Introduction


Single sign-on with Active Directory can be set up for Imageshop bases or interfaces. The requirement for the integration is an ADFS server or identity providers with WS-FED support or Azure Active Directory for the organization integrating with Imageshop.

If group memberships for the user is forwarded to Imageshop (through AD FS or Azure AD), this can be used to give the user access to specific interfaces based on group membership. Default behavior is that all AD users are given access to the internal and public interface, and forwarded to the internal interface when accessing Imageshop.

If the user already exists in Imageshop when authenticating with Active Directory, the user access will remain the same as it was (no additional access will be given). This means that if an Imageshop Administrator changes the access or blocks a user in Imageshop, the user still has the changed access / blocked access after logging in.

This describes how to set up of the ADFS 2.0 server after it is installed and also briefly how Azure AD should be set up.


Option 1: Integration with ADFS or other identity providers with WS-FED support


  • Preferably public certificates should be used for token signing, token decryption and service communication, if Imageshop should be able to verify the certificate. Otherwise we will have to run without certificate validation or install the root certificate at the Imageshop server.
  • Send address of Federationmetadata to Screentek. Typically it is placed at https://hostname/federationmetadata/2007-06/federationmetadata.xml. Check if it is externally available before sending the address. Otherwise the xml can be sent directly to us (support@imageshop.no).
  • We will then send an XML file to you, so you can set up the relying party trust.
  • Relying party trust must have the following claims: Note that “Token-Groups” are not mandatory if Imageshop should not to filter access based on this.





  • Set the ADFS server in the intranet zone in Internet Explorer.
  • If auto sign on doesn’t work locally, setspn -S http/<adfs server url> <computer name> might fix it depending on which user the AD FS services run as.



Option 2: Azure AD setup


Imageshop has to be added with correct url in the format *.imageshop.no. Usually <organization>ansatt.imageshop.no or similar is used, but this must be agreed uplong. Imageshop needs the metadatafile for setup in Imageshop.


In this example we are using sceentek.imageshop.no as AD url. First you need to verify your domain, by adding it as a custom domain:



The txt settings has to be sent to Imageshop so that we can enter it into our DNS for verification.


Go to Azure Active Directory, and create a new registration for your domain:







See below for further settings. Replace all occurrences of  screentek.imageshop.no in the screenshots below with your own domain for connecting with Imageshop provided by us.




In the end, Screentek needs the federationmetadata url for the integrasjon to be able to connect. Send this to your contact person: