PIXILAB Wiki

ADFS

Prerequisites

To be able to follow the steps below you'll need to have Windows Server 2016 or later with the "Active Directory Federation Services (ADFS)" feature enabled.

Add an OpenID Connect configuration to ADFS

  1. Open the "AD FS Management" tool located under the "Tools" menu at the top right of the Server Manager.
  2. Select the "Application Groups" folder item in the left sidebar.
  3. Click on "Add Application Group…" in the sidebar to the right.
  4. Give the application group a name, for example "OpenID Connect"
  5. Select the "Server application accessing a web API" list item and click next.
  6. Copy and paste the Client Identifier to a text file for later use.
  7. In the Redirect URI field, enter and add the address to your Blocks server followed by "/rest/auth/callback". For example "https://pixi.guide/rest/auth/callback". Click next.
  8. Tick the "Generate a shared secret" box. Copy and paste the Secret to a text file for later use. Click next.
  9. Paste and add the Client Identifier (from step 6) as the "Identifier". Click next.
  10. Select the access control policy you'd like to use and click next.
  11. Make sure the box next to "openid" is ticked.
  12. Click the "New scope…" button in the bottom and and give it the name "allatclaims", click OK. This scope is needed for sending additional claims such as the user's groups as roles to Blocks after authentication.
  13. Finish the wizard.

Configure OpenID Connect to provide user groups to Blocks

  1. Open the "AD FS Management" tool located under the "Tools" menu at the top right of the Server Manager.
  2. Select the "Application Groups" folder item in the left sidebar.
  3. Double click on the group added earlier, then double click on the "Web API" application.
  4. Select the tab named "Issuance Transform Rules".
  5. Click the "Add Rule…" button at the bottom.
  6. Select "Send LDAP Attributes as Claims" and click next.
  7. Give the rule a name, for example "BlocksRoles".
  8. Select "Active Directory" as the "Attribute Store".
  9. In the table below, select "Token-Groups Unqualified Names" in the first column and type "roles" into the second column.

Blocks specific steps

  1. Open your Blocks configuration file on your Blocks server and add the "auth" section below to the already existing "server" section. Replace the values of [BLOCKS-DOMAIN-OR-IP], [PROTOCOL], [ADFS-SERVER], [CLIENT-ID] and [CLIENT-SECRET]. [CLIENT-ID] and [CLIENT-SECRET] is the items copied and saved from the Add a OpenID Connect configuration to ADFS section above.
    • server:
  type: pixilab_server
  auth:
    urlResolver: null
    ajaxRequestResolver: null
    callbackUrl: http://[BLOCKS-DOMAIN-OR-IP]/rest/auth/callback
    rolesOwner: attributes
    rolesPath: roles
    clients:
      - org.pac4j.oidc.client.OidcClient:
          configuration:
            discoveryURI: [PROTOCOL]://[ADFS-SERVER]/adfs/.well-known/openid-configuration
            clientId: [CLIENT-ID]
            secret: [CLIENT-SECRET]
            clientAuthenticationMethod: client_secret_basic
            scope: openid
    servlet:
      security:
        - matchers: internalMatcher
          clients: OidcClient
          authorizers: isAuthenticated
  2. Start Blocks and go to "/edit" for login.

:!: Make sure you maintain all indentation as shown above, using only spaces for indentation. Here's more about Blocks' configuration file and it syntax.

Role Mapping

Since the groups you've configured for your users in your windows server does not match the roles used by Blocks, you have to add role mappings to the Blocks configuration file. Do this by defining a server.auth.rolesMapping parameter where the keys are the group names of your windows server configuration and the values the roles Blocks know about. For example: 

rolesMapping:
  SomeGroup1: Admin
  SomeGroup2: Manager
  SomeGroup3: Creator
  SomeGroup4: Editor
  SomeGroup5: Contributor
  SomeGroup6: Staff

Filter the groups provided to Blocks

In the section named Configure OpenID Connect to provide user groups to Blocks we add a configuration that will provide Blocks with all of the user's groups. This may not be wanted since there can be thousands of these in an already existing windows server configuration. In other cases there will exist groups that doesn't have anything to to with Blocks at all. To filter the groups provided to Blocks, follow the steps below.

Configure OpenID Connect to provide user groups to Blocks

  1. Open the "AD FS Management" tool located under the "Tools" menu at the top right of the Server Manager.
  2. Select the "Application Groups" folder item in the left sidebar.
  3. Double click on the group added earlier, then double click on the "Web API" application.
  4. Select the tab named "Issuance Transform Rules".
  5. Remove any rules you may have already added.
  6. Click the "Add Rule…" button at the bottom.
  7. Select "Send Claims Using a Custom Rule" and click next.
  8. Give the rule the name "StoreRoles" and paste the following into the "Custom rule" field: 
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("roles"), query = ";tokenGroups;{0}", param = c.Value);
  9. Click finish and add yet another rule.
  10. Again, select "Send Claims Using a Custom Rule" and click next.
  11. Give this rule the name "IssueRoles" and paste the following into the "Custom rule" field: 
    c:[Type == "roles", Value =~ "^Blocks.+"] => issue(claim = c);
  12. The "^Blocks.+" part is a regular expression used to filter the windows groups sent to Blocks as roles. In this case we only accept the windows groups starting with "Blocks". Adjust this to meet your needs.
  13. Click finish.