KB Article #183138
Using the OAuth 2.0 Authentication Plugin with the AD FS provider
Summary
This article describes how to configure an Authorization Code flow in SecureTransport (ST) with AD FS as the Identity Provider for user and administrator authentication.
Resolution
Configure the AD FS server
Login to the AD FS server and create a new Application Group.
Use the Server Application Accessing a Web API template and provide a name for the Application Group. Then click Next.
On the next screen, copy the ClientID string and save it for later; it is needed in the ST configuration. Type the address of your ST server (or Edge, or load balancer) in the Redirect URI field; this is the URL to which users/administrators are redirected after successful authentication. Click Next.
Enable the Generate a shared secret box and then copy the secret string to the clipboard. Make sure to save the secret value in a safe place, as you will not be able to view it once the application group is created. Click on Next.
On the Configure the Web API screen, provide a name and add an identifier. The identifier can be used for additional redirects. Click Next.
On the Apply an Access Control Policy screen, select an appropriate policy and click Next.
On the Configure Application Permissions screen, choose openid for Permitted scope. Click Next.
Review the Application and click Next. The Application Group will be created.
Open the Active Directory Users and Computers tool and create a new user in the Users folder.
Configure SecureTransport
Install the OAuth Authentication plugin for SecureTransport as described in KB 180803.
Go to the Admin UI → Server Configuration page and configure the HTTP daemon redirect by setting the following parameters:

| Option | Value |
| --- | --- |
| Http.AllowedAuthenticationParameters | code |
| Http.AllowedAuthenticationParametersMaxSize | 32768 |
| Http.FdxAuthReply | PREAUTH |
| Http.RedirectWhiteList | (.*) |
| Http.Security.SameSite | Lax |

Note that the pattern (.*) matches any redirect target; where your deployment allows it, narrow it to the ST, Edge or load balancer addresses actually used as Redirect URI.
If administrator authentication will also use AD FS, set the following parameters:

| Option | Value |
| --- | --- |
| Admin.Security.SameSite | Lax |
| LoginSettings.Admin.PREAUTH | true |
Configure the OAuth Authentication plugin under Admin UI → Server Configuration, setting the parameters below as shown. Keep in mind that all option names are prefixed with Plugins.Authentication.oauth-authentication-plugin. (including the trailing dot).

| Option | Value |
| --- | --- |
| authorizationCodeParameter | code |
| authorizationHeader | AUTHORIZATION |
| authorizationUrl | https://ADDRESS_OF_ADFS_SERVER/adfs/oauth2/authorize/ |
| cipherSuites | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| clientId | <The ClientID from the Server Application in AD FS> |
| clientSecret | <The secret created and copied from the Server Application in AD FS> |
| connectTimeout | 10000 |
| introspectionEndpoint | <empty> (clear the pre-existing string from this field) |
| keysUrl | https://ADDRESS_OF_ADFS_SERVER/adfs/discovery/keys |
| oidcEnabled | true |
| protocols | TLSv1.2, TLSv1.3 |
| redirectUri | https://${plugin.localAddress} |
| revokeUrl | https://ADDRESS_OF_ADFS_SERVER/adfs/oauth2/revoke |
| scope | openid |
| signingKey | <empty> (clear the pre-existing string from this field) |
| socketTimeout | 10000 |
| tokenUrl | https://ADDRESS_OF_ADFS_SERVER/adfs/oauth2/token/ |
| tokenVerificationMode | jwt |
| userIdentityAttribute | ${extract(plugin.attributes.upn[0],'@',1)} |
| useSecure | true |
| validateTokenSignature | true |
| verifyCertificate | true |
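The parts of the flow that the settings above configure, as an added Python walk-through (not SecureTransport or plugin code; the example hostnames, helper names, and the reading of extract(...,'@',1) as the part of the UPN before '@' are assumptions):

```python
"""Constructed walk-through of the checks implied by the settings above; hypothetical helpers."""
import base64
import json
import re
from urllib.parse import parse_qs, urlencode, urlparse

ADFS = "https://ADDRESS_OF_ADFS_SERVER"                 # placeholder host from the article
AUTHORIZATION_URL = ADFS + "/adfs/oauth2/authorize/"   # authorizationUrl
ALLOWED_PARAM_MAX_SIZE = 32768                         # Http.AllowedAuthenticationParametersMaxSize
REDIRECT_WHITELIST = re.compile(r"(.*)")               # Http.RedirectWhiteList as documented
# Narrower alternative for an assumed deployment (st/edge hostnames are made up).
NARROW_WHITELIST = re.compile(r"https://(st|edge)\.example\.com(/.*)?")


def build_authorize_url(client_id, redirect_uri, state, nonce):
    """Step 1: send the browser to AD FS with response_type=code and scope=openid."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid",
              "state": state, "nonce": nonce}
    return AUTHORIZATION_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: AD FS redirects back with ?code=...&state=...; the code arrives in the
    'code' query parameter (authorizationCodeParameter) and must fit the max size."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible forged callback")
    code = qs.get("code", [None])[0]
    if not code or len(code) > ALLOWED_PARAM_MAX_SIZE:
        raise ValueError("missing or oversize authorization code")
    return code


def redirect_allowed(url, pattern=REDIRECT_WHITELIST):
    """Post-login redirect check; fullmatch mirrors a whitelist regex."""
    return pattern.fullmatch(url) is not None


def user_identity_from_id_token(id_token):
    """Step 3: mimic ${extract(plugin.attributes.upn[0],'@',1)}, assumed to yield the
    'upn' claim before '@'. Only the payload is decoded here; RS256 signature checking
    against keysUrl is the plugin's job (tokenVerificationMode=jwt)."""
    payload_b64 = id_token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))
    return payload["upn"].split("@", 1)[0]


def sample_id_token(upn):
    """Constructed, unsigned token for offline testing only; real AD FS tokens are signed."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc({"upn": upn}), "placeholder-signature"])
```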
Create a user in ST, as described in KB 180803 and then test the login to ST with it.