ADFS With OIDC Support

Active Directory Federation Services (ADFS) provides enterprise-level identity and authentication services, including support for OAuth2 and OpenID Connect (OIDC) authentication flows.

This article outlines the step-by-step process to create and configure an ADFS Application Group that supports the Authorization Code flow. Additionally, it covers user creation, application group setup, and application server configuration.

Prerequisites

  • Access to an ADFS server.

  • Administrative rights to manage Active Directory (AD) and ADFS.

  • Access to the OvalEdge application server.

  • Knowledge of the OvalEdge domain name.

Steps

User Creation in Active Directory

  • Log in to the ADFS Server.

    • Open the Windows search bar, type Active Directory Users and Computers, and launch the application.

  • Create a new user.

    • Navigate to the Users section.

    • Right-click and select New > User.

    • Fill in the user details in the displayed dialog box and click Next.

    • Set a password for the user and click Next.

    • Review the details on the confirmation page and click Finish.

  • Create a group.

    • Navigate to the Builtin container (or the OU in which you keep application groups).

    • If a group does not exist, create a new one by right-clicking and selecting New > Group.

    • Enter the group details and click OK.

  • Assign user to group.

    • Locate the newly created user, right-click, and select Properties.

    • In the General tab, add the user's email address.

    • In the Member Of tab, add the user to the group created above.

    • Click Apply and OK.

[Figure: ADFS OIDC flow diagram]

Create and Configure an ADFS Application Group

Every native or web app OAuth client or web API resource configured with ADFS must be associated with an application group. Clients in an application group are configured to access resources within the same group. An application group can include multiple clients and resources.

  • Create an Application Group

    • Open the ADFS Management Console.

    • Select Application Groups and click Add Application Group.

    • On the Welcome step, enter a name for the application group, choose the template Server application accessing a web API, and click Next.

  • Configure the server application.

    • Copy the auto-generated Client Identifier; it is needed again later in the wizard and in oasis.properties.

    • Enter the redirect URL https://<Domain_Name>/oauth2/code/adfs (replace <Domain_Name> with the OvalEdge application host name), click Add, and then Next. ADFS matches this value exactly against the redirect_uri sent by OvalEdge, so scheme, host, port and path must be identical.

  • Generate the client secret.

    • In the Configure Application Credentials step, select Generate a shared secret.

    • Click Copy to clipboard and store the value in a secrets store. ADFS shows the secret only once; if it is lost, generate a new one and update the OvalEdge configuration.

  • Configure the Web API.

    • In the Identifier field, paste the client identifier copied earlier, click Add, and then Next.

  • Choose an access control policy and click Next. Prefer a policy scoped to the AD group created earlier (for example, Permit specific group) over Permit everyone.

  • Configure application permissions.

    • Under Permitted scopes, select allatclaims, openid and profile (and email, if OvalEdge will request it). The scopes granted here must cover every scope listed in spring.security.oauth2.client.registration.scopes in oasis.properties; ADFS rejects an authorization request that asks for a scope the client has not been granted.

    • Review the summary, click Next, and then Close.

  • Add claims.

    • Double-click the newly created application group.

    • Select the OE_API - Web API entry and click Edit.

    • Navigate to Issuance Transform Rules and click Add Rule.

    • In the wizard, select Send LDAP Attributes as Claims and click Next.

    • In the Configure Claim Rule step, name the rule (for example, OvalEdge Claims) and set:

      • Attribute Store: Active Directory.

      • The mapping of LDAP attributes to outgoing claim types, for example E-Mail-Addresses to E-Mail Address, Given-Name to Given Name and User-Principal-Name to UPN. Include the attribute that oasis.properties uses as the user name attribute (upn) so that OvalEdge can identify the user.

    • Click Finish, then OK to save the changes.
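The same application group can be created with the ADFS PowerShell module instead of the wizard, which makes the setup repeatable and reviewable. The script below is an added example, not OvalEdge or Microsoft code. It assumes the group name OE_API (taken from the Web API name used above), a placeholder OvalEdge host name, the built-in Permit everyone policy as a stand-in for the policy you choose, and a scope list that also includes email because oasis.properties requests it; adjust these to your environment.

```powershell
# Added example: scripted equivalent of the "Server application accessing a web API" wizard.
# Assumed values: group name, OvalEdge URL, access control policy and scope list.
Import-Module ADFS

$GroupName   = "OE_API"                              # assumed application group name
$OvalEdgeUrl = "https://ovaledge.example.com"        # assumed OvalEdge application URL
$RedirectUri = "$OvalEdgeUrl/oauth2/code/adfs"       # redirect URL required by OvalEdge
$Policy      = "Permit everyone"                     # assumed; prefer "Permit specific group" in production
$Scopes      = @("openid", "profile", "allatclaims", "email")  # must cover the scopes in oasis.properties

# The client identifier is reused as the Web API identifier, as in the wizard steps above.
$ClientId = [guid]::NewGuid().ToString()

New-AdfsApplicationGroup -Name $GroupName -Description "OvalEdge OIDC authorization-code client" | Out-Null

# Confidential client with a generated shared secret (returned once in the ClientSecret property).
$server = Add-AdfsServerApplication -ApplicationGroupIdentifier $GroupName `
    -Name "$GroupName - Server application" -Identifier $ClientId `
    -RedirectUri $RedirectUri -GenerateClientSecret

# Issuance transform rule equivalent to "Send LDAP Attributes as Claims":
# mail -> E-Mail Address, givenName -> Given Name, userPrincipalName -> UPN.
$ClaimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "OvalEdge Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";mail,givenName,userPrincipalName;{0}", param = c.Value);
'@

Add-AdfsWebApiApplication -ApplicationGroupIdentifier $GroupName -Name "$GroupName - Web API" `
    -Identifier $ClientId -AccessControlPolicyName $Policy `
    -IssuanceTransformRules $ClaimRules | Out-Null

# Application permissions: the client may request exactly these scopes against the Web API.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $ClientId -ServerRoleIdentifier $ClientId -ScopeNames $Scopes

# Shown once; copy into oasis.properties and keep the secret in a secrets store.
"client-id     = $ClientId"
"client-secret = $($server.ClientSecret)"
"base-url      = https://<ADFS_HOST_NAME>/adfs/.well-known/openid-configuration"
```

Run the script once from an elevated PowerShell session on the ADFS server; the client identifier and secret it prints are the values entered in the next section.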

Configure the OvalEdge Application Server

  • Edit oasis.properties.

    • Navigate to the oasis.properties file located in the extprop folder.

    • Update the following properties (replace the angle-bracket placeholders with the values recorded from the ADFS wizard):

      # OAuth2 Client ID (the Client Identifier copied from the application group)
      spring.security.oauth2.client.registration.client-id=<CLIENT_IDENTIFIER>

      # OAuth2 Client Secret (the shared secret generated in the wizard; never commit this file)
      spring.security.oauth2.client.registration.client-secret=<CLIENT_SECRET>

      # OAuth2 Provider
      spring.security.oauth2.client.registration.provider=ADFS

      # ADFS OpenID Connect discovery document URL, over https
      spring.security.oauth2.base-url=<ADFS_ISSUER_URL>
      # Example: https://{ADFS_HOST_NAME}/adfs/.well-known/openid-configuration

      # OAuth2 Scopes; each one must also be permitted for the client in the ADFS application group
      spring.security.oauth2.client.registration.scopes=openid,profile,email

      # OAuth2 User Attribute Mapping: the claim used as the OvalEdge user name (requires the UPN claim rule above)
      spring.security.oauth2.client.registration.name-attribute=upn

      # Set the user attribute
      spring.security.oauth2.client.registration.name.attribute=upn

      
  • Edit setenv.sh.

    • Navigate to the Tomcat bin directory and open setenv.sh.

    • Add the JVM parameter -DOVALEDGE_SECURITY_TYPE=oauth2 to CATALINA_OPTS. If CATALINA_OPTS is already set, append the parameter inside the existing double quotes rather than replacing the variable, so the other options are preserved:

      export CATALINA_OPTS="$CATALINA_OPTS -DOVALEDGE_SECURITY_TYPE=oauth2"

    • If the file does not set CATALINA_OPTS yet, add:

      export CATALINA_OPTS="-DOVALEDGE_SECURITY_TYPE=oauth2"
  • Restart the Tomcat application.

    sudo systemctl restart tomcatui
    sudo systemctl restart tomcatjob

Verify Configuration

  • Wait for 2 minutes after restarting the Tomcat services.

  • Open the OvalEdge application.

  • Verify that the login page includes the option Continue with ADFS.

  • Test the login functionality to ensure it works as expected.
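Before relying on the login button, it is worth checking that the values in oasis.properties agree with what ADFS actually publishes and permits; a scope requested by OvalEdge but not granted in the application group, or a redirect URL that differs in host or port, fails only at login time. The script below is an added example, not OvalEdge code. It runs on the ADFS server (the Get-Adfs* cmdlets need it) against a copy of extprop/oasis.properties; the file path and OvalEdge URL are assumed values.

```powershell
# Added example: cross-checks oasis.properties against the ADFS discovery document and the
# application group. $PropsPath and $OvalEdgeUrl are assumptions; adjust them to your deployment.
Import-Module ADFS

$PropsPath   = "C:\temp\oasis.properties"        # assumed: copy of the OvalEdge properties file
$OvalEdgeUrl = "https://ovaledge.example.com"    # assumed: OvalEdge application URL

# Parse key=value lines, skipping comments and blank lines.
$props = @{}
Get-Content $PropsPath | Where-Object { $_ -match '^\s*[^#\s].*=' } | ForEach-Object {
    $k, $v = $_ -split '=', 2
    $props[$k.Trim()] = $v.Trim()
}
$clientId  = $props['spring.security.oauth2.client.registration.client-id']
$secret    = $props['spring.security.oauth2.client.registration.client-secret']
$baseUrl   = $props['spring.security.oauth2.base-url']
$requested = $props['spring.security.oauth2.client.registration.scopes'] -split ',' | ForEach-Object { $_.Trim() }

$problems = @()

# 1. Static checks on the properties file.
if ([string]::IsNullOrWhiteSpace($secret) -or $secret -match '^<.*>$') {
    $problems += "client-secret is empty or still a placeholder"
}
if ($baseUrl -notmatch '^https://[^/]+/adfs/\.well-known/openid-configuration$') {
    $problems += "base-url is not the ADFS discovery URL over https: '$baseUrl'"
}

# 2. Discovery document: https issuer, and every requested scope advertised by ADFS.
$disco = Invoke-RestMethod -Uri $baseUrl
if ($disco.issuer -notmatch '^https://') { $problems += "issuer is not https: $($disco.issuer)" }
foreach ($s in $requested) {
    if ($disco.scopes_supported -notcontains $s) { $problems += "scope '$s' is not in scopes_supported" }
}

# 3. Application group: requested scopes must be granted, and the redirect URL must match exactly.
$granted = (Get-AdfsApplicationPermission -ClientRoleIdentifiers $clientId).ScopeNames
foreach ($s in $requested) {
    if ($granted -notcontains $s) { $problems += "scope '$s' is requested in oasis.properties but not granted in ADFS" }
}
$redirects = (Get-AdfsServerApplication -Identifier $clientId).RedirectUri
$expected  = "$OvalEdgeUrl/oauth2/code/adfs"
if ($redirects -notcontains $expected) {
    $problems += "redirect URL $expected is not registered (registered: $($redirects -join ', '))"
}

if ($problems.Count -eq 0) { "All checks passed for client $clientId" }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

With the scope lists as written on this page (allatclaims, openid, profile granted; openid, profile, email requested) the third check reports email as requested but not granted, which is exactly the mismatch to resolve before testing the login.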


Copyright © 2025, OvalEdge LLC, Peachtree Corners, GA, USA.
