# ADFS With OIDC Support

Active Directory Federation Services (ADFS) provides enterprise-level identity and authentication services, including support for OAuth2 and OpenID Connect (OIDC) authentication flows.

This article outlines the step-by-step process to create and configure an ADFS Application Group that supports the Authorization Code flow. Additionally, it covers user creation, application group setup, and application server configuration.

### **Prerequisites**

* Access to an ADFS server.
* Administrative rights to manage Active Directory (AD) and ADFS.
* Access to the OvalEdge application server.
* Knowledge of the OvalEdge domain name.

## Steps

### **User Creation in Active Directory**

* Log in to the ADFS Server.
  * Open the Windows search bar, type **Active Directory Users and Computers**, and launch the application.

    <figure><img src="/files/ZnIxQ6eewPonjHPYa8NC" alt=""><figcaption></figcaption></figure>
* Create a new user.
  * Navigate to the **Users** section.

    <figure><img src="/files/AKpaEDaGUgYytLSbcXT3" alt=""><figcaption></figcaption></figure>
  * Right-click and select **New > User**.

    <figure><img src="/files/UtQoHCPvRNGPX0RxiygI" alt=""><figcaption></figcaption></figure>
  * Fill in the user details in the displayed dialog box and click **Next**.

    <figure><img src="/files/bAmcn5moE3hE4MZ2ZICe" alt=""><figcaption></figcaption></figure>
  * Set a password for the user and click **Next**.

    <figure><img src="/files/hUTsLB7x0JtGBldUvayK" alt=""><figcaption></figcaption></figure>
  * Review the details on the confirmation page and click **Finish**.

    <figure><img src="/files/6O6QjoFoeqf77XFgVnp0" alt=""><figcaption></figcaption></figure>
* Create a group.
  * Navigate to the **Builtindomain** folder.
  * If a group does not exist, create a new one by right-clicking and selecting **New > Group**.

    <figure><img src="/files/CMpzGP47H09PCeMQLZyu" alt=""><figcaption></figcaption></figure>
  * Enter the group details and click **OK**.

    <figure><img src="/files/zWDSpIbclVCJUCElIJZD" alt=""><figcaption></figcaption></figure>
* Assign user to group.
  * Locate the newly created user, right-click, and select **Properties**.

    <figure><img src="/files/Ma4AxMOpkYyNMVBWz0Mp" alt=""><figcaption></figcaption></figure>
  * In the **General** tab, add the user's email address.

    <figure><img src="/files/YxqUmFXbWhv797dC1btk" alt=""><figcaption></figcaption></figure>
  * In the **MemberOf** tab, add the user to the appropriate group.

    <figure><img src="/files/X9vDGoGRtj8ONxnTq8aA" alt=""><figcaption></figcaption></figure>
  * Click **Apply** and **OK**.

    <figure><img src="/files/EuM7eLAfnk7fI7TtCz1G" alt=""><figcaption></figcaption></figure>

## *ADFS OIDC Flow Diagram*

<figure><img src="/files/LiPCycsLORQiV4LK0kif" alt=""><figcaption></figcaption></figure>

### **Create and Configure an ADFS Application Group**

Every native or web app OAuth client or web API resource configured with ADFS must be associated with an application group. Clients in an application group are configured to access resources within the same group. An application group can include multiple clients and resources.

* **Create an Application Group**
  * Open the ADFS Management Console.
  * Select **Application Groups** and click **Add Application Group**.
  * On the first page of the wizard, provide a name for the application group, choose the template **Server application accessing a web API**, and click **Next**.

    <figure><img src="/files/NsLw570yv5dC7qi4Tvp4" alt=""><figcaption></figcaption></figure>
* **Add server application URL.**
  * Copy the Client Identifier for future reference.
  * Enter the redirect URL: `https://<Domain_Name>/oauth2/code/adfs` (replace `<Domain_Name>` with the OvalEdge application URL).

    <figure><img src="/files/6PCDWj4UzAo1nYAwWCyk" alt=""><figcaption></figcaption></figure>
* Copy identifiers and generate secrets.
  * In the **Configure Application Credentials** section, generate a shared client secret.
  * Click **Copy to clipboard** and save it securely.

    <figure><img src="/files/hSKBT3B5PGswnLlmc4iq" alt=""><figcaption></figcaption></figure>
* Configure client identifier.
  * Paste the previously copied client identifier.

    <figure><img src="/files/7xZlizcx8PjGP9fw4QdR" alt=""><figcaption></figcaption></figure>
* Choose an access control policy.

  <figure><img src="/files/EhNVjqwcYtoIo2TBqF0E" alt=""><figcaption></figcaption></figure>
* Configure application permissions.
  * Add the following scopes: `allatclaims`, `openid`, `profile`.

    <figure><img src="/files/NFu5pcsmgxtlG4rdgFxP" alt=""><figcaption></figcaption></figure>
  * Review the summary and click **Next**.

    <figure><img src="/files/Tgz4caIVbazHcQl4b7ny" alt=""><figcaption></figcaption></figure>
* **Add claims**
  * Double-click the newly created application group.

    <figure><img src="/files/OMdGu60bsLGZSlRhrWMk" alt=""><figcaption></figcaption></figure>
  * Edit the **OE\_API-Web API** configuration.

    <figure><img src="/files/KwCdIA7spvV0Un2RCUXJ" alt=""><figcaption></figcaption></figure>
  * Navigate to **Issuance Transform Rules** and click **Add Rule**.

    <figure><img src="/files/vmyChJPNYhQsNPlzuDhk" alt=""><figcaption></figcaption></figure>
  * In the wizard, select **Send LDAP Attributes as Claims** and click **Next**.

    <figure><img src="/files/tBGI6Hg2akdpceUX3EIG" alt=""><figcaption></figcaption></figure>
  * Click **Finish**.

    <figure><img src="/files/LEFdxmhYExPc1U0PmJ0p" alt=""><figcaption></figcaption></figure>
  * In the **Edit Rule – OvalEdge Claims** window, configure the claim rule:
    * Attribute Store: **Active Directory**.
    * Map LDAP attributes to outgoing claim types (e.g., Email Address, Given Name).
  * Click **OK** to save changes.

    <figure><img src="/files/YGnZU3t2Oja3e6oA8LlO" alt=""><figcaption></figcaption></figure>
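The client identifier, client secret, redirect URL and scopes configured in the application group above are the inputs to the Authorization Code flow shown in the diagram. The following Python script is an added example, not OvalEdge or ADFS code: it shows the checks a relying party performs at each step of that flow, using only the standard library. The discovery document fields, the client identifier, the redirect URI host and the ID-token claims are constructed sample values; real values come from your ADFS server and application group.

```python
"""Authorization Code flow checks an OIDC client performs against ADFS.

Added example, not OvalEdge or ADFS code. DISCOVERY, CLIENT_ID,
REDIRECT_URI and the claims used in the tests are constructed samples.
"""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample of the fields an ADFS discovery document
# (https://<ADFS_HOST_NAME>/adfs/.well-known/openid-configuration) exposes.
DISCOVERY = {
    "issuer": "https://adfs.example.com/adfs",
    "authorization_endpoint": "https://adfs.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.com/adfs/oauth2/token/",
}
CLIENT_ID = "11111111-2222-3333-4444-555555555555"               # placeholder client identifier
REDIRECT_URI = "https://ovaledge.example.com/oauth2/code/adfs"   # pattern from the page
SCOPES = ["openid", "profile", "allatclaims"]


def build_authorization_request(discovery, client_id, redirect_uri, scopes):
    """Return (url, state, nonce).

    state binds the callback to this browser session (CSRF guard);
    nonce binds the ID token to this specific authorization request.
    """
    if "openid" not in scopes:
        raise ValueError("OIDC requires the openid scope")
    if urlparse(redirect_uri).scheme != "https":
        raise ValueError("redirect URI must use https")
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params), state, nonce


def extract_code(callback_url, expected_state):
    """Parse the redirect back to /oauth2/code/adfs.

    The state is compared before anything else is trusted: a missing or
    mismatched state means the callback is not bound to this session.
    """
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def validate_id_token_claims(claims, discovery, client_id, expected_nonce, now=None):
    """Claim checks on an ID-token payload whose signature has already been
    verified against the ADFS JWKS (the signature step is not shown here).
    Returns the names of the failing claims; an empty list means accepted.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != discovery["issuer"]:
        problems.append("iss")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        problems.append("aud")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("exp")
    if not claims.get("upn"):   # attribute the application server maps to the user name
        problems.append("upn")
    return problems
```

The `upn` check reflects the `name-attribute=upn` mapping used in the application server configuration; if the claim rule in ADFS does not emit that attribute, the login will fail at this point rather than at the token exchange.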

### **Configure the OvalEdge Application Server**

* Edit `oasis.properties`.
  * Navigate to the `oasis.properties` file located in the `extprop` folder.
  * Update the following properties:

    ```properties
    # OAuth2 Client ID
    spring.security.oauth2.client.registration.client-id=<CLIENT_IDENTIFIER>

    # OAuth2 Client Secret
    spring.security.oauth2.client.registration.client-secret=<CLIENT_SECRET>

    # OAuth2 Provider
    spring.security.oauth2.client.registration.provider=ADFS

    # OAuth2 Base URL
    spring.security.oauth2.base-url=<ADFS_ISSUER_URL>
    # Example: https://{ADFS_HOST_NAME}/adfs/.well-known/openid-configuration

    # OAuth2 Scopes
    spring.security.oauth2.client.registration.scopes=openid,profile,email

    # OAuth2 User Attribute Mapping
    spring.security.oauth2.client.registration.name-attribute=upn

    # Set the user attribute
    spring.security.oauth2.client.registration.name.attribute=upn
    ```
* Edit `setenv.sh`.
  * Navigate to the Tomcat **bin** directory and open `setenv.sh`.
  * If `CATALINA_OPTS` already exists, append this parameter inside the double quotes:

    ```bash
    -DOVALEDGE_SECURITY_TYPE=oauth2
    ```
  * Example:

    ```bash
    export CATALINA_OPTS="-DOVALEDGE_SECURITY_TYPE=oauth2"
    ```
* Restart the Tomcat application.

  ```bash
  sudo systemctl restart tomcatui
  sudo systemctl restart tomcatjob
  ```
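Before restarting Tomcat it is worth confirming that no placeholder was left in `oasis.properties`, that the ADFS URL is https, that `openid` is among the scopes and that `CATALINA_OPTS` actually carries the security-type flag. The script below is an added example, not OvalEdge code: it reads the properties keys and the `setenv.sh` line described above from constructed sample text (`SAMPLE_PROPERTIES`, `SAMPLE_SETENV`) and reports findings. The key names are the ones shown on this page; the two spellings `name-attribute` and `name.attribute` are checked for agreement because the sample file lists both.

```python
"""Pre-restart checks for the OvalEdge OAuth2 settings described above.

Added example, not OvalEdge code. SAMPLE_PROPERTIES and SAMPLE_SETENV are
constructed inputs that deliberately contain mistakes so the checks fire.
"""
import re
import shlex
from urllib.parse import urlparse

PREFIX = "spring.security.oauth2.client.registration."

SAMPLE_PROPERTIES = """\
# OAuth2 Client ID
spring.security.oauth2.client.registration.client-id=<CLIENT_IDENTIFIER>
spring.security.oauth2.client.registration.client-secret=s3cr3t-value
spring.security.oauth2.client.registration.provider=ADFS
spring.security.oauth2.base-url=http://adfs.example.com/adfs
spring.security.oauth2.client.registration.scopes=profile,email
spring.security.oauth2.client.registration.name-attribute=upn
spring.security.oauth2.client.registration.name.attribute=email
"""

SAMPLE_SETENV = 'export CATALINA_OPTS="-Xmx4g -DOVALEDGE_SECURITY_TYPE=oauth2"\n'


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_oauth2_properties(props):
    """Return a list of findings; an empty list means the file is ready."""
    findings = []
    placeholder = re.compile(r"^<[A-Z_]+>$")          # e.g. <CLIENT_IDENTIFIER>
    for short in ("client-id", "client-secret", "provider"):
        value = props.get(PREFIX + short, "")
        if not value or placeholder.match(value):
            findings.append(f"{short}: missing or placeholder not replaced")
    base = props.get("spring.security.oauth2.base-url", "")
    if urlparse(base).scheme != "https":
        findings.append("base-url: must be an https ADFS issuer URL")
    scopes = {s.strip() for s in props.get(PREFIX + "scopes", "").split(",") if s.strip()}
    if "openid" not in scopes:
        findings.append("scopes: openid is required for an OIDC login")
    names = {props.get(PREFIX + "name-attribute"), props.get(PREFIX + "name.attribute")} - {None}
    if not names:
        findings.append("name-attribute: user attribute mapping is missing")
    elif len(names) > 1:
        findings.append("name-attribute: name-attribute and name.attribute disagree")
    return findings


def catalina_opts(setenv_text):
    """Return the options inside CATALINA_OPTS="..." from setenv.sh as a list."""
    m = re.search(r'CATALINA_OPTS="([^"]*)"', setenv_text)
    return shlex.split(m.group(1)) if m else []


def security_type_enabled(setenv_text):
    """True when the OAuth2 security type flag from the page is present."""
    return "-DOVALEDGE_SECURITY_TYPE=oauth2" in catalina_opts(setenv_text)


if __name__ == "__main__":
    for finding in check_oauth2_properties(parse_properties(SAMPLE_PROPERTIES)):
        print("oasis.properties:", finding)
    print("setenv.sh security type set:", security_type_enabled(SAMPLE_SETENV))
```

Run it against the real files by replacing the two sample strings with `open(path).read()`; a clean run prints no findings and `True`, after which the Tomcat restart can proceed.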

**Verify Configuration**

* Wait for 2 minutes after restarting the Tomcat services.
* Open the OvalEdge application.
* Verify that the login page includes the option **Continue with ADFS**.

  <figure><img src="/files/m4g6ReaTPNxw726ZklMu" alt=""><figcaption></figcaption></figure>
* Test the login functionality to ensure it works as expected.

***

Copyright © 2025, OvalEdge LLC, Peachtree Corners, GA, USA.

