Setup of Microsoft Entra ID (formerly Azure Active Directory)

Log in to your Microsoft Entra admin center.

Go to App registrations and create a new registration. (Note 29/11/21: an app may already exist; please see the note at the bottom of the page. - David Bird)

Give it a fitting name and select the correct account types.

In the redirect URI you will need to insert the following (replace DAMURL with the hostname of the DAM backend):
https://DAMURL/DigizuiteCore/LoginService

If there are multiple DAM URLs, every one of them needs to be added as well, each with /DigizuiteCore/LoginService appended.

Note

It is important that these are the backend (DigizuiteCore) URLs, not the URLs of the Media Manager, the Office connector, etc.

Example:

...

When the application has been set up, go to “Expose an API” and set the Application ID URI.

It must be either the same URI as the redirect URI (this only works if the domain is a verified domain of the Entra tenant) or the default Application ID URI, api://{application (client) ID}.

...

...

OR

...

In many cases it will be the api:// URI that has to be used, because the Digizuite domains are not verified domains in the customer's tenant.

Go to Token configuration and add the following claims:

...

In the groups claim dialog, make sure to select ONLY ‘Groups assigned to the application’. (How to assign groups to the application: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-assign-users )

...

(warning) This is to prevent an ‘HTTP 400 - Bad Request (Request header too long)’ or ‘HTTP 431 Request Header Fields Too Large’ (or similar) error when a user who is a member of many security groups logs in: with ‘Security groups’ or ‘All groups’ selected, every membership is emitted as a group claim, and the claims are typically carried along on subsequent requests (for example in the authentication cookie) until the request headers exceed the web server's limit. Restricting the claim to groups assigned to the application keeps the token down to the groups the DAM actually uses. Note also that Entra ID stops emitting individual groups in a SAML token once a user has more than 150 groups and emits a group-overage claim instead, so ‘All groups’ does not even work reliably for such users.

...

Now copy the App Federation Metadata URL; it is needed in the next part:

...
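The Entra-side steps above can be checked after the fact instead of re-reading the portal blades. The following is an added example (not Digizuite or Microsoft code) that audits an app registration object, in the shape Microsoft Graph returns it (GET /v1.0/applications/{object-id}; the portal's Manifest blade shows the same fields), against the requirements on this page: backend-only redirect URIs over https, one registered per DAM URL, an Application ID URI that is either a redirect URI or the default api://{appId}, and group claims limited to groups assigned to the application. It also assembles the App Federation Metadata URL needed in the next part. The two manifests and the host names are constructed for the example; the appId is the one quoted further down on this page.

```python
"""Audit an Entra ID app registration against the Digizuite SAML SSO requirements.

Added example, not Digizuite or Microsoft code. Input is the application object
as Microsoft Graph returns it (GET /v1.0/applications/{object-id}). The two
manifests below are constructed for this example; the host names are placeholders.
"""
import json
from urllib.parse import urlsplit

LOGIN_SERVICE_PATH = "/DigizuiteCore/LoginService"

# Constructed sample 1: misconfigured in every way the page warns about.
WEAK_MANIFEST = json.dumps({
    "appId": "d530289c-c796-4521-b0e0-17c9ab986791",
    "displayName": "Digizuite DAM SSO",
    "identifierUris": [],                        # "Expose an API" never filled in
    "groupMembershipClaims": "All",              # emits every group the user is in
    "web": {"redirectUris": [
        "https://dam.example.com/DigizuiteCore/LoginService",
        "https://dam.example.com/media-manager",  # a frontend URL, not the backend
    ]},
})

# Constructed sample 2: what the page asks for (two DAM URLs, default api:// URI,
# group claims limited to the groups assigned to the application).
GOOD_MANIFEST = json.dumps({
    "appId": "d530289c-c796-4521-b0e0-17c9ab986791",
    "displayName": "Digizuite DAM SSO",
    "identifierUris": ["api://d530289c-c796-4521-b0e0-17c9ab986791"],
    "groupMembershipClaims": "ApplicationGroup",
    "web": {"redirectUris": [
        "https://dam.example.com/DigizuiteCore/LoginService",
        "https://dam2.example.com/DigizuiteCore/LoginService",
    ]},
})


def expected_redirect_uris(dam_hosts):
    """Backend LoginService URL for every DAM host (the page's DAMURL placeholder)."""
    return [f"https://{host}{LOGIN_SERVICE_PATH}" for host in dam_hosts]


def audit_app(manifest_json, dam_hosts):
    """Return a list of findings; an empty list means the registration matches the page."""
    app = json.loads(manifest_json)
    findings = []
    redirect_uris = app.get("web", {}).get("redirectUris", [])

    # 1. Redirect URIs: only the backend LoginService endpoint, only over TLS.
    for uri in redirect_uris:
        parts = urlsplit(uri)
        if parts.scheme != "https" or parts.path != LOGIN_SERVICE_PATH:
            findings.append(f"redirect URI is not a backend LoginService URL over https: {uri}")

    # 2. Every DAM URL in use must be registered, otherwise Entra rejects the
    #    sign-in with a reply URL mismatch.
    for uri in expected_redirect_uris(dam_hosts):
        if uri not in redirect_uris:
            findings.append(f"missing redirect URI: {uri}")

    # 3. Application ID URI: must be set, and must be a redirect URI (verified
    #    domain) or the default api://{appId}; the DAM uses it as its Entity ID.
    allowed_ids = set(redirect_uris) | {f"api://{app['appId']}"}
    identifier_uris = app.get("identifierUris") or []
    if not identifier_uris:
        findings.append("no Application ID URI set under 'Expose an API'")
    for uri in identifier_uris:
        if uri not in allowed_ids:
            findings.append(f"Application ID URI is neither a redirect URI nor api://{{appId}}: {uri}")

    # 4. Group claims: anything other than 'groups assigned to the application'
    #    emits all memberships and risks the 'request header too long' failure.
    claims = app.get("groupMembershipClaims")
    if claims != "ApplicationGroup":
        findings.append(f"groupMembershipClaims is {claims!r}; must be 'ApplicationGroup'")
    return findings


def federation_metadata_url(tenant_id, app_id):
    """App Federation Metadata URL that the DAM configuration needs in the next part."""
    return ("https://login.microsoftonline.com/"
            f"{tenant_id}/federationmetadata/2007-06/federationmetadata.xml?appid={app_id}")


if __name__ == "__main__":
    hosts = ["dam.example.com", "dam2.example.com"]
    for name, manifest in (("weak", WEAK_MANIFEST), ("good", GOOD_MANIFEST)):
        print(name, audit_app(manifest, hosts) or "OK")
    print(federation_metadata_url("11111111-2222-3333-4444-555555555555",
                                  json.loads(GOOD_MANIFEST)["appId"]))
```

Run against the weak manifest the audit reports the frontend redirect URI, the missing second DAM URL, the empty Application ID URI and the over-broad group claim; the good manifest passes. Point the script at a real export by replacing the constructed manifest with the JSON from the Manifest blade.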

Setup of the Media manager (Digizuite configuration only)

Log in to the Media Manager as a Super administrator.

...

In the Entity ID field, insert the Application ID URI you set under “Expose an API”: either the same URL as your redirect URI (https://DAMURL/DigizuiteCore/LoginService) or api://{GUID}, e.g. api://d530289c-c796-4521-b0e0-17c9ab986791

Signing behavior:

IfIdpWantAuthnRequestsSigned (the SAML AuthnRequest is signed only if the IdP's federation metadata sets WantAuthnRequestsSigned="true")

...

Example of a configuration:

...
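What the DAM actually consumes from the federation metadata URL entered above is a small set of values: the IdP entity ID, the single sign-on endpoint, the signing certificate(s) and the WantAuthnRequestsSigned flag that drives the IfIdpWantAuthnRequestsSigned behavior. The following added example (not Digizuite code) parses SAML 2.0 metadata with the Python standard library and extracts exactly those values, failing closed when no signing key is present and keeping every signing certificate so that a certificate rollover (where the IdP publishes two keys at once) does not break verification. The sample metadata is constructed in the shape Entra ID publishes; the tenant ID is made up and the certificate value is a placeholder, not a real key.

```python
"""Read the IdP federation metadata the DAM is pointed at and derive its SAML settings.

Added example, not Digizuite code. It returns what the service provider (the DAM)
needs from the metadata. The sample below is constructed in the shape Entra ID
publishes; the tenant ID is made up and the certificate is a placeholder string.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata (Entra-style: tenant entityID, signing key, /saml2 endpoints).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...PLACEHOLDER-CERT...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract the SP-side settings from IdP metadata; raises ValueError on unusable input."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; is this the IdP metadata URL?")

    sso = idp.find(f"md:SingleSignOnService[@Binding='{HTTP_REDIRECT}']", NS)
    if sso is None:
        raise ValueError("IdP offers no HTTP-Redirect SingleSignOnService")

    # Keep every signing certificate: during a rollover the IdP publishes two and the
    # SP must trust both. A KeyDescriptor without 'use' covers signing and encryption.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append((cert.text or "").strip())
    if not certs:
        # Fail closed: without a signing key the DAM cannot verify any SAML response.
        raise ValueError("no signing certificate in metadata")

    # SAML metadata defaults WantAuthnRequestsSigned to false when the attribute is absent.
    wants_signed = idp.get("WantAuthnRequestsSigned", "false").lower() == "true"
    return {
        "idp_entity_id": root.get("entityID"),
        "sso_url": sso.get("Location"),
        "signing_certs": certs,
        # With signing behavior IfIdpWantAuthnRequestsSigned the DAM signs the
        # AuthnRequest exactly when this is true.
        "sign_authn_request": wants_signed,
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

For the constructed sample the IdP does not ask for signed requests, so with IfIdpWantAuthnRequestsSigned the DAM sends an unsigned AuthnRequest; a metadata document lacking an IDPSSODescriptor or a signing key is rejected rather than half-configured.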

Setup of Sync groups in the DAM

If you have selected FullSync or AddOnly as your Group sync level, you will need to set up your group bindings in the DAM.

...

Repeat this process for all the groups that should be synced.

29/11/21 - Note by David Bird (Unlicensed): When attempting to set up SSO on one of the Azure tenants, digizuite (digizuitebasic5 in my screenshots), this tenant inherits its app/settings from the “root” tenant. The app propagates down. You don’t see this app under Owned applications, where you would normally see it if you create one as per the instructions above.

...

So click on All applications - then you can see the AAD SAML as below.

...

Setup of connectors or media manager:

Set a connector or Media manager to use SSO login

Troubleshooting and known issues:

How to troubleshoot SSO and known issues
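One check worth having at hand for the ‘Request header too long’/431 warning in the Token configuration step above is to look at the group claims Entra actually put into a SAML response. The following is an added example (not Digizuite code): it takes the base64 SAMLResponse form field as copied from the browser's network tools (or the decoded XML), counts the group claims, lists the groups the DAM has no binding for (a sign that ‘All groups’ or ‘Security groups’ was selected instead of ‘Groups assigned to the application’), and detects the groups.link overage claim that Entra emits instead of individual groups when a SAML token would carry more than 150 groups. The responses are constructed and unsigned (no signature is checked here; this is a diagnostic, not a validator), and the group IDs, tenant ID and overage link value are placeholders.

```python
"""Inspect the group claims in a SAML response to diagnose the 'header too long' failure.

Added example, not Digizuite code. The SAML responses built here are constructed and
unsigned; the group IDs, tenant and overage link value are placeholders.
"""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"


def build_response(attributes):
    """Constructed, unsigned SAML Response carrying the given {claim name: [values]}."""
    attrs = "".join(
        f'<saml:Attribute Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        + "</saml:Attribute>"
        for name, values in attributes.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           "<saml:Assertion>"
           "<saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>"
           f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
           "</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()


def inspect_group_claims(saml_response, assigned_groups):
    """Accept the base64 SAMLResponse field or raw XML; report the group claim picture.

    assigned_groups: the group object IDs the DAM has bindings for (groups assigned
    to the application). Anything else in the token is wasted header space.
    """
    data = saml_response.strip().encode()
    if not data.startswith(b"<"):          # a base64 form field never starts with '<'
        data = base64.b64decode(data)
    root = ET.fromstring(data)

    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    groups = claims.get(GROUPS_CLAIM, [])
    return {
        "group_count": len(groups),
        "groups": groups,
        "unexpected_groups": [g for g in groups if g not in assigned_groups],
        "overage": OVERAGE_CLAIM in claims,
        "response_bytes": len(data),
    }


def verdict(result):
    """One-line diagnosis a support engineer can act on."""
    if result["overage"]:
        return ("no groups in token, overage claim present: the user is in more groups than "
                "Entra emits in a SAML token, so group sync sees none of them")
    if result["group_count"] == 0:
        return "no group claims: check Token configuration and that the user is in an assigned group"
    if result["unexpected_groups"]:
        return (f"{len(result['unexpected_groups'])} of {result['group_count']} groups have no DAM "
                "binding: select ONLY 'Groups assigned to the application' in the groups claim")
    return f"{result['group_count']} group claim(s), all bound in the DAM; {result['response_bytes']} bytes"


if __name__ == "__main__":
    assigned = {"group-1"}
    broad = build_response({GROUPS_CLAIM: ["group-1", "group-2", "group-3"]})
    overage = build_response({OVERAGE_CLAIM: ["graph-link-placeholder"]})
    for resp in (broad, overage):
        print(verdict(inspect_group_claims(resp, assigned)))
```

The constructed responses reproduce the two failure modes the warning is about: a token stuffed with groups the DAM never uses, and a token where Entra gave up on listing groups altogether and emitted the overage claim.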