Authentication using Azure Active Directory

This SecurityModule uses federated authentication and is tested with an Azure AD using the Azure AD v1.0 endpoint.

Note: There is a newer version of the Azure AD endpoint available (Azure AD v2.0, aka https://graph.microsoft.com) but this method uses the old legacy version (v1.0). For more information, see https://docs.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison

Azure Ad

To be able to use authentication with Azure AD you need to set up an Active Directory in Azure. Create users and groups, or set up directory synchronization with your on-premises AD.

Create application

To create an application in the Azure AD:

  • Navigate to the Azure portal.
  • Select App registrations and click New application registration.
  • Give it a suitable name, preferably the URL of the ImageVault site.
  • Enter the URL to the ImageVault site as redirect URI.
  • When the application is created you must add an App ID URI. Use the suggested one or enter the URL of the site. There is no need to specify any scopes.

Create an application key

Since ImageVault needs to read information from the ad, we need to create a key that allows us to communicate with the ad. This is done in the Certificates & Secrets tab for the application. Click on + New client secret and enter a descriptive name as Description and select a duration. It is recommended that you choose the max duration to minimize administration since the key needs to be reissued when it expires.

When saving the key, the key value will be visible (just once) so be sure to copy it and store it before leaving the tab (see its usage below).

Assign permissions

To be able to read information from the Active Directory you need to add the following permissions for the "Windows Azure Active Directory" application. This is done in the API permissions tab.

Note: Current version of the Azure Ad connector only uses the Legacy Azure Active Directory Graph API so be sure to select that API when adding permissions.

  • Application Permissions: "Read directory data" -> Azure Active Directory Graph -> Directory -> Directory.Read.All
  • Delegated Permissions: "Sign in and read user profiles" -> Azure Active Directory Graph -> User -> User.Read
  • Delegated Permissions: "Read all users' basic profiles" -> Azure Active Directory Graph -> User -> User.ReadBasic.All
  • Delegated Permissions: "Read all groups" -> Azure Active Directory Graph -> Group -> Group.Read.All
  • Delegated Permissions: "Read directory data" -> Azure Active Directory Graph -> Directory -> Directory.Read.All

(Bear in mind that it can take a while for the changes to take effect.)

Note: Since some of the permissions above require admin permissions, you need to click "Grant permissions" on the required permissions form to complete the assignment.

Automatically add groups to user claims

Normally in Azure AD, the groups that a user is assigned to are not included in the claims received when logging in. To activate this, you need to edit the manifest for the application.

Open the application in the Azure AD. Click on the Manifest tab.

Edit the manifest that pops up and set the "groupMembershipClaims" to "All" or "SecurityGroup" (SecurityGroup will not include distribution lists).

"groupMembershipClaims": "SecurityGroup",

Save the file by clicking the Save link in the tabs toolbar.

ImageVault UI

To activate Azure ad authentication the following changes must be done in web.config.

Authentication

When using Azure ad authentication, the authentication mode must be set to None.

<system.web>
    <authentication mode="None"/>
</system.web>

ConnectionStrings

To use Azure ad with ImageVault add/modify the connection string named ImageVaultSecurityManager.

<connectionStrings>
    <add name="ImageVaultSecurityManager"
         providerName="ImageVault.Adal.Providers.AdalSecurityManager,ImageVault.Adal.Providers"
         connectionString="Tenant=mydemo.onmicrosoft.com;Wtrealm=http://mydemo.com/imagevault/;ClientId=9ae0db67-4d7b-5d45-8ef2-965679509e6c;AppKey=ZoLTp7Koz5SdGxIH+9fiPcEpyDVKFdWRPbiK5pKo2jQ="/>
</connectionStrings>

name

Must be ImageVaultSecurityManager for the UI to detect which connection string should be used for the SecurityManager.

providerName

Tells ImageVault.UI which SecurityManager it will use (See the ISecurityManager for more information)

For Azure ad, use the following providerName: ImageVault.Adal.Providers.AdalSecurityManager,ImageVault.Adal.Providers

connectionString

This is a key value string where key and value are separated by equals (=) and each pair is terminated with a semicolon (;)

Here comes a list of the possible keys (keys are case-insensitive)

Tenant

This is the name of the domain that your Azure directory is connected to. This can be a custom domain or a default domain that Azure has assigned the directory when creating it (like mydirectory.onmicrosoft.com).

You can also use the GUID found in the application endpoint list as the tenant.

Wtrealm

This is the URL to the application that you entered as App ID URI

ClientId

This is the Application ID for the application. You find it as a GUID when opening the applications tab.

AppKey

This is the key value that you generated for the application.

Optional connectionString keys

The following configuration options all have default values and only need to be adjusted if you need to change the default behavior.

GraphUrl

The URL to the graph resource (service for querying the ad). The default is "https://graph.windows.net".

GraphApiVersion

The version of the GraphApi to use. The default is "1.5"

AADInstance

The URL to the AzureAd instance. The default is "https://login.windows.net".

LogoutUrl

The local URL that is used for logout. Will be remapped to a federated logout. The default is "/account/logout".

LoggedoutUrl

The landing URL to use after a federated logout. The default is "${Wtrealm}/account/loggedout"

EnableGetGroupsFromAd

If true, the group assignment will be requested from the ad after a login and added to the user. A better approach is to include the group/role claims in the ticket from the beginning, using the automap feature described above. The default is false.

CacheTimeout

The timeout in minutes for data retrieved from the ad to be cached. The default is 10.

IdentityPrefix

If multiple UIs share the same core but use different user directories, this prefix can be used to guarantee uniqueness between the different ADs.
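The connection string format described above (required and optional keys, case-insensitive names, documented defaults), as an added example that is not ImageVault's own code: a small parser that validates a string from web.config, fills in the defaults, and produces a copy with the AppKey secret redacted for logging. It assumes that ${Wtrealm} is a plain textual substitution with the trailing slash of Wtrealm dropped.

```python
# Added example (not ImageVault's own code): parse an ImageVaultSecurityManager
# connection string as the page describes it ("key=value" pairs separated by
# ";", case-insensitive keys, required keys plus optional keys with defaults).
from typing import Dict

REQUIRED = ("Tenant", "Wtrealm", "ClientId", "AppKey")
DEFAULTS = {
    "GraphUrl": "https://graph.windows.net",
    "GraphApiVersion": "1.5",
    "AADInstance": "https://login.windows.net",
    "LogoutUrl": "/account/logout",
    "LoggedoutUrl": "${Wtrealm}/account/loggedout",
    "EnableGetGroupsFromAd": "false",
    "CacheTimeout": "10",
    "IdentityPrefix": "",
}
# Canonical spelling of every known key, looked up by lower-cased name.
KNOWN = {k.lower(): k for k in REQUIRED + tuple(DEFAULTS)}

def parse_connection_string(cs: str) -> Dict[str, str]:
    """Return settings with canonical key names and defaults filled in; raise
    ValueError on a malformed pair, unknown key or missing required key."""
    settings: Dict[str, str] = {}
    for pair in cs.split(";"):
        if not pair.strip():
            continue                      # tolerate a trailing ';'
        if "=" not in pair:
            raise ValueError(f"malformed pair: {pair!r}")
        key, value = pair.split("=", 1)   # split once: a base64 AppKey ends in '='
        canonical = KNOWN.get(key.strip().lower())
        if canonical is None:
            raise ValueError(f"unknown key: {key.strip()!r}")
        settings[canonical] = value.strip()
    missing = [k for k in REQUIRED if not settings.get(k)]
    if missing:
        raise ValueError("missing required key(s): " + ", ".join(missing))
    for key, default in DEFAULTS.items():
        settings.setdefault(key, default)
    # Assumption: ${Wtrealm} is a plain textual substitution; the trailing '/'
    # of Wtrealm is dropped here so the landing URL has no double slash.
    settings["LoggedoutUrl"] = settings["LoggedoutUrl"].replace(
        "${Wtrealm}", settings["Wtrealm"].rstrip("/"))
    return settings

def redact(settings: Dict[str, str]) -> Dict[str, str]:
    """Copy safe for logging: AppKey is a client secret, keep only its length."""
    return {k: (f"<redacted, {len(v)} chars>" if k == "AppKey" else v)
            for k, v in settings.items()}
```

Running it over the web.config sample above fails loudly on a typo in a key name or a missing ClientId instead of letting the site start half-configured.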

Known issues
