To connect Active Directory Federation Services as an OpenID provider in DRACOON, the steps described in this article are necessary.
Settings in AD FS
- Right-click on Application Groups in the AD FS Management console and select Add Application Group in the menu:
- Enter a fitting name for the application (e.g. DRACOON), select Server application accessing a web API in Standalone applications and click on Next.
- Please store the displayed Client Identifier and enter the following URLs in the Redirect URI section:
  - [Your DRACOON URL]/oauth/perform_login
  - [Your DRACOON URL]/oauth/openid-callback
- Enable the checkbox Generate a shared secret to generate a shared secret and store this secret securely. After creation, the secret cannot be viewed again!
- Next, the Web API needs to be configured. Enter the Identifier and the Client ID from step 3.
- Please select a fitting Access Control Policy in the next step.
- In the next dialog, select the scopes allatclaims, email, openid and profile.
- Click on Next, review all settings in the Summary and conclude the setup.
- In the last step, you need to map the LDAP attributes by selecting the just created Application Group and editing the Web API.
- Click on the tab Issuance Transform Rules and afterward on Add Rule to create a new rule.
- Enter a name for the rule, select Active Directory as Attribute Store and map E-Mail Addresses - E-Mail Address, Given-Name - Given Name and Surname - Surname to each other.
- The Endpoints required for the DRACOON configuration can be found using the following URL:
  - [Your ADFS URL]/adfs/.well-known/openid-configuration
You need to store the Azure settings in DRACOON.
You need the role DRACOON configuration manager to update the following settings.
- Click on Settings on the left menu and then on Authentication.
- Click on the tab OpenID Connect.
- Enable the toggle button Enable login with OpenID Connect.
- Click on Add.
- Now you need to enter the Endpoints from above (AD FS configuration).
Hint: For a better overview of the values, we recommend using the developer tools in the browser (F12): open the Network tab and then Preview to view the OpenID configuration.
- Enter the settings for the OpenID provider "Azure AD" in DRACOON. The following attributes are required to configure DRACOON with the equivalent values from your Azure configuration:

| Value in DRACOON | OpenID configuration |
| --- | --- |
| Name | Can be entered freely. |
| Issuer URL | issuer |
| Authorization Endpoint URL | authorization_endpoint |
| Token Endpoint URL | token_endpoint |
| UserInfo Endpoint URL | userinfo_endpoint |
| JWKS Endpoint URL | jwks_uri |
| Client ID | Client ID from created Application Group |
| Client-Secret | Secret from created Application Group |
| Scopes | openid, email, profile |
| Redirect URIs | Previously entered Redirect URLs |
| Proof Key for Code Exchange (PKCE) | Activation recommended |
| PKCE Challenge Method | id_token_signing_alg_values_supported (S256) |
| Mapping Claim | upn (recommendation) |
| Fallback User Mapping Claim | sub (recommendation) |
| User Info Source | Identity Token |
- Save the entered settings.
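Reading the endpoint values out of the browser's Network tab is error-prone, so here is an added example (not DRACOON or Microsoft code) that parses the AD FS discovery document from [Your ADFS URL]/adfs/.well-known/openid-configuration and prints the fields DRACOON asks for. It also checks the points that matter for a safe setup: every endpoint is an https URL, the issuer belongs to the AD FS host you fetched the document from (the issuer is what the id_token's iss claim is validated against), the scopes openid, email and profile are advertised, and S256 is offered as the PKCE challenge method. The discovery document embedded below is constructed for a hypothetical host adfs.example.com; the field names `DRACOON_FIELDS` and the function names are this example's own.

```python
"""Map an AD FS OpenID Connect discovery document to the DRACOON OpenID fields.

Added example, not DRACOON or Microsoft code. The sample document and the
host adfs.example.com are constructed for illustration.
"""
import json
import urllib.request
from urllib.parse import urlparse

# DRACOON field -> key in the discovery document (as in the table above)
DRACOON_FIELDS = {
    "Issuer URL": "issuer",
    "Authorization Endpoint URL": "authorization_endpoint",
    "Token Endpoint URL": "token_endpoint",
    "UserInfo Endpoint URL": "userinfo_endpoint",
    "JWKS Endpoint URL": "jwks_uri",
}
REQUIRED_SCOPES = {"openid", "email", "profile"}

# Constructed sample document; a real AD FS response contains more keys.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://adfs.example.com/adfs",
    "authorization_endpoint": "https://adfs.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.com/adfs/oauth2/token/",
    "userinfo_endpoint": "https://adfs.example.com/adfs/userinfo",
    "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
    "scopes_supported": ["openid", "email", "profile", "allatclaims"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def fetch_discovery(adfs_base_url: str, timeout: float = 10.0) -> str:
    """Download the discovery document from a live AD FS (HTTPS only)."""
    url = adfs_base_url.rstrip("/") + "/adfs/.well-known/openid-configuration"
    if not url.startswith("https://"):
        raise ValueError("discovery document must be fetched over HTTPS")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def map_discovery(document: str, adfs_base_url: str) -> dict:
    """Return {'settings': DRACOON field values, 'problems': list of findings}."""
    doc = json.loads(document)
    settings, problems = {}, []

    # Endpoint URLs: every one must be present and use https
    for field, key in DRACOON_FIELDS.items():
        value = doc.get(key)
        if not value:
            problems.append(f"{key} missing from discovery document")
        elif not str(value).startswith("https://"):
            problems.append(f"{key} is not an https URL: {value}")
        settings[field] = value

    # The issuer must be served by the AD FS host we fetched the document from;
    # a different host means the document cannot be trusted for this provider.
    issuer_host = urlparse(str(doc.get("issuer", ""))).netloc
    expected_host = urlparse(adfs_base_url).netloc
    if not issuer_host or issuer_host.lower() != expected_host.lower():
        problems.append(f"issuer host {issuer_host!r} does not match {expected_host!r}")

    # Scopes DRACOON is configured with must be advertised by the provider
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    settings["Scopes"] = "openid, email, profile"

    # PKCE with S256 is the recommended setting; warn if the provider lacks it
    if "S256" in doc.get("code_challenge_methods_supported", []):
        settings["PKCE Challenge Method"] = "S256"
    else:
        problems.append("S256 PKCE challenge method not advertised")

    settings["User Info Source"] = "Identity Token"
    return {"settings": settings, "problems": problems}


if __name__ == "__main__":
    # Replace SAMPLE_DISCOVERY with fetch_discovery("https://<your adfs host>")
    # to run against a real AD FS.
    result = map_discovery(SAMPLE_DISCOVERY, "https://adfs.example.com")
    for field, value in result["settings"].items():
        print(f"{field:28} {value}")
    for problem in result["problems"]:
        print("WARNING:", problem)
```

Any entry printed as WARNING should be resolved on the AD FS side before the provider is saved in DRACOON; in particular, a non-https endpoint or an issuer on another host means the discovery response is not the one you expect.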
AD FS via OpenID can now be used as an authentication method in DRACOON.
Allow OpenID for users
In order to enable OpenID for your DRACOON users, you need to allow the authentication method.
- Click on Settings in the DRACOON Web App and double-click on the user who should authenticate via OpenID.
- Select OpenID Connect in the Authentication method field.
- Select the desired OpenID provider and enter the OpenID username of the user and click on Save.