This is the recommended way of connecting FotoWeb to an on-premise Active Directory and allowing users to sign in to FotoWeb with their Active Directory accounts.
Setting up and managing Active Directory and ADFS efficiently and securely can be a demanding task. This approach is recommended for organizations that already have their own installation of Active Directory, and ideally also ADFS, and intend to keep using it.
Otherwise, the following easier alternatives exist:
- Rather than using ADFS + SAML authentication, consider using Microsoft Azure Active Directory B2C to synchronize your on-premise AD to Azure AD, then use the Azure AD integration of FotoWeb. Please refer to Microsoft's official documentation for details and pricing.
- Rather than using your own Active Directory, consider using Microsoft Office 365 and the Azure AD integration of FotoWeb for authentication. This is a fully cloud-based authentication solution that requires only minimal setup and management. Please refer to Microsoft's official documentation for details and pricing.
While both alternatives may incur additional costs for cloud services, they may be cheaper than managing your own services and servers.
Setting up ADFS
If ADFS has already been set up for your domain, jump to the next section. Otherwise, learn how to set up ADFS here.
Connecting ADFS to FotoWeb
On the ADFS server, do the following:
- Open ADFS Management console.
- Select "Trust Relationships" node → "Relying Party Trusts" → "Add Relying Party Trust".
- In "Select Data Source", choose "Enter data about the relying party manually".
- Choose a display name, e.g., "FotoWare".
- Select "AD FS profile".
- Do not add a token encryption certificate.
- In "Configure URL", select "Enable support for the SAML 2.0 WebSSO protocol".
- In "Configure URL", set the service URL to
https://yourtenant.fotoware.cloud/fo...aml20/consume/ (mind the final slash).
- In "Configure Identifiers", add the URL of the FotoWeb tenant as an identifier, e.g.,
https://yourtenant.fotoware.cloud/fotoweb/ (mind the final slash).
- Do not configure Multi-factor authorization.
- Select "Permit all users access to this relying party".
- Finish the wizard.
Editing claim rules
- Select the Relying Party Trust created in the previous step.
- Right click → "Edit Claim Rules".
- Add a rule of type "Send LDAP Attributes as Claims" with the following mappings:
  - "Attribute Store" → Active Directory
  - "E-Mail-Addresses" →
  - "Surname" →
  - "Given-Name" →
  - "SAM-Account-Name" →
Built-in claim types are shown in double-quotes, e.g., "Surname". Claim types shown in monospace, e.g., givenName, must be typed in manually.
- Add a rule of type "Transform an incoming Claim" with the following attributes:
  - Incoming claim type:
  - Outgoing claim type: "Name ID"
  - Outgoing name ID format: "Unspecified"
- Select "Certificates" and double-click on the "Token-signing" certificate.
- In "Details", click "Copy to File".
- Select "Base-64 encoded X.509 (.CER)".
- If prompted, do NOT export the private key.
- Select a file name.
- Open the file in a text editor.
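The same relying party trust, claim rules and certificate export can be scripted with the ADFS PowerShell module instead of clicking through the wizard. The script below is an added example, not a FotoWare script; run it in an elevated PowerShell session on the ADFS server. The tenant URL, display name and output path are assumptions taken from the steps above. The SAML consume path is left as a placeholder because the page shows it truncated, and the outgoing claim type names for the LDAP rule are placeholders because the monospace claim types from the page did not survive extraction; take both from FotoWeb's SAML settings and documentation before running.

```powershell
# Added example (not FotoWare's own code): scripts the "Connecting ADFS to FotoWeb"
# and "Editing claim rules" steps above with the ADFS module. Replace every
# <PLACEHOLDER> before running.
Import-Module ADFS

$TenantUrl   = 'https://yourtenant.fotoware.cloud/fotoweb/'            # identifier, trailing slash kept
$ConsumerUrl = 'https://yourtenant.fotoware.cloud/<SAML-CONSUME-PATH>/' # placeholder: page shows this URL truncated
$DisplayName = 'FotoWare'                                               # assumption: display name from the wizard step
$CerPath     = 'C:\temp\fotoware-adfs-token-signing.cer'                # assumption: where the Base-64 .CER is written

# Rule 1: "Send LDAP Attributes as Claims". The four outgoing claim type URIs are
# placeholders (the page lists them in monospace but they were lost in extraction).
$LdapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "FotoWare LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("<EMAIL-CLAIM-TYPE>", "<SURNAME-CLAIM-TYPE>", "<GIVENNAME-CLAIM-TYPE>", "<SAMACCOUNTNAME-CLAIM-TYPE>"), query = ";mail,sn,givenName,sAMAccountName;{0}", param = c.Value);
'@

# Rule 2: "Transform an incoming Claim" -> Name ID with format "Unspecified".
# The incoming claim type is a placeholder because the page leaves it blank.
$NameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "FotoWare Name ID"
c:[Type == "<INCOMING-CLAIM-TYPE>"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Issuance authorization: "Permit all users access to this relying party".
$PermitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML 2.0 WebSSO assertion consumer endpoint (HTTP-POST binding), i.e. the "service URL".
$Endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $ConsumerUrl -Index 0

# Create the relying party trust. No token encryption certificate is added (as in the
# wizard step), so assertions are signed but not encrypted; EncryptClaims is set
# explicitly to make that visible in the configuration.
Add-AdfsRelyingPartyTrust -Name $DisplayName `
    -Identifier $TenantUrl `
    -SamlEndpoint $Endpoint `
    -IssuanceTransformRules ($LdapRule + "`n" + $NameIdRule) `
    -IssuanceAuthorizationRules $PermitAll `
    -EncryptClaims $false

# Export the primary token-signing certificate as Base-64 X.509. RawData is the public
# certificate only, so the private key never leaves the ADFS server.
$TokenSigning = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$Body = [Convert]::ToBase64String($TokenSigning.Certificate.RawData, 'InsertLineBreaks')
@('-----BEGIN CERTIFICATE-----', $Body, '-----END CERTIFICATE-----') | Set-Content -Path $CerPath -Encoding Ascii

# Show what was created; the .CER contents are what gets pasted into FotoWeb's "X.509 Certificate".
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, EncryptClaims, @{ n = 'ConsumerUrl'; e = { $_.SamlEndpoints.Location } }
Get-Content -Path $CerPath
```

The claim rule text is the same rule language the "Edit Claim Rules" dialog generates (the `@RuleTemplate` lines are what the GUI uses to show a rule under its template name), so rules created this way can still be inspected and edited in the console afterwards.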
In the site settings of the FotoWeb tenant, do the following:
- Go to "Settings" → "Authentication Providers".
- Select "SAML 2.0".
- In "SAML 2.0 endpoint url", enter
- In "X.509 Certificate", paste the contents of the .CER file exported from the ADFS configuration (previous step).
- Add at least one group.
- Save the settings.
Testing sign-in with ADFS
Depending on the way ADFS is set up, the ADFS server may be accessible only from the internal network in which it resides, whereas FotoWeb may be accessible on the open internet (e.g., when using FotoWare SaaS); run the following test from a client that can reach both.
- Go to the home page of the FotoWeb tenant.
- In the login form, select "Log in with SSO".
- You should be redirected to the sign-in page of the ADFS server.
- Log in with a user's AD credentials.
- You should be redirected back to FotoWeb, and you should be logged in.
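If the sign-in test fails, or stops working later, the first thing to check is that the certificate pasted into FotoWeb is still the one ADFS signs tokens with: the pasted .CER is static, while ADFS (when AutoCertificateRollover is enabled) replaces its token-signing certificate before it expires. The script below is an added example, not from the page or FotoWare; it assumes the .CER was exported to the path shown and is run on the ADFS server.

```powershell
# Added example (not FotoWare's own code): confirm the exported .CER still matches the
# primary ADFS token-signing certificate, and flag automatic rollover.
Import-Module ADFS

$CerPath = 'C:\temp\fotoware-adfs-token-signing.cer'   # assumption: path used when exporting the .CER

# Load the exported certificate (Base-64 .CER is accepted directly) and the live primary cert.
$Exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
$Primary  = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Certificate

if ($Exported.Thumbprint -eq $Primary.Thumbprint) {
    "OK: exported certificate matches the primary token-signing certificate ($($Primary.Thumbprint))."
} else {
    "MISMATCH: FotoWeb has $($Exported.Thumbprint) but ADFS signs with $($Primary.Thumbprint); re-export and re-paste the .CER."
}
"Primary token-signing certificate expires: $($Primary.NotAfter)"

# With automatic rollover, ADFS promotes a new token-signing certificate on its own schedule,
# so the value pasted into FotoWeb has to be refreshed each time this happens.
$Props = Get-AdfsProperties
if ($Props.AutoCertificateRollover) {
    "AutoCertificateRollover is enabled (certificate lifetime $($Props.CertificateDuration) days): plan to re-paste the certificate into FotoWeb after each rollover."
} else {
    "AutoCertificateRollover is disabled: the token-signing certificate only changes when an administrator replaces it."
}
```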