
Microsoft ADFS OIDC Configuration

Pro only

Configuration in Microsoft ADFS

  1. Open the ADFS Management tool.
  2. Register an application group:

    • Go to "Application Groups" (1)
    • Add a new Application Group (2)
    • Enter an Application Group Name (3)
    • Select the Template "Server application accessing a web API" (4)
    • Click "Next"


  3. Register a server application:


  4. Configure Application credentials:

    • Select "Generate a shared secret"
    • Copy and save the generated secret now; ADFS will not show it again and you need it later.
    • Click "Next"

  5. Configure Web API:

    • Paste the client identifier from step 3 into the Identifier field.
    • Click "Next"

  6. Configure Access Control Policy:

    • Here we allow only a specific group and require MFA for its users (1)
    • Click the parameter link in the Policy field (2)
    • Add the AD group that should be allowed access (3 and 4)
    • Click "OK" and "Next"

  7. Configure Application Permissions:

    • Under permitted scopes, check allatclaims, email, openid and profile.
    • Click "Next"

  8. Configure Claim Rules:

    • After the application group has been created, right-click your application and click "Properties"
    • Then select the "Web API" (1) and click "Edit" (2)
    • In the new window, select the "Issuance Transform Rules" tab (3) and click "Add Rule" (4)
    • Select the rule template "Send LDAP Attributes as Claims"
    • Finally, add a rule named "email" which maps the "E-Mail-Addresses" LDAP attribute to the claim type "email".

You should now have the following values:

  • Client ID
  • Client secret

Cloud Setup


You are lucky. Just send the values from the previous steps to us and we'll take care 🥰

Self-Hosted Setup


Create your OIDC configuration for SysReptor...

{
    "adfs": {
        "label": "ADFS",
        "client_id": "<your client_id>",
        "client_secret": "<your_client_secret>",
        "server_metadata_url": "https://adfs.your.domain/adfs/.well-known/openid-configuration",
        "client_kwargs": {
            "scope": "openid profile email",
            "code_challenge_method": "S256"
        },
        "reauth_supported": false
    }
}

OIDC_AUTHLIB_OAUTH_CLIENTS='{"adfs": {"label": "ADFS",...}}'
The OIDC client needs to be able to establish a network connection to Microsoft ADFS. Make sure to not block outgoing traffic.
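As an added check (example code, not part of SysReptor), the following script parses an OIDC_AUTHLIB_OAUTH_CLIENTS value in the shape shown above and reports common misconfigurations before the container is restarted; the embedded sample value and the set of checks are my assumptions about what is worth verifying.

```python
import json
import os
from urllib.parse import urlparse

# Constructed sample mirroring the page's "adfs" entry, placeholders still in place.
SAMPLE_ENV = (
    '{"adfs": {"label": "ADFS", "client_id": "<your client_id>", '
    '"client_secret": "<your_client_secret>", '
    '"server_metadata_url": "https://adfs.your.domain/adfs/.well-known/openid-configuration", '
    '"client_kwargs": {"scope": "openid profile email", "code_challenge_method": "S256"}, '
    '"reauth_supported": false}}'
)

REQUIRED = ("label", "client_id", "client_secret", "server_metadata_url", "client_kwargs")


def check_oidc_clients(raw: str) -> list:
    """Return a list of problems found in an OIDC_AUTHLIB_OAUTH_CLIENTS value ([] = all good)."""
    problems = []
    try:
        clients = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"value is not valid JSON: {exc}"]
    if not isinstance(clients, dict) or not clients:
        return ["top level must be a non-empty JSON object keyed by client name"]
    for name, cfg in clients.items():
        if not isinstance(cfg, dict):
            problems.append(f"{name}: client entry must be a JSON object")
            continue
        problems += [f"{name}: missing '{k}'" for k in REQUIRED if k not in cfg]
        for key in ("client_id", "client_secret"):
            value = cfg.get(key, "")
            if not value or value.startswith("<"):  # the "<your ...>" placeholders
                problems.append(f"{name}: '{key}' still holds a placeholder")
        url = urlparse(cfg.get("server_metadata_url", ""))
        if url.scheme != "https":  # metadata fetched over plain http can be tampered with
            problems.append(f"{name}: server_metadata_url must use https")
        if not url.path.endswith("/.well-known/openid-configuration"):
            problems.append(f"{name}: server_metadata_url should point at the discovery document")
        kwargs = cfg.get("client_kwargs", {})
        if "openid" not in kwargs.get("scope", "").split():
            problems.append(f"{name}: scope must include 'openid'")
        if kwargs.get("code_challenge_method") != "S256":
            problems.append(f"{name}: PKCE should use code_challenge_method 'S256'")
    return problems


if __name__ == "__main__":
    value = os.environ.get("OIDC_AUTHLIB_OAUTH_CLIENTS", SAMPLE_ENV)
    for line in check_oidc_clients(value) or ["no problems found"]:
        print(line)
```

Run it with OIDC_AUTHLIB_OAUTH_CLIENTS exported in the shell to check the real value; without it, the embedded sample is checked and the two untouched placeholders are reported.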

Restart the docker container by going to sysreptor/deploy and:

docker compose up -d