Identity Provider

22. August 2025

Elaine Foley

Table of Contents

  • Choose Identity Provider
  • Create Identity Provider
  • Create Identity Provider (Claim) Mappings
  • Update Identity Provider
  • Delete Identity Provider
  • Purge Identity Provider
  • Setup Solutions

Instead of using only the Fotoware Alto IDS, you can connect an OpenID Provider, which will serve as an Identity Provider to the Fotoware Alto IDS. The selected Identity Provider (IdP) must support the standardized OpenID Connect protocol, which allows flexible implementations that vary in the required metadata or ACR values.

Choose Identity Provider

The user opens Fotoware Alto by providing the URL. They choose to log in with Fotoware Alto IDS credentials by providing an email and password (1). This will authenticate the user with Fotoware Alto IDS as Identity Provider. If configured, they can also choose another external identity provider (2) that will handle the authentication. 

In the Customer Default Settings, you can set the accent color for the IdP.

 
 

Create Identity Provider

You can configure one or many external Identity Providers for authentication. 

Identity providers (short: IdP, IDP) are systems that manage and maintain identity information (e.g. user attributes). Identity providers offer user authentication as a service. Fotoware Alto outsources the user authentication to the Fotoware Alto Identity Server as the default trusted identity provider and is thus a relying party application to it. See Wikipedia Identity Provider.

Whenever Office 365 needs to verify a user, for example, Azure AD performs all identity and access management and is thus the trusted identity provider. 

Prerequisites

  • ADFS setup (See How To setup ADFS on Windows Server 2016 here)
  • Your user must have Developer permission in the Fotoware Alto configuration to see this menu.
  • Your user role must have permission to manage Identity Provider.

Setup

Adding an external Identity Provider in Fotoware Alto means adding it to the Fotoware Alto IDS.

  1. Go to Settings > IdP setup.
  2. In the list, choose Create new identity provider.
  3. Enter the details.
  4. Save.

Newly created IdPs or changes made to existing ones could take around a minute to take effect.

 

Settings

Each setting is listed with an example value and a description.

Setting: Name
Value example: FotowareAltoADFSWinServer2016
Description: A meaningful name that is used as a reference. It cannot be changed afterward.

Setting: Display name
Value example: Fotoware Alto AD
Description: Something users can relate to, which is shown to the users next to "Continue with".

Setting: Type
Value example: ADFS
Description:
  • ADFS is currently supported in Fotoware Alto.
  • Azure AD is currently supported in Fotoware Alto.
  • Others are planned to be supported, but are currently not in use.

Setting: Connection protocol
Value example: OpenID Connect
Description: The IdP must support OpenID Connect.

Setting: URL
Value example: https://ad.customer.ch/adfs
Description:
  1. The endpoint for OpenID, with https.
  2. For ADFS, something like https://ad.customer.com/adfs. Check this with your IT department.
  3. For other identity providers, it is the OpenID Connect configuration, e.g. https://login.microsoftonline.com/99292bdd-6686-4f0b-817b-f8e8571cf07c/v2.0/.well-known/openid-configuration
    (Remove everything after the version number of the OpenID configuration URL.)

Do not use the /ls endpoint.

If your ADFS URL is https://adfs02.domain.com/adfs/ls then use the URL without /ls: https://adfs5684.domain.com/adfs.

Setting: Client ID
Value example: Application ID, e.g. 9df5684-1f10f-4125684-7feb535684
Description: The ID of your application.

Setting: Client secret
Value example:
GBAyfVL7YWtP6gudLIjbRZV_N0dW4f3x
ETiIxqtokEAZ6FAsBtgyIq0MpU1uQ7J0
8xOTO2zwP0OuO3pMVAUTid
Description: This is not needed. You can leave this empty.

The authentication flow defines how the tokens that identify users are exchanged. An external Identity Provider for Fotoware Alto must support Authorization Code Flow with PKCE. PKCE, pronounced “pixy”, is an acronym for Proof Key for Code Exchange, which does not require users to provide a client_secret. The standard Authorization Code flow would require this. The main benefit is the reduced risk for native apps, as there are no embedded secrets in the source code, and this in turn limits exposure to reverse engineering.

If the Identity Provider does not support Authorization Code Flow with PKCE, the Client secret can be used. In that case, the client secret must match the application's client secret.

Setting: Sort order
Value example: 0
Description: A number, starting from 0 for the first position, and 1 as the second position.
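The Authorization Code Flow with PKCE described for the Client secret setting can be traced in code. This is an added example, not Fotoware code: it shows the S256 challenge from RFC 7636, the two requests a relying party sends, and the check the IdP performs. The endpoint path, client ID and redirect URI passed to these functions are assumptions supplied by the caller.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    """Fresh 43-character verifier per login, from 32 random bytes."""
    return b64url(secrets.token_bytes(32))

def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorization_url(authorize_endpoint, client_id, redirect_uri, verifier, state):
    """Front channel: only the challenge is sent, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(params)

def token_request_body(client_id, redirect_uri, code, verifier):
    """Back channel: the code is redeemed with the verifier, no client_secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }

def idp_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """IdP side: recompute the challenge and compare in constant time."""
    return hmac.compare_digest(stored_challenge, code_challenge_s256(presented_verifier))
```

An intercepted authorization code is useless without the verifier, which is why no shared client secret has to be stored in the application.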

After creating the Identity Provider

  1. Add claim mappings
  2. Add group mappings
  3. Add Identity Provider to users
 
 

Create Identity Provider (Claim) Mappings

You can configure claim mappings and group mappings for your external Identity Provider. 

Identity providers (short: IdP, IDP) are systems that manage and maintain identity information (e.g. user attributes). Identity providers offer user authentication as a service. Fotoware Alto outsources the user authentication to the Fotoware Alto Identity Server as the default trusted identity provider and is thus a relying party application to it. See Wikipedia Identity Provider.

Whenever Office 365 needs to verify a user, for example, Azure AD performs all identity and access management and is thus the trusted identity provider. 

Prerequisites

  • Identity Provider set up.

Create claim mappings

  1. Go to Settings > IdP Settings.
  2. You will see a setting entry for your new Identity Provider in the list. Double-click to open it.
  3. On the right side, in the first tab, you can add the claim mapping:
    1. Add claim mapping.
    2. Provide the claim name from your AD, which holds the user attributes e.g., company, telephone number. Ensure the correct spelling! 
    3. Map to Fotoware Alto user attributes.
       
Adding multiple claim mappings to your new Identity Provider in Fotoware Alto.

On the right side in the second tab, you can add the group mapping:

  1. Add group mappings.
    1. Provide the claim name (issued claims) from your AD, which holds your user group assignments, e.g., Groups. Ensure the spelling is correct!
    2. Define a Fallback user role. The fallback user role of the IdP will only be used if none of the group mappings find a matching role or the default user role is not defined for Fotoware Alto. This cannot be Super Admins. 
    3. Map Group names from your AD to user roles in Fotoware Alto.
       
Adding multiple group mappings to your new Identity Provider in Fotoware Alto.

Without group mappings, your users will be able to log in to Fotoware Alto but will either have only the default role or fallback user role of your Fotoware Alto assigned (if these are configured), or will not have any access. Be aware that you can also manually add roles to federated users in Fotoware Alto.

 

There is a Microsoft limitation for ADFS 2.0 which prevents using Domain Local Groups in a claim. Choose global or universal groups. More details on this limitation: https://social.technet.microsoft.com/wiki/contents/articles/13829.ad-fs-2-0-domain-local-groups-in-a-claim.aspx

 

Automatic Claim Mappings

The following attributes are mapped automatically in Fotoware Alto (if not overridden by a claim mapping). 

Further information about claims here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims

User attribute: Claim types (first to have a value wins)

Email: email, which will be used as a username in Fotoware Alto (mandatory).
sub: User identifier of the user within the IdP (mandatory; provided by ADFS in basic configuration).
First name: given_name
Last name: family_name
Language code: locale
  • Default language coming from IDS
  • Default customer language, only acceptable values are en and de.
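The way claim mappings, group mappings and the fallback role combine can be modelled in a few lines. This is an added example, not Fotoware code: the attribute names, role names and sample claims are constructed, and the customer-wide default role is not modelled.

```python
SUPER_ADMINS = "Super Admins"  # role name as written on this page

# Automatic mappings from the table above; attribute names are hypothetical.
AUTOMATIC = {"email": "email", "sub": "sub",
             "first_name": "given_name", "last_name": "family_name"}

def as_list(value):
    """Accept a group claim sent as one string or as a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def map_user(claims, claim_mappings, group_claim, group_mappings, fallback_role=None):
    """Return (attributes, roles) for one federated login."""
    if fallback_role == SUPER_ADMINS:
        raise ValueError("fallback role cannot be Super Admins")
    # attribute -> claim name; explicit claim mappings override automatic ones.
    wanted = dict(AUTOMATIC)
    for claim_name, attribute in claim_mappings.items():
        wanted[attribute] = claim_name
    # Claim names are matched exactly, so a misspelled name yields no value.
    attributes = {a: claims[c] for a, c in wanted.items() if claims.get(c)}
    for mandatory in ("email", "sub"):
        if mandatory not in attributes:
            raise ValueError(f"mandatory claim missing: {mandatory}")
    groups = as_list(claims.get(group_claim))
    roles = sorted({group_mappings[g] for g in groups if g in group_mappings})
    if not roles and fallback_role:
        roles = [fallback_role]  # used only when no group mapping matched
    return attributes, roles

# Constructed sample ID token claims and mappings (not from a real tenant).
SAMPLE_CLAIMS = {"sub": "u-1001", "email": "jane@customer.example",
                 "given_name": "Jane", "family_name": "Doe",
                 "company": "Customer AG", "Groups": "DAM-Editors"}
CLAIM_MAPPINGS = {"company": "company"}
GROUP_MAPPINGS = {"DAM-Editors": "Editor", "DAM-Admins": "Administrator"}

if __name__ == "__main__":
    print(map_user(SAMPLE_CLAIMS, CLAIM_MAPPINGS, "Groups", GROUP_MAPPINGS, "Viewer"))
```

Passing "groups" instead of "Groups" as the group claim name silently drops every user to the fallback role, which is the failure the spelling warnings above guard against.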

After creating Identity Provider mappings

  1. Add Identity Provider to users
 
 

Update Identity Provider

  1. Go to Settings > IdP setup.
  2. Select your Identity Provider from the list.
  3. Edit the details.
    1. You cannot update the name, only the display name.
  4. Save.

Newly created IdPs or changes made to existing ones could take around a minute to take effect.

 

Effects of updating Identity Provider

  • Users cannot log in when their assigned Identity Provider is disabled.
  • The display name will be updated on the login screen. 
  • The protocol cannot be changed. 
  • If you change the URL, your users' login requests will, from now on, be sent to the new URL. 
  • If you change the client ID, your users' login requests will, from now on, contain the new client ID, so you must ensure that a working IdP with this client ID is available.
  • Changes to the Client secret have no effect if authorization code flow with PKCE is used; otherwise, the client secret must match with the application.
  • Changing the sort order will change the sort order of the buttons on the login form, where 0 is the first position.
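Because a changed URL redirects every login request, it is worth checking the value before saving it. This is an added example, not Fotoware code: it applies the URL rules from the Settings description (https only, no /ls, nothing after the version number) and checks a discovery document for the authorization code flow and PKCE. The sample metadata is constructed for the page's example host, and the checks themselves are assumptions about what a careful administrator would verify.

```python
from urllib.parse import urlsplit, urlunsplit

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

def normalize_idp_url(url: str) -> str:
    """Reduce a pasted URL to the base URL this page asks for."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("IdP URL must be an absolute https URL")
    path = parts.path.rstrip("/")
    if path.endswith(DISCOVERY_SUFFIX):   # pasted discovery document URL
        path = path[: -len(DISCOVERY_SUFFIX)]
    if path.endswith("/ls"):              # the ADFS /ls endpoint must not be used
        path = path[: -len("/ls")]
    return urlunsplit(("https", parts.netloc, path, "", ""))

def discovery_url(base_url: str) -> str:
    """Where the OpenID Connect configuration for base_url is published."""
    return base_url + DISCOVERY_SUFFIX

def preflight(base_url: str, metadata: dict) -> list:
    """List problems in a discovery document fetched from discovery_url()."""
    problems = []
    if str(metadata.get("issuer", "")).rstrip("/") != base_url:
        problems.append("issuer does not match the configured URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(metadata.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    if "code" not in metadata.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "S256" not in metadata.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised; a client secret may be needed")
    return problems

# Constructed discovery document for the page's example host (not real output).
SAMPLE_METADATA = {
    "issuer": "https://ad.customer.ch/adfs",
    "authorization_endpoint": "https://ad.customer.ch/adfs/oauth2/authorize/",
    "token_endpoint": "https://ad.customer.ch/adfs/oauth2/token/",
    "jwks_uri": "https://ad.customer.ch/adfs/discovery/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "code_challenge_methods_supported": ["plain", "S256"],
}
```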
 
 

Delete Identity Provider

  1. Go to Settings > IdP setup.
  2. In the list, delete your Identity Provider.

Before deleting Identity Provider

  1. Open Users.
  2. Switch Search Mode to Advanced.
  3. Search for all users which have the Identity Provider assigned
    identityProviderId:<id> 
  4. Update those users, as otherwise, they can no longer log in to Fotoware Alto.

Effects of deleting Identity Provider

  • The users who were using this Identity Provider can no longer log in. 
  • No default or fallback Identity Provider will be assigned. 
 
 

Purge Identity Provider

  1. Go to Settings > IdP setup.
  2. Select your Identity Provider from the list.
  3. Select Purge.
  4. In the confirmation dialog, select Purge.

Effects of purging Identity Provider

  • Claims of all users will be purged.
  • Users must log in again, and their claims will be updated with the latest information from the IdP.
 
 

Setup Solutions

How To: Configure ADFS on Windows Server 2016 — The installation and configuration of the ADFS service are the sole responsibility of the customer and are not related to Fotoware Alto. Before configuring the Identity Provider in Fotoware Alto, ADFS must be properly installed and configured.

How To: Integrate Azure Active Directory with Fotoware Alto —
This tutorial teaches you how to integrate Content Platform with Microsoft Entra ID (formerly Azure Active Directory).
