Configure Active Directory Federation Services for Windows 2016 as OpenId Provider

Contents

• Adding IFS Appilcations to ADFS for Windows 2016
• IFS Admin Console configurations
• Mapping the AD user to Foundation1 user

Related documents

• Configuring Touch Apps for OpenID Connect

Adding IFS Applications to ADFS for Windows 2016

The applications that need to be authenticated using Active Directory Federation Services have to be registered and configured in ADFS for Windows 2016. This is performed using the tools provided by ADFS.

NOTE: How to configure the Active Directory user registry and how to enable and configure Active Directory Federation Services for the AD is outside the scope of this documentation. 

Aurena Default Application

• Login to the Windows 2016 server where the ADFS is installed. Launch AD FS Management tool. Click on "Application Groups". Click "Add Application Group...".

• Give a name to your application group and select "Server application". Click "Next".

• Note down the value given in the field "Client Identifier". This is required later when authentication configuration is completed using IFS Admin Console. Add the following Redirect URIs for Aurena Application.

https://<fully_qualified_domain_name_of_the_app_server:port>main/ifsapplications/projection/oauth2/callback/
https://<fully_qualified_domain_name_of_the_app_server:port>/main/ifsapplications/web/oauth2/callback/

E:g:

https://lkppdeTest888.corpnet.ifsworld.com:58080/main/ifsapplications/projection/oauth2/callback/
https://lkppdeTest888.corpnet.ifsworld.com:58080/main/ifsapplications/web/oauth2/callback/

• Click "Next". Select check box "Generate a shared secret". Copy the value given in the field "Secret". This is required when authentication configuration is completed using the IFS Admin Console.

• Click "Next" and finish the configuration.
• From the application groups select the application group just created. click "Add application..".

• Select "Web API"

• Give an Identifier. For documentation purposes giving the application server URL as the identiffier is a good idea.
• Press next and leave "Permit everyone" as the selection.
• Press next and make sure the selection is "openid".

• Press next and finish the configuration.

Aurena B2B Application

• To authenticate user login for B2B client follow the above procedure and create a seperate application gropup. Add the following Redirect URIs. If a seperate application group is not required the same application group as Areana can be used with the following set of Redirect URIs added.

https//:<fully_qualified_domain_name_of_the_app_server:port>/b2b/ifsapplications/projection/oauth2/callback/
https://<fully_qualified_domain_name_of_the_app_server:port>/b2b/ifsapplications/web/oauth2/callback/

E.g:

https://lkppdeTest888.corpnet.ifsworld.com:58080/b2b/ifsapplications/projection/oauth2/callback/      https://lkppdeTest888.corpnet.ifsworld.com:58080/b2b/ifsapplications/web/oauth2/callback/

• If a seperate application group is created take a note of the Application ID and the Secret key of the B2B application as this is required later to finish configuring authentication for IFS Applications using the IFS Admin Console.

IFS Enterprise Explorer and Touch Apps

IFS Enterprise Explorer

• To authenticate user logins for IFS Enterprise Explorer add the following application group in ADFS.
• Go to "Add Application Group.." give a name and select "Native application"

• Note down the Client Identifier as this is required later when authentication configuration is completed using the IFS Admin Console. Enter the following redirect URIs.

<https://fully_qualified_domain_name_of_the_app_server:port>/int/default/plsqlgateway/oauth2/callback/
<https://fully_qualified_domain_name_of_the_app_server:port>/int/default/clientgateway/oauth2/callback/
<https://fully_qualified_domain_name_of_the_app_server:port>/main/default/plsqlgateway/oauth2/callback/
<https://fully_qualified_domain_name_of_the_app_server:port>/main/default/clientgateway/oauth2/callback/

E:g:
https://lkppdeTest888.corpnet.ifsworld.com:58080/int/default/plsqlgateway/oauth2/callback/
https://lkppdeTest888.corpnet.ifsworld.com::58080/int/default/clientgateway/oauth2/callback/
https://lkppdeTest888.corpnet.ifsworld.com::58080/main/default/plsqlgateway/oauth2/callback/
https://lkppdeTest888.corpnet.ifsworld.com:58080/main/default/clientgateway/oauth2/callback/

• Press next and finish application configuration.
• Select the newly created application group and click on "Add application". Select the "Web API".

• Press next. In the Identifier field enter the following: api://<INSTANCE_NAME>. Make sure to follow this exact format as this is the accepted format of the resource id that is required. The INSTANCE_NAME here is the instance name given for the IFS Application instance.

E.g: api://PROD_INSTANCE

• Press next and select "Permit everyone".
• Press next and select both "openid" and "user_impersonation" scopes.

• Press next and finish application configuration.
• Select the newly created web application from the application group and press "Edit".

• Select the tab "Issuance Transform Rules". Select "Add Rule". From the drop down select "Send claims Using a Custom Rule" and press next.

• Add the following claims:

NOTE: Re-authenitcation behavior: When the user logs in and work in IFS Enterprise Explorer client the client session is refreshed based on the session timeout (Default 10 minutes). When the current session times out the Access Token given by the ADFS server is used to refresh the client session. The Access Token is has a lifetime of about 1 hour by default. Once the Access Token is expired the Refresh token given by the ADFS server is used to obtain a new Access Token. This Refresh token has a lifetime of about 7 days according to ADFS documentation. Once the Refresh token is expired it will not be possible to get any new Access Tokens. So re-authentcation will fail and the user will be prompted for credentials.

 Touch Apps Server and Touch Apps

The Touch apps Server and the Touch Apps are also accessed through the Native application that was created for IFS Enterprise Explorer above. Redirect URIs must be added for the Touch Apps Server and for each individual Touch App to this same native application.

IFS Middleware Server Admin Console configurations

• After the applications are added to ADFS as explained in the above section some configurations are needed in IFS Middleware Server Admin Console to finish setting up the IFS Application to use ADFS as the Open Identity Provider.
• Login to IFS Admin Console. Go to "Common > Security".
• The DEFAULT tab holds the Open ID provider configuration details for Aurena client. Select "ADFS (Windows Server 2016)" as the Identity Provider. Fill in the details as show below.

Parameter	Value
Identity Provider	ADFS (Windows Server 2016)
Identity Provider URL	ADFS Service URL. E.g: https://adfs.devsys.local/adfs/ Note: In order to find the URL to use here open a power shell in the server where ADFS is installed and type  Get-ADFSProperties. HostName and HttpsPort properties are the values that should be used to construct this URL.
Acceptable Clock Skew (seconds)	This will be the torelated amount of clock skew when the validity of the token is calculated. E.g: 60s
Client ID (web)	Client Identifier taken from ADFS application registration when Aurena Web application was registered.
Client Secret (web):	Security Key generated when Aurena Web application was registered in ADFS
Client ID (native):	Client Identifier taken from ADFS application registration when IFS Enterprise Explorer and Toch apps were registered as a Native application.

• The B2B tab holds the Open ID provider configuration details for B2B client. Select "ADFS (Windows Server 2016)" as the Identity Provider. Fill in the details as show below.

Parameter	Value
Identity Provider	ADFS (Windows Server 2016)"
Identity Provider URL	ADFS Service URL. E.g: https://adfs.devsys.local/adfs/ Note: In order to find the URL to use here open a power shell in the server where ADFS is installed and type  Get-ADFSProperties. HostName and HttpsPort properties are the values that should be used to construct this URL.
Acceptable Clock Skew (seconds)	This will be the torelated amount of clock skew when the validity of the token is calculated. E.g: 60s
Client ID (web)	Client Identifier taken from ADFS application registration when  B2B Web application was registered. If a seperate application was registered for B2B use that Client Identifier. Otherwise same client ID as the Aurena application must be entered.
Client Secret (web):	Security Key generated when B2B Web application was registered in ADFS. Use the same Client secret as Aurena if the same web application registration is used.
Client ID (native):	Leave this blank as there is no native application for B2B.

Mapping the ADFS user to Foundation1 user

IFS Applications have a user registry of its own in the Oracle Database. These users are know as Foundatoin1 Users. A user authenticated from an External Identity Provider such as ADFS needs to be mapped to a Foundation1 user for him to get access (authorization) to the application. The Foundation1 users are listed in the table FND_USER_TAB. The DIRECTORY_ID field of this table is used for the mapping between the external user identity and the Foundation1 user identity.

When ADFS is used as the user repository the UserPrincipleName of the Active Directory user must be the value that should be entered as the value for DIRECTORY_ID field. 

Ii is possible to use Active Directory Synchronization to map the AD users to Foundation1 users.

Links

• How to achieve Single Sign On with ADFS.
• How to configure compatibility AD Athenticator.