
KB Article #183138

Using the OAuth 2.0 Authentication Plugin with the AD FS provider

Summary

This article describes how to configure an Authorization Code flow in SecureTransport (ST) with AD FS as the Identity Provider for user and administrator authentication.


Resolution

Configure the AD FS server

Login to the AD FS server and create a new Application Group.



Use the Server Application Accessing a Web API template and provide a name for the Application Group. Then click Next.



On the next screen, copy the Client ID string and save it for later; it is needed in the ST configuration. Type the address of your ST server (or Edge, or load balancer) in the Redirect URI field; this is the URL that users and administrators are redirected to after successful authentication. Click Next.



Enable the Generate a shared secret box and copy the secret string to the clipboard. Make sure to save the secret value in a safe place, as you will not be able to view it again once the Application Group is created. Click Next.



On the Configure the Web API screen, provide a name and add an identifier. The identifier can be used for additional redirects. Click Next.



On the Apply an Access Control Policy screen, select an appropriate policy and click Next.


On the Configure Application Permissions screen, choose openid for Permitted scope. Click Next.



Review the Application and click Next. The Application Group will be created.


Open the Active Directory Users and Computers tool and create a new user in the Users folder.


Configure SecureTransport

Install the OAuth Authentication plugin for SecureTransport as described in KB 180803.


Go to the Admin UI → Server Configuration page and configure the HTTP daemon redirect by setting the following parameters:


Option                                        Value
Http.AllowedAuthenticationParameters          code
Http.AllowedAuthenticationParametersMaxSize   32768
Http.FdxAuthReply                             PREAUTH
Http.RedirectWhiteList                        (.*)
Http.Security.SameSite                        Lax


If administrator authentication will also be performed through AD FS, set the following parameters:


Option                        Value
Admin.Security.SameSite       Lax
LoginSettings.Admin.PREAUTH   true


Configure the OAuth Authentication plugin under Admin UI → Server Configuration, setting the parameters below as shown. Keep in mind that every option name is prefixed with Plugins.Authentication.oauth-authentication-plugin. (including the trailing dot).


Option                       Value
authorizationCodeParameter   code
authorizationHeader          AUTHORIZATION
authorizationUrl             https://ADDRESS_OF_ADFS_SERVER/adfs/oauth2/authorize/
cipherSuites                 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
clientId                     <the Client ID from the Server Application in AD FS>
clientSecret                 <the secret created and copied from the Server Application in AD FS>
connectTimeout               10000
introspectionEndpoint        <empty> (you must clear the pre-existing string from this field)
keysUrl                      https://ADDRESS_OF_ADFS_SERVER/adfs/discovery/keys
oidcEnabled                  true
protocols                    TLSv1.2, TLSv1.3
redirectUri                  https://${plugin.localAddress}
revokeUrl                    https://ADDRESS_OF_ADFS_SERVER/adfs/oauth2/revoke
scope                        openid
signingKey                   <empty> (you must clear the pre-existing string from this field)
socketTimeout                10000
tokenUrl                     https://ADDRESS_OF_ADFS_SERVER/adfs/oauth2/token/
tokenVerificationMode        jwt
userIdentityAttribute        ${extract(plugin.attributes.upn[0],'@',1)}
useSecure                    true
validateTokenSignature       true
verifyCertificate            true
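As an added pre-flight check (example code written for this article, not part of the SecureTransport plugin or AD FS), the following Python script lints the plugin values above before they are saved: it confirms the four AD FS URLs use HTTPS and share one host, that introspectionEndpoint and signingKey are cleared for jwt verification, that the verification flags are on, that only TLSv1.2/TLSv1.3 are listed, and it warns when Http.RedirectWhiteList is the catch-all (.*). The embedded option values are a constructed copy of the table with placeholder clientId/clientSecret.

```python
import re
from urllib.parse import urlparse

# Constructed copy of the plugin table above; clientId/clientSecret are placeholders.
SAMPLE = {
    "authorizationUrl": "https://ADDRESS_OF_ADFS_SERVER/adfs/oauth2/authorize/",
    "tokenUrl": "https://ADDRESS_OF_ADFS_SERVER/adfs/oauth2/token/",
    "keysUrl": "https://ADDRESS_OF_ADFS_SERVER/adfs/discovery/keys",
    "revokeUrl": "https://ADDRESS_OF_ADFS_SERVER/adfs/oauth2/revoke",
    "clientId": "<clientId placeholder>",
    "clientSecret": "<clientSecret placeholder>",
    "introspectionEndpoint": "",
    "signingKey": "",
    "oidcEnabled": "true",
    "tokenVerificationMode": "jwt",
    "validateTokenSignature": "true",
    "verifyCertificate": "true",
    "useSecure": "true",
    "protocols": "TLSv1.2, TLSv1.3",
}

# Flags this article sets for signature-verified OIDC logins.
REQUIRED = (("oidcEnabled", "true"), ("tokenVerificationMode", "jwt"),
            ("validateTokenSignature", "true"), ("verifyCertificate", "true"),
            ("useSecure", "true"))

def lint(cfg, redirect_whitelist):
    """Return a list of findings; an empty list means the values match this article."""
    findings = []
    hosts = set()
    for key in (k for k in cfg if k.endswith("Url")):
        url = urlparse(cfg[key])
        if url.scheme != "https":
            findings.append(f"{key}: must use https")
        hosts.add(url.netloc)
    if len(hosts) != 1:  # all four endpoints belong to the same AD FS farm
        findings.append("AD FS URLs point at different hosts: " + ", ".join(sorted(hosts)))
    for key in ("introspectionEndpoint", "signingKey"):
        if cfg.get(key):  # jwt mode fetches keys from keysUrl; stale values must be cleared
            findings.append(f"{key}: must be empty in jwt verification mode")
    for key, want in REQUIRED:
        if cfg.get(key) != want:
            findings.append(f"{key}: expected {want!r}, got {cfg.get(key)!r}")
    weak = [p for p in re.split(r"\s*,\s*", cfg.get("protocols", "")) if p not in ("TLSv1.2", "TLSv1.3")]
    if weak:
        findings.append("protocols: remove " + ", ".join(weak))
    # Http.RedirectWhiteList is a regex; the catch-all (.*) accepts any post-login target.
    if re.fullmatch(r"\(?\.\*\)?", redirect_whitelist.strip()):
        findings.append("Http.RedirectWhiteList: (.*) permits redirects to any URL; "
                        "prefer a pattern anchored to the ST/Edge/load balancer host")
    return findings
```

Run lint(SAMPLE, "(.*)") against your own values (the second argument is the Http.RedirectWhiteList setting) and resolve every finding before testing the login.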


Create a user in ST, as described in KB 180803, and then test the login to ST with it.