
...

Note

This tutorial works with Azure AD. For Azure AD B2C the configuration differs in several areas.

Azure AD B2C does not offer a built-in way to include group membership in a token issued for a user flow; custom code is required for this. See the details of this limitation at https://mrochon.azurewebsites.net/2019/05/06/using-groups-in-azure-ad-b2c/ (or search for “using groups in azure ad b2c”).

Prerequisites

To configure Azure AD integration with Picturepark, you need the following items:

...

In Settings > IdP Setup > Create a new Identity Provider

  1. Name: a name used internally, so that you can see at a glance what the provider is.

  2. Display name: the name shown to users on the login page, e.g. Company Access.

  3. Type: ADFS, Azure AD or Other

    1. For Azure select Azure AD.

  4. Protocol: Open ID Connect

    1. All authentication in Picturepark uses Open ID Connect.

  5. URL

    1. The OpenID Connect endpoint of your tenant, with everything after v2.0 removed.

    2. Example: https://login.microsoftonline.com/99292bdd-6686-4f0b-817b-f8e8571cf07c/v2.0. You will need to enter a dummy URL until you have the client ID of the application from Azure; that is created in the Azure Portal steps below.

    3. You find the endpoint in Azure Active Directory > Overview > Endpoints > Open ID Connect.

  6. Client ID: the Application (client) ID of the Azure app. Until you have registered the app, enter a dummy ID.

  7. Client Secret: created in Azure under Manage > Certificates & Secrets.

  8. Sort order: does not need to be filled out; it is set automatically. If you have multiple IdPs and want to display them in a certain order, you can enter a number here, e.g. 0, 1, 2, 3.

  9. Click Create, then copy the ID of the new identity provider; you will need it when setting up the Azure portal.

In Azure Portal

Create an Azure Active Directory

Check Microsoft's guide on how to create an Active Directory tenant.

  1. Create a new Azure directory if you don't have one already: go to https://portal.azure.com/, click Azure Active Directory and create a tenant.

  2. Select a directory type. We are selecting the Azure Active Directory in this tutorial. 

  3. Click on Next

  4. Enter your organization name, initial domain name, and country/region and click on next

Add Users and Groups to Azure Active Directory

  1. Manage > Groups

  2. New Group (default is security)

    1. Name: Admin

  3. New Group 

    1. Name: Editor

  4. Manage > Users

  5. Invite a test user or use an existing AD user and add them to your admin group. Your users must have their email filled out as this is required by Picturepark.


Register Picturepark as App

  1. In the Azure portal, ensure that the correct directory is selected. Click the icon in the upper right bar to switch directories.

  2. Open Azure Active Directory, either from the directory or directly from the Azure Portal.

  3. In the left navigation panel, click "App registrations" and add a new registration.

    1. Give it a name, e.g. Picturepark Content Portal.

    2. Select which account types should have access (single-tenant only allows accounts from the currently selected directory).

    3. Redirect URI: the URL of the identity server for your Picturepark platform, e.g. https://ids-cp-ch.picturepark.com/ (check in your Picturepark under Settings > Help > System Information).

  4. The newly registered app opens directly, and your breadcrumb should look something like this:

Configure the Picturepark App

Select Manage > Authentication 

  1. Add the redirect URL for your Picturepark:

    https://ids-cp-ch.picturepark.com/signin-<idpid>

    (e.g. https://ids-cp-ch.picturepark.com/signin-bb09dece-aeb5-47fb-8be5-30504e2ba9dc)

  2. The ID is the one Picturepark showed when you created the new Identity Provider.

  3. Optionally add a logout URL. It is not required for authentication to work; it is a convenience: when users log out of Azure AD, they are also logged out of the Picturepark IDS and, within 10 minutes at the latest, of Picturepark itself.

    https://ids-cp-ch.picturepark.com/signout-<idpid>

    (e.g. https://ids-cp-ch.picturepark.com/signout-bb09dece-aeb5-47fb-8be5-30504e2ba9dc)

  4. Implicit grant

    1. Leave this empty; do not select anything.

    2. The Picturepark Open ID Connect integration uses the authorization code flow, not the implicit flow.
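The two URL rules above (trim the Azure endpoint after v2.0 for the Picturepark IdP URL; register the exact signin/signout redirect URIs in Azure) are easy to get subtly wrong. The following is an added helper, not part of the tutorial or of Picturepark, that derives both from the values you already have and reports redirect URIs that are not registered exactly; the tenant-specific (GUID) endpoint is assumed, and the IDS host and IdP ID are the sample values from this page.

```python
# Added example (not from the Picturepark tutorial): derive the issuer URL that
# Picturepark expects from Azure's OpenID Connect endpoint, build the redirect
# URIs Azure must have registered, and flag mismatches. Assumes a tenant-specific
# endpoint (GUID tenant id, not "common"); host and IdP id are sample values.
import re
from urllib.parse import urlsplit

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def issuer_from_metadata_url(url: str) -> str:
    """Strip everything after '/v2.0' from an Azure AD OpenID Connect endpoint.

    Accepts the bare v2.0 issuer or the full metadata URL
    ('.../v2.0/.well-known/openid-configuration'); rejects non-https URLs
    and tenant segments that are not a GUID.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("issuer must use https")
    m = re.match(r"^/([^/]+)/v2\.0(?:/.*)?$", parts.path)
    if not m or not GUID_RE.match(m.group(1)):
        raise ValueError(f"unexpected endpoint path: {parts.path}")
    return f"https://{parts.netloc}/{m.group(1)}/v2.0"


def redirect_uris(ids_base_url: str, idp_id: str) -> dict:
    """Build the signin/signout URIs for the Picturepark IdP with this id."""
    if not GUID_RE.match(idp_id):
        raise ValueError("IdP id must be the GUID shown by Picturepark")
    base = ids_base_url.rstrip("/")
    if not base.startswith("https://"):
        raise ValueError("IDS URL must use https")
    return {"signin": f"{base}/signin-{idp_id}",
            "signout": f"{base}/signout-{idp_id}"}


def check_registered(registered: list, expected: dict) -> list:
    """Return expected URIs missing from the Azure app's registered list.

    Comparison is exact (scheme, host, path): an http:// entry or a trailing
    slash does not count as registered.
    """
    return [u for u in expected.values() if u not in registered]


if __name__ == "__main__":
    meta = ("https://login.microsoftonline.com/"
            "99292bdd-6686-4f0b-817b-f8e8571cf07c/v2.0/.well-known/openid-configuration")
    print(issuer_from_metadata_url(meta))
    uris = redirect_uris("https://ids-cp-ch.picturepark.com/",
                         "bb09dece-aeb5-47fb-8be5-30504e2ba9dc")
    print(check_registered(["http://ids-cp-ch.picturepark.com/signin-x"], uris))
```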

Add API Permissions

  1. Add permission

  2. Select Microsoft Graph

  3. Select Delegated permissions

  4. Select and save

    1. email

    2. offline_access

    3. openid

    4. profile

...

Add API Exposure to Client Application

  1. Open Manage > Expose an API

  2. Add a scope 

    1. You'll need to set an Application ID URI before you can add permission. (Microsoft chooses one by default but it can be changed). Save and continue

    2. Scope name: user.signin

    3. Who can consent? Admins only

    4. Consent display names: User Authentication

    5. Consent descriptions: User Authentication

    6. Click Add scope

  3. Add a new client application

    1. Client ID is taken from the Overview page

    2. Select Scopes

...

Go to Manage Certificates & Secrets and create a new client secret and copy it.

...

Picturepark does not allow role assignments for federated users. Assignments to roles and groups therefore have to come from the claims in the token, via claim mappings.

Add Groups to Users

  1. Open Azure AD

  2. Open Users

  3. Add Membership to your users


Add Tokens to the Azure App

Help on Token creation in Azure AD B2C: https://docs.microsoft.com/bs-latn-ba/azure/active-directory-b2c/configure-tokens

  1. Open Manage > Token Configuration

  2. Add optional claims

    1. You must pass the email address claim to Picturepark, as it is required.

    2. We also recommend the family name and given name claims. These three do not need to be mapped in Picturepark; they are added automatically. Other claims must be mapped in Picturepark under Settings > IdP Settings > YourIdp > Group Mapping.

    3. Add any group claims in Azure and then map them in Picturepark. The group claim type in the Picturepark IdP settings is groups, and the group name is the object ID of the group.
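As an added illustration of the claim requirements above (not code from the tutorial or from Picturepark), the check below takes the decoded claims of an ID token, reports the missing required/recommended claims, and resolves the groups claim to Picturepark groups by object ID, never granting a group that is not in the mapping. The claims payload and the object IDs in the mapping are constructed placeholders; signature validation is assumed to have happened already.

```python
# Added example (not from the Picturepark tutorial): validate the claims an
# ID token carries for Picturepark and map Azure group object ids to
# Picturepark groups. Sample claims and group ids below are constructed.
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

REQUIRED_CLAIMS = ("email",)                      # required by Picturepark
RECOMMENDED_CLAIMS = ("given_name", "family_name")  # recommended by the tutorial


def check_token_claims(claims: dict, group_mapping: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...], 'groups': [...]}.

    'groups' holds the Picturepark groups resolved from the token's group
    object ids; unknown ids are reported as warnings and never granted.
    """
    errors, warnings, mapped = [], [], []
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            errors.append(f"missing required claim: {name}")
    for name in RECOMMENDED_CLAIMS:
        if not claims.get(name):
            warnings.append(f"missing recommended claim: {name}")
    groups = claims.get("groups", [])
    if not isinstance(groups, list):
        errors.append("groups claim must be a list of object ids")
        groups = []
    for gid in groups:
        if not isinstance(gid, str) or not GUID_RE.match(gid):
            errors.append(f"group value is not an object id: {gid!r}")
        elif gid.lower() in group_mapping:
            mapped.append(group_mapping[gid.lower()])
        else:
            warnings.append(f"unmapped group object id: {gid}")
    # Azure replaces the groups claim with an overage marker when a user is in
    # too many groups; treat that as a failure rather than as "no groups".
    if "_claim_names" in claims or claims.get("hasgroups"):
        errors.append("groups overage: Azure omitted the groups claim")
    return {"errors": errors, "warnings": warnings, "groups": sorted(set(mapped))}


SAMPLE_CLAIMS = {  # constructed payload, not a real token
    "email": "jane.doe@example.com",
    "given_name": "Jane",
    "groups": ["11111111-1111-1111-1111-111111111111", "not-a-guid"],
}
SAMPLE_MAPPING = {  # Azure group object id (placeholder) -> Picturepark group
    "11111111-1111-1111-1111-111111111111": "Admin",
    "22222222-2222-2222-2222-222222222222": "Editor",
}
```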

Get an Overview of your Application

...