Product Selector

Fusion 5.11
    Fusion 5.11

    Set Up Active Directory Federation Services (ADFS) Authentication for App Studio or Appkit

    The Active Directory Federation Services (ADFS) security provider is available in Appkit.

    OAuth based authentication against ADFS requires ADFS 3 (or newer) which is available from Windows Server 2012 R2 onwards.

    To authenticate against ADFS, perform the steps in this article.

    1 Add the security provider dependency

    To add ADFS as a security provider in the Oauth Security module:

    1. Remove any existing security provider dependency from the pom.xml under the root of the project.

    2. Add a security provider dependency for ADFS to the dependencies tag in pom.xml:

      <dependency>
          <groupId>twigkit</groupId>
          <artifactId>twigkit.security.provider.oauth.adfs3</artifactId>
          <version>${project.parent.version}</version>
      </dependency>
    3. Configure Appkit to invoke the Oauth Security module on startup. Change the security.conf file in src/main/resources/conf/security/ to contain:

      type: oauth
      You must remove any existing spring-security.xml file because this module encapsulates all Spring configuration automatically.

    2 Set up the application (relying party trust) in ADFS

    adfs-relying-party-1 adfs-relying-party-2

    1. Add a new relying party in ADFS management. The identifier is usually set to the URL of the Appkit application itself.

      adfs-relying-party-3 adfs-relying-party-4

    2. Edit the Claim Rules to pass through the credentials as shown in the screenshot. It is important the configuration is as shown in the screenshots here. The User Principal Name is passed through as the 'UPN' claim and the Token-Groups Unqualified Name is passed through as the 'Role' claim.

      adfs-principal-roles-claim-rule

    3. Open a PowerShell session to create the OAuth ADFS 'client' for the Appkit application:

      Add-ADFSClient -Name "Appkit OAuth" -ClientId "1234567890-ABCDEF" -RedirectUri="http://localhost:8080/oauthLogin"

    The ClientId should be a GUID and the RedirectUri must point to the Appkit application URL, with /oauthLogin appended. Here, localhost is used for testing an Appkit application running on the local development machine.

    3 Configure the OAuth module for the application setup in ADFS

    Create a new configuration file in conf/security/oauth.conf.

    oauth.conf

    client-id: 168f3ee4-63fc-4723-a61a-6473f6cb515d
    adfs-url: https://your-adfs-server/adfs
    resource: http://localhost:8080
    high-trust: false

    Here, you must change the client-id, adfs-url and resource parameters for the environment in question.

    The client-id is the ID that was set up against ADFS using the Add-ADFSClient PowerShell command.

    The adfs-url is the URL of the ADFS server with the /adfs context appended.

    The resource is the relying party trust identifier set up in ADFS management.

    The `high-trust' parameter is only required when integrating the ADFS and SharePoint modules. This article is only concerned with authentication against ADFS.

    3 Add the Spring filter to the web.xml

    Add this to the web.xml file of the project:

    <!-- Spring Security -->
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:spring-security.xml</param-value>
        </context-param>
    
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
    
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
    
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    
        <listener>
          <listener-class>
            org.springframework.web.context.request.RequestContextListener
          </listener-class>
        </listener>
    <!-- Spring Security Ends -->

    Inclusion of a 'RequestContextListener' is not required in a standard Appkit-plus-Spring Security application.

    4 Test the authentication

    If a user is not logged via ADFS prior to visiting the application they will be redirected to the ADFS OAuth login page. The user experience is a typical login page.

    After the user logs in, the user will be returned to the application as an authenticated user.

    The Appkit user’s details will also be populated with any basic information available from the decoded OAuth token such as roles and the user principal name.