This article describes how to prepare an existing AD FS server for use as the Identity Provider integration in the Flowscape Solution. It does not include instructions on how to set up a new AD FS server.
AD FS Server
For AD FS, the /userinfo endpoint does not support issuing any claims other than the subject ID. For this reason, the user's name and email have to be fetched from the ID token.
To customize the ID token so that it returns given_name, family_name and email in the correct format, follow the steps below.
Setup the Application Group
On the AD FS server, open the desktop app AD FS Management and select the folder Application Groups.
Create a new Application Group named “Flowscape” and select Server application.
Add the Redirect URI. If you have not received the URI from the Flowscape team, ask your Flowscape contact person to provide it.
Redirect URI: https://<FQDN>/concierge/auth/openid/auth-code
Example: https://flowscape.customer.com/concierge/auth/openid/auth-code
Enable Generate a shared secret. Make sure to copy the Secret; it will be used later.
For the Permitted scopes, enable allatclaims and openid.
Open the Application Group “Flowscape”, select the Web API “Flowscape - Web API” and click on Edit…
Go to the Issuance Transform Rules tab and click Add Rule…
Keep the Claim rule template set to Send LDAP Attribute Claims
Add the following information:
Claim rule name: Flowscape - Claim Rules
Attribute store: Active Directory
Mappings (LDAP Attribute => Outgoing Claim Type):
Given-Name => given_name
Surname => family_name
E-Mail-Addresses => email
Click Apply and OK.
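The same Application Group, claim rule and scope grants can be created from the AD FS PowerShell module instead of the AD FS Management console. This is an added example, not part of the original article or of Flowscape's own tooling; the cmdlet names and the claim rule text are AD FS's own, while the redirect URI host, the "Permit everyone" access control policy and the choice to reuse the client identifier as the Web API identifier (what the wizard pre-fills) are assumptions.

```powershell
# Constructed example: scripted equivalent of the console steps above.
# Assumptions (not from the article): the redirect URI host, the default
# "Permit everyone" policy, and Web API identifier == client identifier.
$groupId     = "Flowscape"
$redirectUri = "https://flowscape.customer.com/concierge/auth/openid/auth-code"  # use the URI from Flowscape
$clientId    = [guid]::NewGuid().ToString()   # becomes the Application Group Client Identifier

# Claim rule language that the "Send LDAP Attribute Claims" template generates:
# Given-Name -> given_name, Surname -> family_name, E-Mail-Addresses -> email
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Flowscape - Claim Rules"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("given_name", "family_name", "email"), query = ";givenName,sn,mail;{0}", param = c.Value);
'@

New-AdfsApplicationGroup -Name $groupId -ApplicationGroupIdentifier $groupId | Out-Null

# Server application: confidential client with a generated shared secret.
$server = Add-AdfsServerApplication -Name "Flowscape - Server application" `
    -ApplicationGroupIdentifier $groupId -Identifier $clientId `
    -RedirectUri $redirectUri -GenerateClientSecret

# Web API: carries the issuance transform rules that shape the ID token.
Add-AdfsWebApiApplication -Name "Flowscape - Web API" `
    -ApplicationGroupIdentifier $groupId -Identifier $clientId `
    -IssuanceTransformRules $rules -AccessControlPolicyName "Permit everyone" | Out-Null

# Permitted scopes: openid for the ID token, allatclaims so the mapped claims
# are placed in the ID token (the /userinfo endpoint only returns the subject).
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $clientId -ScopeNames "openid", "allatclaims"

# Values to record for the Directory integration in the Flowscape Solution.
[pscustomobject]@{
    ClientIdentifier = $clientId
    Secret           = $server.ClientSecret   # shown once; store it securely
    AdfsHostname     = (Get-AdfsProperties).HostName
}
```

Run it in an elevated AD FS PowerShell session on the primary AD FS server; the secret is only available in the output of the Add-AdfsServerApplication call, so capture it there.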
From the steps above, the following values should have been generated.
Client identifier (Example: “69c5d898-8e49-487d-8801-65261c3b7966“)
Secret (Example: “hva6vwcLRZZwZU-9KrKq8jqqVLCp-kCKhA9vvRB6“)
Make sure to store the values somewhere safe since they will be used when setting up the Directory integration in the Flowscape Solution.
Get the hostname
We will also need the hostname of the AD FS server to set up the endpoints.
AD FS Server Hostname (Example: “adfs.customer.com”)
If you have successfully completed the tasks above, you should now be able to provide the information below. This information will be required when installing the Flowscape Solution. Fill in the information and send it to your Flowscape contact person:
Application Group Client Identifier
Application Group Secret
AD FS Server Hostname