Differences

This shows you the differences between two versions of the page.

--- blocks:sso:adfs [2019-04-10 09:18] – max
+++ blocks:sso:adfs [2024-08-20 09:11] (current) – Update for Windows Server 2022 melvin
@@ Line 3: / Line 3: @@
 ===Prerequisites===
 To be able to follow the steps below you'll need to have Windows Server 2016 or later with the "Active Directory Federation Services (ADFS)" feature enabled.
 ===Add an OpenID Connect configuration to ADFS===
@@ Line 17: / Line 17: @@
   - Paste and add the **Client Identifier** (from step 6) as the "Identifier". Click next.
   - Select the access control policy you'd like to use and click next.
-  - Make sure the box next to "openid" is ticked.
+  - Make sure the boxes next to "openid" and "allatclaims" are ticked. If the "allatclaims" scope is not present in the list, click the "New scope..." button to create it. This scope is needed for sending additional claims such as the user's groups as roles to Blocks after authentication.
-  - Click the "New scope..." button in the bottom and and give it the name "allatclaims", click OK. This scope is needed for sending additional claims such as the user's groups as roles to Blocks after authentication.
   - Finish the wizard.
@@ Line 35: / Line 34: @@
 ====Blocks specific steps====
-  - Open your Blocks configuration file on your Blocks server and add the "auth" section below to the already existing "server" section. Replace the values of [BLOCKS-IP], [WINDOWS-SERVER-IP], [CLIENT-ID] and [CLIENT-SECRET]. [CLIENT-ID] and [CLIENT-SECRET] is the items copied and saved from the **Add a OpenID Connect configuration to ADFS** section above.
+  - Open your Blocks configuration file on your Blocks server and add the "auth" section below to the already existing "server" section. Replace the values of [BLOCKS-DOMAIN-OR-IP], [PROTOCOL], [ADFS-SERVER], [CLIENT-ID] and [CLIENT-SECRET]. [CLIENT-ID] and [CLIENT-SECRET] is the items copied and saved from the **Add a OpenID Connect configuration to ADFS** section above.
     * <code>
 server:
+  type: pixilab_server
   auth:
     urlResolver: null
     ajaxRequestResolver: null
-    callbackUrl: https://[BLOCKS-IP]/rest/auth/callback
+    callbackUrl: http://[BLOCKS-DOMAIN-OR-IP]/rest/auth/callback
     rolesOwner: attributes
     rolesPath: roles
@@ Line 47: / Line 47: @@
       - org.pac4j.oidc.client.OidcClient:
           configuration:
-            discoveryURI: [WINDOWS-SERVER-IP]/adfs/.well-known/openid-configuration
+            discoveryURI: [PROTOCOL]://[ADFS-SERVER]/adfs/.well-known/openid-configuration
             clientId: [CLIENT-ID]
             secret: [CLIENT-SECRET]
@@ Line 55: / Line 55: @@
       security:
         - matchers: internalMatcher
-        clients: OidcClient
+          clients: OidcClient
-        authorizers: isAuthenticated
+          authorizers: isAuthenticated
 </code>
   - Start Blocks and go to "/edit" for login.
+:!: Make sure you maintain all indentation as shown above, using only spaces for indentation. Here's more about [[blocks:server_configuration_file|Blocks' configuration file]] and it syntax.
 ===Role Mapping===
@@ Line 76: / Line 78: @@
 ====Filter the groups provided to Blocks====
-In the section named **Configure OpenID Connect to provide user groups to Blocks** we add a configuration that will provide Blocks with all of the user's groups. This may not be wanted since there can be thousand of theses in an already existing windows server configuration. In other cases there will exist groups that doesn't have anything to to with Blocks at all. To filter the groups provided to Blocks, follow the steps below.
+In the section named **Configure OpenID Connect to provide user groups to Blocks** we add a configuration that will provide Blocks with all of the user's groups. This may not be wanted since there can be thousands of these in an already existing windows server configuration. In other cases there will exist groups that doesn't have anything to to with Blocks at all. To filter the groups provided to Blocks, follow the steps below.
 ===Configure OpenID Connect to provide user groups to Blocks===
@@ Line 87: / Line 89: @@
   - Click the "Add Rule..." button at the bottom.
   - Select "Send Claims Using a Custom Rule" and click next.
-  - Give the rule the name "StoreRoles" and paste the following into the "Custom rule" field:
+  - Give the rule the name "StoreRoles" and paste the following into the "Custom rule" field: <code>c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("roles"), query = ";tokenGroups;{0}", param = c.Value); </code>
-    * c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("roles"), query = ";tokenGroups;{0}", param = c.Value);
   - Click finish and add yet another rule.
   - Again, select "Send Claims Using a Custom Rule" and click next.
-  - Give this rule the name "IssueRoles" and paste the following into the "Custom rule" field:
+  - Give this rule the name "IssueRoles" and paste the following into the "Custom rule" field: <code>c:[Type == "roles", Value =~ "^Blocks.+"] => issue(claim = c);</code>
-    * c:[Type == "roles", Value =~ "^Blocks.+"] => issue(claim = c);
+  - The "^Blocks.+" part is a [[https://en.wikipedia.org/wiki/Regular_expression|regular expression]] used to filter the windows groups sent to Blocks as roles. In this case we only accept the windows groups starting with "Blocks". Adjust this to meet your needs.
-  - The part containing  //**"^Blocks.+"**//  is a regex expression used to filter the windows groups sent to Blocks as roles. In this case we only accept the windows groups starting with "Blocks". Adjust this to meet your needs.
   - Click finish.