To be able to follow the steps below you'll need to have Windows Server 2016 or later with the "Active Directory Federation Services (ADFS)" feature enabled.

1. Open the "AD FS Management" tool located under the "Tools" menu at the top right of the Server Manager.
2. Select the "Application Groups" folder item in the left sidebar.
3. Click on "Add Application Group…" in the sidebar to the right.
4. Give the application group a name, for example "OpenID Connect"
5. Select the "Server application accessing a web API" list item and click next.
6. Copy and paste the Client Identifier to a text file for later use.
7. In the Redirect URI field, enter and add the address to your Blocks server followed by "/rest/auth/callback". For example "https://pixi.guide/rest/auth/callback". Click next.
8. Tick the "Generate a shared secret" box. Copy and paste the Secret to a text file for later use. Click next.
9. Paste and add the Client Identifier (from step 6) as the "Identifier". Click next.
10. Select the access control policy you'd like to use and click next.
11. Make sure the boxes next to "openid" and "allatclaims" are ticked. If the "allatclaims" scope is not present in the list, click the "New scope…" button to create it. This scope is needed for sending additional claims such as the user's groups as roles to Blocks after authentication.
12. Finish the wizard.

1. Open the "AD FS Management" tool located under the "Tools" menu at the top right of the Server Manager.
2. Select the "Application Groups" folder item in the left sidebar.
3. Double click on the group added earlier, then double click on the "Web API" application.
4. Select the tab named "Issuance Transform Rules".
5. Click the "Add Rule…" button at the bottom.
6. Select "Send LDAP Attributes as Claims" and click next.
7. Give the rule a name, for example "BlocksRoles".
8. Select "Active Directory" as the "Attribute Store".
9. In the table below, select "Token-Groups Unqualified Names" in the first column and type "roles" into the second column.

1. Open your Blocks configuration file on your Blocks server and add the "auth" section below to the already existing "server" section. Replace the values of [BLOCKS-DOMAIN-OR-IP], [PROTOCOL], [ADFS-SERVER], [CLIENT-ID] and [CLIENT-SECRET]. [CLIENT-ID] and [CLIENT-SECRET] is the items copied and saved from the Add a OpenID Connect configuration to ADFS section above.

   • server:
       type: pixilab_server
       auth:
         urlResolver: null
         ajaxRequestResolver: null
         callbackUrl: http://[BLOCKS-DOMAIN-OR-IP]/rest/auth/callback
         rolesOwner: attributes
         rolesPath: roles
         clients:
           - org.pac4j.oidc.client.OidcClient:
               configuration:
                 discoveryURI: [PROTOCOL]://[ADFS-SERVER]/adfs/.well-known/openid-configuration
                 clientId: [CLIENT-ID]
                 secret: [CLIENT-SECRET]
                 clientAuthenticationMethod: client_secret_basic
                 scope: openid
         servlet:
           security:
             - matchers: internalMatcher
               clients: OidcClient
               authorizers: isAuthenticated

2. Start Blocks and go to "/edit" for login.

Make sure you maintain all indentation as shown above, using only spaces for indentation. Here's more about Blocks' configuration file and it syntax.

Since the groups you've configured for your users in your windows server does not match the roles used by Blocks, you have to add role mappings to the Blocks configuration file. Do this by defining a server.auth.rolesMapping parameter where the keys are the group names of your windows server configuration and the values the roles Blocks know about. For example:

rolesMapping:
  SomeGroup1: Admin
  SomeGroup2: Manager
  SomeGroup3: Creator
  SomeGroup4: Editor
  SomeGroup5: Contributor
  SomeGroup6: Staff

In the section named Configure OpenID Connect to provide user groups to Blocks we add a configuration that will provide Blocks with all of the user's groups. This may not be wanted since there can be thousands of these in an already existing windows server configuration. In other cases there will exist groups that doesn't have anything to to with Blocks at all. To filter the groups provided to Blocks, follow the steps below.

1. Open the "AD FS Management" tool located under the "Tools" menu at the top right of the Server Manager.
2. Select the "Application Groups" folder item in the left sidebar.
3. Double click on the group added earlier, then double click on the "Web API" application.
4. Select the tab named "Issuance Transform Rules".
5. Remove any rules you may have already added.
6. Click the "Add Rule…" button at the bottom.
7. Select "Send Claims Using a Custom Rule" and click next.
8. Give the rule the name "StoreRoles" and paste the following into the "Custom rule" field:

   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("roles"), query = ";tokenGroups;{0}", param = c.Value); 

9. Click finish and add yet another rule.
10. Again, select "Send Claims Using a Custom Rule" and click next.
11. Give this rule the name "IssueRoles" and paste the following into the "Custom rule" field:

    c:[Type == "roles", Value =~ "^Blocks.+"] => issue(claim = c);

12. The "^Blocks.+" part is a regular expression used to filter the windows groups sent to Blocks as roles. In this case we only accept the windows groups starting with "Blocks". Adjust this to meet your needs.
13. Click finish.