How it works
With Azure AD Authentication, users and groups are managed in the Azure AD console, in much the same way as on a Windows Active Directory server. Group changes in the AD, such as the addition or removal of users, are picked up automatically, so all user management can be done in Azure AD alone.
Azure Active Directory integration involves the following steps:
- Enable Azure Active Directory integration on the site (see below)
- Import groups into FotoWeb
- Assign access to FotoWeb archives based on the groups you've imported
Setting it up
Add the FotoWeb application to the Azure management console
Log in to the Azure portal and add a new application to your AD.
Name the application and choose Web application as its type.
Set the Sign-on URL and App ID URI. The Sign-on URL should be the domain name that your FotoWeb server responds to, followed by /fotoweb/auth, for example: http://fotoweb.company.com/fotoweb/auth/
The App ID URI is a unique identifier that Azure AD uses to identify your app. It must be a URL that is unique within your organization's Azure AD; you can, for instance, use the public hostname that your server responds to in DNS, as this will be a unique value.
Having completed the above step, Azure AD will assign a Client ID to your application. This ID will be added to the Azure AD setup in the FotoWeb site configuration later.
Next, generate an app key in the Keys section of the Azure console. Use the dropdown list to create it and choose a validity period; for security reasons, a key can be valid for a maximum of two years. This key must also be added to the Azure AD configuration in the FotoWeb site configuration later. You need to save the changes before the key is generated; you can then copy it to the clipboard for use in the Operations Center.
Now, set the Reply URL to your FotoWeb server's public hostname followed by /fotoweb/auth/
Finally, in the Permissions to other applications section of the Azure console, open the Delegated Permissions list and enable two options: (1) Access the directory as the signed-in user and (2) Sign in and read user profile.
Adding Azure AD information to the Operations Center
On the FotoWeb server, open the Operations Center and go to the FotoWeb site configuration.
Go to the Settings tab and choose the Authentication providers node under Services.
Choose Microsoft Azure AD as the Authentication Provider. You will then need to provide the following information, which can be found in the Azure AD console.
Finding Tenant and Tenant ID values
Tenant is the name of the FotoWeb instance, while the Tenant ID is a GUID. Both can be extracted from the web browser's address bar when you're on the AD settings page in the Azure Portal. For example, the address bar may read:
https://manage.windowsazure.com/contoso.onmicrosoft.com#Workspaces/ActiveDirectoryExtension/Directory/<Tenant ID GUID>/directoryQuickStart
where the Tenant value (contoso.onmicrosoft.com in this example) is the part highlighted in blue, while the Tenant ID is the GUID segment, highlighted in red.
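As an added example (not FotoWeb's own code), the following Python helper pulls the Tenant and Tenant ID out of a portal address-bar URL of the form shown above, and checks that a Sign-on or Reply URL follows the convention described earlier (public hostname followed by /fotoweb/auth/). The https check is an addition that goes beyond the page's http:// example; the GUID in the test is a constructed placeholder.

```python
import re
from urllib.parse import urlparse

# Azure AD tenant IDs are GUIDs; in the portal URL on this page the GUID sits
# in the fragment: ...#Workspaces/ActiveDirectoryExtension/Directory/<GUID>/...
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
FOTOWEB_AUTH_PATH = "/fotoweb/auth"


def tenant_from_portal_url(url):
    """Return (tenant, tenant_id) taken from the Azure portal address bar.

    The tenant name is the first path segment (contoso.onmicrosoft.com in the
    page's example); the Tenant ID is the GUID after '/Directory/' in the
    URL fragment. Raises ValueError if either cannot be located.
    """
    parsed = urlparse(url)
    tenant = parsed.path.strip("/").split("/")[0]
    match = re.search(r"/Directory/([^/]+)/", parsed.fragment)
    if not tenant:
        raise ValueError("tenant name not found in portal URL path")
    if match is None or not GUID_RE.match(match.group(1)):
        raise ValueError("Tenant ID GUID not found in portal URL fragment")
    return tenant, match.group(1).lower()


def check_fotoweb_auth_url(url, public_hostname):
    """Validate a Sign-on or Reply URL against the page's convention.

    Returns a list of problems; an empty list means the URL is acceptable.
    """
    parsed = urlparse(url)
    problems = []
    if parsed.scheme != "https":
        # Added check, stricter than the page's http:// example: the Reply URL
        # receives the sign-in response, so it should be served over TLS.
        problems.append("scheme is %r, expected https" % parsed.scheme)
    if parsed.hostname != public_hostname.lower():
        problems.append("host %r does not match public hostname %r"
                        % (parsed.hostname, public_hostname))
    if parsed.path.rstrip("/") != FOTOWEB_AUTH_PATH:
        problems.append("path %r, expected %r/" % (parsed.path, FOTOWEB_AUTH_PATH))
    if parsed.query or parsed.fragment:
        problems.append("URL must not carry a query string or fragment")
    return problems
```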
Finally, choose whether users should only be allowed to log in using Azure AD (see checkbox in above screenshot). If this option is ticked, users cannot access the regular FotoWeb login screen to enter a username and password manually; instead, they are logged in automatically with their Azure AD credentials when they access the FotoWeb site. If the option is not selected, users are given the choice between using SSO and logging in with another username and password from the FotoWeb user register. Note that it is not possible to enter the Azure AD credentials to log in manually.