Wednesday, February 26, 2014

Single-Sign On (SSO) Integration for Canto Cumulus

One of our enterprise clients required single sign-on (SSO) for all internal users accessing Canto Cumulus hosted in an Amazon virtual private cloud (VPC), since they do not allow any incoming or outgoing LDAP traffic to and from the WAN. The goal was to provide immediate access once internal users are initially authenticated on their respective Windows workstations (“keys to the castle”). The problem we faced is that Canto does not provide an SSO connector yet … thus, such an integration had to be specifically developed.

We decided to use PingOne acting as the SAML service provider endpoint. The following diagram illustrates the complete integration that now allows our customers to simply click on a button or link in their intranet and immediately be connected to either Canto Cumulus Sites or Canto Cumulus Web Client without having to log in again.



This SSO integration validates the user details twice, once on the customer side and a second time between Cumulus/AWS and PingOne. Furthermore, it still allows all other regular Cumulus authentication options to be used in parallel, including built-in users and AD-authenticated users: the custom SSO Authenticator module is simply added as another Cumulus authentication module and does not replace the existing ones. This gives customers a lot of flexibility to create mixed authentication scenarios. In fact, our particular customer uses all three authentication options:

1. Internal users connect via SSO

2. External agencies (not pictured in the diagram) connect via an AWS-hosted AD

3. Certain technical Cumulus users (like RoboFlow) connect as built-in users

So how does this SSO integration work?

1. A SAML token generated by our client’s federated service includes a re-direct URL.

2. Upon authentication completion, the return token (incl. all user metadata needed to verify the SAML token) is re-directed to the respective Cumulus web interface.

3. This data is transferred to the Cumulus Web Server as part of the login data.

4. The Cumulus Web Server connects to the PingOne server to verify the token.

5. Once verified, PingOne returns a SAML token with details (valid/not valid).

6. The Cumulus Web Server does a “Connect to Cumulus App Server” and posts an XML/JSON structure that the Cumulus App Server parses to authorize the user.

7. The Cumulus Server assigns user metadata and matches groups with roles based on the posted XML/JSON.
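Steps 5 to 7 hinge on the App Server honouring only what PingOne actually verified and granting roles strictly from a configured group table. The following Python function is an added example (not Nextware’s or Canto’s authenticator code); the JSON layout ("verification"/"user" keys, the not_on_or_after expiry field) and the group-to-role table are assumptions, since the post does not publish the posted structure.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Assumed mapping from federation/AD group names to Cumulus roles.
# Both sides are deployment-specific; these names are placeholders.
GROUP_TO_ROLE = {
    "DAM-Marketing": "Editor",
    "DAM-Agencies": "Uploader",
    "DAM-Admins": "Administrator",
}

def authorize(posted_json: str, now: Optional[datetime] = None) -> dict:
    """Authorize a user from the structure the Web Server posts (assumed layout:
    PingOne's result under "verification", attributes under "user"). Only a token
    PingOne reported valid and still within its validity window is honoured, and
    roles come solely from the configured group table (deny by default).
    """
    now = now or datetime.now(timezone.utc)
    try:
        payload = json.loads(posted_json)
    except ValueError:
        payload = None
    if not isinstance(payload, dict):
        return {"ok": False, "reason": "malformed JSON"}
    verification = payload.get("verification") or {}
    if verification.get("status") != "valid":
        return {"ok": False, "reason": "token not verified by PingOne"}
    try:  # "not_on_or_after" is an assumed ISO-8601 expiry field
        if datetime.fromisoformat(verification["not_on_or_after"]) <= now:
            return {"ok": False, "reason": "token expired"}
    except (KeyError, ValueError, TypeError):
        return {"ok": False, "reason": "missing or unreadable expiry"}
    user = payload.get("user") or {}
    if not user.get("name"):
        return {"ok": False, "reason": "no user name in verified token"}
    roles = sorted({GROUP_TO_ROLE[g] for g in user.get("groups", []) if g in GROUP_TO_ROLE})
    if not roles:
        return {"ok": False, "reason": "no group maps to a Cumulus role"}
    return {"ok": True, "user": user["name"], "email": user.get("email"), "roles": roles}

# Constructed sample payloads (not captured from a real deployment).
_EXPIRY = "2099-01-01T00:00:00+00:00"
SAMPLE_VALID = json.dumps({"verification": {"status": "valid", "not_on_or_after": _EXPIRY},
    "user": {"name": "jdoe", "email": "jdoe@example.com", "groups": ["DAM-Marketing", "DAM-Agencies", "Finance"]}})
SAMPLE_REJECTED = json.dumps({"verification": {"status": "invalid", "not_on_or_after": _EXPIRY},
    "user": {"name": "jdoe", "groups": ["DAM-Admins"]}})
SAMPLE_UNMAPPED = json.dumps({"verification": {"status": "valid", "not_on_or_after": _EXPIRY},
    "user": {"name": "contractor", "groups": ["Finance"]}})
```

Groups that do not appear in the table (such as "Finance" above) are silently ignored, so a user with no mapped group gets no access rather than a default role.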

This required only a few integration parts, which can easily be carried over to any future release of Cumulus:

1. A Cumulus Web Server “Token Handling Customization” that triggers a “Connect to Cumulus App Server” with PingOne’s SAML token handling.

2. A Cumulus App Server “Authenticator Customization” that understands the XML/JSON structure posted by the Cumulus Web Server.

This integration is extremely flexible and can be adapted to fit additional requirements. If you are interested in this or other DAM customizations and/or integrations, please get in touch with Nextware Professional Services at contact@nextwaretech.com today.

Tuesday, February 11, 2014

Automated Agency Upload WorkFlow


Uploading large sets of data over HTTP/HTTPS to your web-based DAM system can pose a couple of challenges:

1. Lack of support for large uploads.

2. Folder structures are not maintained.

3. They can be cumbersome and time-consuming, as files might have to be dragged into an upload dialog one by one.

4. Certain file formats might not be supported.

5. Interrupted uploads have to be restarted from the beginning, and it might not be clear which files have already been uploaded.

6. Detailed upload reports might not be available for later analysis.

7. Upload dialogs written in Flash or Java might not be supported in all browsers and/or on all platforms or devices.

One of our recent customers was faced with the following challenges:

· Multiple external agencies spread all over the U.S. and Canada provide the content for our customer’s marketing operations (packaged InDesign projects and output PDFs).

· Complex folder structures have to be maintained during uploads.

· Uploaded projects can routinely be more than 2 GB in size.

· Uploaded projects need to be auto-cataloged into the DAM system without agency users having the ability/permission to catalog.

· Folder structures need to be mirrored into the taxonomy’s category tree.

· Detailed reporting and notification on uploads is required.

· Access to the system is restricted to HTTPS/443 and SFTP/22.

· All access has to be controlled centrally through a dedicated Active Directory.

· The solution has to be 100% cloud-based.

· Agencies need to be able to provide project-specific, custom metadata through a web-based interface.

Based on these needs and built around Canto Cumulus, Nextware implemented an automated upload workflow solution using WS_FTP Corporate Server, one of the leading FTP server solutions, together with Canto’s “RoboFlow” add-on. Our customer can now ask their agencies’ users to simply upload their packaged projects and PDFs via an FTP client. In some cases, this may be all an agency user has to do. In addition, if required by our customer, agencies can also add custom metadata to their uploaded jobs.

In detail, their workflow looks as follows:


1. Designers create InDesign jobs, package and zip them, and combine them with the corresponding output PDFs into complex project folder structures. Often, one project can consist of 20 to 30 packaged InDesign jobs and 50-100 PDFs.

2. They then connect to the DAM system via FTP. Access is controlled via an Active Directory. These users are maintained by administrators on our customer’s team, so that agency users can be added, deactivated or even deleted at any time.

3. Server-side, WS_FTP organizes the uploaded projects into subfolders for each user inside a DropBox folder. The projects’ subfolder structure is maintained at all times.

4. Canto RoboFlow monitors this DropBox at a 1-minute interval. New projects are automatically moved into the Cumulus Vault (the central asset repository) server-side. At the same time, RoboFlow creates corresponding record entries in the respective catalog and reflects the folder and subfolder structure in the category tree. No user interaction whatsoever is required.

5. From that point on, either the uploading users at the external agency or the marketing users on the customer side can log into Cumulus via Web Client and further categorize and tag the projects’ records. User access is controlled through the same Active Directory as the FTP access. In other words: agency users use one and the same user name and password for all system access.

6. Furthermore, our customer’s marketing users can approve or reject projects, delete them, find existing projects based on custom metadata searches, download partial or complete projects, or share them via URL.
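As an added illustration of step 4 (this is example code, not RoboFlow, which is a Canto product), the Python polling pass below shows the two properties the workflow relies on: a file is only picked up once it has stopped growing between two passes, so an interrupted upload is never half-cataloged, and the category path is derived from the per-user folder structure while anything resolving outside the DropBox is skipped. The DropBox layout and the sample files are constructed for the example.

```python
import os
import tempfile
from typing import Dict, List, Tuple

def scan_dropbox(root: str, previous_sizes: Dict[str, int]) -> Tuple[List[dict], Dict[str, int]]:
    """One polling pass over the per-user DropBox. Returns (ready, sizes): files
    whose size is unchanged since the previous pass, each with its owning user
    folder and the category path derived from its folder structure, plus the
    size snapshot for the next pass. First-time or still-growing files are
    deferred, so a partial upload is never cataloged; paths outside root are skipped.
    """
    root = os.path.realpath(root)
    sizes: Dict[str, int] = {}
    ready: List[dict] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            real = os.path.realpath(os.path.join(dirpath, name))
            if os.path.commonpath([real, root]) != root:
                continue  # symlink pointing outside the DropBox
            size = os.path.getsize(real)
            sizes[real] = size
            if previous_sizes.get(real) != size:
                continue  # new or still being written: wait one more interval
            parts = os.path.relpath(real, root).split(os.sep)
            if len(parts) < 2:
                continue  # dropped directly into the root: no owning user folder
            ready.append({"user": parts[0], "categories": parts[1:-1],
                          "file": parts[-1], "path": real})
    return ready, sizes

def demo() -> Tuple[List[dict], List[dict]]:
    """Build a constructed sample DropBox in a temp dir and run two passes."""
    root = tempfile.mkdtemp(prefix="dropbox-")
    sample = {  # constructed tree: two agency users plus a stray file in the root
        "agencyA/SpringCampaign/InDesign/brochure.zip": b"x" * 10,
        "agencyA/SpringCampaign/PDFs/brochure.pdf": b"y" * 5,
        "agencyB/Catalog2014/catalog.pdf": b"z" * 7,
        "stray.txt": b"no owner",
    }
    for rel, data in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    first, sizes = scan_dropbox(root, {})  # everything is new: nothing ready yet
    with open(os.path.join(root, "agencyB", "Catalog2014", "catalog.pdf"), "ab") as fh:
        fh.write(b"more")  # simulate an upload that is still in progress
    second, _ = scan_dropbox(root, sizes)
    return first, second
```

In the demo the second pass returns only agencyA’s two finished files; agencyB’s PDF, which grew between passes, waits for the next interval.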


This workflow is extremely flexible and can be adapted to fit many other requirements. If you are interested in this or other DAM or workflow solutions, please get in touch with Nextware Professional Services at contact@nextwaretech.com today.

Sunday, February 9, 2014

Hosting Canto Cumulus in the Cloud


Most Canto Cumulus solutions are still hosted in-house for obvious reasons: better performance, tighter control over cost, data and infrastructure, and simply the fact that Cumulus, by design, is not a cloud solution. However, in 2013, a large corporate customer in the financial industry tasked Nextware with providing:

· a hosted and easily scalable DAM solution,

· based on Canto Cumulus,

· divided into database, asset and web servers for better load-balancing and security,

· with extremely stringent security, testing and backup requirements,

· without any customer-side server IT support or maintenance,

· to end users within and outside the organization,

· with zero customer-side footprint,

· and world-wide web-based access.

These requirements meant a new road traveled, away from typical Canto Cumulus installations. The logical choice was using Amazon Web Services (AWS), in particular the following services:

· Elastic Compute Cloud (EC2): resizable compute capacity in the cloud,

· Elastic Block Storage (EBS): persistent block storage for use with EC2 instances,

· Virtual Private Cloud (VPC): isolated, virtual networking environment, including private and public subnets,

· Simple Storage Service (S3): scalable, inexpensive backup storage,

· and Route 53: cloud domain name service.

Working with a project team based in Canada, the United States, India and Europe, Nextware fulfilled all these requirements. Six months later, after rigorous testing, our customer is now running a web-based DAM solution accessible only via secured ports 443 (HTTPS) and 22 (SFTP) with zero footprint on the customer side. Nextware maintains this solution 24/7 and provides technical support to all system users.

With this solution, the customer as well as external users, all controlled via Active Directory, can upload assets in batch via FTP. Server-side, Canto RoboFlow picks up new files, catalogs them and reflects the folder structure in the category tree. Users can access their catalogs and records via Cumulus Sites and Web Client. Web Client is used to categorize and tag assets, whereas Sites is used to find and download assets.

If necessary, customer-side admins can still use the Cumulus rich client within a locked-down remote desktop session. Nextware Professional Services realized such access through Remote Desktop Web Access and Remote Desktop Gateway Server.

The diagram below illustrates our highly simplified system architecture; all proprietary details have been removed.



If you are planning to migrate your existing DAM solution to the cloud or if you are interested in setting up a new, cloud-based DAM solution, get in touch with Nextware Professional Services at contact@nextwaretech.com today.