
Configuring Windows ADFS as a Brokered Identity Provider in IFS IAM

IFS IAM can authenticate users against external OpenID Connect Identity Providers through identity brokering. This provides a user-centric, centralized way to manage identities across security domains.

This document describes how to configure Windows ADFS as a brokered Identity Provider in IFS IAM.

Prerequisites

  • A Microsoft Windows Server with the AD FS role installed (via Server Manager).
  • If using a self-signed certificate, import the certificate into ifsapp-iam.
  • If ADFS is hosted internally, make sure it resolves through the internal DNS in Kubernetes.

1. Add Application Group

Before setting up ADFS, you will need the Redirect URI from the IFS IdP.

Navigate to Solution Manager > Users and Permissions > Identity and Access Manager > IAM Identity Providers > IAM Identity Providers

Create a new Identity Provider. Give the IdP an ID and a name (the ID must not contain spaces; the name can be anything, but should be descriptive). Copy the Redirect URI and head over to your ADFS server.

On the ADFS server, open the ADFS Management tool. Right-click Application Groups and select Add Application Group.

Set a name of your choice and select Server Application.

Copy and store the Client Identifier, as you will need it later, then add the Redirect URI copied earlier.

Generate a shared secret and store it somewhere, as this will also be needed later.

Review the summary and press Next and close the wizard.

2. Add Web API

Double-click the newly created application group.

Click Add application.

Select Web API.

Permit Everyone.

Select allatclaims and openid (the selected scopes decide which claims will be available).

Review the summary.

There should now be two applications.

3. Add Claims

Select the Web API, click Edit and navigate to Issuance Transform Rules.

Click Add Rule and select Send LDAP Attributes As Claims.

Select User Attributes as the Claim rule name and Active Directory as the Attribute store. Set the LDAP Attribute to UserPrincipalName and the outgoing claim to UPN (more on this follows later in this guide).

This concludes the setup needed on the ADFS side.

4. Well-known document

The well-known document returns the provider's OpenID Connect configuration values from its Well-Known Configuration Endpoint.

For ADFS it can be found on https://:/adfs/.well-known/openid-configuration

For IFS Cloud it can be found on https://:/auth/realms//.well-known/openid-configuration

5. Create a new Identity Provider in IFS Cloud

Go back to Aurena, where the create form you left in step 1 can now be completed with the remaining information:

  • Set the sync mode to the desired value.
  • Add the authorization endpoint.
  • Add the token endpoint. Both endpoints are found in the ADFS well-known document (go back to step 4 if you skipped it).
  • Set Client Auth Method to Client Secret Post.
  • Paste the client ID acquired during the previous steps.
  • Paste the client secret, also acquired during the previous steps. The secret cannot be obtained again, so if you have lost it, you can generate a new one.

Press OK when done.
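As an added example (not part of the IFS documentation), the following Python reads a discovery document like the one from step 4 and pulls out the values entered in step 5, flagging anything that would not match this guide (no client_secret_post support, missing openid/allatclaims scopes, no upn claim, non-https or foreign-host endpoints). The host name and document contents are constructed.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an ADFS discovery document (hypothetical host, trimmed to the fields used here).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://adfs.example.test/adfs",
    "authorization_endpoint": "https://adfs.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.test/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.test/adfs/discovery/keys",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
    "scopes_supported": ["openid", "allatclaims", "profile", "email"],
    "claims_supported": ["aud", "iss", "iat", "exp", "sub", "upn", "unique_name"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = {"openid", "allatclaims"}  # scopes selected on the Web API in step 2
CLAIM_FOR_MAPPER = "upn"                     # claim the attribute mapper in step 6 relies on


def extract_idp_settings(doc_json: str) -> dict:
    """Return the endpoint values for the IFS IdP form plus a list of warnings.
    Missing required fields raise ValueError; deviations from this guide
    (auth method, scopes, claim, non-https or foreign-host endpoints) are warnings."""
    doc = json.loads(doc_json)
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks required fields: {missing}")
    warnings = []
    issuer_host = urlparse(doc["issuer"]).hostname
    for key in REQUIRED_KEYS[1:]:
        parsed = urlparse(doc[key])
        if parsed.scheme != "https":           # never enter a plain-http endpoint into the IdP
            warnings.append(f"{key} is not https: {doc[key]}")
        if parsed.hostname != issuer_host:     # endpoints are expected on the issuer's own host
            warnings.append(f"{key} host {parsed.hostname} differs from issuer host {issuer_host}")
    if "client_secret_post" not in doc.get("token_endpoint_auth_methods_supported", []):
        warnings.append("client_secret_post not supported; Client Auth Method in step 5 will not work")
    lacking = sorted(REQUIRED_SCOPES - set(doc.get("scopes_supported", [])))
    if lacking:
        warnings.append(f"scopes not advertised by the provider: {lacking}")
    if CLAIM_FOR_MAPPER not in doc.get("claims_supported", []):
        warnings.append(f"claim '{CLAIM_FOR_MAPPER}' not advertised; the attribute mapper would map nothing")
    return {
        "issuer": doc["issuer"],
        "authorization_endpoint": doc["authorization_endpoint"],
        "token_endpoint": doc["token_endpoint"],
        "client_auth_method": "client_secret_post",
        "warnings": warnings,
    }
```

Run it against the JSON fetched from your own ADFS well-known URL; an empty warnings list means the values can be pasted into the IdP form as described above.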

6. Create an Attribute Mapper

  • Navigate to IdP Attribute Mapper.
  • Create a new mapper.

The name can be anything. The claim must be set to upn.

7. Login

The necessary configuration is now done. Make sure you have a user ready whose Directory ID matches the UPN.