AD FS | OIDC

Verify the version of Windows Server

Verify that AD FS is running on Windows Server 2016 TP4 or later. Please use SAML for older versions that do not support OIDC.

1. Display name

Choose a name for your identity provider. This is the user-facing name, so choose a name your users will recognize. This value can be changed later.

2. Redirect Mode

Select how the user will be redirected to the identity provider. Available options are: Automatic, instant and No redirect. You may configure more redirect modes after completing the setup.

3. Prepare IDP

Copy the Callback URL. You will need this when configuring AD FS

 

Configure AD FS

external

On your Windows Server 2016 TP4 or later server, Open the AD FS Management console on the AD FS server. Select Add Application Group.

If you are using SCIM with your provider, make sure to check out the documentation for configuring this before proceeding. It might be that you need to configure this first or at the same time as setting up OIDC.

If you are using SCIM with your provider, make sure to check out the documentation for configuring this before proceeding. It might be that you need to configure this first or at the same time as setting up SAML.

Give the app a name and select the Server application accessing a web API.

Copy the Client Identifier value. You will need this id later.

Add the Callback URL from the Kantega SSO wizard into the list of Redirect URIs.

Select Configure Application Credentials and generate a shared secret. Copy the shared secret, you will make use of it later.

Add your site’s URL in the Identifier list (in our example https://jira-test.example.com/).

Select Permit everyone in Choose an access control policy.

Let openid be the Permitted scopes as is the default.

Verify everything looks correct on the summary screen.

 

Go back to the Kantega SSO setup wizard.

4. Metadata

In the Metadata step you enter the ADFS host to complete the Discovery URL.

 

5. Scopes

These are the scopes we were able to fetch from the metadata. You can add scope values from a list, start typing to add your own or unselect them. A minimum of one scope value is required.

 

6. Credentials

Paste the Client Identifier and Client Secret you copied from AD FS Management console into the respective fields.

 

7. Summary

Check that everything looks good and submit your setup

 

Test

Test that logging in with AD FS works as expected. This will help identify if there are any issues with the configuration. Follow the steps to perform the login test.