Friday, December 19, 2014

ADFS : ADFS 3.0 and OpenID Connect / OAuth 2

This is for Server 2012 R2 and the documentation (to be polite) is somewhat lacking!

Came across a really neat tool for testing:

authnauthz

Also, Vittorio blogged some useful information:

Securing a Web API with Windows Server 2012 R2 ADFS and Katana

So let's put the pieces together.

In ADFS, create a RP as per Vittorio's instructions.

There's no certificate and no endpoints because you don't pick either SAML or WS-Fed.

Unlike my usual RP stuff, the identifier is not a URI.

I made the name and identifier simply "OAuth Test".

Then again following Vittorio,

Add-AdfsClient -Name "OAuth Test" -ClientId "112e0117-ef3d-44c4-a367-5b4bef313d8f" -RedirectUri "https://www.authnauthz.com/oauth/inboundauthenticationresponse" -Description "OAuth client"

The ClientId and RedirectUri are the values the test tool gives you.

So off to the test tool.

Under OAuth click "OIDC Authentication Request".

The authorisation endpoint is:

https://<your adfs>/adfs/oauth2/authorize

Response type: ensure only "code" is ticked.

ADFS 3.0 doesn't support any other response type (only the authorisation code grant).

Set Resource to "OAuth Test" (the RP identifier you created above).

Remove all Scope values.

ADFS 3.0 doesn't support any scopes.

Click "Submit".

Off to ADFS, authenticate as per usual and you'll be redirected to the Response page in the tool with an authorisation code.
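As an added example (not from the post, the authnauthz tool or ADFS itself), here is the same authorisation request assembled in Python, plus the checks a client should run on the redirect before trusting the code. The ADFS host name is a placeholder, and the state parameter is an addition the post does not use.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Client id, redirect URI and resource are the values from the post; the ADFS host is a placeholder.
ADFS_HOST = "adfs.example.local"
CLIENT_ID = "112e0117-ef3d-44c4-a367-5b4bef313d8f"
REDIRECT_URI = "https://www.authnauthz.com/oauth/inboundauthenticationresponse"
RESOURCE = "OAuth Test"  # the RP identifier; on ADFS 3.0 it need not be a URI


def build_authorize_url(state, host=ADFS_HOST):
    """Assemble the ADFS 3.0 authorisation request: only response_type=code
    is supported, 'resource' names the RP, and no 'scope' is sent because
    ADFS 3.0 accepts none. 'state' is an addition the post does not use."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "resource": RESOURCE,
        "state": state,  # binds the response to the browser session that started it
    }
    return f"https://{host}/adfs/oauth2/authorize?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Validate the inbound redirect and return the authorisation code.
    Rejects an unregistered redirect URI, an OAuth error response, or a
    state value that does not match the one sent with the request."""
    parts = urlsplit(redirect_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("response arrived at an unregistered redirect URI")
    qs = parse_qs(parts.query)
    if "error" in qs:
        raise ValueError(f"authorisation failed: {qs['error'][0]}")
    state = qs.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response not bound to this session")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("no authorisation code in the response")
    return code


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(state))
    # Constructed sample redirect, as the tool's Response page would receive it
    sample = f"{REDIRECT_URI}?code=AAABBBCCC&state={state}"
    print(parse_redirect(sample, state))
```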

Enjoy!
