How to setup SSO for Windows 2016 - ADFS 4.0

Step 1 - Configuring an Application Group

From the AD FS Management screen, go to AD FS ➜ Application Groups and click Add Application Group…

_images/01_add_app_group.png

Fill in a name for the application group, select Web browser accessing a web application and click Next.

Make note of the Client Identifier value.

The Redirect URI value must match with your domain where your BucketlistRewards application is located. This should be something like https://<company-name>.bucketlist.org/adfs-oauth2/callback.

Note that if your platform is on bucketlistrewards.ca instead of bucketlist.org, you would use https://<company-name>.bucketlistrewards.ca/adfs-oauth2/callback

Select Permit everyone and click Next.

_images/04_native_app_access_policy.png

Review the settings and click Next.

Note that you will need to communicate us these values:

  • The Client ID
  • The Relying Party ID

While they both are the same in this screenshot, they can be changed independently from one another afterwards.

Close the wizard by clicking Close.

_images/06_wizard_end.png

Step 2 - Configuring Claims

Open the properties for the application group we just created. Select the Web application entry and click Edit

On the Issuance Transform Rules tab, click the Add Rule button

Select Send LDAP Attributes as Claims and click Next

Give the rule a name and select Active Directory as the attribute store. Then configure the below claims.

LDAP Attribute Outgoing Claim Type
E-Mail-Addresses E-Mail Address
Given-Name Given Name
Surname Surname
Token-Groups - Unqualified Names Group
SAM-Account-Name Windows Account Name

_images/08_add_ldap_attributes_part2.pngClick Finish to save the settings

You should now see the rule added. Click OK a couple of times to save the settings.

Once everything is configured, you can use the below PowerShell commands to determine the value for the settings you will need to provide to us:

  • Client id
  • Server
  • Relying party ID and Audience
PS C:\Users\Administrator> Get-AdfsNativeClientApplication

Name : BucketlistRewards - Native application
Identifier : 487d8ff7-80a8-4f62-b926-c2852ab06e94 <<< CLIENT_ID <<<
ApplicationGroupIdentifier : BucketlistRewards
Description :
Enabled : True
RedirectUri : {http://web.example.com:8000/oauth2/callback}
LogoutUri :

PS C:\Users\Administrator> Get-AdfsProperties | select HostName | Format-List

HostName : adfs.example.com <<< SERVER <<<

PS C:\Users\Administrator> Get-AdfsWebApiApplication | select Identifier | Format-List

Identifier : {web.example.com} <<< RELYING_PARTY_ID and AUDIENCE <<<

Enabling SSO for other browsers

By default, ADFS only supports seamless single sign-on for Internet Explorer. In other browsers, users will always be prompted for their username and password.

To enable SSO also for other browsers like Chrome and Firefox, execute the following PowerShell command:

[System.Collections.ArrayList]$UserAgents = Get-AdfsProperties | select -ExpandProperty WIASupportedUserAgents
$UserAgents.Add("Mozilla/5.0")
Set-ADFSProperties -WIASupportedUserAgents $UserAgents

After that, restart the ADFS service on every server in the ADFS farm.

For firefox, you’ll also have to change it’s network.automatic-ntlm-auth.trusted-uris setting to include the URI of your ADFS server.

Note: when testing after a config change is made, please test in new incognito window each time if things don’t appear to work