ADFS – OpenID Connect Configuration

Create a new application group in ADFS with the following configuration:

Standalone application > Server application

Set a name that identifies your application.

Hit next and copy the client identifier to a notepad; you will need it later.

The redirect URI is the local server URI you will use when testing your application from Visual Studio.

You can use https://localhost:44320 or any other local port for the tests.

The redirect URI is where the client is sent after the account authorization succeeds.

Hit next, select the shared secret option and copy the generated secret.

Click Add application > Web API

Set a name and create a URI identifier.

The URI identifier, or relying party identifier, is either a network address (a URL) or a URN (a configuration object identifier).

In this case we use https://domain.com/identifier/myapp, which is a URL.

This identifier identifies the relying party to the Federation Service and is used when issuing claims to that relying party.

For the client permissions, we specify: allatclaims, openid and user_impersonation.

The issuance transform rules are set to issue the UPN as a claim, together with the Active Directory security groups the user belongs to.

These claims are used when the user tries to authenticate against the relying party identifier.

The UPN is expected to be received in Active Directory format (User-Principal-Name) and is issued to the API as a claim of type UPN.

The remaining SG-group rules check whether the user is part of a given group.

Within Active Directory, the user is checked for membership of the mydomain\sg-ActiveDirectory group; if the user is a member, a claim with the value sg-ActiveDirectory is issued to the API.
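The same configuration, scripted. This is an added example and not part of the original post: it creates the application group, the server application, the Web API, the client permissions and the two issuance transform rules described above with the AD FS 2016 PowerShell cmdlets, so the result can be reviewed and reproduced instead of clicked through. The group name "MyApp", the federation server, the environment variable and the group SID lookup are assumptions; the redirect URI, the relying party identifier, the scopes and the group name come from the post.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on an AD FS 2016 server that is joined to the domain.

$groupName     = 'MyApp'                                # assumed application group name
$redirectUri   = 'https://localhost:44320'              # local test URI from the post
$apiIdentifier = 'https://domain.com/identifier/myapp'  # relying party identifier from the post

# The group rule matches on SID, so resolve mydomain\sg-ActiveDirectory to its SID
# (domain and group name are the ones named in the post).
$groupSid = (New-Object System.Security.Principal.NTAccount('mydomain', 'sg-ActiveDirectory')).
    Translate([System.Security.Principal.SecurityIdentifier]).Value

# Client id and a 256-bit secret from a cryptographic RNG; the secret is shown only here.
$clientId = [guid]::NewGuid().ToString()
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$clientSecret = [Convert]::ToBase64String($bytes)

# 1. Application group
New-AdfsApplicationGroup -Name $groupName -ApplicationGroupIdentifier $groupName

# 2. Server application: the confidential OpenID Connect client
Add-AdfsServerApplication -Name "$groupName - Server application" `
    -ApplicationGroupIdentifier $groupName `
    -Identifier $clientId `
    -RedirectUri $redirectUri `
    -ClientSecret $clientSecret

# 3. Web API: the relying party, identified by the URI from the post.
#    "Permit everyone" is the access control policy the wizard applies by default.
Add-AdfsWebApiApplication -Name "$groupName - Web API" `
    -ApplicationGroupIdentifier $groupName `
    -Identifier $apiIdentifier `
    -AccessControlPolicyName 'Permit everyone'

# 4. Client permissions: the three scopes from the post
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $apiIdentifier `
    -ScopeNames @('openid', 'allatclaims', 'user_impersonation')

# 5. Issuance transform rules, written as the two GUI templates generate them:
#    "Send LDAP Attributes as Claims" (User-Principal-Name -> UPN) and
#    "Send Group Membership as a Claim" (sg-ActiveDirectory -> Group claim).
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "sg-ActiveDirectory membership"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "sg-ActiveDirectory", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

Set-AdfsWebApiApplication -TargetIdentifier $apiIdentifier -IssuanceTransformRules $rules

# Hand the client id to the developer; store the secret in a vault, not in chat or e-mail.
"Client identifier: $clientId"
```

Keeping the rules in a script makes the exact SID and claim types visible in source control, which is what you want to review when someone later asks which group grants access to the API.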

# Allow seamless (Windows Integrated) sign-in for additional browsers on AD FS 2016.
# Note that "Mozilla/5.0" matches the user agent string of almost every modern browser.
Set-AdfsProperties -WIASupportedUserAgents ((Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents) + "Chrome" + "Mozilla/5.0" + "Edge/12")

Source: https://itrambling.wordpress.com/2017/08/18/windows-server-2016-adfs-sso-with-chrome-firefox-and-other-user-agents/
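To confirm that the claim rules above actually reach the API, the following added example (not from the original post) walks the authorization code flow against AD FS from a PowerShell prompt and inspects the access token for the upn and group claims. The federation service host name, client identifier, secret and the MYAPP_ prefixed names are placeholders; the redirect URI, scopes and relying party identifier are the ones configured above.

```powershell
# Added example (not from the original post). Placeholders must be replaced
# with the values copied from the application group wizard.

$adfs          = 'https://adfs.domain.com'                 # PLACEHOLDER: federation service
$clientId      = '<client identifier copied from the wizard>'
$clientSecret  = '<shared secret copied from the wizard>'
$redirectUri   = 'https://localhost:44320'
$apiIdentifier = 'https://domain.com/identifier/myapp'

# Step 1: build the authorize URL. 'state' is random and must match on the
# way back so a response cannot be replayed into a different session.
$state = [guid]::NewGuid().ToString()
$authorizeUrl = "$adfs/adfs/oauth2/authorize?" + (@(
    "client_id=$clientId"
    "response_type=code"
    "redirect_uri=$([uri]::EscapeDataString($redirectUri))"
    "resource=$([uri]::EscapeDataString($apiIdentifier))"
    "scope=$([uri]::EscapeDataString('openid allatclaims'))"
    "state=$state"
) -join '&')
"Sign in at: $authorizeUrl"

# Step 2: AD FS redirects to $redirectUri?code=...&state=... ; exchange the code
# server-side, so the client secret never reaches the browser.
$code          = Read-Host 'Paste the "code" query parameter from the redirect'
$returnedState = Read-Host 'Paste the "state" query parameter from the redirect'
if ($returnedState -ne $state) { throw 'state mismatch: response does not belong to this request' }

$tokens = Invoke-RestMethod -Method Post -Uri "$adfs/adfs/oauth2/token" -Body @{
    grant_type    = 'authorization_code'
    client_id     = $clientId
    client_secret = $clientSecret
    redirect_uri  = $redirectUri
    code          = $code
}

# Step 3: decode the access token payload (base64url JSON). This only reads the
# claims for inspection; the Web API must verify the signature against the
# keys published at $adfs/adfs/discovery/keys before trusting any of them.
function ConvertFrom-JwtPayload([string]$Jwt) {
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}
$claims = ConvertFrom-JwtPayload $tokens.access_token

# Step 4: the checks the relying party depends on. aud must be the Web API
# identifier; iss should equal the Federation Service identifier shown by
# (Get-AdfsProperties).Identifier.
if ($claims.aud -ne $apiIdentifier) { throw "Token audience '$($claims.aud)' is not the Web API identifier" }
"Issuer     : $($claims.iss)"
"UPN claim  : $($claims.upn)"
"Group claim: $($claims.group -join ', ')"
```

If the group claim is missing for a user who is in sg-ActiveDirectory, the usual causes are a wrong SID in the rule or the allatclaims scope not being granted to the client, both of which are visible in the configuration above.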

Register the application in Azure

Select Azure Active Directory

Click App Registration

New App Registration

    • Once created, click Settings > Required permissions
    • Add Microsoft Graph
      • Select Read directory data (Directory.Read.All)
      • Select Read all users' full profiles (User.Read.All)
      • Click Grant permissions and go back
    • Click Keys, generate one and copy it
    • Provide the developer with the necessary information: the Application ID, the password set for the key and the TenantID of the directory.
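What the developer does with those three values, as an added example that is not part of the original post: request an application token with the client credentials grant and call Microsoft Graph with it. Because this is application (not delegated) access, the Directory.Read.All and User.Read.All permissions only work once "Grant permissions" has been clicked by an administrator. The tenant id, application id and the MYAPP_CLIENT_SECRET environment variable are placeholders.

```powershell
# Added example (not from the original post). Tenant id and application id are
# the values handed over by the admin; the key is read from the environment so
# it never sits in the script or in source control.

$tenantId     = '<TenantID of the directory>'     # PLACEHOLDER
$appId        = '<Application ID>'                # PLACEHOLDER
$clientSecret = $env:MYAPP_CLIENT_SECRET          # assumed variable holding the key
if (-not $clientSecret) { throw 'MYAPP_CLIENT_SECRET is not set' }

# Client credentials grant: no user involved, the app authenticates as itself.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $appId
        client_secret = $clientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }

# Graph call covered by User.Read.All. $select keeps the response to the two
# attributes actually needed, which is also what an auditor will ask about.
$users = Invoke-RestMethod `
    -Uri 'https://graph.microsoft.com/v1.0/users?$select=userPrincipalName,displayName' `
    -Headers @{ Authorization = "Bearer $($token.access_token)" }

$users.value | Select-Object userPrincipalName, displayName
"Token valid for $($token.expires_in) seconds"
```

A 403 from Graph after a successful token request almost always means the permissions were added but never consented; a 401 from the token endpoint means the key or application id is wrong.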

References:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/enabling-openid-connect-with-ad-fs

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-scenarios-for-developers
