
AE initiated SSO with ADFS using OpenID Connect

The ADFS Identity Provider supports the OpenID Connect and SAML protocols.

This topic walks through the key ADFS configuration steps and shows how to fetch the parameters that AutomationEdge SSO requires:

  • Identity Provider Issuer

  • Identity Provider Endpoints (Authorization, Token & End Session Endpoints)

  • Login redirect URIs

  • Client ID

  1. Open ADFS console and go to Application Group. Click Add Application Group.

  2. Type a Name for the new Application Group, for example Automationedge.

  3. Select Web browser accessing a web application as the Client-Server application template.

  4. The Add Application Group Wizard opens. The Welcome step automatically generates a new Client Identifier; this value is the Client ID in the AutomationEdge SSO configuration.

    Note:

    You may change the Client ID if required.

    Copy the Client Identifier.

  5. In the Redirect URI section, add all the AutomationEdge redirect URLs (AutomationEdge is the client application). Click Next.
  6. In the Apply Access Control Policy step, Permit everyone is pre-selected; choose a different policy if your environment needs one. Click Next.
  7. Review the settings in the Summary step and click Next. The Complete step shows the message "Application Group has been successfully created"; click Close.
  8. The ADFS console reappears, and the new Application Group is listed under Application Groups.

  9. Select the Application Group you want to configure and click Properties.
  10. The Properties window of the newly created Application Group opens. The wizard has created two Applications, one for the Client Application and one for the Server.

  11. Now select the ‘Automationedge’ Web Application for additional configuration and click Edit.
  12. Add Claims for the Access Token. Leave the Notes and Access control policy tabs as they are.

  13. Go to the Issuance Transform Rules tab, which is empty! When the window shown below appears, click the Add Rule button. Select the ‘Send LDAP Attributes as Claims’ template and add the LDAP Attributes as follows:

    LDAP Attribute       Outgoing Claim Type
    E-Mail-Addresses     emailAddress
    SAM-Account-Name     uniqueId
    Given-Name           firstName
    Surname              lastName

    Note:

    It is mandatory to map LDAP attributes to the three outgoing claim types: uniqueId, firstName, and lastName.

  14. Click Next.

  15. Finally, for the AutomationEdge Web Application configuration, click Client Permissions. In our case, we selected the following three scopes: OpenID Connect: request use of the OpenID Connect authorization protocol;

  16. After selecting Client Permissions, click OK.

  17. Next, add a user to the ADFS server's Active Directory. The steps for adding a new user are as follows:

    In the ADFS console, open Active Directory Users and Computers and navigate to Organization -> User -> New -> User.

    Provide the details of the user to be created.
  18. After the user is created, fetch the Identity Provider Endpoints (Authorization, Token and End Session Endpoints) from ADFS by completing the following steps:

  1. Open Windows PowerShell and run the command: Get-AdfsEndpoint

  2. Search for OpenID Connect Discovery.

  3. Copy the Full URL (e.g. https://xxxxx.com/adfs/.well-known/openid-configuration).

  4. Open the URL in a browser. The discovery document is returned as JSON text; it contains the issuer and the Authorization, Token and End Session endpoints.
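The discovery document from step 18 is the source of four of the parameters listed at the top of this topic (Identity Provider Issuer and the three endpoints), and step 13 states which outgoing claims are mandatory. The following script is an added example, not AutomationEdge's or Microsoft's code: it extracts those parameters from a discovery document and rejects any endpoint that is not an https URL on the issuer's own host, then checks a decoded claim set for the three mandatory claim types. The discovery JSON and the claim set are constructed samples in the shape ADFS produces; the host adfs.example.com is a placeholder, not a value from the page.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the shape of an ADFS OpenID Connect discovery
# document (the JSON returned by /adfs/.well-known/openid-configuration).
# "adfs.example.com" is a placeholder host, not a value from the page.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://adfs.example.com/adfs",
    "authorization_endpoint": "https://adfs.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.com/adfs/oauth2/token/",
    "end_session_endpoint": "https://adfs.example.com/adfs/oauth2/logout",
    "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
    "scopes_supported": ["openid", "email", "profile"],
})

# The three endpoints AutomationEdge SSO needs, keyed by their discovery names.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "end_session_endpoint")

# Outgoing claim types that the Issuance Transform Rules must always provide.
MANDATORY_CLAIMS = ("uniqueId", "firstName", "lastName")


def extract_sso_parameters(discovery):
    """Return the issuer plus the three endpoints, refusing any endpoint that
    is not an https URL on the issuer's own host: a misconfigured or tampered
    discovery document would otherwise steer the client to the wrong token
    endpoint. Accepts the raw JSON text or an already-parsed dict."""
    doc = json.loads(discovery) if isinstance(discovery, str) else dict(discovery)
    issuer = doc.get("issuer")
    if not issuer:
        raise ValueError("discovery document has no issuer")
    issuer_parts = urlparse(issuer)
    if issuer_parts.scheme != "https" or not issuer_parts.netloc:
        raise ValueError(f"issuer is not an https URL: {issuer}")
    params = {"issuer": issuer}
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            raise ValueError(f"discovery document is missing {key}")
        parts = urlparse(url)
        if parts.scheme != "https" or parts.netloc != issuer_parts.netloc:
            raise ValueError(
                f"{key} must be an https URL on {issuer_parts.netloc}, got {url}")
        params[key] = url
    return params


def missing_mandatory_claims(claims):
    """List the mandatory outgoing claim types that are absent or empty in a
    decoded token claim set; an empty list means the step 13 mapping worked."""
    return [name for name in MANDATORY_CLAIMS if not claims.get(name)]


if __name__ == "__main__":
    params = extract_sso_parameters(SAMPLE_DISCOVERY_JSON)
    for name, value in params.items():
        print(f"{name}: {value}")
    # Constructed claim set as it would arrive after the four LDAP mappings.
    sample_claims = {"emailAddress": "jdoe@example.com", "uniqueId": "jdoe",
                     "firstName": "Jane", "lastName": "Doe"}
    print("missing mandatory claims:", missing_mandatory_claims(sample_claims))
```

To use it against a real server, replace SAMPLE_DISCOVERY_JSON with the text returned by the Full URL copied in step 18; the host check is deliberately strict, so an ADFS farm whose endpoints are served from a host other than the issuer's would need that rule relaxed consciously rather than by accident.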

The ADFS configuration and the retrieval of the parameters required for AutomationEdge SSO are now complete.

You may now create an AutomationEdge SSO user mapped to the user just created in the ADFS Windows Server Active Directory, for AutomationEdge initiated Single Sign-On.