Integration

Configuring ADFS with OIDC Support

Active Directory Federation Services (ADFS) provides enterprise-level identity and authentication services, including support for OAuth2 and OpenID Connect (OIDC) authentication flows. 

This document outlines the step-by-step process to create and configure an ADFS Application Group that supports the Authorization Code flow. Additionally, it covers user creation, application group setup, and application server configuration.

Prerequisites

  1. Access to an ADFS server.
  2. Administrative rights to manage Active Directory (AD) and ADFS.
  3. Access to the OvalEdge application server.
  4. Knowledge of the OvalEdge domain name.

Steps to Configure ADFS with OIDC Support

Step#1: User Creation in Active Directory

  1. Log in to the ADFS Server:
    • Open the Windows search bar, type "Active Directory Users and Computers," and launch the application
  2. Create a New User: 
    • Navigate to the "Users" section.
    • Right-click and select "New > User."
    • Fill in the user details in the displayed dialog box and click Next.
    • Set a password for the user and click Next.
    • Review the details on the confirmation page and click Finish.
  3. Create a Group:
    • Navigate to the "Builtindomain" folder. 
    • If a group does not exist, create a new one by right-clicking and selecting "New > Group." 
    • Enter the Group details and click on the Ok Button.
  4. Assign User to Group: 
    • Locate the newly created user, right-click, and select "Properties."
    • In the General tab, add the user's email address. 
    • In the MemberOf tab, add the user to the appropriate group.
    • Click Apply and OK.

Step#2: Create & Configure an ADFS App Group

Users must associate an application group with every native or web app OAuth client or web API resource configured with ADFS. Users must configure the clients in an application group to access the resources in the same group. An application group can have multiple clients and resources.

  1. Create an Application Group:
    • Open the ADFS Management Console.
    • Select "Application Groups" and click "Add Application Group."
    • In the Server application, provide a name for the application group, choose the template "Server application accessing a web API," and click Next.
  2. Add Server Application URL:
    • In the Server Application, copy the Client Identifier for future reference and enter the Redirect URL https://<Domain_Name>/oauth2/code/adfs, replacing <Domain_Name> with the OvalEdge application domain name.
  3. Copy Identifiers and Generate Secrets:
    • In the Configure Application Credentials section, generate a shared client secret, then click 'Copy to clipboard' and save it securely.
  4. Configure Client Identifier:
    • Paste the previously copied client identifier.
  5. Choose Access Control Policy:
    • Select an appropriate access control policy.
  6. Configure Application Permissions:
    • Add the following scopes: allatclaims, openid, and profile.
    • Review the summary and click Next.
  7. Add Claims:
    • Double-click the newly created application group.
    • Edit the "OE_API-Web API" configuration.
    • Navigate to "Issuance Transform Rules" and click Add Rule.
    • In the "Add Transform Claim Rule" wizard, select "Send LDAP Attributes as Claims" and click Next.
    • Click Finish.
    • In the Edit Rule - OvalEdge Claims window, configure the claim rule name as follows:
      • Attribute Store: Active Directory. 
      • Mapping of LDAP attributes to outgoing claim types: Add the required mappings, such as E-Mail Address, Given Name etc. 
    • Click OK to save changes. 

Step#3: Configure the OvalEdge Application Server

  1. Edit oasis.properties File:
    • Navigate to the oasis.properties file located in the extprop folder.
    • Update the following properties: 

      Set spring.security.oauth2.client.registration.client-id to the client identifier copied earlier.

      Set spring.security.oauth2.client.registration.client-secret to the client secret copied earlier.

      Set spring.security.oauth2.client.registration.provider to ADFS.

      Set spring.security.oauth2.base-url to the issuer value from the ADFS OIDC discovery document, which is available at https://{ADFS_HOST_NAME}/adfs/.well-known/openid-configuration.

      Define the required scopes: spring.security.oauth2.client.registration.scopes=openid,profile,email

      Set the user attribute: spring.security.oauth2.client.registration.name-attribute=upn

      Example (in a .properties file a # comment must be on its own line; anything after the value on the same line is read as part of the value):

      # OAuth2 Client ID (replace with the copied client identifier)
      spring.security.oauth2.client.registration.client-id=<CLIENT_IDENTIFIER>

      # OAuth2 Client Secret (replace with the copied client secret)
      spring.security.oauth2.client.registration.client-secret=<CLIENT_SECRET>

      # OAuth2 Provider
      spring.security.oauth2.client.registration.provider=ADFS

      # OAuth2 Base URL (replace with the issuer URL from the ADFS OIDC discovery document at
      # https://{ADFS_HOST_NAME}/adfs/.well-known/openid-configuration)
      spring.security.oauth2.base-url=<ADFS_ISSUER_URL>

      # OAuth2 Scopes
      spring.security.oauth2.client.registration.scopes=openid,profile,email

      # OAuth2 User Attribute Mapping (use 'upn' as the user name attribute)
      spring.security.oauth2.client.registration.name-attribute=upn

  2. Edit setenv.sh File:
    • Navigate to the Tomcat bin directory and open setenv.sh.
    • If CATALINA_OPTS is already defined, append -DOVALEDGE_SECURITY_TYPE=oauth2 to the end of its value, inside the double quotes; otherwise add the following line:
      export CATALINA_OPTS="-DOVALEDGE_SECURITY_TYPE=oauth2"
  3. Restart the Tomcat Application: 
    • Run the following commands: 

      sudo systemctl restart tomcatui 

      sudo systemctl restart tomcatjob 

Step#4: Verify Configuration

  1. Wait for 2 minutes after restarting the Tomcat services. 
  2. Open the OvalEdge application. 
  3. Verify that the login page includes the option "Continue with ADFS." 
  4. Test the login functionality to ensure it works as expected. 
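As an added pre-flight check (example code written for this page, not OvalEdge or ADFS code), the script below reads an oasis.properties fragment and an ADFS discovery document and reports the mismatches that most often break the authorization code flow: a base-url that differs from the issuer, scopes ADFS does not advertise, a wrong redirect URL. The discovery document, property values and host names are constructed samples; in practice the discovery document is fetched from the URL shown in Step#3.

```python
import json
from urllib.parse import urlparse

# Constructed ADFS discovery document (real one: https://{ADFS_HOST_NAME}/adfs/.well-known/openid-configuration)
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://adfs.example.test/adfs",
    "authorization_endpoint": "https://adfs.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.test/adfs/oauth2/token/",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email", "allatclaims"],
})

# Constructed oasis.properties fragment using the keys named on this page (placeholder values)
SAMPLE_PROPERTIES = """
spring.security.oauth2.client.registration.client-id=00000000-0000-0000-0000-000000000000
spring.security.oauth2.client.registration.client-secret=PLACEHOLDER_SECRET
spring.security.oauth2.client.registration.provider=ADFS
spring.security.oauth2.base-url=https://adfs.example.test/adfs
spring.security.oauth2.client.registration.scopes=openid,profile,email
spring.security.oauth2.client.registration.name-attribute=upn
"""
REG = "spring.security.oauth2.client.registration."

def parse_properties(text):
    """Minimal .properties reader: '#' only starts a comment at the start of a line."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_config(properties_text, discovery_json, redirect_uri):
    """Return a list of problems; an empty list means the properties agree with ADFS."""
    p, d = parse_properties(properties_text), json.loads(discovery_json)
    problems = []
    if p.get(REG + "provider") != "ADFS":
        problems.append("provider must be ADFS")
    if p.get("spring.security.oauth2.base-url", "").rstrip("/") != d["issuer"].rstrip("/"):
        problems.append("base-url does not match the issuer in the discovery document")
    if "authorization_code" not in d.get("grant_types_supported", []):
        problems.append("ADFS does not advertise the authorization_code grant")
    missing = set(p.get(REG + "scopes", "").split(",")) - set(d.get("scopes_supported", []))
    if missing:
        problems.append("scopes not in scopes_supported: " + ",".join(sorted(missing)))
    r = urlparse(redirect_uri)
    if r.scheme != "https" or r.path != "/oauth2/code/adfs":
        problems.append("redirect URI must be https://<Domain_Name>/oauth2/code/adfs")
    return problems
```

Run check_config against the real oasis.properties and the fetched discovery JSON before restarting Tomcat; an empty list means the three sides (ADFS, the registered client and the application server) agree.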

Conclusion

This document provides a comprehensive guide to configuring ADFS with OIDC support. Organizations can enable secure application authentication using ADFS and OAuth2/OIDC protocols by following these steps.