eMAM Single Sign On

AD FS Setup Guide

Notice
The content in this document represents the current view of Empress Media Asset Management, LLC (Empress) as of the date of
publication. As Empress responds continually to the changing market conditions, this document should not be interpreted as a
commitment on the part of Empress. Empress cannot guarantee the accuracy of any information presented after the date of
publication. Empress is a US registered trademark of Empress Media Inc. and is used by permission. eMAM™ logos are US registered
trademarks of Empress Media Asset Management, LLC.
Information in this document is subject to change without notice.
 eMAM AD FS Setup Guide
Contents
Introduction..................................................................................................................................................... 3
What is Single sign-on (SSO) .............................................................................................................................. 3
What is Active Directory Federation Services (ADFS)............................................................................................. 3
eMAM and Single Sign On ................................................................................................................................. 4
eMAM SSO AD FS Workflow .............................................................................................................................. 4
How to Setup AD FS as SSO for eMAM ................................................................................................................ 5
I. Install Active Directory (AD) .................................................................................................................... 5
II. Install AD FS .......................................................................................................................................... 5
III. Configure AD FS ................................................................................................................................. 6
IV. Create a relying party trust on your federation server ............................................................................ 6
V. Configure eMAM ................................................................................................................................. 12
Glossary ........................................................................................................................................................ 14
Get Help ........................................................................................................................................................ 14

2 www.empressmam.com
 eMAM AD FS Setup Guide
Introduction
Users access a number of applications and systems on a daily basis to get their tasks done. And nowadays
almost all applications authenticate users before they give access to their features and content. Repeated
sign-on requests and remembering all these login credentials are also a hassle, for both customers and
employees. In addition, users who use weak passwords, or even recycle strong ones, can threaten the
security of their companies. This is where Single Sign-On can make life easier – a convenient way to access
all applications using only one login credential. The process authenticates the user for all the applications
they have been given rights to and eliminates further prompts when they switch applications during a
particular session. This simplifies the login process and password management.

What is Single sign-on (SSO)

Single sign-on (SSO) is an authentication process that allows users to login to multiple applications with just
one set of login credentials. So, users can use one login to access a variety of compatible
systems and applications overcoming the hassle of multiple logins. With single sign-on, they can improve
security by reducing the number of required passwords, decrease IT costs associated with password
management, and provide a seamless experience. Single sign-on not only mitigates the security risks but also
provides businesses better control over user authentication and authorization.

Few advantages of Single Sign On are:

• Eliminates repeated credential reauthentication which saves time and improves productivity.
• Streamlines local and remote application and desktop workflow.
• Minimizes phishing and security risks.
• Improves compliance through a centralized database.
• Provides detailed user access reporting.
• It allows users access anywhere, anytime on almost any device without them having to remember
where the application is or how to log in to it.
• Reduces Helpdesk cost.

What is Active Directory Federation Services (AD FS)

AD FS, is a software component that saw its first version published by Microsoft in 2003. Its main purpose is
to provide Windows users with Single Sign-On (SSO) access to a variety of compatible systems and
applications. Through SSO capabilities, AD FS can authenticate a user to different, related web apps during

3 www.empressmam.com
 eMAM AD FS Setup Guide
a single online session. Once a user logs in with his or her Windows credentials, AD Federation Services
authenticates access to all approved third-party systems.

eMAM and Single Sign On

eMAM now supports Single Sign On (SSO) with Active Directory Federation Services (AD FS) identity provider
for better security of all its applications. With single sign-on using AD FS, eMAM users can instantly login to
different eMAM interfaces without being prompted to enter separate login credentials for each interface
thus decreasing the chances of any security breach. eMAM supports Single Sign On feature at various
interfaces and applications level such as, eMAM Director, eMAM Client, eMAM Super Admin, eMAM
Premiere Panel, eMAM DeskLink, eMAM After Effects Panel, eMAM Photoshop Panel, eMAM Illustrator
Panel, eMAM InDesign Panel and eShare. eMAM users can now directly login to any of the eMAM application
with just one login credential in a single online session. This greatly increases user efficiency and productivity
while keeping the data secure.

eMAM SSO AD FS Workflow

Explained below is how eMAM uses Single Sign On workflow to authenticate eMAM users using AD FS.

1. eMAM user requests login to any eMAM application.

2. eMAM application redirects to AD FS end point if SAML authentication is enabled.
4 www.empressmam.com
 eMAM AD FS Setup Guide
3. Login request is redirected to AD FS.
4. AD FS displays the login page.
5. eMAM user submits login page with credentials.
6. AD FS verifies user credentials with Active Directory (Attribute Store).
7. AD FS gets user details like First name, Last name etc. from Active Directory.
8. AD FS redirects to eMAM application with SAML token.
9. eMAM user submits SAML token to eMAM application.
10. Redirects to eMAM application login page (if SAML token is valid).

How to Setup AD FS as SSO for eMAM

To setup AD FS as single sign-on for eMAM, add the eMAM as a relying party trust. Then add a claim rule,
which is a statement that provides information about a user. It is used by the eMAM to determine whether
or not, a user is allowed access. Adjust the trust settings. Optionally, restrict the groups that are federated.
Configure eMAM Gateway web.config and finally test the Configuration. eMAM SSO feature is tested with
Microsoft Windows Active Directory Federation Services (AD FS) 3.0 and 4.0.

Let us look at the steps to setup Active Directory Federation Services (AD FS) for eMAM in detail:
I. Install Active Directory (AD)
1. Install and configure Active Directory (AD) in the server.
2. Create a GMSA account. The Group Managed Service Account (GMSA) account is required during
the Active Directory Federation Services (AD FS) installation and configuration. Open a Windows
PowerShell command window and type following commands (replace the adfs.emam.com with
correct DNS host name for the server)
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

New-ADServiceAccount FsGmsa -DNSHostName adfs.emam.com –

ServicePrincipalNames http/adfs.emam.com

II. Install AD FS
AD FS can be installed on the same machine (where AD is installed) or a different machine in the
same domain.
1. Install a server SSL certificate.
2. Install the AD FS server role. From Server Manager- Add Roles and Features install Active Directory
Federation Services role.
5 www.empressmam.com
 eMAM AD FS Setup Guide

III. Configure AD FS
1. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the
federation service on the server. The Active Directory Federation Service Configuration Wizard
opens.
2. On the Welcome page, select Create the first federation server in a federation server farm, and
then click Next.
3. On the Connect to AD FS page, specify an account with domain administrator rights for the Active
Directory domain that this computer is joined to, and then click Next.
4. On the Specify Service Properties page, do the following, and then click Next:
• Import the SSL certificate. This certificate is the required service authentication certificate.
Browse to the location of your SSL certificate.
• Provide a name for your federation service, type adfs.emam.com (DNS host name).
• Provide a display name for your federation service.
5. On the Specify Service Account page, select Use an existing domain user account or Group
Managed Service Account, and then specify the GMSA account.
6. On the Specify Configuration Database page, select Create a database on this server using
Windows Internal Database, and then click Next.
7. On the Review Options page, verify your configuration selections, and then click Next.
8. On the Pre-requisite Checks page, make sure all prerequisite checks were successfully completed,
and then click Configure.
9. On the Results page, review the results, check whether the configuration has completed
successfully, and then click Next steps required for completing your federation service
deployment.
10. Configure Device Registration Service. Execute following commands in Windows PowerShell
Initialize-ADDeviceRegistration
Enable-AdfsDeviceRegistration
11. In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary
Authentication. Select the check box next to Enable Device Authentication, and then click OK.

IV. Create a relying party trust

To create a relying party trust on your federation server, follow steps below:

1. Sign in to your AD FS management console.

2. In the AD FS Management console, navigate to Relying Party Trusts, and then click Add Relying
Party Trust.
6 www.empressmam.com
 eMAM AD FS Setup Guide

3. On the Select Data Source page, select “Enter data about the relying party manually”.

4. On the Specify Display Name page, specify the display name as eMAMGateway, and then click
Next.

7 www.empressmam.com
 eMAM AD FS Setup Guide

5. On Choose Profile page select “AD FS Profile”

6. On the Configure Certificate page click Next.

8 www.empressmam.com
 eMAM AD FS Setup Guide
7. On the Configure URL page, select “Enable support for ws-Federation Passive protocol URL”. Enter
Gateway URL.

8. On the Configure Identifiers page, click Next.

9. On the Choose Access Control Policy page, click Next.
10. On the Configure Multi-factor Authentication page, click Next
11. On the Choose Issuance Authorization Rules page, select “Permit all users to access this relying
party”

9 www.empressmam.com
 eMAM AD FS Setup Guide

12. On the Ready to Add Trust page, click Next.

13. On the Edit Claim Rules dialog box, click Add Rule.
14. On the Choose Rule Type page, select “Pass Through or Filter an Incoming Claim”, and then click
Next.

10 www.empressmam.com
 eMAM AD FS Setup Guide
15. Give “Name” as Claim rule name. And select “Name” in incoming claim type. Also select Pass
through all claim values option. Then click Finish.

16. Click on Add Rule to add another rule.

17. Select “Send LDAP Attributes as Claims”. Click Next.

11 www.empressmam.com
 eMAM AD FS Setup Guide
18. Enter “eMAM Authentication” as Claim rule name. And select “Active Directory“ as Attribute
store. Select following mapping entries and click on Finish.
✓ E-Mail-Addresses -> E-Mail Address
✓ Given-Name-> Given Name
✓ Surname-> Surname

V. Configure eMAM
eMAM Gateway Web.config changes are mentioned below.

How to configure the identity parameters: Set the Gateway URLs as configured in SSO server in the
following areas:

o audienceUris -> value (eMAM Gateway URL – highlighted in yellow below)

o wsFederation -> realm (eMAM Gateway URL highlighted in yellow below)
o wsFederation -> reply (eMAM Gateway URL highlighted in yellow below)

12 www.empressmam.com
 eMAM AD FS Setup Guide
Set the Issuer configuration under following areas:

o trustedIssuers -> name (ADFS URL to be delivered by the client- highlighted in Blue below)
o trustedIssuers -> thumbprint (ADFS token certificate thumbprint to be delivered by the
client)
o wsFederation -> issuer (ADFS Issuer URL to be delivered by the client- highlighted in Blue
below)

<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="https://emamsvr.emamdev.local/eMAMGateway/" />
</audienceUris>
<issuerNameRegistry
type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel,
Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<add thumbprint="1482de6687c4cb44b16336c757d4c72873a3e6e9"
name="https://dc.emamdev.local/adfs/services/trust" />
</trustedIssuers>
</issuerNameRegistry>
<certificateValidation certificateValidationMode="None" />
</identityConfiguration>
</system.identityModel>

<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="false" />
<wsFederation passiveRedirectEnabled="true" issuer="https://dc.emamdev.local/adfs/ls/"
realm="https://emamsvr.emamdev.local/eMAMGateway/"
reply="https://emamsvr.emamdev.local/emamgateway/Login.aspx" requireHttps="false" />
</federationConfiguration>
</system.identityModel.services>

13 www.empressmam.com
 eMAM AD FS Setup Guide
Glossary
SSO
Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one
set of login credentials.

AD FS
Active Directory Federation Services (AD FS), a software component developed by Microsoft, can run
on Windows Server operating systems to provide users with single sign-on access to systems and applications
located across organizational boundaries.

SAML
Security Assertion Markup Language (SAML) is a standard protocol for web browser Single Sign-On (SSO) using
secure tokens.

Identity Provider
A service which is capable of authenticating a user, generating and assigning SSO SAML token to a user session,
and verifying an assigned SSO token.

Service Provider
A service that is capable of delegating user authentication to an identity provider via the protocols defined by
the SAML specification.

Get Help
For more information and assistance, please contact [email protected]

14 www.empressmam.com