PIXILAB Wiki

To be able to follow the steps below you'll need to have Windows Server 2016 or later with the "Active Directory Federation Services" (ADFS) feature enabled.

1. Open the "AD FS Management" tool located under the "Tools" menu at the top right of the Server Manager.
2. Select the "Application Groups" folder item in the left sidebar.
3. Click on "Add Application Group…" in the sidebar to the right.
4. Give the application group a name, for example "OpenID Connect"
5. Select the "Server application accessing a web API" list item and click next.
6. Copy and paste the Client Identifier to a text file for later use.
7. In the Redirect URI field, enter and add the address to your Blocks server followed by "/rest/auth/callback". For example "https://pixi.guide/rest/auth/callback". Click next.
8. Tick the "Generate a shared secret" box. Copy and paste the Secret to a text file for later use. Click next.
9. Paste and add the Client Identifier (from step 6) as the "Identifier". Click next.
10. Select the access control policy you'd like to use and click next.
11. Make sure the box next to "openid" is ticked.
12. Finish the wizard.

1. Open the "AD FS Management" tool located under the "Tools" menu at the top right of the Server Manager.
2. Select the "Application Groups" folder item in the left sidebar.
3. Double click on the group added earlier, then double click on the "Web API" application.
4. Select the tab named "Issuance Transform Rules".
5. Click the "Add Rule…" button at the bottom.
6. Select "Send LDAP Attributes as Claims" and click next.
7. Give the rule a name, for example "BlocksRoles".
8. Select "Active Directory" as the "Attribute Store".
9. In the table below, select "Token-Groups Unqualified Names" in the first column and type "roles" into the second column.

1. Open your Blocks configuration file on your Blocks server and add the "auth" section below to the already existing "server" section. Replace the values of [BLOCKS-IP], [WINDOWS-SERVER-IP], [CLIENT-ID] and [CLIENT-SECRET]. [CLIENT-ID] and [CLIENT-SECRET] is the items copied and saved from the Add a OpenID Connect configuration to ADFS section above.

   • server:
       auth:
         urlResolver: null
         ajaxRequestResolver: null
         callbackUrl: https://[BLOCKS-IP]/rest/auth/callback
         rolesOwner: claims
         rolesPath: realm_access.roles
         clients:
           - org.pac4j.oidc.client.OidcClient:
               configuration:
                 discoveryURI: [WINDOWS-SERVER-IP]/adfs/.well-known/openid-configuration
                 clientId: [CLIENT-ID]
                 secret: [CLIENT-SECRET]
                 clientAuthenticationMethod: client_secret_basic
                 scope: openid
         servlet:
           security:
             - matchers: internalMatcher
             clients: OidcClient
             authorizers: isAuthenticated

2. Start Blocks and go to "/edit" for login.

Since the groups you've configured for your users in your windows server does not match the roles used by Blocks, you must add role mappings to the Blocks configuration file. You do this by defining a server.auth.rolesMapping parameter where the keys are the group names of your windows server configuration and the values the roles Blocks know about. For example:

rolesMapping:
  Administrator: Admin
  SomeManageGroup1: Manager
  SomeManageGroup2: Creator
  SomeManageGroup3: Editor
  SomeManageGroup4: Contributor
  SomeManageGroup5: Staff

In the section named Configure OpenID Connect to provide user groups to Blocks we add a configuration that will provide Blocks with all of the user's groups. This may not be wanted since there can be thousand of theses in an already existing windows server configuration. In other cases there will exist groups that doesn't have anything to to with Blocks at all. To filter the groups provided to Blocks, follow the steps below.

1. Open the "AD FS Management" tool located under the "Tools" menu at the top right of the Server Manager.
2. Select the "Application Groups" folder item in the left sidebar.
3. Double click on the group added earlier, then double click on the "Web API" application.
4. Select the tab named "Issuance Transform Rules".
5. Remove any rules you may have already added.
6. Click the "Add Rule…" button at the bottom.
7. Select "Send Claims Using a Custom Rule" and click next.
8. Give the rule the name "StoreRoles" and paste the following into the "Custom rule" field:
   • c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] ⇒ add(store = "Active Directory", types = ("roles"), query = ";tokenGroups;{0}", param = c.Value);
9. Click finish and add yet another rule.
10. Again, select "Send Claims Using a Custom Rule" and click next.
11. Give this rule the name "IssueRoles" and paste the following into the "Custom rule" field:
    • c:[Type == "roles", Value =~ "^Blocks.+"] ⇒ issue(claim = c);
12. The part containing "^Blocks.+" is a regex expression used to filter the windows groups send to Blocks as roles. In this case we only accept the windows groups starting with "Blocks".
13. Click finish.