This page hosts our write-up/documentation for your Brands' IT teams to reference when they are setting up your SSO IDP (Identity Provider) to integrate with PhotoShelter.
Article Contents:
To get started, please provide your IdP metadata and login page customization preferences to: techsupport@photoshelterbrands.com. With this in hand, our Support team can configure SSO in the backend of your PhotoShelter Brands account using the IdP metadata and the customization options provided.
Setup Process:
In order to support SSO for our new Lumen Portal and the classic portal UI, you need to create two SP apps/entries for PhotoShelter in your IDP:
-
(Classic Portal) Your IT team imports our SP metadata, which is located at https://LABEL.photoshelter.com/sso/SAML2/METADATA.
-
(Lumen Portal) Your IT team imports our SP metadata, which is located at https://LABEL.photoshelter.site/sso/SAML2/METADATA
- Please ensure that the Entity ID and signing certificate within the additional SP are identical for the Classic (photoshelter.com) and Lumen Portal (photoshelter.site) configurations.
-
Our Technical Support team will configure SSO for your PhotoShelter account using the IdP metadata your team sends to us at techsupport@photoshelterbrands.com (XML or CRT format preferred).
The “label” is referring to your PhotoShelter side address, found in “My Website Address” under your PhotoShelter for Brands admin menu. For example, if your PhotoShelter Brands Portal URL is https://lakesideuniversity.photoshelter.com, then your label would is “lakesideuniversity”. Therefore, your metadata would be here: https://lakesideuniversity.photoshelter.com/sso/SAML2/METADATA .
...and you should configure your SAML2 SP URL as https://lakesideuniversity.photoshelter.com/sso/SAML2/ACS/POST (for the Classic Portal).
If you do not know your organization’s PhotoShelter Brands Portal label, please contact your PhotoShelter Brands Admin, or the PhotoShelter Brands Client Services Team who can provide that information.
Technical Info
The SAML2 Assertion Consumer Service endpoint is responsible for the validation of an incoming assertion using the common HTTP profile (SAML2/ACS/POST with SAMLResponse and optional RelayState variables).
Your Brands' IT team needs to set SAML2 service provider (SP) URL as:
- (Classic Portal) https://{label}.photoshelter.com/sso/SAML2/ACS/POST with the entityID as https://{label}.photoshelter.com/sso/SAML2.
- (Lumen Portal) https://{label}.photoshelter.site/sso/SAML2/ACS/POST with the entityID as https://{label}.photoshelter.site/sso/SAML2.
Transport requirements:
- HTTP POST to https://{label}.photoshelter.com/sso/SAML2/ACS/POST
- base64 encoded variable SAMLResponse (URL encoded by HTTP POST)
- base64 encoded variable RelayState (optional and URL encoded by HTTP POST)
SAML2 XML assertion requirements:
- Signed, unencrypted and able to be validated by provided client X.509 certificate (base64 encoded DER)
- IDP entityId as Issuer (provided by client)
- SP entityId as Audience in the form of https://{label}.photoshelter.com/sso/SAML2
-
Attributes specifying email, first name, and last name in one of the following formats:
- urn:oid:0.9.2342.19200300.100.1.3 (mail) or urn:oid:1.3.6.1.4.1.5923.1.1.1.6
- (eduPersonPrincipalName), urn:oid:2.5.4.42 (givenName), and urn:oid:2.5.4.4 (sn).
* If both urn:oid:0.9.2342.19200300.100.1.3 (mail) and urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (eduPersonPrincipalName) attributes are sent over, the urn:oid:0.9.2342.19200300.100.1.3 (mail) will take priority over urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (eduPersonPrincipalName). So if you want to use eduPersonPrincipalName, only map that as the email attribute.
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress,
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname,
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- email, first_name, and last_name
Optional attributes specifying group in one of the following formats:
- group
- urn:oid:2.5.16
- http://schemas.xmlsoap.org/claims/Group
- eduPersonScopedAffiliation
- urn:oid:1.3.6.1.4.1.5923.1.1.1.9
SAML2 XML assertion validation test requirements:
- HTTP POST to https://{label}.photoshelter.com/sso/SAML2/TEST/POST
- base64 encoded DER X.509 certificate variable CERT
- IDP entityId variable IDPID
- enforces Transport requirements using HTTPS POST replacement
- enforces SAML2 XML assertion requirements using CERT and IDPID replacements
SAML2 SP Initiated Authentication Request:
- provide SingleSignOnService HTTP Redirect binding
- HTTP GET https://{label}.photoshelter.com/sso/SAML2/AUTH
PhotoShelter SP Metadata Request:
- HTTP GET https://{label}.photoshelter.com/sso/SAML2/METADATA
SAML2 HTTP Workflow for PhotoShelter Brands:
- Client server offers login form
- User submits credentials to login form
- On success, respond with an HTML page containing a form that auto-submits on page load:
<form action=’https://{label}.photoshelter.com/sso/SAML2/ACS/POST’ method=post>
<input type=’hidden’ name=’SAMLResponse’ value=’{base64 encoded XML assertion}’> </form>
When testing, submit the form to the test endpoint instead, along with CERT and IDPID:
<form action=’https://{label}.photoshelter.com/sso/SAML2/TEST/POST’ method=post>
<input type=’hidden’ name=’SAMLResponse’ value=’{base64 encoded XML assertion}’> <input type=’hidden’ name=’CERT’ value=’{base64 encoded DER X.509 certificate}’> <input type=’hidden’ name=’IDPID’ value=’{IDP entityId}’> </form>
4. PhotoShelter SAML2 gateway attempts to validate the assertion and handles error/success.
In order to activate SAML2 ACS support, the client must provide PhotoShelter with their respective SAML2 metadata, which includes the X.509 certificate, entityID, and SingleSignOnService HTTP-Redirect binding. The SAML2 assertion validation test endpoint will always be active.
Login Page Customization Options (applies to Classic Portal)
There are a few options for customizing your PhotoShelter Brands Portal’s SSO login and public login pages:
- SSO login page:
- Organization name
- SSO login button text “Public Login” hyperlink text
*If you tell the PhotoShelter Brands team to enable restricted domains, users attempting to log in with a restricted email domain will be directed to use the SSO login instead, so that they’re properly funneled through the SSO process
SSO Permissions
Once users log into the client’s PhotoShelter Brands Portal via SSO, they’re automatically placed in a specific contact group. You have has the option of defining the name of this group - just let us know! If no preference is given, the name "All SSO Users" will be used. With this user group, everyone logging in with SSO automatic permission to view and/or download files:
Sharing & Permissions in Lumen
Please note that SSO is a one way sync of contacts into the Invited Users List. When a user authenticates through SSO in your portal, they are added to your Invited Users list in your account with the corresponding user information from the AD. When a user is removed from the AD, the account will still exist in PhotoShelter but the user will no longer be able to authenticate with SSO. We recommend removing users from collection/gallery permissions or any Invited User groups they were once part of as well.