Authentication configuration in Fotoware Alto
Fotoware Alto (formerly Picturepark Content Platform) uses a secure authentication system built on OpenID Connect. This system allows users to log in to one or multiple Fotoware Alto platforms with the same Fotoware Alto account. This login is also the preferred method for connecting your users with Fotoware Alto apps and microsites, or via direct user-centric API requests.
Benefits of one account for multiple platforms:
- One central user repository (Identity Provider) for authentication.
- Different permissions per platform role assignments.
- Accessing multiple Fotoware Alto platforms with the same account.
- One login to connect them all: Fotoware Alto apps, microsites, and customer systems.
- Authentication using a highly secure and flexible protocol, OpenID Connect.
- Easy administration and faster development cycles for new apps.
Fotoware Alto Identity Server
Fotoware Alto serves many customers, and a separate user database per customer would become an administrative and security burden. To save valuable IT resources, user authentication and user provisioning are delegated to the Fotoware Alto Identity Server (IDS) as the default trusted Identity Provider (IdP), connected via OpenID Connect, the industry-standard protocol for secure and flexible authentication. The Fotoware Alto IDS stores all user attributes required to authenticate users in one or multiple Fotoware Alto platforms.
Fotoware Alto IDS Scenario
- 💻 The user requests access to Fotoware Alto via the Login Form.
- 🏢 The request is sent to the Fotoware Alto IDS, which verifies the identity.
- 🔑 The Fotoware Alto IDS grants or denies access.
Prerequisites
To configure the Fotoware Alto IDS authentication, you need a Fotoware Alto subscription.
Configure and test
The Fotoware Alto IDS authentication is built in and needs no further configuration except to create a user, via an administrator or self-registration on the sign-up form.
Federated authentication
Instead of using only the Fotoware Alto IDS, you can connect an OpenID Provider, which then serves as an Identity Provider to the Fotoware Alto IDS. The Identity Provider (IdP) must support the standardized OpenID Connect protocol, which permits flexible implementations that differ in the metadata they require and the ACR values they support.
Benefits of adding an external Identity Provider (IdP):
- Linking third-party accounts to your Fotoware Alto.
- Connect to Fotoware Alto quickly, seamlessly, and securely with an existing user account, for example, from Active Directory or any trusted, in-place Identity Provider (IdP).
- Add one or multiple supported OpenID Providers easily to your Fotoware Alto.
- Full control over which Identity Providers (IdPs) are permitted per user is achieved by adding the allowed IdP to the user, for example, ADFS for employees only, Azure for agencies, and the Fotoware Alto IDS for all other users.
External IdP scenario
- 💻 The user requests access to Fotoware Alto via the "Connect via IdP" button on the Login Form.
- 🌍 Fotoware Alto IDS sends the request to the configured OpenID Provider (IdP), verifying the identity and sending the configured claims.
- 🔑 Fotoware Alto authenticates the user.
Prerequisites
To configure an OpenID provider, you need:
- a Fotoware Alto subscription.
- a supported OpenID Provider, set up and configured, such as ADFS on Windows Server 2016.
Limitations
- You cannot remove roles from federated users when these roles were assigned from an IdP. Roles must be added to or removed from users via role mappings.
- Federated users cannot create API tokens.
- Federated users cannot be invited or set to "In Review".
- The IdP's fallback user role is only assigned when no role mapping finds a match and there is no default role.
Claims filter
If a user is a member of many groups in Azure (has many claims), the login process may fail because Identity Server cannot handle the size of the response. This results in a 502 error during login.
To resolve this, try reducing the number of groups the user belongs to in your identity provider (IdP) or set up a Claims filter in Alto for your IdP to exclude any unnecessary claims.
The Claims filter (an API-only feature) allows administrators to manage which identity claims from external identity providers (IdPs), such as Azure AD or ADFS, are passed to Alto during federated login. This helps manage user attributes and group mappings securely and ensures only relevant data is persisted. You can filter any claim type; however, do not filter out the email claim, as it is essential for user identification.
How to apply claims filtering per IdP
Note
The claims filter can only be configured using the API.
- Retrieve the IdP configuration: `GET {{ids_management_base_url}}/identityProviders/{{idpId}}`
- Modify and apply the claims filter: use the result from the GET call, update the `claimsFilters` property, and send it back via `PUT {{ids_management_base_url}}/identityProviders/{{idpId}}`.
Example Payload

```json
"claimsFilters": {
  "{{claim}}": {
    "filterType": "Include",
    "values": [
      "{{anyClaimValue}}"
    ]
  }
}
```
- `{{claim}}`: the type of claim. This is the same as what is set on the IdP settings page.
- `"filterType"`: `"Include"` or `"Exclude"`.
- `"values"`: array of claim values to include or exclude. An empty array means all values.
Common use cases
| Scenario | Result |
|---|---|
| No claims filter applied | All claims passed to Alto. |
| Filter out `givenname` | First name not mapped in Alto. |
| Filter out `groups` | Group-based roles not assigned. |
| Filter out `email` | Login may fail or the user may not be identified. |
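The GET/PUT procedure above and the use-case table can be tried out without a live tenant. The following script is an added example, not Fotoware's own code: the `identityProviders/{idpId}` paths and the `claimsFilters` shape come from the page, while the bearer-token header, the sample IdP configuration, the sample claims and the exact server-side matching semantics (how `Include`/`Exclude` and an empty `values` array are applied) are assumptions. It refuses to filter the `email` claim, builds the updated payload, and simulates which claims would still reach Alto.

```python
"""Claims filter helper for the Fotoware Alto IDS management API (added example).

Assumptions: bearer-token authorisation on the management API, and the
Include/Exclude semantics described in apply_claims_filters().
"""
import json
import urllib.request
from copy import deepcopy

# The page says this claim must never be filtered: Alto needs it to identify the user.
PROTECTED_CLAIMS = {"email"}

# Constructed sample: a minimal IdP configuration and the claims of an Azure
# user who is a member of many groups (the situation that produces the 502).
SAMPLE_IDP_CONFIG = {"id": "azure-ad", "claimsFilters": {}}
SAMPLE_CLAIMS = [
    ("email", "jane@example.org"),
    ("givenname", "Jane"),
    ("groups", "alto-editors"),
    ("groups", "finance-ro"),
    ("groups", "vpn-users"),
]


def set_claims_filter(idp_config, claim, filter_type, values=None):
    """Return a copy of the IdP configuration with a filter set for `claim`.

    filter_type is "Include" or "Exclude". An empty `values` list means the
    filter applies to every value of that claim type, as the page describes.
    """
    if claim.lower() in PROTECTED_CLAIMS:
        raise ValueError(f"refusing to filter protected claim {claim!r}")
    if filter_type not in ("Include", "Exclude"):
        raise ValueError("filterType must be 'Include' or 'Exclude'")
    updated = deepcopy(idp_config)  # never mutate the fetched object in place
    filters = updated.setdefault("claimsFilters", {})
    filters[claim] = {"filterType": filter_type, "values": list(values or [])}
    return updated


def apply_claims_filters(claims_filters, claims):
    """Simulate which (type, value) claims reach Alto (assumed semantics).

    - No filter for a claim type: the claim passes unchanged.
    - Exclude with empty values: drop every value of that type.
    - Exclude with values: drop only the listed values.
    - Include with empty values: keep every value of that type.
    - Include with values: keep only the listed values.
    """
    kept = []
    for ctype, value in claims:
        rule = claims_filters.get(ctype)
        if rule is None:
            kept.append((ctype, value))
            continue
        listed = set(rule.get("values") or [])
        match_all = not listed
        if rule["filterType"] == "Exclude":
            if match_all or value in listed:
                continue
        elif not (match_all or value in listed):
            continue
        kept.append((ctype, value))
    return kept


def update_idp_claims_filters(base_url, idp_id, token, claim, filter_type, values=None):
    """GET the IdP configuration, set the filter, PUT the whole object back.

    Network helper only; the Authorization header is an assumption about how
    the management API is authorised. Returns the HTTP status of the PUT.
    """
    url = f"{base_url}/identityProviders/{idp_id}"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        config = json.load(resp)
    updated = set_claims_filter(config, claim, filter_type, values)
    body = json.dumps(updated).encode()
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Keep only the one group Alto maps to a role; the other groups are dropped.
    cfg = set_claims_filter(SAMPLE_IDP_CONFIG, "groups", "Include", ["alto-editors"])
    print(json.dumps({"claimsFilters": cfg["claimsFilters"]}, indent=2))
    print(apply_claims_filters(cfg["claimsFilters"], SAMPLE_CLAIMS))
```

The `Include` filter with a single group is the smaller payload for a user in many groups; an `Exclude` with an empty array removes group claims entirely, which, as the table says, means group-based roles are no longer assigned.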
Further information for External IdP
- Fotoware Alto Redirect URL is the URL of the Fotoware Alto IDS + /signin-<Idp-id>
- You can see the Fotoware Alto IDS when you open the Login Form of your Fotoware Alto in the URL.
- You find the Identity Provider ID in the list of external IdP in Settings > IdP Setup
- Client Secret is not needed as Fotoware Alto uses the authorization code flow + PKCE.
FAQs
FAQ: Why do I need an external Identity Provider?
FAQ: Which external Identity Providers are supported?
FAQ: What authentication flows are supported?
FAQ: Is Multi-factor Authentication MFA supported?
FAQ: Is One Login supported as an OpenID Provider?
FAQ: Is Okta OP supported as an OpenID Provider?
FAQ: Is Google as an OpenID Provider supported?
FAQ: Do I have an in-built Identity Provider in Fotoware Alto?
FAQ: Is Azure AD a supported OpenID Provider?
Glossary OpenID Connect
Relying Party (short: RP) is an app that outsources the authentication of users, which is Fotoware Alto itself. Fotoware Alto does not handle authentication but outsources authentication to the Fotoware Alto IDS or any trusted Identity Provider configured in the system.
Fotoware Alto IDS is the Fotoware Alto Identity Server, which serves as the default trusted Identity Provider of your Fotoware Alto. All identity information (for example, user attributes) is saved in the Fotoware Alto IDS. You can access multiple Fotoware Alto tenants with the same identity.
OpenID Providers are implementations based on OpenID Connect, such as servers, services, or libraries. They are listed on the official OpenID Connect page: https://openid.net/developers/certified. Popular services like Google, Microsoft, or Amazon support OpenID, but each OpenID Provider can define different metadata describing the OpenID Connect configuration. Therefore, not all OpenID Providers are supported with Fotoware Alto.
OIDC (OpenID Connect) is a leading standard for authentication, specifically identity provisioning and single sign-on. It uses JSON-based identity tokens (JWT), delivered via OAuth 2.0 flows designed for web, browser-based, and native/mobile applications. OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and session management, when it makes sense for them. See the Fotoware Alto OpenID Configuration for the live environment. Append /.well-known/openid-configuration to the identity server URL to get the configuration for your platform.
Identity providers (short: IdP, IDP) are systems that manage and maintain identity information (for example, user attributes). Identity providers offer user authentication as a service. Fotoware Alto outsources the user authentication to the Fotoware Alto Identity Server as the default trusted identity provider and is thus a relying party application to it. See Wikipedia Identity Provider.
Authorization is the process of verifying that "you are permitted to do what you are trying to do" by granting permissions. While authorization often happens immediately after authentication (for example, when logging into a computer system), this does not mean authorization presupposes authentication: an anonymous agent could be authorized to a limited action set. Fotoware Alto grants permissions via assignments to user roles. See Wikipedia Authorization.
The authentication flow defines how the tokens used to identify users are exchanged. An external Identity Provider for Fotoware Alto must support the Authorization Code Flow with PKCE. PKCE, pronounced "pixy", stands for Proof Key for Code Exchange; it does not require the client to present a client_secret, which the standard Authorization Code flow would. The main benefit is reduced risk for native apps: no secrets are embedded in the source code, which in turn limits exposure to reverse engineering.
Authentication is the act of proving that "you are who you say you are", usually done via passwords: verifying the identity of a computer system user. Identity providers offer user authentication as a service. See Wikipedia Authentication.
ACR Values are optional parameters provided as space-separated strings. These values specify additional context values that the authorization server shall use to process the client request for authentication. If the client provides a value the IdP understands, it will be respected, but if the IdP does not understand it, the authentication request is either denied or the acr_values are sent back to the client, which can then decide if the level of authentication is satisfying and carry on with the authentication or reject it. The values appear in order of preference. Possible values may be multi-factor or phishing-resistant. See here for more information: https://ldapwiki.com/wiki/Acr_values.
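The glossary entries on discovery, the authentication flow and ACR values describe checks an administrator can run before wiring up an external IdP. The script below is an added example and not Fotoware's code: it reads a discovery document (a constructed one is embedded; a real one is fetched from the issuer's /.well-known/openid-configuration), verifies that the provider advertises the authorization code flow, PKCE with S256 and any acr_values you intend to request, then builds a PKCE pair and the authorization request. The redirect URL follows the page's rule (IDS URL + /signin-<Idp-id>); the issuer, client id, scopes and IDS URL are placeholders.

```python
"""Pre-flight checks for an external OpenID Provider (added example).

Assumptions: the discovery document below is constructed for a hypothetical
provider; client_id, scopes and the IDS base URL are placeholders.
"""
import base64
import hashlib
import secrets
import urllib.parse

# Constructed discovery document, in the shape a real
# <issuer>/.well-known/openid-configuration response has.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.org",
    "authorization_endpoint": "https://idp.example.org/authorize",
    "token_endpoint": "https://idp.example.org/token",
    "jwks_uri": "https://idp.example.org/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "acr_values_supported": ["urn:example:mfa"],
}


def check_provider(discovery, requested_acr_values=""):
    """Return a list of problems; an empty list means the provider looks usable.

    Checks the endpoints the code flow needs, the authorization code response
    type, PKCE with S256 (RFC 7636), and that every acr value we plan to send
    is advertised. acr_values_supported is optional in the discovery spec, so
    its absence is not reported as a problem.
    """
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not discovery.get(key):
            problems.append(f"missing {key}")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    if "S256" not in discovery.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not supported")
    advertised = discovery.get("acr_values_supported")
    if requested_acr_values and advertised is not None:
        for acr in requested_acr_values.split():  # space-separated, in order of preference
            if acr not in advertised:
                problems.append(f"acr value {acr!r} not advertised")
    return problems


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_pkce_pair():
    """code_verifier and its S256 code_challenge per RFC 7636."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, within 43..128
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def verify_pkce(verifier, challenge):
    """What the token endpoint checks when the code is redeemed with the verifier."""
    expected = _b64url(hashlib.sha256(verifier.encode()).digest())
    return secrets.compare_digest(expected, challenge)


def build_authorization_url(discovery, client_id, ids_base_url, idp_id, challenge, acr_values=""):
    """Authorization request for the code flow with PKCE; no client_secret anywhere.

    redirect_uri is derived as the page describes: IDS URL + /signin-<Idp-id>.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": f"{ids_base_url}/signin-{idp_id}",
        "scope": "openid profile email",
        "state": secrets.token_urlsafe(16),   # bound to the browser session by the RP
        "nonce": secrets.token_urlsafe(16),   # echoed back inside the ID token
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if acr_values:
        params["acr_values"] = acr_values
    return discovery["authorization_endpoint"] + "?" + urllib.parse.urlencode(params)


if __name__ == "__main__":
    print("problems:", check_provider(SAMPLE_DISCOVERY, "urn:example:mfa"))
    verifier, challenge = make_pkce_pair()
    url = build_authorization_url(SAMPLE_DISCOVERY, "alto-client", "https://ids.example.org",
                                  "azure-ad", challenge, "urn:example:mfa")
    print(url)
    print("verifier accepted:", verify_pkce(verifier, challenge))
```

If `check_provider` reports that S256 is missing, the provider cannot be used as described on this page even if it otherwise speaks OpenID Connect; if an acr value is not advertised, expect the IdP to either deny the request or return a different acr, which the relying party must then decide to accept or reject.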