This topic describes how to set up an OpenID Connect configuration for an on-premises server that cannot use internet-connected SaaS authentication services.
## Prerequisites
- Refer to the hardware requirements for the server deployment: Getting Started
- During the Bootstrap process, use the Custom option for this AD FS setup.
- Verify that AD FS is installed and configured: in Server Manager, navigate to Server Roles and check that Active Directory Federation Services (Installed) is checked.
## Configuring an AD FS Authentication Application
- In your Server Manager, select Tools > AD FS Management.
- Under Application Groups, select Add Application Group.
- Select Server application accessing a web API.
- Under Welcome, give it a Name and Description, click Next.
- Under Server application, from the Client Identifier field copy the ID and paste it into a notepad file or other location for later use.
- For Redirect URI, enter your Hydden platform's redirect URL, for example: https://my-new-hydden-server.demo.lab:22101/auth/oidc/callback. You can copy it from the Add OpenID Connect Configuration or Edit OpenID Connect Configuration modal in Hydden.
- Click Add and Next.
- Under Configure Application Credentials, select Generate a shared secret, and copy the secret to the clipboard. You might want to store it with the previously saved Client Identifier.
- Under Configure Web API, into the Identifier field, paste the previously saved Client Identifier.
- Click Add and Next.
- Under Apply Access Control Policy, you may first opt for Permit everyone and adjust those permissions later.
- Click Next.
- Under Configure Application Permissions > Permitted scopes, add allatclaims, email, openid, and profile.
- Click Next.
- Review the Summary and click Next.
- Click Close.
- You may now review the properties for your application, which will look something like this:
Next, add Issuance Transform Rules.
- Select the Hydden - Web API app.
- Navigate to the Issuance Transform Rules tab.
- Click on Add Rule.
- For Choose Rule Type, select Send LDAP Attributes as Claims and click Next.
- Enter a name, for example, Hydden Attributes.
- Select Active Directory for the Attribute Store.
- Add the five mapping rules as shown in the image above: E-Mail-Addresses, Company, Telephone-Number, Given-Name, Surname.
> [!note]
> For AD FS users to register and/or authenticate with Hydden, they must have a valid email address and a first and last name configured in AD; the company association is optional.
Further editing or retrieval of application specifics is always available via the properties dialog.
## Configuring the OpenID Provider
- In Hydden, navigate to Configuration > Tenant and select the OpenID Provider tab.
- Click + Add Provider.
- From the Provider drop-down, select Custom.
- Give your provider a name, for example, Active Directory (AD FS).
- Under Client ID, enter the previously saved Client Identifier string.
- Under Client Secret, enter the previously saved Shared Secret string.
- Under Issuer, enter the address of the AD FS server on which you created the server application, with /adfs appended. For example, https://{yourADFSServerName}/adfs.
- Under Switch Prompt, select login.
- Click Add.
You should now see an AD FS login prompt:
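A pre-flight check for the values entered in the OpenID Provider form, added here as an example and not part of Hydden or AD FS: it compares the Issuer, the permitted scopes and the Redirect URI against the OIDC discovery document that AD FS serves at https://{yourADFSServerName}/adfs/.well-known/openid-configuration. The server name adfs.demo.lab, the trimmed sample document below and the use of the authorization code flow are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample of what AD FS returns from
# https://<yourADFSServerName>/adfs/.well-known/openid-configuration (trimmed; server name assumed).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://adfs.demo.lab/adfs",
    "authorization_endpoint": "https://adfs.demo.lab/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.demo.lab/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.demo.lab/adfs/discovery/keys",
    "scopes_supported": ["openid", "profile", "email", "allatclaims", "aza", "user_impersonation"],
    "response_types_supported": ["code", "id_token", "code id_token", "token id_token"],
})

# Scopes granted to the application in AD FS, and the callback path used in the Redirect URI.
REQUIRED_SCOPES = {"openid", "email", "profile", "allatclaims"}
CALLBACK_PATH = "/auth/oidc/callback"


def check_provider_config(discovery_json, issuer, redirect_uri, required_scopes=REQUIRED_SCOPES):
    """Compare the Issuer, scopes and Redirect URI you are about to enter against the AD FS
    discovery document. Returns a list of problem strings; an empty list means no mismatch."""
    doc = json.loads(discovery_json)
    problems = []

    # OIDC clients compare the issuer byte-for-byte, so a stray trailing slash breaks login.
    published = doc.get("issuer", "")
    if published != issuer:
        hint = " (trailing slash differs)" if published.rstrip("/") == issuer.rstrip("/") else ""
        problems.append(f"issuer: configured {issuer!r}, AD FS publishes {published!r}{hint}")
    if urlparse(issuer).scheme != "https":
        problems.append("issuer: must use https")

    # Every endpoint must exist, be https and live on the issuer's host.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        parts = urlparse(url or "")
        if not url or parts.scheme != "https" or parts.netloc != urlparse(published).netloc:
            problems.append(f"{key}: missing, not https, or on a different host than the issuer")

    # The scopes permitted in AD FS must all be advertised; the code flow (assumed) must be supported.
    missing = required_scopes - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not advertised by AD FS: {sorted(missing)}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not supported")

    # The Redirect URI must be https, point at the callback path, and carry no query or fragment.
    r = urlparse(redirect_uri)
    if r.scheme != "https" or r.path != CALLBACK_PATH or r.query or r.fragment:
        problems.append(f"redirect_uri: expected https://<hydden-host>{CALLBACK_PATH}, got {redirect_uri!r}")
    return problems
```

Against a live server, replace SAMPLE_DISCOVERY with the body fetched from the discovery URL and pass the exact Issuer and Redirect URI strings from the Hydden form.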
