Configuring client and server authentication
- To configure client and server authentication, go to Operations Center Settings > Authentication.
- The Authentication view opens. Here you can select the authentication method used for communications between Fotoware applications.
When connecting to an index, for example, a FotoStation user may need to authenticate with a user name and password. The same is true when an Index Manager union server connects to member indexes on other servers, for example. The Client authentication setting manages whether the clients are authenticated in the server's local user registry, through Active Directory (AD), or by using any SAML-compliant identity provider. If you choose AD authentication, the server must first be a member of the domain. For more information about SAML authentication, see SAML Authentication.
Access keys
Select Access keys to open the Server access keys view.
Server access keys are used for incoming connections from other Fotoware server products on the network to this server's Operations Center Settings - without having to use actual user accounts. Another benefit of using access keys rather than user accounts is that an access key can be easily revoked to invalidate it as required. One access key should be created per server.
Example:
You have an Index Manager server that needs to accept incoming connections from Color Factory running on another server on the network.
On the Index Manager server,select Add to create an access key pair and copy the Account ID and Access Key to the clipboard (and store them safely in a secure document). Once you close the dialog you will not be able to retrieve the keys again.
On the Color Factory server, add these account credentials to the Authentication settings in Operations Center Settings, so that when connecting to the Index Manager server Color Factory will pass these credentials.
SAML
Operations Center Settings can be configured to authenticate clients and servers using an SAML Identity Provider (IdP)
- Select SAML to open the SAML view.
- Select SAML 2.0 as the client authentication method and select the Settings link to set up the connection to the IdP.
- Enter the certificate endpoint URL in the corresponding fields as seen in the above screenshot. They are both obtained from the Identity Provider (IdP) configuration interface, although where you find them may vary from one IdP to another.
- Set up group name mappings, mapping the SAML group name with a corresponding Group name stored in Operations Center Settings. This is the group name value Operations Center Settings returns when a client requests to know which group a user is a member of.
- In the Property Mapping section, set the attribute that the IdP sends containing group membership data and the format of the values from the drop down field (Single/Multi).
Note: The First name and Last name fields are only used for the history function.
Tip: To upload configurations from FotoStation to an Index Manager server, the user who updates the configuration must be a member of the Fotoware Administrators group. Therefore, you must set up a mapping between an SAML Group name and a corresponding Operations Center Settings group named Fotoware Administrators (this name must be exact) to facilitate configuration updates for these users.
Server authentication
Here you can set the user name and password that this Fotoware server uses when setting up outgoing connections to other Fotoware servers on the network.
To add a new entry in the list, select Add and enter the host name of the server you want to connect to (and, optionally, the port number) and which user account to use when connecting to that server. You can also specify that you want to authenticate using a domain account by entering domain\username in the Username field.
We recommend creating access keys on the server that receives the incoming connections and then adding the credentials obtained to the server that sets up the connection.
Note: When using the file browser in any of the server interfaces to connect to a server for which no authentication credentials have been defined, you can manually enter a user name and password. This information will be stored in this list in Operations Center Settings and used for future connections to the same server.