Page Comparison

...

Expand

title	Create Identity Provider

Create Identity Provider

You can configure one or many external Identity Providers for authentication.

Include Page

	TERMS:Identity Provider
	TERMS:Identity Provider

Prerequisites

ADFS setup (See How To setup ADFS on Windows Server 2016 here)
Your user must have "developer" permission in the Picturepark configuration to see this menu.
Your user role must have permission to manage Identity Provider.

Setup

Adding an external Identity Provider in Picturepark means adding it to the Picturepark IDS.

Setup an Identity Provider
1. Open Settings > IdP setup
2. In the list choose "Create new IdP"
3. Provide the details
4. Save

Info
Newly created IdP's or changes made to existing ones could take around a minute to take effect.

Settings

Setting

Value Example

Description

Name

PictureparkADFSWinServer2016

A meaningful name that is used as a reference, it cannot be changed afterward.

Display name

Picturepark AD

Something users can relate to, which is shown to the users next to "Continue with"

Type

ADFS

ADFS currently supported in Picturepark.
Azure AD planned for support in upcoming releases.
Others planned to support.

This setting is currently not in use. It will be used to request different information per provider in one of the following releases. Ensure you choose the correct one already.

Connection protocol

OpenID Connect

IdP must support OpenID Connect.

URL

https://ad.customer.ch/adfs

The Endpoint for OpenID with https.

1. For ADFS something like https://ad.customer.com/adfs. Check this with your IT.
2. For other identity providers, it is the Open ID Connect configuration e.g. https://login.microsoftonline.com/99292bdd-6686-4f0b-817b-f8e8571cf07c/v2.0~~/.well-know/openid-configuration~~
  (Remove everything after the version number of the open id config URL)

Warning

Do not use the /ls endpoint.

If your ADFS URL is httpsis https://adfs02.domain.com/adfs/ls then ls then use the URL without /ls: https https://adfs5684.domain.com/adfs.

Client ID

Application ID e.g. 9df5684-1f10f-4125684-7feb535684

The ID of your application:

Client secret

GBAyfVL7YWtP6gudLIjbRZV_N0dW4f3x
ETiIxqtokEAZ6FAsBtgyIq0MpU1uQ7J0
8xOTO2zwP0OuO3pMVAUTid

This is not needed. You can leave this empty.

The authentication flow is the definition of how the tokens to identify users are exchanged. Picturepark external Identity Provider must support Authorization Code Flow with PKCE. PKCE, pronounced “pixy” is an acronym for Proof Key for Code Exchange, which does not require users to provide a client_secret. The standard Authorization Code flow would require this. The main benefit is the reduced risk for native apps, as there are no embedded secrets in the source code and this in return limits exposure to reverse engineering.

If the Identity Provider does not support Authorization Code Flow with PKCE, the Client secret can be used. Then the client secret must match the applications client secret.

Sort order

0

A number, starting from 0 for the first position, and 1 as the second position.

After Creating the Identity Provider

...

Versions Compared

Old Version 4

New Version 5

Key

Create Identity Provider

Prerequisites

Setup

Settings

After Creating the Identity Provider