How it works
With Azure AD Authentication, users and groups are managed in the Azure AD console, in much the same way as on a Windows Active Directory server. Group changes in the AD, such as the addition or removal of users, are picked up automatically, so that all user management can be done in Azure AD only.
Azure Active Directory integration involves the following steps:
- Adding the FotoWeb site to the Azure AD portal
- Enabling Azure Active Directory integration on the FotoWeb site
- Importing groups into FotoWeb
- Assigning access to FotoWeb archives based on the groups you've imported
Setting it up
Add the FotoWeb application to the Azure management console
Log in to the Azure portal and add a new application to your Active Directory.
Name the application and choose Web application as its type. At this point, also set the Sign-on URL that your application uses. For single sign-on to a FotoWare SaaS tenant, the URL is typically of this format:
After creating the application registration, go to App Registrations > Application > Settings to retrieve the Application ID (screenshot below). This ID needs to be entered into the FotoWeb Azure AD config in the site configuration later.
Set the correct Reply URL
Go to Application > Settings > Reply URL and add a new Reply URL. It should match the FotoWeb server's public hostname followed by /fotoweb/auth/signin-oidc, for example https://company.fotoware.cloud/auth/signin-oidc
Next, remove the original reply URL that's listed: http://fotoweb.company.com/fotoweb/auth/
Assign permissions to the application
Next, assign the necessary permissions to the application: Go to Application > Settings > Required permissions > Windows Azure Active Directory > Enable Access, and enable two permissions in the Delegated Permissions section:
- Access the directory as the signed-in user
- Sign in and read user profile
Make sure to hit Save to update the permissions.
Next, go to the previous blade in the Azure portal and click on Grant permissions to assign the permissions to all users in the directory:
Create application keys
Next, generate an app key under Application > Settings > Keys in the Azure console:
Enter a key description (simply a label) and set a duration/validity period. For security reasons, a key can be valid for a maximum of two years.
The key will be created and can be obtained after you save the changes. It can then be copied to the clipboard and pasted in the corresponding field in the Azure AD settings in the Operations Center.
Because an application key is valid for at most two years, it's practical to set a reminder in your maintenance calendar to replace the key before it expires. If the key does expire, users will temporarily lose access to the system.
Adding Azure AD information to the Operations Center
Having completed the above steps, make sure you have gathered the necessary information from the Azure console before proceeding:
Application ID
Found in the Azure console in the application properties.
Application Key
The key generated in the Azure console with a validity of maximum two years.
Tenant / Domain Name
The domain name listed in the Azure portal. If you're uncertain about the value, open the Azure console and click on the Azure Active Directory node. The Name field there lists the correct domain name.
Directory ID
This can be found on the same blade as the Domain Name: Open the Azure console and click on the Azure Active Directory node. The Directory ID field can be easily copied out from there.
Adding the information to the FotoWeb tenant in the Operations Center
On the FotoWeb server, open the Operations Center and go to the FotoWeb site configuration.
Go to the Settings tab and choose the Authentication providers node under Services.
Enter the Application Id, Application Key, Tenant/Domain name and Directory Id values and save the changes.
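The following script is an added example, not FotoWare's or Microsoft's code, that checks the values gathered in the steps above before they go into the Operations Center: that the registered Reply URLs consist of exactly the https address ending in /fotoweb/auth/signin-oidc (flagging the portal's original http entry that the page says to remove, since a sign-in response is only ever delivered to a registered reply URL and every extra entry is a place it could be delivered to), that an application key is within the two-year cap and not about to expire, and that the Application ID and Directory ID look like GUIDs. The hostname, dates and GUIDs used are constructed sample values.

```python
"""Added example (not FotoWare's code): sanity checks for the Azure AD app
registration values gathered on this page. All inputs are constructed samples."""
from __future__ import annotations

import re
from datetime import date
from urllib.parse import urlsplit

# Reply (redirect) path FotoWeb expects, as stated in the Reply URL step.
REPLY_PATH = "/fotoweb/auth/signin-oidc"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def expected_reply_url(public_hostname: str) -> str:
    """The single reply URL that should be registered for a FotoWeb host."""
    return f"https://{public_hostname}{REPLY_PATH}"


def check_reply_urls(public_hostname: str, registered: list[str]) -> dict:
    """Compare registered reply URLs with the one FotoWeb needs.

    Reports the wanted URL if missing, every other entry as stale (the portal's
    original http://.../fotoweb/auth/ entry ends up here), and plain-http entries.
    """
    wanted = expected_reply_url(public_hostname)
    stale = [u for u in registered if u != wanted]
    insecure = [u for u in registered if urlsplit(u).scheme != "https"]
    return {
        "missing": [] if wanted in registered else [wanted],
        "stale": stale,
        "insecure": insecure,
        "ok": wanted in registered and not stale,
    }


def _add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def key_status(issued: date, expires: date, today: date, warn_days: int = 30) -> dict:
    """Report whether a key respects the two-year cap, has expired, or is due
    for renewal within warn_days (the maintenance-calendar reminder)."""
    remaining = (expires - today).days
    return {
        "lifetime_ok": issued < expires <= _add_years(issued, 2),
        "expired": remaining < 0,
        "renew_soon": 0 <= remaining <= warn_days,
        "days_remaining": remaining,
    }


def check_operations_center_values(values: dict) -> list[str]:
    """Problems with the four values entered under Authentication providers."""
    problems = []
    for field in ("application_id", "directory_id"):
        if not GUID_RE.match(values.get(field, "")):
            problems.append(f"{field} is not a GUID")
    if not values.get("application_key"):
        problems.append("application_key is empty")
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", values.get("tenant_domain", "")):
        problems.append("tenant_domain is not a domain name")
    return problems


if __name__ == "__main__":
    # Constructed sample: the portal's default reply URL still present next to the right one.
    print(check_reply_urls("company.fotoware.cloud", [
        "http://fotoweb.company.com/fotoweb/auth/",
        "https://company.fotoware.cloud/fotoweb/auth/signin-oidc",
    ]))
    print(key_status(date(2023, 1, 1), date(2025, 1, 1), date(2024, 12, 15)))
    print(check_operations_center_values({
        "application_id": "00000000-0000-0000-0000-000000000000",  # placeholder GUID
        "application_key": "<paste key from portal>",              # placeholder
        "tenant_domain": "company.onmicrosoft.com",                # constructed
        "directory_id": "not-a-guid",
    }))
```

Run it once with your own hostname and the key's end date from the Keys blade; a non-empty "stale" list means the Reply URL step was not finished, and "renew_soon" is the signal to rotate the key before users lose access.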