoft.com#Workspaces/ActiveDirectoryExtension/Directory/<Tenant ID GUID>/directoryQuickStart

where the Tenant value is highlighted in blue, while the Tenant ID (GUID) is in red.

Finally, choose whether users should only be allowed to log in using Azure AD (see checkbox in above screenshot). If this option is ticked, users will not be able to access the regular FotoWeb login screen and manually enter a username and password; rather they will be logged in automatically when accessing the FotoWeb site using their Azure AD credentials. If the option is not selected, users will be given the option to choose between using SSO or logging in with another username and password in the FotoWeb user register. Note that it is not possible to enter the Azure AD credentials to log in manually.

Importing groups and assigning access

Next, you need to import groups from the Active Directory to give them access to FotoWeb.

You can then proceed to assign access to FotoWeb archives and actions using the imported groups.