This article provides step-by-step instructions on how to retrieve external authentication details for RC backend login using Microsoft account with OAuth2 via ADFS.
See the following table for the supported Windows Server versions and the ADFS versions supported on those servers:

| Supported Windows Server |
|---|
| Windows Server 2016 |
| Windows Server 2019 |
| Windows Server 2022 |
NOTE: For the Outlook Add-in to run with Single Sign On, the latest manifest version 1.10.0 is required from Resource Central Hotfix 8 onward.
Part A. Configure Active Directory Federation Services (ADFS)
1. Go to the web server where your Exchange server is installed, click Start ➔ Server Manager ➔ Tools ➔ AD FS Management.
2. In the opened window, select Application Groups and click [Add a new Application Group] in the Actions sidebar. This starts the configuration wizard for a new Group.
3. On the ‘Add Application Group wizard’ ➔ Welcome screen, fill in Name, select “Server application accessing a web API” as Template and click [Next].
4. On the next screen (Server application), fill in Redirect URI, click [Add] and then click [Next]. You will have to provide 2 URLs: one for receiving login details from ADFS, one for receiving logout information from ADFS.
The URL for receiving login details from ADFS is the Reply URL in RC backend ➔ Authentication ➔ External Authentication.
The Reply URL is automatically generated when you select ‘OAuth2 with AD FS’ option in RC backend ➔ Authentication.
The URL for receiving logout details from ADFS must have the following format:
[RC backend URL]/Api/Authentication/Logout
Then click [OK] to proceed.
5. On the next screen (Configure Application Credentials), check “Generate a shared secret”, click [Copy to clipboard] and save the client secret, then click [Next].
6. On the Configure Web API screen, fill in “Identifier” (which is the Client Id from Step 4 of this section) and click the [Add] button.
Then click [Next] to proceed.
7. Click [Next] on the Choose Access Control Policy screen.
8. On the Configure Application Permissions screen, check the openid and user_impersonate checkboxes.
Click [Next] to proceed.
9. Click [Next] on the Summary screen and click [Close] on the Complete screen to finish.
NOTE: If there are users in the system whose User Principal Name differs from their SMTP address, a claim must be added to retrieve all email addresses. Please refer to the ‘Adding claim to retrieve all email addresses for users who have UPN different from SMTP’ article for more details.
Refer to Step 4 from Part A for more details.
The Client Id can be retrieved from Step 4 in Part A of this protocol.
The Client Secret can be retrieved from Step 5 in Part A of this protocol (highlighted in Green).
Authorization URL, Token URL and Logout URL
https://<server of ADFS>/adfs/.well-known/openid-configuration
A JSON file (openid-configuration.json) will then be available for you to download or view. If you download it, open the file with Notepad or Notepad++ and look for the necessary information as described in the following table:

| URL | Keywords to look for in the json file |
|---|---|

Copy each URL, remove the escape character “\” in it (the file writes slashes as “\/”) and paste it into the relevant field in RC backend.
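The lookup described above can also be done programmatically. The following is an added example, not part of this article or of Resource Central: it parses a constructed openid-configuration document (the escaped “\/” slashes are what the step above refers to), pulls out the three URLs, and refuses any endpoint that is not HTTPS or not on the expected ADFS host. The host name adfs.example.local is an assumption; the JSON key names are the standard OpenID Connect discovery keys.

```python
import json
from urllib.parse import urlparse

# Constructed sample resembling what /adfs/.well-known/openid-configuration returns.
# ADFS escapes slashes as "\/", which is why the article says to strip "\".
SAMPLE_DISCOVERY = r'''{
  "issuer": "https:\/\/adfs.example.local\/adfs",
  "authorization_endpoint": "https:\/\/adfs.example.local\/adfs\/oauth2\/authorize\/",
  "token_endpoint": "https:\/\/adfs.example.local\/adfs\/oauth2\/token\/",
  "end_session_endpoint": "https:\/\/adfs.example.local\/adfs\/oauth2\/logout",
  "scopes_supported": ["openid", "email", "profile"],
  "response_types_supported": ["code", "id_token", "code id_token"]
}'''

# RC backend field name -> key in the discovery document (standard OIDC names).
FIELD_TO_KEY = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Logout URL": "end_session_endpoint",
}


def extract_endpoints(discovery_json: str, adfs_host: str) -> dict:
    """Return the three URLs with escapes removed, after sanity-checking them."""
    doc = json.loads(discovery_json)  # json.loads already turns "\/" into "/"
    out = {}
    for field, key in FIELD_TO_KEY.items():
        url = doc.get(key)
        if not url:
            raise ValueError(f"{key} missing from discovery document")
        parsed = urlparse(url)
        # Endpoints must be HTTPS and on the expected ADFS host; otherwise the
        # backend would send authorization codes or tokens to the wrong server.
        if parsed.scheme != "https":
            raise ValueError(f"{key} is not https: {url}")
        if parsed.hostname != adfs_host:
            raise ValueError(f"{key} host {parsed.hostname!r} != {adfs_host!r}")
        out[field] = url
    if "openid" not in doc.get("scopes_supported", []):
        raise ValueError("ADFS does not advertise the openid scope")
    return out


if __name__ == "__main__":
    for field, url in extract_endpoints(SAMPLE_DISCOVERY, "adfs.example.local").items():
        print(f"{field}: {url}")
```

Against a live server, replace SAMPLE_DISCOVERY with the body fetched from the discovery URL above and pass your ADFS host name.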
NOTE: The Claim Mapping section is used only when the Role Based Access Control (RBAC) function is enabled.
In the Claim Mapping part, the Resource Central information in the left column (Identity Attribute) can be mapped to the Token Azure IDP information in the right column (Claims).
In the Claims column, you can customize the information to your purpose and then map it to the compatible entry in the Identity Attribute column.
Applies to: RC 4.3+
Reference: TFS #339238
Knowledge base ID: 0319
Last updated: Jun 14, 2023