Configuring ADFS to authenticate to Digital Theatre+

This article explains how to use AD FS to allow your users to sign in to Digital Theatre+

Pre-requisites

1. You will need to know the Fully Qualified Domain Name (FQDN) of your AD FS Instance
2. You will need to have the Metadata XML file for your organisation from Digital Theatre+. You can request this by completing Step 1 below.

Summary

1. Provide your Single Sign On URL and Federation Metadata XML file to Digital Theatre+
2. Create a Relying Party Trust and Claim Issuance Policy
3. Retrieve the Encryption certificate used for validating SAML responses
4. Send details to our support team and, once confirmed
5. Perform testing of authentication, video playback and search results

Step 1 - Retrieve your Endpoint URLs

Retrieve the Single Sign On URL

1. Open the AD FS Management tool
   
   
2. Expand the “Service” folder and click Endpoints
   
   
3. The Single Sign On URL path is in the “Token Issuance” section of the Endpoints list.  This value will be “/adfs/ls”, which is appended to the end of your FQDN to construct your Single Sign On URL. E.g. https://sso.digitaltheatreplus.com/adfs/ls

Retrieve your Federation Metadata

1. The Metadata URL path is in the Metadata section. This value will be “/FederationMetadata/2007–06/FederationMetadata.xml”, which you can append to the end of your FQDN to access your Metadata URL. E.g. https://my-fully-qualified-domain-name.com/FederationMetadata/2007–06/FederationMetadata.xml
   
   
2. Enter the Metadata URL into your web browser, and save the XML file locally

Send this information to Digital Theatre+ by replying to the support email thread, or if you have not started the process, open a new request via https://sso.digitaltheatreplus.com.  Digital Theatre+ will then provide you with a Metadata XML file for use in the following step.

Step 2 - Create a relying party trust

1. Select the Relying Party Trusts folder within the ADFS Management Tool
2. Select Add Relying Party Trust... from the actions menu
   
   
3. In the Add Relying Party Trust Wizard select Claims aware and click Start
   
   
   
4. Select Import data about the relying party from a file; select the metadata.xml file provided to you by Digital Theatre+, then click Next
   
   
5. Enter a recognisable Display name. For example: Digital Theatre+.  Click Next
   
   
6. Select an appropriate access control policy.  If in doubt, select Permit everyone. Click Next
   
   
   
7. Confirm the relying party trust configuration and click Next
   
   
   
8. Click Finish

Add a Claim Issuance Policy

1. Select the Relying Party Trusts folder in the AD FS Management tool
2. Select the Digital Theatre+ Relying Party Trust you configured above
3. Select Edit Claim Issuance Policy... from the actions menu
4. Select Add Rule...
   
   
5. Select the Send LDAP Attributes as Claims rule template, click Next
   
   
6. Enter a recognisable name for the rule, e.g. Map Email Addresses to Email Address
7. Select Active Directory as the Attribute Store
8. Select E-Mail-Addresses as the LDAP Attribute and E-Mail Address as the Outgoing Claim Type
   
   
9. Click Finish
10. Select Add Rule... again
11. Select the Transform an Incoming Claim rule template and click Next
    
    
12. Enter a recognisable name for the rule, e.g. Transform email address as NameID
13. Select E-Mail Address as the Incoming claim type
14. Select Name ID as the Outgoing claim type
15. Select Email as the Outgoing name ID format
16. Select Pass through all claim values, and click Finish
    
    
17. Click OK to close the Claim Issuance Policy editor

Step 3 - Retrieve the Encryption certificate

1. Select the Relying Party Trusts folder in the AD FS Management tool
2. Right-click the Digital Theatre+ Relying Party Trust you configured above and select Properties
   
   
3. Go to the Encryption tab and click View...
   
   
4. Go to the Details tab and click Copy to File...
   
   
5. Once the Certificate Export Wizard has started, click Next
   
6. Select Base-64 encoded X.509 (.CER) as the file format, and click Next
7. Export the file to a location you can access; you will need to email this file to Digital Theatre+.

Step 4 - Send your configuration to our support team

Send the following information via: https://sso.digitaltheatreplus.com

1. Your Single Sign On URL
2. Your Federation Metadata XML file
3. Your Encryption certificate
4. Confirmation that the Relying Party Trust and Claims Issuance Policy have been configured as described above
5. Confirmation of the email domain used by your users to login

Step 5 - Test the configuration

On receipt of the above information, our support team will configure the Digital Theatre+ service using your configuration information.

Once complete, our support team will contact you and request you test that you can sign in using your AD FS SAML Provider.

Recommended testing procedure:

1. Browse to https://edu.digitaltheatreplus.com/
2. Click Sign In
3. Authenticate to your organisation's AD FS system
4. You should be logged into Digital Theatre+
5. (Optional) Go to the Table of Contents, select a Production and confirm video playback works
6. (Optional) Use the Search Digital Theatre+ form field to search for content - for example "Hamlet" and confirm search results are returned
7. (Optional) Confirm that your email address is displayed in the top-right, click on this and confirm the organisation name displayed in the User Information Panel is correct.