Set Up Active Directory Federation Services (ADFS) Authentication for App Studio or Appkit
The Active Directory Federation Services (ADFS) security provider is available in Appkit.
OAuth-based authentication against ADFS requires ADFS 3 (or newer), which is available from Windows Server 2012 R2 onwards.
To authenticate against ADFS, perform the steps in this article.
1 Add the security provider dependency
To add ADFS as a security provider in the OAuth Security module:
- Remove any existing security provider dependency from the pom.xml under the root of the project.
- Add a security provider dependency for ADFS to the dependencies tag in pom.xml:
    <dependency>
        <groupId>twigkit</groupId>
        <artifactId>twigkit.security.provider.oauth.adfs3</artifactId>
        <version>${project.parent.version}</version>
    </dependency>
- Configure Appkit to invoke the OAuth Security module on startup. Change the security.conf file in src/main/resources/conf/security/ to contain:
    type: oauth
You must remove any existing spring-security.xml file because this module encapsulates all Spring configuration automatically.
2 Set up the application (relying party trust) in ADFS
- Add a new relying party in ADFS management. The identifier is usually set to the URL of the Appkit application itself.
- Edit the Claim Rules to pass through the credentials as shown in the screenshots. It is important that the configuration matches the screenshots exactly: the User Principal Name is passed through as the 'UPN' claim and the Token-Groups Unqualified Name is passed through as the 'Role' claim.
- Open a PowerShell session to create the OAuth ADFS 'client' for the Appkit application:
    Add-ADFSClient -Name "Appkit OAuth" -ClientId "1234567890-ABCDEF" -RedirectUri "http://localhost:8080/oauthLogin"
The ClientId should be a GUID and the RedirectUri must point to the Appkit application URL with /oauthLogin appended. Here, localhost is used for testing an Appkit application running on the local development machine.
3 Configure the OAuth module for the application set up in ADFS
Create a new configuration file at conf/security/oauth.conf with the following content:
    client-id: 168f3ee4-63fc-4723-a61a-6473f6cb515d
    adfs-url: https://your-adfs-server/adfs
    resource: http://localhost:8080
    high-trust: false
Here, you must change the client-id, adfs-url and resource parameters for the environment in question.
- The client-id is the ID that was set up against ADFS using the Add-ADFSClient PowerShell command.
- The adfs-url is the URL of the ADFS server with the /adfs context appended.
- The resource is the relying party trust identifier set up in ADFS management.
The 'high-trust' parameter is only required when integrating the ADFS and SharePoint modules. This article is only concerned with authentication against ADFS.
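The three values in oauth.conf must agree with what was registered in ADFS in step 2: the client-id must equal the ClientId given to Add-ADFSClient, and the RedirectUri must be the application URL (the resource, when the relying party identifier is the application URL as in the article's example) with /oauthLogin appended. The following added example, which is not part of the article or of Appkit, parses an oauth.conf and reports those mismatches before deployment; the sample configuration content, the helper names and the argument names are assumptions made for the example.

```python
import uuid
from urllib.parse import urlparse

# Constructed sample oauth.conf content mirroring the article's keys.
# The values are placeholders for the example, not a real deployment.
SAMPLE_OAUTH_CONF = """\
client-id: 168f3ee4-63fc-4723-a61a-6473f6cb515d
adfs-url: https://your-adfs-server/adfs
resource: http://localhost:8080
high-trust: false
"""


def parse_oauth_conf(text):
    """Parse the flat 'key: value' lines of oauth.conf into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def check_oauth_conf(conf, registered_client_id, registered_redirect_uri):
    """Return a list of problems found; an empty list means oauth.conf is
    consistent with the client registered in ADFS via Add-ADFSClient.
    (registered_* are the values that were passed to Add-ADFSClient.)"""
    problems = []
    for key in ("client-id", "adfs-url", "resource"):
        if key not in conf:
            problems.append(f"missing required key {key}")
    if problems:
        return problems

    # client-id must be a GUID and must match the ClientId registered in ADFS
    try:
        uuid.UUID(conf["client-id"])
    except ValueError:
        problems.append("client-id is not a GUID")
    if conf["client-id"] != registered_client_id:
        problems.append("client-id does not match the ClientId registered in ADFS")

    # adfs-url is where the browser is sent to log in and where tokens come
    # from, so insist on TLS and on the /adfs context the article requires
    adfs = urlparse(conf["adfs-url"])
    if adfs.scheme != "https":
        problems.append("adfs-url must use https")
    if adfs.path.rstrip("/") != "/adfs":
        problems.append("adfs-url must end with the /adfs context")

    # resource is the relying party identifier (the application URL); the
    # RedirectUri registered in ADFS must be that URL plus /oauthLogin
    expected_redirect = conf["resource"].rstrip("/") + "/oauthLogin"
    if expected_redirect != registered_redirect_uri:
        problems.append(f"RedirectUri in ADFS should be {expected_redirect}")

    if conf.get("high-trust", "false").lower() not in ("true", "false"):
        problems.append("high-trust must be true or false")
    return problems


if __name__ == "__main__":
    parsed = parse_oauth_conf(SAMPLE_OAUTH_CONF)
    print(check_oauth_conf(parsed,
                           "168f3ee4-63fc-4723-a61a-6473f6cb515d",
                           "http://localhost:8080/oauthLogin"))
```

Run against the article's own values the check passes; pointing adfs-url at a plain-http server, or registering the client with a ClientId that is not the GUID in oauth.conf, is reported as a problem.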
4 Add the Spring filter to the web.xml
Add this to the web.xml file of the project:
    <!-- Spring Security -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring-security.xml</param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>
    <!-- Spring Security Ends -->
Inclusion of a 'RequestContextListener' is not required in a standard Appkit-plus-Spring Security application.
5 Test the authentication
If a user is not logged in via ADFS prior to visiting the application, they will be redirected to the ADFS OAuth login page. The user experience is a typical login page.
After the user logs in, they will be returned to the application as an authenticated user.
The Appkit user's details will also be populated with any basic information available from the decoded OAuth token, such as roles and the user principal name.
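What "decoded OAuth token" means in practice is a JWT whose payload carries the claims the claim rules from step 2 pass through: upn for the user principal name and role for the Token-Groups names. The added example below, which is not Appkit code and not part of the article, shows the checks a consumer of such a token has to make before trusting those claims (issuer, audience against the resource from oauth.conf, expiry and not-before) and how the role claim maps to a list of roles, including the case where ADFS emits a single string rather than an array when the user is in only one group. The token is constructed inline; the issuer string, the claim values and the function names are assumptions for the example, and signature verification (a real ADFS token is RS256-signed) is assumed to have been done separately and is not shown.

```python
import base64
import json
import time

# Assumed values for the example: the issuer form used in the constructed
# token, and the audience, which must equal the 'resource' in oauth.conf.
EXPECTED_ISSUER = "http://your-adfs-server/adfs/services/trust"
EXPECTED_AUDIENCE = "http://localhost:8080"


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_constructed_token(claims):
    """Build a JWT-shaped token for offline testing. This is constructed
    test input: the third segment is a placeholder, not a real signature."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


def extract_principal(token, expected_issuer, expected_audience, now=None):
    """Validate the standard claims of an ADFS-style access token and map
    the UPN and Role claims to (username, sorted roles).
    Raises ValueError when the token must not be trusted.
    Signature verification is assumed to have happened before this call."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token does not have three segments")
    claims = json.loads(_b64url_decode(parts[1]))

    # A token from another issuer, or issued for another relying party
    # (audience), must be rejected even if it carries a valid signature.
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("token was issued for a different resource")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no expiry")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")

    upn = claims.get("upn")
    if not upn:
        # Usually means the UPN pass-through claim rule from step 2 is missing
        raise ValueError("UPN claim missing: check the ADFS claim rules")
    roles = claims.get("role", [])
    if isinstance(roles, str):  # ADFS emits a bare string for a single group
        roles = [roles]
    return upn, sorted(roles)


if __name__ == "__main__":
    sample = make_constructed_token({
        "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
        "nbf": 1000, "exp": 2000,
        "upn": "alice@example.com", "role": ["Readers", "Admins"],
    })
    print(extract_principal(sample, EXPECTED_ISSUER, EXPECTED_AUDIENCE, now=1500))
```

The `now` parameter exists so that expiry handling can be tested deterministically; in production it is left at its default so the current clock is used.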