OIDC configuration with AD FS
OpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0, an authorization framework. OIDC enables single sign-on (SSO) to reduce the number of times a user has to log on to access websites and applications. OIDC can be configured for authentication with third-party products.
Configuring AD FS
This topic describes how you configure AD FS, but not how to install AD FS. AD FS will be the identity provider in your configuration, and before you can begin configuring, you need access to AD FS.
Do the following:
- In AD FS, open the Server Manager.
- In the menu to the right, select Tools > AD FS Management.
- In the AD FS management pane, select Application Groups > Actions > Add an Application Group.
- Select Server Application. Enter a name and description. Click Next.
- Under Server Application, there is a client ID. Note it down.
- Enter the Redirect URI: https://<QSEhostname>/<VirtualProxyPrefix>/oidcauthn and click the Add URI button.
  Information note: Use adfs as the virtual proxy prefix.
- Click Next.
- Select Generate a shared secret. A secret key is generated. Note it down.
  A summary of your settings is displayed. Click Next and complete the steps for adding the application group.
- Open the created application group.
  The Properties window appears.
- Click Add application.
  A new window appears: Add a new application to <app group name>.
- Select Web API template. Click Next.
- Optionally, edit the Web API name.
- Under Identifier, add the client ID that you noted down when creating the server application in this application group. Click Next.
- Under Apply Access Control Policy, select Permit everyone. Click Next.
- Under Configure Application Permissions > Client application, the server application is selected. Keep this unchanged. Under Permitted scopes, select allatclaims, email, openid, and profile. Click Next.
- A summary of your settings is shown. Click Next to complete the steps for adding the Web API.
- Open Web API > Issuance Transform Rules.
- Click Add Rule. Enter a name for the rule, select Active Directory for Attribute store, and then add the mappings "E-Mail Addresses" to "E-Mail Address" and "Token-Groups - Unqualified Names" to "Group". Save your changes.
- Navigate to Relying Party Trusts in the AD FS Management tool.
- Make sure the following relying party trust exists. Its identifier should be https://<ADFShostname>/adfs/services/trust.
- If the relying party trust is not available, you need to add a new one. Follow the steps described in https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-relying-party-trust#to-create-a-claims-aware-relying-party-trust-manually, but skip the steps Configure certificate and Configure URL.
- Make sure you add the email address for users who will be using Qlik Sense Enterprise sites through AD FS authentication:
  - Open Active Directory Users and Computers on the AD server.
  - Navigate to the Users folder, right-click the user and select Properties.
  - Under General, enter the user's email address in the E-mail field.
  - Click OK to save the changes.
Creating and configuring the virtual proxy
Do the following:
- In the Qlik Management Console (QMC), open Virtual proxies.
- Click Create new.
- In Properties, to the right, ensure that the sections Identification, Authentication, Load balancing, and Advanced are selected.
- Under Identification, enter adfs for Description and Prefix.
- For Session cookie header name, add -adfs at the end of the existing name so that it reads X-Qlik-Session-adfs.
- For Authentication method, select OIDC.
- Enter the "OpenID Configuration" URL in the OpenID Connect metadata URI field. The URL should have the following format: https://<ADFShostname>/adfs/.well-known/openid-configuration.
- Enter the noted Client ID and Client secret in the corresponding fields.
- For Realm, enter adfs. Users added to the repository through OIDC authentication will have their user directory name set to "adfs".
  Information note: If the subject attribute value has the format domainname\username, realm is optional. Otherwise, realm is mandatory.
  The attributes sub, name, and email are mandatory. Other attributes are not mandatory, but must have a value. A configuration with empty attributes will generate an error.
- In the name field, change the value to unique_name.
- In the groups field, change the value to group.
- In the client_id field, change the value to appid.
- In the scope field, enter openid allatclaims profile email.
  Information note: The openid part is mandatory. Other scopes can be added, but must match what is set on the identity provider side.
- Under Load balancing nodes, click Add new server node.
- Select the engine nodes this virtual proxy will load balance connections to.
- Under Advanced, in the Host allow list section, click Add new value.
- Add the host name of the AD FS server.
- Click Apply and then OK to restart the services.
- In the Associated items menu to the right, select Proxies.
- Click Link and link the virtual proxy to the proxy or proxies that will use this configuration.
  The proxy service is restarted.
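The attribute fields above (name, groups, client_id, plus the mandatory sub, name and email) define how claims in the AD FS ID token become Qlik user attributes, and the notes state two rules that are easy to get wrong: a configured attribute may never have an empty value, and Realm may only be omitted when the subject has the domainname\username format. The following Python script is an added example, not Qlik or Microsoft code; it applies the same mapping and rules to a constructed sample token payload so that a misconfiguration can be spotted before users hit it. The hostname, group names and client ID in the sample are placeholders.

```python
"""Check a virtual-proxy attribute mapping and an AD FS ID-token payload.

Added example (not Qlik or Microsoft code). The mapping mirrors the values
entered in the guide: name -> unique_name, groups -> group, client_id -> appid.
The sample token payload below is constructed for illustration.
"""

# Qlik attribute field -> claim name in the AD FS ID token, as configured above.
ATTRIBUTE_MAPPING = {
    "sub": "sub",
    "name": "unique_name",
    "email": "email",
    "groups": "group",
    "client_id": "appid",
}

# Mandatory attributes per the guide; all others may be left out of the
# configuration entirely, but never configured with an empty value.
MANDATORY_ATTRIBUTES = ("sub", "name", "email")


def validate_mapping(mapping):
    """Return a list of configuration errors for an attribute mapping."""
    errors = []
    for attr in MANDATORY_ATTRIBUTES:
        if attr not in mapping:
            errors.append(f"mandatory attribute '{attr}' is not configured")
    for attr, claim in mapping.items():
        if not isinstance(claim, str) or not claim.strip():
            errors.append(f"attribute '{attr}' is configured with an empty claim name")
    return errors


def resolve_attributes(claims, mapping=ATTRIBUTE_MAPPING):
    """Map token claims onto Qlik attributes.

    Returns (resolved, errors). A mandatory attribute whose claim is absent or
    empty is an error; an optional attribute whose claim is absent is skipped.
    """
    errors = list(validate_mapping(mapping))
    resolved = {}
    for attr, claim in mapping.items():
        value = claims.get(claim) if claim else None
        if value in (None, "", [], {}):
            if attr in MANDATORY_ATTRIBUTES:
                errors.append(f"claim '{claim}' for mandatory attribute '{attr}' is missing or empty")
            continue
        resolved[attr] = value
    return resolved, errors


def realm_required(subject):
    """Realm may be left empty only when the subject is domainname\\username."""
    domain, sep, user = subject.partition("\\")
    return not (sep and domain and user)


def check_realm_setting(claims, realm, mapping=ATTRIBUTE_MAPPING):
    """Return an error string when the Realm setting does not fit the subject format, else None."""
    subject = claims.get(mapping.get("sub", "sub"), "")
    if not realm and realm_required(subject):
        return f"subject '{subject}' is not domainname\\username, so Realm must be set"
    return None


# Constructed sample payload of an AD FS ID token after the issuance transform
# rules above (E-Mail Address -> email, Token-Groups Unqualified Names -> group).
SAMPLE_CLAIMS = {
    "iss": "https://adfs.example.com/adfs",  # placeholder AD FS host
    "sub": "EXAMPLE\\jdoe",
    "unique_name": "EXAMPLE\\jdoe",
    "email": "jdoe@example.com",
    "group": ["Domain Users", "QlikSenseUsers"],
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder client ID
}

if __name__ == "__main__":
    attrs, errs = resolve_attributes(SAMPLE_CLAIMS)
    print("resolved:", attrs)
    print("errors:", errs or "none")
    print("realm check:", check_realm_setting(SAMPLE_CLAIMS, "adfs") or "ok")
```

Run it against a decoded ID token captured from your own test login (the payload is the middle, base64url-encoded part of the JWT) to confirm that every configured claim is actually issued by the transform rules you created.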
Verify that the claims and scopes that you have configured in the IdP server are returned in claims_supported and scopes_supported tags when you select the OpenID Connect Metadata URI, https://{IdP_hostname}/.well-known/openid-configuration.
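The verification above can be scripted. The following Python script is an added example, not Qlik or Microsoft code: it fetches (or, offline, takes) the discovery document, confirms that the issuer and endpoints are https URLs on the AD FS host you added to the host allow list, and checks that scopes_supported and claims_supported advertise the scopes and claim names configured on the virtual proxy. The hostname and the SAMPLE_DISCOVERY document are constructed placeholders; what your AD FS actually lists under claims_supported depends on its version and issuance rules, so the expected sets are parameters.

```python
"""Verify an AD FS OpenID Connect discovery document against the virtual-proxy settings.

Added example (not Qlik or Microsoft code). ADFS_HOSTNAME and SAMPLE_DISCOVERY
are constructed placeholders.
"""
import json
import urllib.request
from urllib.parse import urlparse

ADFS_HOSTNAME = "adfs.example.com"  # placeholder: the AD FS host in the allow list

# Scopes entered in the virtual proxy's scope field.
REQUIRED_SCOPES = {"openid", "allatclaims", "profile", "email"}
# Claim names the virtual proxy attribute fields point at.
REQUIRED_CLAIMS = {"sub", "unique_name", "email", "group", "appid"}
# Endpoints the proxy must be able to reach on the AD FS host.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def metadata_url(adfs_hostname):
    """OpenID Connect metadata URI in the format the guide prescribes."""
    return f"https://{adfs_hostname}/adfs/.well-known/openid-configuration"


def fetch_discovery(adfs_hostname, timeout=10):
    """Download and parse the discovery document (needs network access)."""
    with urllib.request.urlopen(metadata_url(adfs_hostname), timeout=timeout) as resp:
        return json.load(resp)


def _on_host(url, hostname):
    parsed = urlparse(url or "")
    return parsed.scheme == "https" and parsed.hostname == hostname.lower()


def check_discovery(doc, adfs_hostname,
                    required_scopes=REQUIRED_SCOPES, required_claims=REQUIRED_CLAIMS):
    """Return a list of problems; an empty list means the document matches the configuration."""
    problems = []
    if not _on_host(doc.get("issuer"), adfs_hostname):
        problems.append(f"issuer '{doc.get('issuer')}' is not an https URL on {adfs_hostname}")
    for key in REQUIRED_ENDPOINTS:
        if not _on_host(doc.get(key), adfs_hostname):
            problems.append(f"{key} is missing or not an https URL on {adfs_hostname}")
    missing_scopes = required_scopes - set(doc.get("scopes_supported", []))
    if missing_scopes:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing_scopes)))
    missing_claims = required_claims - set(doc.get("claims_supported", []))
    if missing_claims:
        problems.append("claims not advertised: " + ", ".join(sorted(missing_claims)))
    return problems


# Constructed sample of what a matching discovery document would contain.
SAMPLE_DISCOVERY = {
    "issuer": "https://adfs.example.com/adfs",
    "authorization_endpoint": "https://adfs.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.com/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
    "scopes_supported": ["openid", "allatclaims", "profile", "email", "user_impersonation"],
    "claims_supported": ["aud", "iss", "iat", "exp", "sub", "upn",
                         "unique_name", "email", "group", "appid"],
}

if __name__ == "__main__":
    # Replace SAMPLE_DISCOVERY with fetch_discovery(ADFS_HOSTNAME) against a live server.
    for problem in check_discovery(SAMPLE_DISCOVERY, ADFS_HOSTNAME) or ["configuration matches"]:
        print(problem)
```

A reported scope or claim gap points at the identity provider side (the Permitted scopes on the Web API, or the issuance transform rules), while an issuer or endpoint on a different host means the host allow list entry and the metadata URI will not agree.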
This completes the AD FS configuration.