Federated Authentication with Open ID Connect

Choose Identity Provider

The user opens Picturepark by providing the Picturepark URL. She chooses to log in with Picturepark IDS credentials by providing email and password (1). This will authenticate the user with Picturepark IDS as Identity Provider. If configured she can choose also another external identity provider (2) that will handle the authentication. 

Create Identity Provider

You can configure one or many external Identity Providers for authentication. 

Prerequisites

• ADFS setup (See How To setup ADFS on Windows Server 2016 here) 

• Your user must have "developer" permission in the Picturepark configuration to see this menu.

• Your user role must have permission to manage Identity Provider.  

Setup

Adding an external Identity Provider in Picturepark means adding it to the Picturepark IDS. 

1. Setup an Identity Provider

   1. Open Settings > IdP setup

   2. In the list choose "Create new IdP"

   3. Provide the details

   4. Save

Settings

Setting	Value Example	Description
Name	PictureparkADFSWinServer2016	A meaningful name that is used as a reference, it cannot be changed afterward.
Display name	Picturepark AD	Something users can relate to, which is shown to the users next to "Continue with"
Type	ADFS	ADFS currently supported in Picturepark.  Azure AD planned for support in upcoming releases.  Others planned to support.  This setting is currently not in use. It will be used to request different information per provider in one of the following releases. Ensure you choose the correct one already.
Connection protocol	OpenID Connect	IdP must support OpenID Connect.
URL	https://ad.customer.ch/adfs	The Endpoint for OpenID with https.    For ADFS something like https://ad.customer.com/adfs. Check this with your IT.  For other identity providers, it is the Open ID Connect configuration e.g.  https://login.microsoftonline.com/99292bdd-6686-4f0b-817b-f8e8571cf07c/v2.0/.well-know/openid-configuration (Remove everything after the version number of the open id config URL) Do not use the /ls endpoint. If your ADFS URL is https://adfs02.domain.com/adfs/ls then use the URL without /ls: https://adfs5684.domain.com/adfs.
Client ID	Application ID e.g. 9df5684-1f10f-4125684-7feb535684	The ID of your application:
Client secret	GBAyfVL7YWtP6gudLIjbRZV_N0dW4f3x ETiIxqtokEAZ6FAsBtgyIq0MpU1uQ7J0 8xOTO2zwP0OuO3pMVAUTid	This is not needed. You can leave this empty.  The authentication flow is the definition of how the tokens to identify users are exchanged. Picturepark external Identity Provider must support Authorization Code Flow with PKCE. PKCE, pronounced “pixy” is an acronym for Proof Key for Code Exchange, which does not require users to provide a client_secret. The standard Authorization Code flow would require this. The main benefit is the reduced risk for native apps, as there are no embedded secrets in the source code and this in return limits exposure to reverse engineering.  If the Identity Provider does not support Authorization Code Flow with PKCE, the Client secret can be used. Then the client secret must match the applications client secret.
Sort order	0	A number, starting from 0 for the first position, and 1 as the second position.

After Creating the Identity Provider

1. Add claim mappings

2. Add group mappings

3. Add Identity Provider to users

Create Identity Provider (Claim) Mappings

You can configure claim mappings and group mappings for your external Identity Provider. 

Prerequisites

• Identity Provider set up.

Create Mappings

1. Open Settings > IdP Settings

2. Add claim mappings

   1. Provide the claim name from your AD which holds the user attributes e.g. company, telephone number. Ensure the correct spelling! 

   2. Map to Picturepark user attributes

      

3. Add group mappings

   1. Provide the claim name (issued claims) from your AD which holds your user group assignments e.g. Groups. Ensure the correct spelling!

      

   2. Define a Fallback user role. The fallback user role of the IdP will only be used if none of the group mappings find a matching role or the default user role is not defined for the Picturepark. This cannot be Super Admins. 

   3. Map Group names from your AD to user roles in Picturepark. 
      

      

Automatic Claim Mappings

The following attributes are mapped automatically in CP (if not overridden by a claim mapping). 

Further information about claims here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims

After Creating Identity Provider Mappings

1. Add Identity Provider to users

Update Identity Provider

1. Open Settings > IdP setup

2. In the list choose your desired Identity Provider

3. Update the details

   1. You can not update the name. 

4. Save

Effects of Updating Identity Provider

• The display name will be updated on the login screen. 

• The type is not yet in use. 

• The protocol cannot be changed. 

• If you change the URL your users' login requests will from now on be sent to the new URL. 

• If you change the client ID your users' login requests will from now on contain the new client ID, so you must ensure to have a working IdP with this client ID available. 

• Changes to the Client secret have no effect if authorization code flow with PKCE is used, otherwise client secret must match with the application.

• Changing the sort order will change the sort order of the buttons on the login form, where 0 is the first position.  

Delete Identity Provider

1. Open Settings > IdP setup

2. In the list delete your desired Identity Provider.

Before Deleting Identity Provider

1. Open Users

2. Switch Search Mode to Advanced

3. Search for all users which have the Identity Provider assigned
   identityProviderId:<id> 

Effects of Deleting Identity Provider

• The users who were using this Identity Provider can no longer login. 

• No default or fallback Identity Provider will be assigned.