Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 15 Next »

Instead of only using the Picturepark IDS, you can connect an OpenID Provider, which will serve as an Identity Provider to the Picturepark IDS. The selected Identity Provider (IdP) must support the standardized Open ID Connect protocol, which itself allows a flexible implementation that varies in required metadata or ACR values. 

 Choose Identity Provider

Choose Identity Provider

The user opens Picturepark by providing the Picturepark URL. They choose to log in with Picturepark IDS credentials by providing an email and password (1). This will authenticate the user with Picturepark IDS as Identity Provider. If configured, they can also choose another external identity provider (2) that will handle the authentication. 

In the Customer Default Settings, you can set the accent color for the IdP.

 Create Identity Provider

Create Identity Provider

You can configure one or many external Identity Providers for authentication. 

Identity providers (short: IdP, IDP) are systems that manage and maintain identity information (e.g. user attributes). Identity providers offer user authentication as a service. Picturepark outsources the user authentication to the Picturepark Identity Server as the default trusted identity provider and is thus a relying party application to it. See Wikipedia Identity Provider.

Whenever Office 365 needs to verify a user, for example, Azure AD performs all identity and access management and is thus the trusted identity provider. 

Prerequisites

Setup

Adding an external Identity Provider in Picturepark means adding it to the Picturepark IDS. 

  1. Open Settings > IdP setup.

  2. In the list, choose Create new identity provider.

  3. Enter the details.

  4. Save.

Newly created IdP's or changes made to existing ones could take around a minute to take effect.

Settings

Setting

Value Example

Description

Name

PictureparkADFSWinServer2016

A meaningful name that is used as a reference, it cannot be changed afterward.

Display name

Picturepark AD

Something users can relate to, which is shown to the users next to "Continue with"

Type

ADFS

  • ADFS currently supported in Picturepark. 

  • Azure AD currently supported in Picturepark.  

  • Others planned to support, but currently not in use.

Connection protocol

OpenID Connect

IdP must support OpenID Connect. 

URL

https://ad.customer.ch/adfs

The Endpoint for OpenID with https. 

  1. For ADFS something like https://ad.customer.com/adfs. Check this with your IT. 

  2. For other identity providers, it is the Open ID Connect configuration e.g.  https://login.microsoftonline.com/99292bdd-6686-4f0b-817b-f8e8571cf07c/v2.0/.well-know/openid-configuration
    (Remove everything after the version number of the open id config URL)

Do not use the /ls endpoint.

If your ADFS URL is https://adfs02.domain.com/adfs/ls then use the URL without /ls: https://adfs5684.domain.com/adfs. 

Client ID

Application ID e.g. 9df5684-1f10f-4125684-7feb535684

The ID of your application:

Client secret

GBAyfVL7YWtP6gudLIjbRZV_N0dW4f3x
ETiIxqtokEAZ6FAsBtgyIq0MpU1uQ7J0
8xOTO2zwP0OuO3pMVAUTid

This is not needed. You can leave this empty. 

The authentication flow is the definition of how the tokens to identify users are exchanged. Picturepark external Identity Provider must support Authorization Code Flow with PKCE. PKCE, pronounced “pixy” is an acronym for Proof Key for Code Exchange, which does not require users to provide a client_secret. The standard Authorization Code flow would require this. The main benefit is the reduced risk for native apps, as there are no embedded secrets in the source code and this in return limits exposure to reverse engineering. 

If the Identity Provider does not support Authorization Code Flow with PKCE, the Client secret can be used. Then the client secret must match the applications client secret. 

Sort order

0

A number, starting from 0 for the first position, and 1 as the second position.  

After Creating the Identity Provider

  1. Add claim mappings

  2. Add group mappings

  3. Add Identity Provider to users

 Create Identity Provider (Claim) Mappings

Create Identity Provider (Claim) Mappings

You can configure claim mappings and group mappings for your external Identity Provider. 

Identity providers (short: IdP, IDP) are systems that manage and maintain identity information (e.g. user attributes). Identity providers offer user authentication as a service. Picturepark outsources the user authentication to the Picturepark Identity Server as the default trusted identity provider and is thus a relying party application to it. See Wikipedia Identity Provider.

Whenever Office 365 needs to verify a user, for example, Azure AD performs all identity and access management and is thus the trusted identity provider. 

Prerequisites

Create Claim Mappings

  1. Open Settings > IdP Settings.

  2. You will see a setting entry for your new Identity Provider in the list. Double-click to open it.

  3. On the right side, in the first tab, you can add the claim mapping:

    1. Add claim mapping.

    2. Provide the claim name from your AD, which holds the user attributes e.g., company, telephone number. Ensure the correct spelling! 

    3. Map to Picturepark user attributes.

On the right side in the second tab, you can add the group mapping:

  1. Add group mappings.

    1. Provide the claim name (issued claims) from your AD, which holds your user group assignments, e.g., Groups. Ensure the spelling is correct!

    2. Define a Fallback user role. The fallback user role of the IdP will only be used if none of the group mappings find a matching role or the default user role is not defined for the Picturepark. This cannot be Super Admins. 

    3. Map Group names from your AD to user roles in Picturepark. 

Without group mappings your users will be able to login to Picturepark but will either have only the default role or fallback user role of your Picturepark assigned (if these are configured) or will not have any access. Be aware that you can also add roles to federated users in Picturepark. 

There is a Microsoft limitation for ADFS 2.0 which prevents using Domain Local Groups in a claim. Choose global or universal groups. More details on this limitation: https://social.technet.microsoft.com/wiki/contents/articles/13829.ad-fs-2-0-domain-local-groups-in-a-claim.aspx

Automatic Claim Mappings

The following attributes are mapped automatically in CP (if not overridden by a claim mapping). 

Further information about claims here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims

User attribute

Claim types (first to have a value wins)

Email

email, that will be used as a username in Picturepark (mandatory). 

sub

User identifier of the user within the IdP (mandatory; provided by ADFS in basic configuration).

First name

given_name

Last name

family_name

Language code

  • Default language coming from IDS

  • Default customer language, only acceptable values are en and de. 

locale

After Creating Identity Provider Mappings

  1. Add Identity Provider to users

 Update Identity Provider

Update Identity Provider

  1. Open Settings > IdP setup.

  2. In the list, choose your desired Identity Provider.

  3. Edit the details.

    1. You cannot update the name, only the display name.  

  4. Save.

Newly created IdP's or changes made to existing ones could take around a minute to take effect.

Effects of Updating Identity Provider

  • Users cannot log in when their assigned Identity Provider is disabled.

  • The display name will be updated on the login screen. 

  • The protocol cannot be changed. 

  • If you change the URL, your users' login requests will, from now on, be sent to the new URL. 

  • If you change the client ID, your users' login requests will, from now on, contain the new client ID, so you must ensure to have a working IdP with this client ID available. 

  • Changes to the Client secret have no effect if authorization code flow with PKCE is used; otherwise, the client secret must match with the application.

  • Changing the sort order will change the sort order of the buttons on the login form, where 0 is the first position.  

 Delete Identity Provider

Delete Identity Provider

  1. Open Settings > IdP setup.

  2. In the list, delete your Identity Provider.

Before deleting Identity Provider

  1. Open Users.

  2. Switch Search Mode to Advanced.

  3. Search for all users which have the Identity Provider assigned
    identityProviderId:<id> 

  4. Update those users, as otherwise, they can no longer log in to Picturepark.

Effects of deleting Identity Provider

  • The users who were using this Identity Provider can no longer log in. 

  • No default or fallback Identity Provider will be assigned. 

 Purge Identity Provider

Purge Identity Provider

  1. Open Settings > IdP setup.

  2. In the list, select your Identity Provider.

  3. Choose “Purge”.

  4. In the confirmation dialog, select Purge.

Effects of purging Identity Provider

  • Claims of all users will be purged.

  • Users must login again and claims will be updated with the latest information of the IdP.

Setup Solutions

  • No labels

FotoWare Switzerland AG - CH-5033 Buchs - Switzerland
https://picturepark.com - support@picturepark.com
© 2024 Fotoware Switzerland AG