In this tutorial, you learn how to integrate Fotoware Alto with Microsoft Entra ID (formerly Azure Active Directory).

Integrating Fotoware Alto with Azure AD provides you with the following benefits:

• You can manage who has access to Fotoware Alto in Microsoft Entra ID.
• You can enable your users to be automatically signed in to Fotoware Alto (single sign-on) with their Microsoft Entra ID accounts.
• You can manage your accounts in one central location - the Azure portal.

For more information about app integration with Entra ID, see What is application access and single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

Before configuring the Entra ID integration with Fotoware Alto, you need the following:

• An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account.
• Fotoware Alto single sign-on (SSO) enabled subscription

Scenario description

In this tutorial, you learn how to configure and test Entra ID single sign-on in a test environment.

Fotoware Alto supports OpenID Connect authentication.

Note: As Microsoft regularly updates the Azure Portal interface, the example images below may not always exactly reflect the UI.

In the Azure portal

Register Fotoware Alto as an App

1. In the Azure portal, ensure that you have selected the correct directory. To change directories, select the icon on the upper right, as outlined in the example below.
   
    
2. Open Microsoft Entra ID.
   
    
3. In the navigation panel, select App registrations and then select New registration to add a new registration.
   
   
4. Enter a name for the new app, such as Fotoware Alto SSO.
5. Select which account types should have access (single tenant only allows from the currently selected directory).
6. Redirect URI refers to the URL of the identity server for your Fotoware Alto tenant. To get the IDS, sign in to your Fotoware Alto tenant, go to Help > System Information, and copy the Fotoware Alto IDS value.
   
    
   
   
7. The newly registered app will open directly, and your breadcrumb will look similar to the example.
    

Configuring the Fotoware Alto app

In the Azure Portal, open the app you created in the first part of this tutorial and select Manage > Authentication . 

1. Under Redirect URIs add the ID value obtained in the step before behind the IDS URI provided in section 1. The path contains three parts: the “Fotoware Alto IDS (previously Fotoware Alto IDS) https://ids-cp-ch.picturepark.com“, a “signin-” component, and the ID value. For example: https://ids-cp-ch.picturepark.com signin-598b9251-d7d0-4a53-887e-6bdf2b16c35b 
2. Add a Front-channel logout URL. Use the same values as in the previous step, but replace the signin- component with s-. This step is optional and not required for authentication to work. It is convenient if users are logging out of Entra ID as this will log them out of Fotoware Alto IDS and, within a maximum of 10 minutes, log them out of Fotoware Alto itself. 
   
3. Implicit grant: Leave this empty. Fotoware Alto Open ID Connect integration uses code flow, not implicit flow.  

Add API Permissions  

1. Add permission .
2. Select Microsoft Graph.
3. Select Delegated permissions .
4. Select and save.
   1. email  
   2. offline_access  
   3. openid  
   4. profile  
      

  Add API Exposure to Client Application 

1. Open Manage > Expose an App.
2. Add a scope.
   • You need to set an Application ID URI before you can add a permission. (Microsoft chooses one by default, but it can be changed). Save and continue.
   • Scope name: user.signin
   • Who can consent? Admins only 
   • Consent display names: User Authentication 
   • Consent descriptions: User Authentication 
   • Select Add scope. 
3. Add a new client application.
   • Client ID is taken from the Overview page.
   • Select Scopes.
     

Claiming Steps - Add Tokens to the Azure App  

For information on token creation in Azure AD B2C, see https://docs.microsoft.com/bs-latn-ba/azure/active-directory-b2c/configure-tokens  

1. Go to Manage > Token Configuration.  
2. Add optional claims.  
   1. You need to pass the email address claim to Fotoware Alto, as it is required.    
   2. We also recommend the family name and given name. These three are automatically added and do not need to be mapped in Fotoware Alto. Other claims will also need to be mapped in Fotoware Alto in Settings > IdP Settings/YourIdp/Group Mapping.  
   3. Add any group claims in Azure and then map them into Fotoware Alto. The group claim type in Fotoware Alto IdP settings is groups, and the group name is the group's object ID.
      
      
      
3. Go to Manage Certificates & Secrets, create a new client secret, and copy it.  
4. Add the client ID to the Fotoware Alto IDS, the OpenID Connect metadata document URL to the URLs, and the client secret to the client secrets, and save. 
   We recommend setting a calendar entry to recreate and then reshare the secret value with Fotoware so there is no downtime due to an expired client secret value.

Limitations  

• You cannot add Fotoware Alto from the gallery. If you try, you will find only Fotoware Alto DAM.   
   
• If a user is a member of many groups in Azure (has many claims), the login process may fail because Identity Server cannot handle the size of the response. This results in a 502 error during login. To resolve this, try reducing the number of groups the user belongs to in your identity provider (IdP) or set up a Claims Filter in Alto for your IdP to exclude any unnecessary claims. For information about how to set up a claims filter, see Authentication in Fotoware Alto.
   

In Fotoware Alto 

Before you proceed to the next step (configure the newly created app in Azure), you must set up an Identity Provider in Fotoware Alto.

1. In your Fotoware Alto tenant, go to Settings > IdP setup.
2. Name: Choose a name for your internal use.
3. Display name: the name shown to your users when logging in, for example, Company Access.  
4. Select Azure AD from the dropdown list.
5. Protocol: Choose Open ID Connect .
   
    
6. URL: In Azure Entra ID, open the app you created in part 1 of this tutorial. Go to Overview > Endpoints, copy the value from the Open ID Connect metadata document (remove everything after v2.0), and paste it into the URL field.
7. Client ID: retrieve the value under Application (client) ID and copy it into the Client ID field.
8. Client Secret: go to Manage > Certificates & secrets > Create new secret. Retrieve the Value and copy it into the Client Secret field. 
   
   
    
9. Sort order: This field does not need to be filled out; it will be created automatically. However, if you have multiple IdPs and want to display them in a particular order, you can add a number here, e.g., 0, 1, 2, 3, etc.  
10. Select Create and copy the ID value. You need this to complete your app's configuration in the Azure Portal.
    
    

Assign Groups and Users - optional 

In Entra ID, go to Enterprise applications. Select the app you registered. Assign users and groups, select your users/groups, and assign them their respective roles.

Congratulations, you are all set up! To test your configuration, open Fotoware Alto in a private window.