Setting up SSO with Azure AD
Azure AD integration
Note: Microsoft ended support for Azure Active Directory Authentication Library (ADAL) in June 2023.
All 8.0 versions of FotoWeb On-Premises use the Azure Active Directory Authentication Library (ADAL) for Single Sign-on (SSO) with Azure AD. FotoWeb 8.1 uses the newer Microsoft Authentication Library (MSAL) and is therefore supported by Microsoft. For security reasons and to ensure that SSO will continue to work, we recommend that all customers using FotoWeb On-Premises 8.0 and SSO with Azure AD update to the FotoWeb version 8.1.
Azure AD integration supports organizational accounts as well as personal Microsoft accounts. Access control and the assignment of groups and user licenses can be either group-based or role-based.
Tip: The Azure AD integration uses the OpenID Connect protocol and is recommended because it is the easiest to set up. If more advanced customization is required, or additional user information needs to be imported from the directory, you can use SAML with Azure AD instead.
The following user properties are imported from the directory. Currently, this mapping cannot be configured, and all of these fields must have values in the directory:
- Username
- First name
- Last name
- Email address
Prerequisite
Connecting clients to Azure AD requires a secure connection, so FotoWare needs to be configured with TLS (HTTPS) and a trusted certificate. For more information, see Configuring FotoWare for secure connections.
Configuring SSO with Azure AD
Adding the FotoWare application to the Azure management console
- Log in to the Azure portal and open Azure Active Directory.
- Select Add application registration.
- Enter a name for the application.
- Select Web from the Select a platform drop-down list.
- Select the Redirect URI that your application uses. For single sign-on to a FotoWare site, the URL must have the following format:
https://<site hostname>/fotoweb/auth/signin-oidc
Example: https://contoso.fotoware.cloud/fotoweb/auth/signin-oidc
Alternatively, you can copy the URI (https://internalpreview.fotoware.cloud/fotoweb/auth/signin-oidc) from the Single Sign-on settings for the site (go to Site Configuration > Security > Single Sign-on).
- Select Register.
Tip: After creating the application registration, open the Overview section for your newly registered application to retrieve the Application ID (see the example below). You need this ID for the FotoWare Azure AD configuration in the site configuration later.
Note: If you previously enabled implicit grant for ID tokens (in the Authentication section) for FotoWare 8.0, we recommend that you disable this option for FotoWare 8.1.
Assigning permissions to the application
- Open the API permissions view for your application and select Add a permission.
- Use Microsoft Graph and add the User.Read Delegated permission.
- Select Save to update the permissions.
Creating the application secret
- Open the Certificates & secrets view for your application. You find this in the same menu as API permissions above or as a link in the Overview section.
- Select New client secret.
- Enter a description (simply a label) in the Description field.
- Select a duration from the Expires drop-down list. For security reasons, a key can be valid for a maximum of two years.
- Select Add to create the client secret. You can then copy it to the clipboard and paste it into the Application key field in the Azure AD settings in the Operations Center.
Note: Application keys must be renewed before they expire; otherwise, users will temporarily lose access to the system. Each customer is responsible for avoiding this situation. We recommend setting reminders and designating responsibility so that someone is always available to renew the application keys when necessary.
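The two values above that most often go wrong in practice are the redirect URI (it must be HTTPS and end in exactly /fotoweb/auth/signin-oidc) and the client secret lifetime (at most two years, and renewed before it lapses). The following script is an added example, not FotoWare's code; it is a pre-flight check you can run against the values you intend to enter, and a small expiry monitor you can feed from whatever inventory of secrets you keep. All hostnames and dates in it are constructed sample values.

```python
"""Pre-flight checks for Azure AD SSO settings (added example, not FotoWare code).

Validates the redirect URI shape and authority URL described on this page and
classifies client secrets by their expiry date so renewals are not missed.
"""
from datetime import date, timedelta
from urllib.parse import urlparse

REDIRECT_PATH = "/fotoweb/auth/signin-oidc"   # path required by FotoWare for OIDC sign-in
DEFAULT_AUTHORITY = "https://login.microsoftonline.com"  # global Azure AD service
# Azure allows a secret to be valid for at most two years; allow for leap days.
MAX_SECRET_LIFETIME_DAYS = 2 * 366


def check_redirect_uri(uri: str) -> list:
    """Return a list of problems; an empty list means the URI is acceptable."""
    problems = []
    p = urlparse(uri)
    if p.scheme != "https":
        problems.append("redirect URI must use https (TLS is a prerequisite)")
    if not p.netloc:
        problems.append("redirect URI has no hostname")
    if p.path != REDIRECT_PATH:
        problems.append(f"path must be exactly {REDIRECT_PATH}, got {p.path!r}")
    if p.query or p.fragment:
        problems.append("redirect URI must not carry a query string or fragment")
    return problems


def check_authority(url: str) -> list:
    """The authority must be an https base URL (the global service by default)."""
    problems = []
    p = urlparse(url)
    if p.scheme != "https":
        problems.append("authority must use https")
    if not p.netloc:
        problems.append("authority has no hostname")
    return problems


def secret_status(created: date, expires: date, today: date, warn_days: int = 30) -> str:
    """Classify a client secret as 'too-long', 'expired', 'renew-soon' or 'ok'."""
    if (expires - created).days > MAX_SECRET_LIFETIME_DAYS:
        return "too-long"          # longer than the portal would permit; data error
    if expires <= today:
        return "expired"           # users already lose SSO access
    if expires - today <= timedelta(days=warn_days):
        return "renew-soon"        # inside the reminder window
    return "ok"


def audit(settings: dict, today: date) -> dict:
    """Run every check on a settings dict and return findings keyed by setting."""
    return {
        "redirect_uri": check_redirect_uri(settings["redirect_uri"]),
        "authority": check_authority(settings.get("authority", DEFAULT_AUTHORITY)),
        "secret": secret_status(settings["secret_created"], settings["secret_expires"], today),
    }


if __name__ == "__main__":
    # Constructed sample settings; contoso.example is a placeholder hostname.
    sample = {
        "redirect_uri": "https://contoso.example/fotoweb/auth/signin-oidc",
        "authority": DEFAULT_AUTHORITY,
        "secret_created": date(2024, 1, 10),
        "secret_expires": date(2026, 1, 10),
    }
    for key, finding in audit(sample, today=date(2025, 12, 20)).items():
        print(f"{key}: {finding}")
```

Run it on its own to see the sample report (the secret is flagged as renew-soon because it expires within 30 days of the sample date); in practice you would replace the sample dict with the values from your own Azure app registration and schedule the expiry check alongside your reminders.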
Adding Azure AD information to the FotoWare Site Configuration
Make sure you have the necessary information from the Azure console before proceeding:
- Application ID - You can find this in the Overview section.
- Application Key - The secret generated in the Azure console.
- Authority - This is the URL of the Azure AD authentication service. Typically, it is https://login.microsoftonline.com (the global Azure AD service), but this can be different when using different authentication providers.
- Directory ID - You can find the Directory ID in the Overview section, next to the Application ID.
- Microsoft Graph Authority - This is the base URL for Microsoft Graph, used for retrieving user and group information.
Adding the information to the FotoWare tenant in FotoWeb Settings
- In the FotoWeb Settings app, open Sites.
- Select Configuration for the site in question.
- Go to Security > Single Sign-on.
- Turn on the Enable Single Sign-on toggle.
- Enter the Application ID, Application Key (called Client Secret in the Azure portal), and Directory ID values, and save the changes.
Groups and access control for Azure
Next, you need to import groups from the Azure AD to give them access to FotoWare. You can then proceed to assign access to FotoWare archives and actions using the imported groups.