ADFS – OpenID Connect Configuration
Create a new application group in ADFS with the following configuration:
Standalone application > Server application
Set a name that identifies your application.
Hit Next and copy the client identifier to a notepad; you will need it later.
The redirect URI is the local server URI you will use to test your application from Visual Studio.
You can use https://localhost:44320 or any local port for the tests.
The redirect URI is where the client will be sent after the account authorization is successful.
Hit Next, select a shared secret and copy it.
Click Add application > Web API
Set a name and create a URI identifier.
The URI identifier (relying party identifier) is either a network address (URL) or a URN (a configuration object).
In this case we choose to use https://domain.com/identifier/myapp, which is a URL.
This identifier identifies the relying party to the Federation Service and is used when issuing claims to the relying party.
For the client permissions, we specify: allatclaims, openid and user_impersonation.
The issuance transform rules are set to issue the UPN as a claim and also the Active Directory security groups the user belongs to.
Those are the claims that will be used when the user tries to authenticate against the relying party identifier.
The UPN is expected to be received in an Active Directory format (User-Principal-Name) and issued to the API as a claim in UPN format.
The rest of the SG-group rules validate whether the user is part of a certain group.
Within Active Directory, the user is validated as a member of the mydomain\sg-ActiveDirectory group, and a claim with the value sg-ActiveDirectory is issued to the API.
# Allow seamless sign-in (Windows Integrated Authentication) for ADFS 2016 by adding browser user agents to the WIA list
# Note: "Mozilla/5.0" is the prefix of nearly every browser user agent, so WIA will be attempted for all of them
Set-AdfsProperties -WIASupportedUserAgents ((Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents) + "Chrome" + "Mozilla/5.0" + "Edge/12")
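The ADFS steps above can also be scripted with the ADFS PowerShell module on the federation server, which is easier to review and repeat than the wizard. The following is an added example, not code from the original page: it uses the redirect URI, relying party identifier, scopes and group name given in the text, and assumes an application group called MyApp, an ADFS host name adfs.domain.com, a placeholder SID that must be replaced with the SID of mydomain\sg-ActiveDirectory, and the role claim type as the outgoing type for the group claim (the page does not name one).

```powershell
# Added example: scripted equivalent of the ADFS configuration described above (not from the original page).
# Run in an elevated PowerShell session on the ADFS 2016 server.
# Assumptions: application group "MyApp", ADFS host "adfs.domain.com", placeholder group SID.

$groupName   = "MyApp"
$redirectUri = "https://localhost:44320"                    # local Visual Studio test URI from the text
$apiId       = "https://domain.com/identifier/myapp"         # relying party identifier from the text
$groupSid    = "S-1-5-21-REPLACE-WITH-SID-OF-sg-ActiveDirectory"   # placeholder, e.g. (Get-ADGroup sg-ActiveDirectory).SID.Value

# Issuance transform rules in ADFS claim rule language:
#  1. look up userPrincipalName in Active Directory for the authenticated account and issue it as a UPN claim
#  2. if the user's token carries the SID of sg-ActiveDirectory, issue a role claim with that value
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "sg-ActiveDirectory membership"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "sg-ActiveDirectory", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Standalone application group with a server application (confidential client)
New-AdfsApplicationGroup -Name $groupName -ApplicationGroupIdentifier $groupName

$server = Add-AdfsServerApplication -Name "$groupName - Server application" `
    -ApplicationGroupIdentifier $groupName `
    -RedirectUri $redirectUri `
    -GenerateClientSecret
# $server.Identifier is the client identifier and $server.ClientSecret the shared secret.
# Hand both to the developer now: the secret cannot be read back from ADFS later.

# Web API (relying party) that receives the claims issued by the rules above
Add-AdfsWebApiApplication -Name "$groupName - Web API" `
    -ApplicationGroupIdentifier $groupName `
    -Identifier $apiId `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName "Permit everyone"

# Client permissions: the three scopes listed in the text
Grant-AdfsApplicationPermission -ClientRoleIdentifier $server.Identifier `
    -ServerRoleIdentifier $apiId `
    -ScopeNames "openid", "allatclaims", "user_impersonation"

# Check: the OpenID Connect discovery document is served and names the endpoints the client will use
$metadata = Invoke-RestMethod -Uri "https://adfs.domain.com/adfs/.well-known/openid-configuration"
$metadata.issuer
$metadata.authorization_endpoint
$metadata.token_endpoint
```

The group rule matches on the group SID rather than the group name, which is what the "Send Group Membership as a Claim" template generates; renaming the group in Active Directory therefore does not silently break the rule, while deleting and recreating it does, because the new group gets a new SID.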
Register the application in Azure
Select Azure Active Directory
Click App Registration
New App Registration
- Application name = Myapp
- Application type = Web API
- Sign-on URL: set https://domain.com/identifier/myapp for the time being; this might change later
- Once created click on Settings > Required Permissions
- Add Microsoft Graph
- Select Read Directory Data (Directory.Read.All)
- Select Read all users’ full profiles (User.Read.All)
- Click Grant permissions and go back
- Click Keys, generate one and copy it
- Provide the necessary information to the developer (Application ID, the password set for the key and the Tenant ID of the directory).
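The portal steps above can be performed with the Microsoft Graph PowerShell SDK instead, which leaves a reviewable record of exactly which permissions were requested and consented to. This is an added example, not from the original page: the application name, URL and the two permission names come from the text; the use of the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph), the six-month key lifetime and the key display name are assumptions. The permission role IDs are resolved by name rather than hard-coded.

```powershell
# Added example: the Azure app registration steps above done with the Microsoft Graph PowerShell SDK
# (not from the original page). Requires an account allowed to register applications and grant admin consent.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

$graphAppId = "00000003-0000-0000-c000-000000000000"   # well-known appId of Microsoft Graph

# Resolve the two application permissions from the text to their app role IDs by name
$roleIds = foreach ($name in "Directory.Read.All", "User.Read.All") {
    (Find-MgGraphPermission -SearchString $name -PermissionType Application -ExactMatch).Id
}

# New App Registration: name Myapp, sign-on URL as given in the text, Microsoft Graph as required resource
$app = New-MgApplication -DisplayName "Myapp" `
    -Web @{ RedirectUris = @("https://domain.com/identifier/myapp") } `
    -RequiredResourceAccess @(@{
        ResourceAppId  = $graphAppId
        ResourceAccess = @($roleIds | ForEach-Object { @{ Id = $_; Type = "Role" } })
    })

# Service principal in this tenant, then tenant-wide consent for each role ("Grant permissions")
$sp      = New-MgServicePrincipal -AppId $app.AppId
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
foreach ($roleId in $roleIds) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $roleId | Out-Null
}

# "Keys": the secret value is returned only in this response, so store it in a vault, not in source control
$secret = Add-MgApplicationPassword -ApplicationId $app.Id `
    -PasswordCredential @{ DisplayName = "dev"; EndDateTime = (Get-Date).AddMonths(6) }   # assumed lifetime

# The three values the text says to give to the developer
[pscustomobject]@{
    ApplicationId = $app.AppId
    TenantId      = (Get-MgContext).TenantId
    ClientSecret  = $secret.SecretText
}
```

Directory.Read.All and User.Read.All are requested here as application permissions (Type = "Role"), which is what the key-based (client credentials) access described in the text needs; they apply to the whole directory, so the key should be treated as a tenant-wide read credential and rotated before the assumed expiry date.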