PIXILAB Wiki

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
blocks:sso:adfs [2019-04-08 08:45]
max 		blocks:sso:adfs [2024-08-20 09:11] (current)
melvin Update for Windows Server 2022
Line 3: Line 3:
 ===Prerequisites=== ===Prerequisites===
  
-To be able to follow the steps below you'll need to have Windows Server 2016 or later with the "Active Directory Federation Services(ADFS) feature enabled.+To be able to follow the steps below you'll need to have Windows Server 2016 or later with the "Active Directory Federation Services (ADFS)feature enabled. 
  
-===Add OpenID Connect configuration to ADFS===+===Add an OpenID Connect configuration to ADFS===
  
   - Open the "AD FS Management" tool located under the "Tools" menu at the top right of the Server Manager.   - Open the "AD FS Management" tool located under the "Tools" menu at the top right of the Server Manager.
Line 17: Line 17:
   - Paste and add the **Client Identifier** (from step 6) as the "Identifier". Click next.   - Paste and add the **Client Identifier** (from step 6) as the "Identifier". Click next.
   - Select the access control policy you'd like to use and click next.   - Select the access control policy you'd like to use and click next.
-  - Make sure the box next to "openid" is ticked.+  - Make sure the boxes next to "openid" and "allatclaims" are ticked. If the "allatclaims" scope is not present in the list, click the "New scope..." button to create it. This scope is needed for sending additional claims such as the user's groups as roles to Blocks after authentication
   - Finish the wizard.   - Finish the wizard.
  
Line 34: Line 34:
 ====Blocks specific steps==== ====Blocks specific steps====
  
-  - Open your Blocks configuration file on your Blocks server and add the "auth" section below to the already existing "server" section. Replace the values of [BLOCKS-IP], [WINDOWS-SERVER-IP], [CLIENT-ID] and [CLIENT-SECRET]. [CLIENT-ID] and [CLIENT-SECRET] is the items copied and saved from the **Add a OpenID Connect configuration to ADFS** section above.+  - Open your Blocks configuration file on your Blocks server and add the "auth" section below to the already existing "server" section. Replace the values of [BLOCKS-DOMAIN-OR-IP], [PROTOCOL], [ADFS-SERVER], [CLIENT-ID] and [CLIENT-SECRET]. [CLIENT-ID] and [CLIENT-SECRET] is the items copied and saved from the **Add a OpenID Connect configuration to ADFS** section above.
     * <code>     * <code>
 server: server:
 +  type: pixilab_server
   auth:   auth:
     urlResolver: null     urlResolver: null
     ajaxRequestResolver: null     ajaxRequestResolver: null
-    callbackUrl: https://[BLOCKS-IP]/rest/auth/callback +    callbackUrl: http://[BLOCKS-DOMAIN-OR-IP]/rest/auth/callback 
-    rolesOwner: claims +    rolesOwner: attributes 
-    rolesPath: realm_access.roles+    rolesPath: roles
     clients:     clients:
       - org.pac4j.oidc.client.OidcClient:       - org.pac4j.oidc.client.OidcClient:
           configuration:           configuration:
-            discoveryURI: [WINDOWS-SERVER-IP]/adfs/.well-known/openid-configuration+            discoveryURI: [PROTOCOL]://[ADFS-SERVER]/adfs/.well-known/openid-configuration
             clientId: [CLIENT-ID]             clientId: [CLIENT-ID]
             secret: [CLIENT-SECRET]             secret: [CLIENT-SECRET]
Line 54: Line 55:
       security:       security:
         - matchers: internalMatcher         - matchers: internalMatcher
-        clients: OidcClient +          clients: OidcClient 
-        authorizers: isAuthenticated+          authorizers: isAuthenticated
 </code> </code>
   - Start Blocks and go to "/edit" for login.   - Start Blocks and go to "/edit" for login.
 +
 +:!: Make sure you maintain all indentation as shown above, using only spaces for indentation. Here's more about [[blocks:server_configuration_file|Blocks' configuration file]] and it syntax.
  
 ===Role Mapping=== ===Role Mapping===
  
-Since the groups you've configured for your users in your windows server does not match the roles used by Blocks, you must add role mappings to the Blocks configuration file. You do this by defining a server.auth.rolesMapping parameter where the keys are the group names of your windows server configuration and the values the roles Blocks know about. For example:+Since the groups you've configured for your users in your windows server does not match the roles used by Blocks, you have to add role mappings to the Blocks configuration file. Do this by defining a server.auth.rolesMapping parameter where the keys are the group names of your windows server configuration and the values the roles Blocks know about. For example:
 <code> <code>
 rolesMapping: rolesMapping:
-  Administrator: Admin +  SomeGroup1: Admin 
-  SomeManageGroup1: Manager +  SomeGroup2: Manager 
-  SomeManageGroup2: Creator +  SomeGroup3: Creator 
-  SomeManageGroup3: Editor +  SomeGroup4: Editor 
-  SomeManageGroup4: Contributor +  SomeGroup5: Contributor 
-  SomeManageGroup5: Staff+  SomeGroup6: Staff
 </code> </code>
  
Line 75: Line 78:
 ====Filter the groups provided to Blocks==== ====Filter the groups provided to Blocks====
  
-In the section named **Configure OpenID Connect to provide user groups to Blocks** we add a configuration that will provide Blocks with all of the user's groups. This may not be wanted since there can be thousand of theses in an already existing windows server configuration. In other cases there will exist groups that doesn't have anything to to with Blocks at all. To filter the groups provided to Blocks, follow the steps below.+In the section named **Configure OpenID Connect to provide user groups to Blocks** we add a configuration that will provide Blocks with all of the user's groups. This may not be wanted since there can be thousands of these in an already existing windows server configuration. In other cases there will exist groups that doesn't have anything to to with Blocks at all. To filter the groups provided to Blocks, follow the steps below.
  
 ===Configure OpenID Connect to provide user groups to Blocks=== ===Configure OpenID Connect to provide user groups to Blocks===
Line 86: Line 89:
   - Click the "Add Rule..." button at the bottom.   - Click the "Add Rule..." button at the bottom.
   - Select "Send Claims Using a Custom Rule" and click next.   - Select "Send Claims Using a Custom Rule" and click next.
-  - Give the rule the name "StoreRoles" and paste the following into the "Custom rule" field: +  - Give the rule the name "StoreRoles" and paste the following into the "Custom rule" field: <code>c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("roles"), query = ";tokenGroups;{0}", param = c.Value); </code>
-    * c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("roles"), query = ";tokenGroups;{0}", param = c.Value);+
   - Click finish and add yet another rule.   - Click finish and add yet another rule.
   - Again, select "Send Claims Using a Custom Rule" and click next.   - Again, select "Send Claims Using a Custom Rule" and click next.
-  - Give this rule the name "IssueRoles" and paste the following into the "Custom rule" field: +  - Give this rule the name "IssueRoles" and paste the following into the "Custom rule" field: <code>c:[Type == "roles", Value =~ "^Blocks.+"] => issue(claim = c);</code> 
-    * c:[Type == "roles", Value =~ "^Blocks.+"] => issue(claim = c); +  - The "^Blocks.+" part is a [[https://en.wikipedia.org/wiki/Regular_expression|regular expression]] used to filter the windows groups sent to Blocks as roles. In this case we only accept the windows groups starting with "Blocks". Adjust this to meet your needs.
-  - The part containing  //**"^Blocks.+"**//  is a regex expression used to filter the windows groups sent to Blocks as roles. In this case we only accept the windows groups starting with "Blocks".+
   - Click finish.   - Click finish.