Authentication using Azure Active Directory

This SecurityModule uses federated authentication and has been tested against an Azure AD using the Azure AD v1.0 endpoint.

Note: There is a newer version of the Azure AD endpoint available (Azure AD v2.0, the Microsoft identity platform, which pairs with Microsoft Graph at https://graph.microsoft.com), but this module uses the legacy v1.0 endpoint together with the Azure AD Graph API. For more information, see https://docs.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison

Azure AD

To be able to authenticate with Azure AD you need to set up an Active Directory in Azure. Create users and groups there, or set up directory synchronisation with your on-premises AD.

Create application

To create an application in the Azure AD:

  • Navigate to the Azure portal.
  • Select App registrations and click New application registration.
  • Use the URL of the UI, including the trailing slash, as both Name and Sign-on URL in the Create form.
  • When the application has been created, open it and change the App ID URI under the Properties tab to exactly the same URL. Example:

for a standalone ImageVault, the root URL of the UI site itself, or

http://myepiserver.domain.com/imagevault/

for a UI running as a virtual application.

The App ID URI has to match the Wtrealm value configured below character for character (scheme, host, path and trailing slash), so decide whether the UI will be served over https before registering the application rather than changing the URL afterwards.

Create an application key

Since ImageVault needs to read information from the AD, create a key that lets the application authenticate to the directory. This is done in the Settings tab for the application: go to Keys, enter a descriptive name as Description and select a duration. Choosing the maximum duration minimises administration, since the key has to be reissued (and web.config updated) when it expires, but a longer lifetime also lengthens the window in which a leaked key stays valid; note the expiry date either way so that the UI does not stop authenticating unannounced.

When the key is saved its value is shown only once, so copy it and store it securely before leaving the tab; it goes into the AppKey setting of the connection string below. Together with the ClientId this key authenticates the application to your directory with the permissions assigned below, so treat it like a password.

Assign permissions

To be able to read information from the directory, add the following permissions for the "Windows Azure Active Directory" API (the legacy Azure AD Graph API):

  • Application Permissions: "Read directory data"
  • Delegated Permissions: "Sign in and read user profiles"
  • Delegated Permissions: "Read all users' basic profiles"
  • Delegated Permissions: "Read all groups"
  • Delegated Permissions: "Read directory data"

This is also done in the Settings tab, under Required permissions. Bear in mind that it can take a while for the changes to take effect.

Note: Since some of the permissions above require admin consent, click "Grant permissions" on the Required permissions form to complete the assignment. This has to be done by an administrator of the directory.

Automatically add groups to user claims

Normally in Azure AD, the groups a user is assigned to are not included in the claims received when logging in. To activate this, you need to edit the manifest of the application.

Open the application in Azure AD and click "Manifest" in the toolbar. In the manifest that opens, set "groupMembershipClaims" to "All" or "SecurityGroup" ("SecurityGroup" excludes distribution lists):

"groupMembershipClaims": "SecurityGroup",

Save the file by clicking the Save link in the tabs toolbar.

You can also download and upload the manifest from here if you prefer to edit it locally.

ImageVault UI

To activate Azure AD authentication the following changes must be made in web.config.

Authentication

When using Azure AD authentication, the ASP.NET authentication mode must be set to None, since the federated sign-in is handled by the security manager configured in the connection string below rather than by ASP.NET's built-in authentication providers.

<system.web>
    <authentication mode="None"/>
</system.web>

ConnectionStrings

To use Azure AD with ImageVault, add or modify the connection string named ImageVaultSecurityManager. The values below are placeholders; substitute your own tenant, App ID URI, Application ID and key. Since the string carries the AppKey, which is a client secret, encrypt the connectionStrings section with ASP.NET protected configuration (aspnet_regiis -pe) on the server and keep the unencrypted file out of source control.

<connectionStrings>
    <add name="ImageVaultSecurityManager"
         providerName="ImageVault.Adal.Providers.AdalSecurityManager,ImageVault.Adal.Providers"
         connectionString="Tenant=mydemo.onmicrosoft.com;Wtrealm=http://mydemo.com/imagevault/;ClientId=9ae0db67-4d7b-5d45-8ef2-965679509e6c;AppKey=ZoLTp7Koz5SdGxIH+9fiPcEpyDVKFdWRPbiK5pKo2jQ="/>
</connectionStrings>

name

Must be ImageVaultSecurityManager, so that the UI can detect which connection string to use for the SecurityManager.

providerName

Tells ImageVault.UI which SecurityManager to use (see ISecurityManager for more information).

For Azure ad, use the following providerName: ImageVault.Adal.Providers.AdalSecurityManager,ImageVault.Adal.Providers

connectionString

This is a key/value string where each key and value are separated by an equals sign (=) and each pair is terminated with a semicolon (;). Keys are case-insensitive.

The possible keys are listed below.

Tenant

This is the name of the domain your Azure directory is connected to: either a custom domain or the default domain Azure assigned when the directory was created (like mydirectory.onmicrosoft.com).

You can also use the directory (tenant) ID GUID, found in the application's Endpoints list, as the tenant.

Wtrealm

This is the URL of the application, exactly as you entered it for App ID URI (including the trailing slash). A mismatch between the two makes the federated sign-in fail.

ClientId

This is the Application ID of the application, shown as a GUID when you open the application in App registrations.

AppKey

This is the key value you generated for the application. It is a client secret: anyone holding it together with the ClientId can query your directory with the permissions granted above.

Optional connectionString keys

The following configuration options all have default values and only need to be changed if you want to alter the default behaviour.

GraphUrl

The URL of the Graph resource (the service used to query the directory). The default is "https://graph.windows.net", the legacy Azure AD Graph API.

GraphApiVersion

The version of the GraphApi to use. The default is "1.5"

AADInstance

The URL of the Azure AD instance (the authority that issues the tokens). The default is "https://login.windows.net".

LogoutUrl

The local URL used for logout. Requests to it are redirected to a federated logout. The default is "/account/logout".

LoggedoutUrl

The landing URL to use after a federated logout. The default is "${Wtrealm}/account/loggedout"

EnableGetGroupsFromAd

If true, the group assignment is requested from the directory after a login and added to the user. A better approach is to include the group claims in the ticket from the beginning, using the groupMembershipClaims manifest setting described above. Note, however, that Azure AD does not emit individual group claims for users who belong to more than a certain number of groups (150 in SAML tokens, 200 in JWTs) and signals an overage instead; for such users, or when the manifest cannot be changed, this option is the fallback. The default is false.

CacheTimeout

The time in minutes that data retrieved from the directory is cached. The default is 10. A change in the directory, such as removing a user from a group, is not seen by the UI until the cached entry expires.

IdentityPrefix

If multiple UIs share the same core but use different user directories, this prefix can be used to guarantee that identities from the different directories stay unique.
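The key/value format and the defaults listed above, worked through as an added example in Python (this is not ImageVault's own code): it parses the connection string from the web.config fragment earlier on this page, checks the required keys, applies the documented defaults, expands the ${Wtrealm} placeholder and masks the AppKey before anything is logged. The handling of whitespace, duplicate keys, the ClientId GUID check and the http/trailing-slash warnings are the example's own assumptions, not documented ImageVault behaviour.

```python
"""Parse and validate an ImageVaultSecurityManager connection string.

Added example; this is not ImageVault's own parser. It follows the format
described on this page (Key=Value pairs terminated by ';', case-insensitive
keys) and the documented defaults. How the real AdalSecurityManager treats
whitespace, quoting or duplicate keys is not documented, so those are
assumptions made here.
"""
import uuid

REQUIRED_KEYS = ("tenant", "wtrealm", "clientid", "appkey")

# Documented defaults for the optional keys, by lower-cased key name.
DEFAULTS = {
    "graphurl": "https://graph.windows.net",
    "graphapiversion": "1.5",
    "aadinstance": "https://login.windows.net",
    "logouturl": "/account/logout",
    "loggedouturl": "${Wtrealm}/account/loggedout",
    "enablegetgroupsfromad": "false",
    "cachetimeout": "10",
    "identityprefix": "",
}

# Constructed sample, same placeholder values as the web.config fragment above.
SAMPLE = ("Tenant=mydemo.onmicrosoft.com;Wtrealm=http://mydemo.com/imagevault/;"
          "ClientId=9ae0db67-4d7b-5d45-8ef2-965679509e6c;"
          "AppKey=ZoLTp7Koz5SdGxIH+9fiPcEpyDVKFdWRPbiK5pKo2jQ=")


def parse_pairs(connection_string):
    """Split 'Key=Value;Key2=Value2;' into a dict keyed by lower-cased name.

    Only the first '=' separates key from value, so a base64 AppKey keeps its
    trailing '=' padding. Empty segments (e.g. after a trailing ';') are skipped.
    """
    pairs = {}
    for segment in connection_string.split(";"):
        if not segment.strip():
            continue
        key, sep, value = segment.partition("=")
        if not sep or not key.strip():
            raise ValueError("malformed pair: %r" % segment)
        key = key.strip().lower()
        if key in pairs:
            raise ValueError("duplicate key: %s" % key)
        pairs[key] = value.strip()
    return pairs


def build_settings(connection_string):
    """Return (settings, warnings): required keys checked, defaults applied."""
    pairs = parse_pairs(connection_string)
    missing = [k for k in REQUIRED_KEYS if not pairs.get(k)]
    if missing:
        raise ValueError("missing required key(s): " + ", ".join(missing))
    unknown = sorted(set(pairs) - set(REQUIRED_KEYS) - set(DEFAULTS))
    if unknown:
        raise ValueError("unknown key(s): " + ", ".join(unknown))

    settings = dict(DEFAULTS)
    settings.update(pairs)

    # ClientId is the Application ID GUID; reject anything that is not one.
    try:
        uuid.UUID(settings["clientid"])
    except ValueError:
        raise ValueError("ClientId is not a GUID")
    if not settings["wtrealm"].startswith(("http://", "https://")):
        raise ValueError("Wtrealm must be an absolute URL")
    if settings["enablegetgroupsfromad"].lower() not in ("true", "false"):
        raise ValueError("EnableGetGroupsFromAd must be true or false")
    if not settings["cachetimeout"].isdigit() or int(settings["cachetimeout"]) <= 0:
        raise ValueError("CacheTimeout must be a positive number of minutes")

    # The documented LoggedoutUrl default is built from Wtrealm. Substitution
    # is literal here: with the trailing slash the page asks for in Wtrealm the
    # result contains '//', so set LoggedoutUrl explicitly if that matters
    # (whether ImageVault normalises this is not documented).
    settings["loggedouturl"] = settings["loggedouturl"].replace(
        "${Wtrealm}", settings["wtrealm"])

    warnings = []
    if settings["wtrealm"].startswith("http://"):
        warnings.append("Wtrealm uses http; serve the UI over https in production")
    if not settings["wtrealm"].endswith("/"):
        warnings.append("Wtrealm lacks the trailing slash; it must match the App ID URI exactly")
    return settings, warnings


def redact(settings):
    """Copy of the settings that is safe to log: the AppKey is a client secret."""
    safe = dict(settings)
    safe["appkey"] = "<redacted>"
    return safe


if __name__ == "__main__":
    parsed, notes = build_settings(SAMPLE)
    for key in sorted(parsed):
        print("%-22s %s" % (key, redact(parsed)[key]))
    for note in notes:
        print("warning:", note)
```

Running the module against the sample prints the effective settings with the key masked and warns about the http scheme; feeding it a string with a missing required key, an unknown key or a non-GUID ClientId raises a ValueError before any connection to the directory would be attempted.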
