Create Identity Provider
You can configure one or many external Identity Providers for authentication.
Identity providers (short: IdP, IDP) are systems that manage and maintain identity information (e.g. user attributes) and offer user authentication as a service. Picturepark outsources user authentication to the Picturepark Identity Server (IDS) as the default trusted identity provider and is thus a relying party application to it. See Wikipedia: Identity Provider.
For example, whenever Office 365 needs to verify a user, Azure AD performs all identity and access management and is thus the trusted identity provider.
Prerequisites
Setup
Adding an external Identity Provider in Picturepark means adding it to the Picturepark IDS.
Set up an Identity Provider
Open Settings > IdP setup
In the list choose "Create new identity provider"
Provide the details
Save
Settings
| Setting | Value Example | Description |
| --- | --- | --- |
| Name | PictureparkADFSWinServer2016 | A meaningful name that is used as a reference; it cannot be changed afterward. |
| Display name | Picturepark AD | Something users can relate to; it is shown to users next to "Continue with". |
| Type | ADFS | ADFS is currently supported in Picturepark. Azure AD is planned for support in upcoming releases; others are planned as well. This setting is currently not in use. It will be used to request different information per provider in one of the following releases, so make sure you already choose the correct one. |
| Connection protocol | OpenID Connect | The IdP must support OpenID Connect. |
| URL | https://ad.customer.ch/adfs | The OpenID endpoint, with https. For ADFS this is something like https://ad.customer.com/adfs; check this with your IT. For other identity providers it is the OpenID Connect configuration, e.g. https://login.microsoftonline.com/99292bdd-6686-4f0b-817b-f8e8571cf07c/v2.0/.well-known/openid-configuration (remove everything after the version number of the OpenID configuration URL). |
| Client ID | Application ID, e.g. 9df5684-1f10f-4125684-7feb535684 | The ID of your application. |
| Client secret | GBAyfVL7YWtP6gudLIjbRZV_N0dW4f3x ETiIxqtokEAZ6FAsBtgyIq0MpU1uQ7J0 8xOTO2zwP0OuO3pMVAUTid | This is not needed; you can leave this empty. The authentication flow defines how the tokens that identify users are exchanged. A Picturepark external Identity Provider must support Authorization Code Flow with PKCE. PKCE, pronounced "pixy", is an acronym for Proof Key for Code Exchange, which does not require the client to present a client_secret; the standard Authorization Code flow would require this. The main benefit is reduced risk for native apps: there are no embedded secrets in the source code, which in turn limits exposure to reverse engineering. If the Identity Provider does not support Authorization Code Flow with PKCE, the Client secret can be used; it must then match the application's client secret. |
| Sort order | 0 | A number defining the position in the list: 0 for the first position, 1 for the second, and so on. |
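The URL and Client secret rows above rely on two mechanics that are easy to get wrong when filling in the form: the issuer URL must be the part of the OpenID Connect discovery URL before `/.well-known/openid-configuration`, and PKCE replaces the client secret with a per-login code verifier whose SHA-256 hash (the code challenge) is sent first. The following is an added example that is not Picturepark's own code; the function names are hypothetical and the sample URLs are the ones used on this page. It normalizes a pasted URL the way the table asks for, derives the discovery URL back from it, and generates and checks a PKCE verifier/challenge pair (S256 method as defined in RFC 7636).

```python
import base64
import hashlib
import hmac
import secrets
from typing import Tuple
from urllib.parse import urlsplit, urlunsplit

# Standard OpenID Connect discovery path (RFC 8414 / OIDC Discovery 1.0).
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def normalize_issuer_url(url: str) -> str:
    """Return the issuer base URL expected in the 'URL' setting.

    Accepts either the bare issuer (e.g. https://ad.customer.com/adfs) or a
    full discovery URL pasted from the provider, strips the discovery suffix,
    trailing slashes, query and fragment, and rejects anything that is not https.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("identity provider endpoint must use https")
    if not parts.netloc:
        raise ValueError("identity provider endpoint has no host")
    path = parts.path
    if path.endswith(DISCOVERY_SUFFIX):
        path = path[: -len(DISCOVERY_SUFFIX)]
    path = path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def discovery_url(url: str) -> str:
    """Build the discovery document URL from a (possibly unnormalized) issuer URL."""
    return normalize_issuer_url(url) + DISCOVERY_SUFFIX


def _b64url_no_pad(raw: bytes) -> str:
    # RFC 7636 requires base64url encoding without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url_no_pad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """Generate a fresh (code_verifier, code_challenge) pair for one login.

    token_urlsafe(64) yields 86 unreserved characters, inside the 43..128
    length window RFC 7636 allows for the verifier. The verifier never leaves
    the client until the token request; only the challenge goes in the
    authorization request, so no static secret has to be embedded in the app.
    """
    verifier = secrets.token_urlsafe(64)
    return verifier, code_challenge_s256(verifier)


def verify_code_challenge(code_verifier: str, code_challenge: str) -> bool:
    """What the identity provider does at the token endpoint: recompute the
    challenge from the presented verifier and compare in constant time."""
    if not 43 <= len(code_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(code_verifier), code_challenge)


if __name__ == "__main__":
    # Sample inputs taken from the settings table on this page.
    print(normalize_issuer_url(
        "https://login.microsoftonline.com/99292bdd-6686-4f0b-817b-f8e8571cf07c"
        "/v2.0/.well-known/openid-configuration"))
    print(discovery_url("https://ad.customer.com/adfs/"))
    v, c = make_pkce_pair()
    print("verifier ok:", verify_code_challenge(v, c))
```

`normalize_issuer_url` is the check to run on whatever is pasted into the URL field: it yields the value the table asks for (everything after the version number removed) and refuses plain-http endpoints, which would expose the authorization code in transit. `verify_code_challenge` mirrors the provider-side step; a provider that cannot perform it does not support PKCE, which is exactly the case in which the table says the Client secret has to be filled in instead.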
After Creating the Identity Provider
Add claim mappings
Add group mappings
Add Identity Provider to users