DRAFT

In this tutorial, you learn how to integrate Picturepark with Azure Active Directory (Azure AD).

Integrating Picturepark with Azure AD provides you with the following benefits:

  • You can control in Azure AD who has access to Picturepark.

  • You can enable your users to be automatically signed-in to Picturepark (Single Sign-On) with their Azure AD accounts.

  • You can manage your accounts in one central location - the Azure portal.

If you want to know more details about SaaS app integration with Azure AD, see What is application access and single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before you begin.

This tutorial works with Azure AD. For Azure AD B2C the configuration differs in several areas.

Azure AD B2C has no built-in way to include group membership in a token issued by a user flow; custom code is required. See the details of this limitation here: https://mrochon.azurewebsites.net/2019/05/06/using-groups-in-azure-ad-b2c/

Prerequisites

To configure Azure AD integration with Picturepark, you need the following items:

  • An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account.

  • A Picturepark subscription with single sign-on enabled

Scenario description

In this tutorial, you configure and test Azure AD single sign-on in a test environment.

  • Picturepark supports OpenID Connect authentication

In Picturepark

Create a new Identity Provider

In Settings > IdP Setup > Create a new Identity Provider

  1. Name: an internal name so you can see at a glance what the provider is

  2. Display name: shown to users on the login page, e.g. Company Access

  3. Type: ADFS, Azure AD, Other 

    1. For Azure select Azure AD 

  4. Protocol: Open ID Connect

    1. The protocol for all authentication in Picturepark is Open ID Connect. 

  5. URL

    1. The OpenID Connect endpoint of your tenant. Take the OpenID Connect metadata document URL from Azure and remove everything after v2.0.

    2. Example: https://login.microsoftonline.com/99292bdd-6686-4f0b-817b-f8e8571cf07c/v2.0 (if you have not created the Azure AD tenant yet, enter a placeholder URL for now and replace it after the Azure Portal steps below).

    3. You find the URL in Azure Active Directory > Overview > Endpoints > OpenID Connect metadata document.

  6. Client ID: the Application (client) ID of the Picturepark app registration in Azure. Enter a placeholder for now and replace it once the app is registered (see below).

  7. Client Secret: created in Azure under Manage > Certificates & Secrets (see below). Enter a placeholder for now and replace it with the secret value once it has been created.

  8. Sort order: optional, it is assigned automatically. If you have multiple IdPs and want to display them in a specific order, enter a number here, e.g. 0, 1, 2, 3.

  9. Click Create, then copy the ID of the new identity provider; you need it for the redirect URI when configuring the app in the Azure Portal.

In Azure Portal

Create an Azure Active Directory

Check Microsoft How To Create Active Directory Tenant Guide.

  1. Create a new Azure AD tenant if you don't have one already: go to https://portal.azure.com/, open Azure Active Directory and create a tenant.

  2. Select a directory type. This tutorial uses Azure Active Directory (not Azure AD B2C).

  3. Click Next

  4. Enter your organization name, initial domain name, and country/region and click Next

Add Users and Groups to Azure Active Directory

  1. Manage > Groups

  2. New Group (the default group type, Security, is fine)

    1. Name: Admin

  3. New Group 

    1. Name: Editor

  4. Manage > Users

  5. Invite a test user or use an existing Azure AD user and add them to the Admin group. Users must have an email address set, as Picturepark requires it.

Tutorials on Microsoft: 

Register Picturepark as App

  1. In the Azure portal, ensure that you have the correct directory selected. Click the icon in the upper right bar to switch directories. 

  2. Open Azure Active Directory either from the directory or from the Azure Portal directly.

  3. In the left navigation panel, click "App registrations" and add a new registration

    1. Give it a name e.g. Picturepark Content Portal

    2. Select which account types should have access (single tenant allows only accounts from the currently selected directory)

    3. Redirect URI: the URL of the identity server (IDS) of your Picturepark platform, e.g. https://ids-cp-ch.picturepark.com/ (check in your Picturepark under Settings > Help > System Information). The exact sign-in redirect URL is added in the next section.

  4. The newly registered app will directly open and your breadcrumb should look something like this: 

Configure the Picturepark App

Select Manage > Authentication 

  1. Add the redirect URL for your Picturepark:

    https://ids-cp-ch.picturepark.com/signin-<idpid>

    (e.g. https://ids-cp-ch.picturepark.com/signin-bb09dece-aeb5-47fb-8be5-30504e2ba9dc)

  2. The ID is the one Picturepark showed when you created the identity provider. Azure AD matches redirect URIs exactly, so the entry must match this URL character for character, including scheme and path.

  3. Add a Logout URL if you would like one. This is optional and is not required for authentication to work. It is a convenience: when users sign out of Azure AD, they are also signed out of Picturepark IDS and, within 10 minutes at the latest, of Picturepark itself.

    https://ids-cp-ch.picturepark.com/signout-<idpid>

    (e.g. https://ids-cp-ch.picturepark.com/signout-bb09dece-aeb5-47fb-8be5-30504e2ba9dc)

  4. Implicit grant

    1. Leave this empty, don't select anything.

    2. The Picturepark OpenID Connect integration uses the authorization code flow, not the implicit flow, so no tokens are returned directly from the authorization endpoint.

  5. Advanced settings

    1. Treat application as a public client. → YES (note that this switch also enables public client flows such as device code and resource owner password credentials; the Picturepark integration itself uses the authorization code flow with the client secret created below).

Add API Permissions

  1. Add permission

  2. Select Microsoft Graph

  3. Select Delegated permissions

  4. Select and save

    1. email

    2. offline_access

    3. openid

    4. profile

Add API Exposure to Client Application

  1. Open Manage > Expose an API

  2. Add a scope 

    1. You need to set an Application ID URI before you can add a scope (Microsoft proposes one by default; it can be changed). Save and continue.

    2. Scope name: user.signin

    3. Who can consent? Admins only

    4. Consent display names: User Authentication

    5. Consent descriptions: User Authentication

    6. Click Add scope

  3. Add a client application

    1. Client ID: the Application (client) ID from the Overview page of this app registration, so the app is pre-authorized for its own scope

    2. Select the user.signin scope

Go to Manage > Certificates & Secrets, create a new client secret and copy its value right away: Azure shows the value only once, and every secret has an expiry date, so note it and plan to rotate the secret in both Azure and Picturepark before it expires.

Back in Picturepark (Settings > IdP Setup > your identity provider), replace the placeholders: enter the Application (client) ID as Client ID, the OpenID Connect endpoint URL from above (up to and including v2.0) as URL, and the secret value (not the secret ID) as Client Secret, then save.
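The values entered on the two sides have to agree exactly, and the usual failure is a redirect URI that does not match (for example only the IDS base URL from the registration step is in Azure, not the signin-<idpid> URL). The following script, an added example that is not Picturepark or Microsoft code, derives the Picturepark URL from the Azure metadata document URL the way the steps above describe and compares the Azure redirect and logout entries with what Picturepark IDS expects. It runs offline; the tenant ID, IdP ID and IDS host are the tutorial's own example values.

```python
"""Pre-flight check for the Picturepark <-> Azure AD OpenID Connect values.

Added example for this tutorial, not Picturepark or Microsoft code. It runs
offline on values you paste in and never contacts Azure AD or Picturepark.
"""
import re
from urllib.parse import urlsplit

AZURE_LOGIN_HOST = "login.microsoftonline.com"
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def authority_from_metadata_url(metadata_url: str) -> str:
    """Derive the URL Picturepark wants from the 'OpenID Connect metadata document'
    URL shown under Azure Active Directory > Overview > Endpoints: keep everything
    up to and including v2.0, drop the rest.

    https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration
        -> https://login.microsoftonline.com/<tenant>/v2.0
    """
    parts = urlsplit(metadata_url)
    if parts.scheme != "https" or parts.netloc != AZURE_LOGIN_HOST:
        raise ValueError(f"not an Azure AD endpoint: {metadata_url}")
    segments = [s for s in parts.path.split("/") if s]
    # Expected path: <tenant>/v2.0[/.well-known/openid-configuration]
    if len(segments) < 2 or segments[1] != "v2.0":
        raise ValueError("expected the v2.0 endpoint (v1.0 metadata URLs have no v2.0 segment)")
    tenant = segments[0]
    # The tutorial pins a single tenant; 'common' or 'organizations' would accept
    # sign-ins from any Azure AD tenant, so insist on a tenant ID here.
    if not GUID_RE.match(tenant):
        raise ValueError(f"tenant segment is not a tenant ID: {tenant}")
    return f"https://{AZURE_LOGIN_HOST}/{tenant}/v2.0"


def picturepark_redirect_uris(ids_base_url: str, idp_id: str) -> dict:
    """The sign-in redirect URI and sign-out URL Picturepark IDS expects for one
    identity provider, built from the IDS base URL and the IdP ID Picturepark
    showed when the provider was created."""
    if not GUID_RE.match(idp_id):
        raise ValueError(f"IdP ID does not look like the ID Picturepark issued: {idp_id}")
    base = ids_base_url.rstrip("/")
    return {
        "signin": f"{base}/signin-{idp_id}",
        "signout": f"{base}/signout-{idp_id}",
    }


def check_azure_authentication(azure_redirect_uris, azure_logout_url, ids_base_url, idp_id) -> list:
    """Compare what is registered on the Azure app (Manage > Authentication) with
    what Picturepark needs. Azure AD matches redirect URIs exactly (scheme, host,
    path, trailing slash), so the comparison is exact too. Returns a list of
    problems; an empty list means the Azure side is consistent."""
    required = picturepark_redirect_uris(ids_base_url, idp_id)
    problems = []
    if required["signin"] not in set(azure_redirect_uris):
        problems.append(f"redirect URI missing in Azure: {required['signin']}")
    # The logout URL is optional; only flag it when one is set but points elsewhere.
    if azure_logout_url and azure_logout_url != required["signout"]:
        problems.append(f"logout URL does not match: {azure_logout_url} (expected {required['signout']})")
    return problems


if __name__ == "__main__":
    # Values taken from the tutorial's own examples.
    metadata = ("https://login.microsoftonline.com/99292bdd-6686-4f0b-817b-f8e8571cf07c"
                "/v2.0/.well-known/openid-configuration")
    ids = "https://ids-cp-ch.picturepark.com/"
    idp = "bb09dece-aeb5-47fb-8be5-30504e2ba9dc"
    print("URL for Picturepark:", authority_from_metadata_url(metadata))
    # Common mistake: only the IDS base URL from the registration step is in Azure,
    # not the signin-<idpid> URI, so the code flow fails with a redirect_uri error.
    for problem in check_azure_authentication([ids], None, ids, idp):
        print("PROBLEM:", problem)
```

Paste the real metadata URL, IDS host, IdP ID and the redirect entries from the Azure Authentication blade into the `__main__` section; an empty problem list means the two sides agree.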

Authorization

Authorization is the process of verifying that "you are permitted to do what you are trying to do" by granting permissions. While authorization often happens immediately after authentication (e.g., when logging into a computer system), this does not mean authorization presupposes authentication: an anonymous agent could be authorized to a limited action set. Picturepark grants permissions via assignments to user roles.  See Wikipedia Authorization.

Picturepark does not allow manual role assignments for federated users. Roles and groups are therefore assigned via claim mappings: claims in the token issued by Azure AD (for example group membership) are mapped to Picturepark user roles.

Add Groups to Users

  1. Open Azure AD

  2. Open Users

  3. Add group membership to your users (the Admin or Editor group created above)

Add Tokens to the Azure App

Microsoft help on token configuration (written for Azure AD B2C; the Azure AD steps below differ): https://docs.microsoft.com/bs-latn-ba/azure/active-directory-b2c/configure-tokens

  1. Open Manage > Token Configuration

  2. Add optional claims

    1. You must pass the email address claim to Picturepark; it is required.

    2. We also recommend family_name and given_name. These three claims are picked up automatically by Picturepark and do not need to be mapped. Any other claim has to be mapped in Picturepark under Settings > IdP Settings > YourIdp > Group Mapping.

    3. Add a groups claim in Azure (Token configuration > Add groups claim) and map the groups in Picturepark. The group claim type in the Picturepark IdP settings is groups, and the group name is the object ID of the Azure AD group, which is what Azure AD emits by default. If a user is a member of more than 200 groups, Azure AD omits the groups claim and emits an overage indicator (_claim_names and _claim_sources) instead, which a claim mapping cannot follow; for large directories, restrict the claim to groups assigned to the application.
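To see whether the token Azure AD issues actually carries what the mapping above needs, it helps to decode one and run the same checks Picturepark's group mapping implies. The script below is an added example, not Picturepark or Microsoft code: it decodes an ID token payload without verifying it (for inspection during setup only), flags a missing email claim and the groups overage case, and maps group object IDs to roles the way the Picturepark group mapping does. The token is constructed inline and unsigned; the two group object IDs and the client ID are assumed placeholder values.

```python
"""Inspect an Azure AD ID token for the claims Picturepark needs and map the
Azure AD group object IDs in it to Picturepark roles, mirroring the group
mapping in Settings > IdP Settings > YourIdp > Group Mapping.

Added example for this tutorial, not Picturepark or Microsoft code. The token
below is constructed here for the example (unsigned, never issued by Azure AD);
the group object IDs and the client ID are assumed values.
"""
import base64
import json

REQUIRED_CLAIMS = ("email",)                      # Picturepark requires an email address
RECOMMENDED_CLAIMS = ("given_name", "family_name")
GROUP_CLAIM = "groups"                            # claim type used in the Picturepark group mapping

# Group mapping as it would be entered in Picturepark: Azure AD group object ID -> role.
# Both IDs are placeholders for this example.
GROUP_TO_ROLE = {
    "11111111-1111-1111-1111-111111111111": "Admin",
    "22222222-2222-2222-2222-222222222222": "Editor",
}


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none JWT for exercising the checks below. Local experiments
    only: a real ID token is signed by Azure AD and must be verified."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


def decode_payload_unverified(id_token: str) -> dict:
    """Return the payload WITHOUT validating the signature. Use it only to see
    which claims Azure AD puts in the token while configuring the app; trust
    decisions belong to Picturepark IDS, which validates signature, issuer,
    audience and expiry before using any claim."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict) -> list:
    """List everything Picturepark would trip over; an empty list is a pass."""
    problems = []
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append(f"required claim missing: {name} (Token configuration > Add optional claim)")
    for name in RECOMMENDED_CLAIMS:
        if not claims.get(name):
            problems.append(f"recommended claim missing: {name}")
    # Groups overage: when a user is in more groups than fit in the token,
    # Azure AD omits 'groups' and emits _claim_names/_claim_sources pointing at
    # Microsoft Graph instead. A claim mapping cannot follow that pointer, so the
    # user would end up with no roles.
    if GROUP_CLAIM not in claims and GROUP_CLAIM in claims.get("_claim_names", {}):
        problems.append("groups overage: token has _claim_names instead of groups; "
                        "limit the groups claim to groups assigned to the application")
    return problems


def roles_from_claims(claims: dict) -> set:
    """Apply the group mapping: unknown group IDs are ignored, never auto-granted."""
    groups = claims.get(GROUP_CLAIM, [])
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


# Constructed sample resembling what Azure AD issues for a user in the Admin group.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/99292bdd-6686-4f0b-817b-f8e8571cf07c/v2.0",
    "aud": "00000000-0000-0000-0000-000000000000",   # assumed Application (client) ID
    "email": "test.user@example.com",
    "given_name": "Test",
    "family_name": "User",
    "groups": ["11111111-1111-1111-1111-111111111111"],
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    claims = decode_payload_unverified(SAMPLE_TOKEN)
    print("problems:", check_claims(claims) or "none")
    print("roles:", sorted(roles_from_claims(claims)))
```

To check a real token, sign in once with the browser developer tools open, copy the id_token from the response to the IDS sign-in callback, and pass it to decode_payload_unverified in place of SAMPLE_TOKEN; the output tells you which optional claims still have to be added in Azure before the mapping in Picturepark can work.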
       

Get an Overview of your Application

Open the Manifest and see the JSON of your configuration. 

Limitations

You cannot add Picturepark Content Platform from the Azure AD application gallery; searching the gallery finds only Picturepark DAM.