Documentation & User Guides | FotoWare

Setting up SSO with Azure AD

Steps to set up SSO with Azure AD

Add the FotoWare application to the Azure management console

Log in to the Azure portal and add a new application to the Azure Active Directory.

Name the application and choose Web application as its type. At this point, also set the Redirect URI that your application uses. For single sign-on to a FotoWare SaaS tenant, the URL is typically of this format:

https://hostname.fotoware.cloud/fotoweb/auth

(Screenshot: Azure AD - Register the app)

Tip:

After creating the application registration, go to App Registrations > Application > Overview to retrieve the Application ID (screenshot below).
This ID needs to be entered into the FotoWare Azure AD configuration in the Site Configuration later.

(Screenshot: Azure AD - Retrieve app ID and other info)

Set the correct Redirect URI

Go to Application > Authentication > Redirect URIs and add a new Redirect URI. It should match the FotoWare server's public hostname followed by /fotoweb/auth/signin-oidc, for example https://hostname.fotoware.cloud/fotoweb/auth/signin-oidc

Next, remove any other Redirect URI that is listed, so that only the FotoWare sign-in URI remains.

(Screenshot: Azure AD - Set Redirect URI)

Enable Implicit grant for ID tokens

Under Application > Authentication, locate the Implicit grant section and enable implicit grant for ID tokens as shown in the screenshot below.

(Screenshot: Azure AD - Implicit Grant - ID Tokens)

Assign permissions to the application

Next, assign the necessary permissions to the application: go to Application > API Permissions and click on the Add a permission button.

Use the Microsoft Graph API to add two Delegated permissions, namely

  • Access the directory as the signed-in user (Directory.AccessAsUser.All)
  • Sign in and read user profile (User.Read)

Select Save to update the permissions.

Finally, click on Grant admin consent for <directory> below to assign the permissions to all users in the directory.

Create application secret

Next, generate an application secret under Application > Certificates and secrets > Client secrets:

Select New client secret and enter a key description (simply a label) and set a duration/validity period. For security reasons, a key can be valid for a maximum of two years.
The key will be created and can be obtained after you save the changes. It can then be copied to the clipboard and pasted into the Application key field in the Azure AD settings in the Operations Center.

Tip:

Because the validity of the application key is at most two years, it's practical to add a reminder to your maintenance calendar to replace the key before it expires. If the key does expire, users will temporarily lose access to the system.
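The Redirect URI, implicit grant and secret expiry settings above are easy to get subtly wrong (a leftover default redirect URI, or a secret that silently runs out). The following script is an added example, not FotoWare's or Microsoft's code: it audits an app registration object in the shape returned by Microsoft Graph (GET /applications/{id}), using the `web.redirectUris`, `web.implicitGrantSettings.enableIdTokenIssuance` and `passwordCredentials[].endDateTime` fields, and reports anything that deviates from this guide. The sample object, hostname and dates are constructed placeholders; feed it a real application object exported from your tenant to use it.

```python
"""Audit a FotoWare Azure AD app registration against the settings in this guide.

Added example (not FotoWare's or Microsoft's code). Input is an application object
in the shape Microsoft Graph returns for GET /applications/{id}; only the fields
web.redirectUris, web.implicitGrantSettings and passwordCredentials are used.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Path the guide specifies for the FotoWare sign-in redirect
FOTOWARE_REDIRECT_PATH = "/fotoweb/auth/signin-oidc"

# Constructed sample: hostname, secret name and dates are placeholders.
SAMPLE_APP = {
    "displayName": "FotoWare SSO",
    "web": {
        "redirectUris": [
            "https://hostname.fotoware.cloud/fotoweb/auth/signin-oidc",
            "https://localhost",  # leftover entry the guide says to remove
        ],
        "implicitGrantSettings": {
            "enableIdTokenIssuance": True,
            "enableAccessTokenIssuance": False,
        },
    },
    "passwordCredentials": [
        {"displayName": "fotoware-key", "endDateTime": "2025-01-31T00:00:00Z"},
    ],
}

# Constructed "current time" so the sample run is reproducible.
SAMPLE_NOW = datetime(2024, 12, 15, tzinfo=timezone.utc)


def expected_redirect_uri(fotoware_host):
    """Build the single redirect URI the guide expects for a FotoWare host."""
    return f"https://{fotoware_host}{FOTOWARE_REDIRECT_PATH}"


def check_redirect_uris(app, fotoware_host):
    """Report a missing FotoWare URI and every extra URI that should be removed."""
    expected = expected_redirect_uri(fotoware_host)
    uris = app.get("web", {}).get("redirectUris", [])
    findings = []
    if expected not in uris:
        findings.append(f"missing FotoWare redirect URI: {expected}")
    for uri in uris:
        if uri == expected:
            continue
        scheme = urlparse(uri).scheme
        detail = "" if scheme == "https" else f" (scheme {scheme!r})"
        findings.append(f"extra redirect URI should be removed: {uri}{detail}")
    return findings


def check_implicit_grant(app):
    """Report when implicit grant for ID tokens is not enabled."""
    settings = app.get("web", {}).get("implicitGrantSettings", {})
    if settings.get("enableIdTokenIssuance"):
        return []
    return ["implicit grant for ID tokens is not enabled"]


def check_secret_expiry(app, now, warn_days=60):
    """Report client secrets that are expired or expire within warn_days.

    This is the check a maintenance-calendar reminder would run: an expired
    key locks users out of the site until it is replaced.
    """
    findings = []
    for cred in app.get("passwordCredentials", []):
        # Graph returns ISO 8601 with a trailing Z; fromisoformat wants +00:00
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        days_left = (end - now).days
        label = cred.get("displayName") or cred.get("keyId", "<unnamed>")
        if days_left < 0:
            findings.append(f"secret '{label}' expired {-days_left} days ago")
        elif days_left <= warn_days:
            findings.append(f"secret '{label}' expires in {days_left} days")
    return findings


def audit(app, fotoware_host, now=None, warn_days=60):
    """Run all checks and return the combined list of findings (empty = clean)."""
    now = now or datetime.now(timezone.utc)
    return (check_redirect_uris(app, fotoware_host)
            + check_implicit_grant(app)
            + check_secret_expiry(app, now, warn_days))


def sample_findings():
    """Audit the constructed sample at the constructed time."""
    return audit(SAMPLE_APP, "hostname.fotoware.cloud", now=SAMPLE_NOW)


if __name__ == "__main__":
    for finding in sample_findings():
        print("FINDING:", finding)
```

On the constructed sample the audit reports two findings: the leftover https://localhost redirect URI, and the secret that expires in 47 days. Run it against a real application object (for example saved from the Graph API or the Azure CLI) on a schedule and the expiry warning doubles as the calendar reminder the tip recommends.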

Adding Azure AD information to the FotoWare site

Having completed the above steps, make sure you have gathered the necessary information from the Azure console before proceeding:

Application Id

Found in the Azure console in the application overview:

(Screenshot: Azure AD - Retrieve app ID and other info)

Application Key

The secret generated in the Azure console with a validity of maximum two years.

Tenant / Domain Name

The domain name listed in the Azure portal. If you're uncertain about the value, open the Azure console and click on the Azure Active Directory node. The Name field there lists the correct domain name.

Directory ID

This can be found on the Overview blade, next to the Application ID - see the screenshot above.

Adding the information to the FotoWare tenant in the Site configuration

  1. On the FotoWare site, from the Tools menu (cogwheel icon) go to Site Configuration > Security > Single Sign-on.
  2. Choose Microsoft Azure AD as your authentication provider and enter the Application ID, Application Key (called Client Secret in the Azure portal), Authority (the Tenant / Domain Name noted above), and Directory ID values.
  3. Select Save.

(Screenshot: Azure AD SSO settings)

Importing groups and assigning access

  1. Next, you can open the Linked Groups tab where you can select the groups you would like to add to FotoWare.
  2. Select Add linked group.
  3. In the dialog that opens, enter a value in the External Group ID field.
  4. Select a value from the Group Name drop-down list or enter a group name. The group will be created if it does not already exist.
  5. Select Add to add this group to the Linked Group list. Select Unlink if you need to remove the link to the group.
  6. Select Save on the Single Sign-on page. You can start using these groups when assigning access to archives and workflows in the system.