1. Help and Support | Digital Theatre+
  2. Authentication
  3. Guidance for Specific SSO Service Providers

Configuring ADFS to authenticate to Digital Theatre+

This article explains how to use AD FS to allow your users to sign in to Digital Theatre+

Pre-requisites

  1. You will need to know the Fully Qualified Domain Name (FQDN) of your AD FS Instance
  2. You will need to have the Metadata XML file for your organisation from Digital Theatre+. You can request this by completing Step 1 below.

Summary

  1. Provide your Single Sign On URL and Federation Metadata XML file to Digital Theatre+
  2. Create a Relying Party Trust and Claim Issuance Policy
  3. Retrieve the Encryption certificate used for validating SAML responses
  4. Send details to our support team and, once confirmed
  5. Perform testing of authentication, video playback and search results

Step 1 - Retrieve your Endpoint URLs

Retrieve the Single Sign On URL

  1. Open the AD FS Management tool

    Image for post
  2. Expand the “Service” folder and click Endpoints

    Image for post
  3. The Single Sign On URL path is in the “Token Issuance” section of the Endpoints list.  This value will be “/adfs/ls”, which is appended to the end of your FQDN to construct your Single Sign On URL. E.g. https://sso.digitaltheatreplus.com/adfs/ls

Retrieve your Federation Metadata

  1. The Metadata URL path is in the Metadata section. This value will be “/FederationMetadata/2007–06/FederationMetadata.xml”, which you can append to the end of your FQDN to access your Metadata URL. E.g. https://my-fully-qualified-domain-name.com/FederationMetadata/2007–06/FederationMetadata.xml

    Screenshot 2021-02-08 at 17.53.07
  2. Enter the Metadata URL into your web browser, and save the XML file locally

Send this information to Digital Theatre+ by replying to the support email thread, or if you have not started the process, open a new request via https://sso.digitaltheatreplus.com.  Digital Theatre+ will then provide you with a Metadata XML file for use in the following step.

    Step 2 - Create a relying party trust

    1. Select the Relying Party Trusts folder within the ADFS Management Tool
    2. Select Add Relying Party Trust... from the actions menu

      Screenshot 2021-02-08 at 18.13.47
    3. In the Add Relying Party Trust Wizard select Claims aware and click Start

      Screenshot 2021-02-08 at 18.16.29
    4. Select Import data about the relying party from a file; select the metadata.xml file provided to you by Digital Theatre+, then click Next

      Screenshot 2021-02-08 at 18.17.54
    5. Enter a recognisable Display name. For example: Digital Theatre+.  Click Next

      Screenshot 2021-02-08 at 18.20.50
    6. Select an appropriate access control policy.  If in doubt, select Permit everyone. Click Next

      Screenshot 2021-02-08 at 18.22.10
    7. Confirm the relying party trust configuration and click Next

      Screenshot 2021-02-08 at 18.23.17
    8. Click Finish

    Add a Claim Issuance Policy

      1. Select the Relying Party Trusts folder in the AD FS Management tool
      2. Select the Digital Theatre+ Relying Party Trust you configured above
      3. Select Edit Claim Issuance Policy... from the actions menu
      4. Select Add Rule...

        Screenshot 2021-02-08 at 18.29.57
      5. Select the Send LDAP Attributes as Claims rule template, click Next

        Screenshot 2021-02-08 at 18.30.37
      6. Enter a recognisable name for the rule, e.g. Map Email Addresses to Email Address
      7. Select Active Directory as the Attribute Store
      8. Select E-Mail-Addresses as the LDAP Attribute and E-Mail Address as the Outgoing Claim Type

        Screenshot 2021-02-08 at 18.32.22
      9. Click Finish
      10. Select Add Rule... again
      11. Select the Transform an Incoming Claim rule template and click Next

        Screenshot 2021-02-08 at 18.35.19
      12. Enter a recognisable name for the rule, e.g. Transform email address as NameID
      13. Select E-Mail Address as the Incoming claim type
      14. Select Name ID as the Outgoing claim type
      15. Select Email as the Outgoing name ID format
      16. Select Pass through all claim values, and click Finish

        Screenshot 2021-02-08 at 18.39.43
      17. Click OK to close the Claim Issuance Policy editor

      Step 3 - Retrieve the Encryption certificate

      1. Select the Relying Party Trusts folder in the AD FS Management tool
      2. Right-click the Digital Theatre+ Relying Party Trust you configured above and select Properties

        Screenshot 2021-02-08 at 18.44.26
      3. Go to the Encryption tab and click View...

        Screenshot 2021-02-08 at 18.45.30
      4. Go to the Details tab and click Copy to File...

        Screenshot 2021-02-08 at 18.47.27
      5. Once the Certificate Export Wizard has started, click Next
        Screenshot 2021-02-08 at 18.48.31
      6. Select Base-64 encoded X.509 (.CER) as the file format, and click Next
      7. Export the file to a location you can access; you will need to email this file to Digital Theatre+.

      Step 4 - Send your configuration to our support team

      Send the following information via: https://sso.digitaltheatreplus.com

      1. Your Single Sign On URL
      2. Your Federation Metadata XML file
      3. Your Encryption certificate
      4. Confirmation that the Relying Party Trust and Claims Issuance Policy have been configured as described above
      5. Confirmation of the email domain used by your users to login

      Step 5 - Test the configuration

      On receipt of the above information, our support team will configure the Digital Theatre+ service using your configuration information.

      Once complete, our support team will contact you and request you test that you can sign in using your AD FS SAML Provider.

      Recommended testing procedure:

      1. Browse to https://edu.digitaltheatreplus.com/
      2. Click Sign In
      3. Authenticate to your organisation's AD FS system
      4. You should be logged into Digital Theatre+
      5. (Optional) Go to the Table of Contents, select a Production and confirm video playback works
      6. (Optional) Use the Search Digital Theatre+ form field to search for content - for example "Hamlet" and confirm search results are returned
      7. (Optional) Confirm that your email address is displayed in the top-right, click on this and confirm the organisation name displayed in the User Information Panel is correct.