Claims in general can be described as a mapping of an Active Directory field into a claim and are usually expressed as a URI (Uniform Resource Identifier), for example http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. More information regarding claims can be found here: http://technet.microsoft.com/en-us/library/ee913589.aspx
As soon as at least one identity provider is configured, you can show an area on the start page (configuration required) or in the login window, in which users can log in with the selected identity provider (right).

Identity providers can be created in the left-hand area of the configuration by clicking on "Add". Existing identity providers can be deleted by clicking on "Delete". The configuration for the selected identity provider can be made in the right-hand area and needs to be saved using the "Save" button.

- Name of the identity provider (e.g. "fs.vit.ch")
- Importing of an image that is shown to the user in the login form (see screenshot above). The image cannot be larger than 220 x 75 pixels.
- Link to the FederationMetadata.xml: the link under which the FederationMetadata.xml can be found. In our specific case the metadata XML contains the claims that Picturepark requires. This simplifies the setup of your relying party (in ADFS).
WS Federation:
- Set as Default: You can set a default identity provider, which will be selected first when you have more than one identity provider
- Audience URI: Sets the Picturepark URL. Tells the application for which URL the token is valid - the URL gets wrapped into the token
- Realm URI: Would be used if you use subdomains - the realm URI is the top domain URI.
- TrustedIssuerName: Name of the Issuer - just for display purposes
- Issuer URI: URL of the ADFS server which creates the token
- TrustedIssuer Thumb Print: Used for the authentication between ADFS Server and Picturepark Server (Token Signing certificate)
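
The value entered under TrustedIssuer Thumb Print can be checked against the token-signing certificate published in the FederationMetadata.xml. The following is an added example, not Picturepark or ADFS code: the metadata document, entityID and certificate bytes are constructed placeholders, and the function names are hypothetical. It assumes the thumbprint is the usual SHA-1 hash of the DER-encoded certificate.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed placeholder bytes standing in for DER certificates (not real certs).
SIGNING_DER = b"constructed-token-signing-certificate"
ENCRYPT_DER = b"constructed-token-encryption-certificate"

def _key(use, der):
    """Build one KeyDescriptor element for the constructed sample below."""
    b64 = base64.b64encode(der).decode()
    return (f'<KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></KeyDescriptor>')

# Constructed, trimmed-down metadata document; the entityID is a placeholder.
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
    'entityID="http://fs.example.test/adfs/services/trust"><RoleDescriptor>'
    + _key("encryption", ENCRYPT_DER) + _key("signing", SIGNING_DER)
    + '</RoleDescriptor></EntityDescriptor>')

def signing_thumbprints(metadata_xml):
    """Return the SHA-1 thumbprints of every use="signing" certificate."""
    root = ET.fromstring(metadata_xml)
    prints = set()
    for kd in root.iter(MD + "KeyDescriptor"):
        if kd.get("use") != "signing":  # skip the token-encryption key
            continue
        for cert in kd.iter(DS + "X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.add(hashlib.sha1(der).hexdigest().upper())
    return prints

def normalize_thumbprint(value):
    """Drop spaces, colons and invisible pasted characters; keep upper-case hex."""
    return re.sub(r"[^0-9A-F]", "", value.upper())

def thumbprint_is_published(configured, metadata_xml):
    """True if the configured thumbprint matches a published signing certificate."""
    return normalize_thumbprint(configured) in signing_thumbprints(metadata_xml)
```

Run the check against metadata fetched over HTTPS from the ADFS host itself, and repeat it after a token-signing certificate rollover, since the configured thumbprint will no longer match.
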
Group Mapping Settings - can be defined per identity provider:
- Claims User Group Mapping Enabled: Enables group mapping. The user groups don't have to be configured as an additional separate claim

- Join Default User Group: Select if the authenticated user should also be added to the default user group defined in groups & rights
- User Group Claim URI: From where the user groups are mapped, for example: http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid, or you can use your own.
- User Field Mapping: Add the mapping for the claims (see Claim Description on the ADFS server for existing claims).