Documentation & User Guides | FotoWare

Managing groups using SAML

There are two available options when managing groups with SAML. These are described in the following and can also be combined.

Default groups

These are groups configured in FotoWeb's SAML settings in the site configuration: go to the Settings tab, expand the Services group and choose the Single sign-on node.
By defining at least one default group, all users who log in with SAML will be allowed access and placed in these default FotoWeb groups on import.

For example, it's possible to create a "SAML Users" group in FotoWeb and add it as a default group. All users who log in using SAML SSO are then placed in this group and are assigned access to the system accordingly. In the screenshot above, two default groups are defined: Everyone and Registered users. Users imported via SAML will be placed in these groups and be assigned a license and permissions according to these groups' settings.

Linked Groups

Important: Linked groups are currently only available in FotoWare SaaS. They will be made available in FotoWeb for installation on premises in a future update.

These are FotoWeb groups that are linked to groups in the SAML Identity Provider (IdP), i.e. Active Directory when using ADFS. When a user logs in with SAML SSO, that user is added to one or more linked groups based on the group information sent by the IdP.

For example, it's possible to create a group "Editors" in FotoWeb and configure it as a linked group so that all members of the group "Editors" in Active Directory are added to the corresponding "Editors" group in FotoWeb when they log in. This approach allows adding different users to different groups and thus gives them different permissions and access in FotoWeb based on their group membership or other attributes set in the IdP. With this approach, administrators can manage access to FotoWeb's archives and resources entirely from outside FotoWeb (e.g. in Active Directory).

Configuring a linked group

1. Create a group in FotoWeb. For the sake of this example, let's name it Photo Editors. Set the group permissions and the license that should apply to the group, and any parent group that the group should be nested in.

2. In the group details, set the SAML group name to a unique value, for example adfs_editors. This value is the claim value that will be configured on the ADFS server; it acts as a unique identifier that lets FotoWeb match the selected group in ADFS with the correct group in FotoWeb.


3. In the identity provider, configure an attribute mapping rule that sets the groups attribute to Editors for all users who are to be added to the FotoWare Editors group.

Note: How to perform the last step depends on the identity provider. For example, in Microsoft ADFS, it is possible to add a claim rule (a claim rule is what SAML calls an attribute mapping) of type Send group membership as claim, select an Active Directory group to be linked to the FotoWeb group, set the outgoing claim type to Groups and set the outgoing claim value to the value also used as "SAML group name" in the group details in FotoWeb. This is described in the paragraphs below. Additional information can be found in the official documentation from Microsoft, here: https://docs.microsoft.com/en-us/win...hip-as-a-claim

In the following, ADFS is used to illustrate the attributes that need to be mapped. However, the same can be accomplished by configuring FotoWeb with a SAML interface toward other identity providers.

Mapping AD groups to FotoWeb groups in Microsoft ADFS

In the ADFS manager, right-click the selected trust, and then click Edit Claim Issuance Policy.

The Claim Issuance Policy window is displayed, and you need to add one rule for every group you'd like to link to FotoWeb.

Note: In the above screenshot, entry 3 in the list is the group claim. Help on setting up entries 1 and 2 (LDAP and Name ID mapping) can be found further down.

Click on Add Rule... to create a new rule.

From the dropdown, choose Send Group Membership as a Claim.

Now, fill in the rule specifics (screenshot below):

Claim rule name is simply used for identification of the rule. Give it a name that allows you to easily identify it later.

Choice of group: Next, choose the group that should be synced to FotoWeb. Use the Browse button to select a group in the identity provider (AD).

Outgoing claim type: This should always be named groups - this will allow FotoWeb to identify the transferred claim as a group attribute.

Outgoing claim value: Here, enter a unique name that will be used to identify the group when linking it to a group in FotoWeb. It does not need to match the AD group's name, but the value should be identical to the SAML group name specified in the FotoWeb group. (adfs_editors was used in the example FotoWeb group above; the screenshot below reflects this.)

It is also possible to specify multiple groups in the groups attribute separated by commas. For example, a value of group1,group2 will cause the user to be added to the linked groups where the SAML group name is group1 or group2. How to set the attribute like this depends on the identity provider. To our knowledge, it is not easily possible in ADFS.

How are groups synchronized?

Upon login, the user will be removed from any linked groups that have a SAML group name that is not listed in the groups attribute. This allows an administrator to revoke a user's access to resources in FotoWeb by, e.g., removing the user from a group in Active Directory. In no event is the user removed from any groups that do not have a SAML group name (i.e., that are not linked groups).

A user is permitted to log in to FotoWeb via SAML SSO if and only if the user is added to at least one linked group, OR if at least one default group is configured.

This means that if any default groups are configured, then all users that can successfully sign in via SAML SSO have permission to log in to FotoWeb, and if no default groups are configured, then membership of linked groups can be used to control access to FotoWeb in general. Note that most SAML identity providers have configurable access control of their own as well, so it is possible to configure access control even when using default groups.
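The synchronization and login rules above, together with the comma-separated groups attribute described in the previous section, as an added example that is not FotoWare's own code: it extracts the groups attribute from a constructed SAML AttributeStatement and applies the rules to a user's existing membership. The XML shape and all group names other than adfs_editors are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a "groups" attribute as an IdP might issue it, with both
# several AttributeValue elements and a comma-separated value (assumed shape).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>adfs_editors</saml:AttributeValue>
      <saml:AttributeValue>adfs_viewers,adfs_marketing</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def groups_from_assertion(xml_text):
    """Return the set of SAML group names carried in the 'groups' attribute,
    accepting multiple AttributeValue elements and comma-separated values."""
    root = ET.fromstring(xml_text)
    names = set()
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != "groups":
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            names.update(v.strip() for v in (val.text or "").split(",") if v.strip())
    return names


def sync_groups(current, linked, default, saml_groups):
    """Apply the page's rules at login.
    current: the user's FotoWeb groups before login.
    linked:  FotoWeb group -> its SAML group name (these are the linked groups).
    default: the configured default groups.
    Returns (membership after login, whether login is permitted)."""
    # Linked groups: the user ends up in exactly those whose SAML group name is
    # present in the attribute; any other linked group membership is revoked.
    matched = {g for g, saml_name in linked.items() if saml_name in saml_groups}
    # Groups without a SAML group name are never touched by SSO.
    unlinked = {g for g in current if g not in linked}
    # Default groups are always assigned to SAML users.
    membership = unlinked | matched | set(default)
    # Login is allowed if at least one linked group matched OR a default group exists.
    allowed = bool(matched) or bool(default)
    return membership, allowed
```

Running sync_groups with an empty default set shows linked groups acting as the access gate; adding any default group lets every SAML user in while linked groups still decide the extra permissions.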

LDAP and Name ID mappings

The SAML connection also requires mappings of LDAP and Name ID fields. Their configuration is described below.

LDAP

In the ADFS manager, navigate to Relying Party Trusts and right-click the selected trust. Then click Edit Claim Issuance Policy.

Click on Add Rule and then choose Send LDAP Attributes as Claims from the dropdown list.

Name the rule and choose Active Directory as the Attribute Store.

Now set up mappings according to the below screenshot.

Note the naming of the Outgoing Claim Types: they have to be precisely the attributes shown in the screenshot (email, username, givenName, sn) for FotoWeb to map the attributes correctly.

However, the LDAP attributes from which they're derived can be set differently; this way it's possible to use the user's email address as username, for example.

Click OK to save.

Name ID

Next, in the ADFS manager, navigate to Relying Party Trusts and right-click the selected trust. Then click Edit Claim Issuance Policy.

Click on Add Rule and then choose Transform an Incoming Claim from the dropdown list.

Name the rule, and set the rule details exactly as shown in the screenshot below.

Finally, click OK to save.