Skip to main content

 

Documentation & User Guides | FotoWare

Managing groups using SAML

There are two available options when managing groups with SAML. These are described in the following and can also be combined.

Default groups

These are groups that are configured in FotoWeb's SAML settings interface in the site configuration: In the site configuration, go to the Settings tab, expand the Services group and choose the Single sign-on node.
By defining at least one default group, all users who log in with SAML will be allowed access and placed in these default FotoWeb groups on import.

For example, it's possible to create a "SAML Users" group in FotoWeb and add it as a default group. All users who log in using SAML SSO are then placed in this group and are assigned access to the system accordingly. In the screenshot above, two default groups are defined: Everyone and Registered users. Users imported via SAML will be placed in these groups and be assigned a license and permissions according to these groups' settings.

Linked Groups

These are FotoWeb groups that are linked to groups in the SAML Identity provider (IdP). When using ADFS, the IdP will be Active Directory.
When a user logs in with SAML SSO, that user will be added to one or more linked groups based on the group information obtained from the IdP.

For example, it's possible to create a group called FW-Editors in FotoWeb and configure it as a linked group so that all members of the Active Directory group "AD-Editors" are added to the corresponding FW-Editors group in FotoWeb when they log in. This way, groups can be managed in the IdP and synced to FotoWeb and used for fine-grained access control based on group membership or other attributes set in the IdP.

Configuring a linked group

1. Create a group in FotoWeb. For the sake of this example, let's name it Photo Editors. Set the group permissions and the license that should apply to the group and any any parent group that the group should be nested in.

2. In the group details, the SAML group name should be the group attribute value that comes from the IdP. In the example screenshot below, the value served by the IdP is "adfs_editors".

 

3. In the identity provider, configure an attribute mapping rule that sets the groups attribute to Editors for all users that are to be added to the FotoWare Editors group.

3. In the identity provider, configure an attribute mapping rule for group membership(s) that transfer group names as values of the attribute.
How to perform this last step depends on the identity provider. For example, in Microsoft ADFS, it is possible to add a claim rule (which is called an attribute mapping in SAML) of type Send group membership as claim, select an Active Directory group to be linked to the FotoWeb group, set the outgoing claim type to Groups and set the outgoing claim value to the value that corresponds to the "SAML group name" in the group details in FotoWeb.

This is described in the paragraphs below. Additional information can be found in the official documentation from Microsoft, here: https://docs.microsoft.com/en-us/win...hip-as-a-claim 

In the following, ADFS is used to illustrate the attributes that needs to be mapped. However, the same can be accomplished by configuring FotoWeb with a SAML interface toward other Identity Providers.

Example: Mapping AD groups to FotoWeb groups in Microsoft ADFS

In the ADFS manager, right-click the selected trust, and then click Edit Claim Issuance Policy.

The Claim Issuance Policy window is displayed, and you need to add one rule for every group you'd like to link to FotoWeb.

Note: In the above screenshot, Entry 3 in the list is the group claim. For help on setting up entries 1 and 2 (LDAP and Name ID mapping) information can be found further down.

Click on Add Rule... to create a new rule.

From the dropdown, choose Send Group Membership as a Claim.

Now, fill in the rule specifics (screenshot below):

Claim rule name is simply used for identification of the rule. Give it a name that allows you to easily identify it later.

Choice of group: Next, choose the group that should be synced to FotoWeb. Use the Browse button to select a group in the identify provider (AD)

Outgoing claim type: This should always be named groups - this will allow FotoWeb to identify the transferred claim as a group attribute.

Outgoing claim value: Here, enter a unique name that will be used to identify the group when linking it to a group in FotoWeb. It does not have to have the same name as the group; the value should be identical to the SAML group name specified in the FotoWeb group. (adfs_editors was used in the example FotoWeb group above - the screenshot below reflects this.)

It is also possible to specify multiple groups in the groups attribute separated by commas. For example, a value of group1,group2 will cause the user to be added to the linked groups where the SAML group name is group1 or group2. How to set the attribute like this depends on the identity provider. To our knowledge, it is not easily possible in ADFS.

How are groups synchronized?

Upon login, the user will be removed from any linked groups that have a SAML group name that is not listed in the groups attribute. This allows an administrator to revoke a user's access to resources in FotoWeb by, e.g., removing the user from a group in Active Directory. In no event is the user removed from any groups that do not have a SAML group name (i.e., that are not linked groups).

A user is permitted to log in to FotoWeb via SAML SSO if and only if the user is added to at least one linked group, OR if at least one default group is configured.

This means that if any default groups are configured, then all users that can successfully sign in via SAML SSO have permission to log in to FotoWeb, and if no default groups are configured, then membership of linked groups can be used to control access to FotoWeb in general. Note that most SAML identity providers have configurable access control of their own as well, so it is possible to configure access control even when using default groups.

Example: How to assign different user licenses to different user groups?

Based on the information above, here's an example that illustrates how to control the assignment of user licenses (Standard, Plus, Pro) based on group membership in the IdP. Note that the example is based on FotoWeb Feature Release 13 - it won't work with previous versions.

  1. Create a group "AD Pro Users" in Active Directory and add all users/group to it that should receive a pro license
  2. Create a group "FW Pro Users" in FotoWeb and set the default license to Pro
  3. Set the "SAML name" of the group to pro_users
  4. In ADFS, create a new "Send Group Membership as a Claim" rule
  5. Select the AD group "AD Pro Users"
  6. Set outgoing claim type to group (type it in, do not select from drop-down)
  7. Set outgoing claim value to pro_users.

Licenses can now be managed in AD by adding/removing users/groups to/from the group "AD Pro Users".

(All the names and identifiers can be varied. Names here are chosen as placeholders to illustrate which names must match or not)