Active Directory is deprecated

Note: Active Directory integration via LDAP in FotoWeb is set to End of Life from January 1st, 2024, and will be removed from our software in a future version. We strongly recommend switching your identity provider as soon as possible.

Fotoware currently supports a variety of other identity providers, such as Microsoft Entra ID (formerly Azure Active Directory), ADFS + SAML, or any other SAML 2.0 compatible provider, such as Okta, OneLogin, and many more.

Contact Fotoware Support or your Fotoware Partner if you need assistance migrating to a new identity provider.

How it works

Windows Active Directory authentication allows managing users and groups in the Active Directory, while the relevant groups can be imported into FotoWeb through the Site Configuration. After importing the groups, they can be given access to the relevant resources on the FotoWeb server. Group changes in the Active Directory, such as adding or removing users, are automatically updated so that all user management can be done in the Active Directory only.

Windows Active Directory configuration involves the following steps:

• Add the FotoWeb server to the domain
• Enable Windows Active Directory integration on the site (see below)
• Import groups into FotoWeb
• Assign access to FotoWeb archives and workflows based on the groups you've imported
• Configure your browser to use Integrated Windows Authentication (see below)

Setting it up

1. From the Tools menu (cogwheel icon), go to Site Configuration > Security > Single Sign-on.
2. On the General tab, turn on the Enable Single Sign-on toggle.
3. From the Authentication provider drop-down list, select Windows Active Directory.
   
4. Next, enter the required information that FotoWeb needs to communicate with the directory: 
5. Host: Specifies a server name or a domain name to which FotoWeb should connect, i.e., server.domain.com or simply domain.com
6. Port: The default port for communication with Active Directory is 389. This value is pre-entered once the Active Directory option page is enabled and can be modified for special users who use a different port for security reasons.
7. The AD server must accept incoming traffic on this port using both TCP and UDP, so this port must be opened in the firewall for both protocols. No additional ports must be opened in the FotoWeb server for AD support.
8. Username: Login name of a user with enough privileges to list the directory's contents. Note that this is a domain user name and not a local FotoWeb user account.
9. Password: Enter the password corresponding to the username that you supplied.
10. Test Connection: After entering the necessary credentials for connecting to Active Directory, this button will be activated for you to attempt a connection to the directory. You will then receive a success message if the connection to the AD was successfully established.
11. To use single sign-on, enable Enable Integrated Windows Authentication (Single Sign-On). With this option set, users who access the FotoWeb site can choose between manually entering a username and password or selecting Log in with SSO.
12. To enforce Single sign-on as the only available option, choose Only allow login with Integrated Windows Authentication (Single Sign-On). When users access FotoWeb, they will be immediately authenticated and logged in and never see the login screen.
13. After you verify that the connection is working, you can import groups from the AD and then assign archive permissions using those groups.

Importing groups and assigning access

Next, you need to import groups from the Active Directory to give them access to FotoWeb.

You can then assign access to FotoWeb archives and actions using the imported groups.

Enabling Integrated Windows Authentication in your web browser

Having completed the above steps, ensure your browser is configured to use Integrated Windows Authentication.