
External Authentication Details for OpenID Connect with ADFS

Overview

This article provides step-by-step instructions on how to retrieve external authentication details for RC backend login using Microsoft account with OpenID Connect via ADFS.

Requirements

The following table lists the supported Windows Server versions and the ADFS version supported on each:

Supported Windows Server    Supported ADFS
Windows Server 2016         ADFS 4.0
Windows Server 2019         ADFS 5.0
Windows Server 2022         ADFS 10.0


NOTE: As of Resource Central Hotfix 8, the Outlook Add-in requires the latest manifest version, 1.11.0, to run with Single Sign On.

Authentication Details for OpenID Connect with ADFS

Part A. Configure Active Directory Federation Services (ADFS)

1. Go to the web server where your Exchange server is installed and click Start ➔ Server Manager ➔ Tools ➔ AD FS Management.

2. In the opened window, select Application Groups and [Add a new Application Group] from the Actions sidebar. This starts the configuration wizard for a new Group.

3. On the ‘Add Application Group wizard’ ➔ Welcome screen, fill in Name, select “Server application” in Template and click [Next].

4. On the next screen, fill in ‘Redirect URL’ and click [Add]. You will have to provide 2 URLs: one for receiving login details from ADFS, one for receiving logout information from ADFS.

The URL for receiving login details from ADFS is the Reply URL in RC backend ➔ Authentication ➔ External Authentication.

The Reply URL is automatically generated when you select ‘OpenID Connect with AD FS’ option in RC backend ➔ Authentication.

The URL for receiving logout details from ADFS must have the following format:

[RC backend URL]/Api/Authentication/Logout

e.g. http://ResourceCentral.com/Api/Authentication/Logout

Then click [OK] to proceed.

5. On the next screen (Configure Application Credentials), check “Generate a shared secret” and click “Copy to clipboard” to save the client secret.

Then click [Next] to proceed.

6. On the Configure Web API screen, fill in “Identifier” (which is the Client Id from Step 4 of this section) and click the [Add] button.

Then click [Next] to proceed.

7. Click [Next] on Choose Access Control Policy screen.

8. On the Configure Application Permissions screen, check the openid, allatclaims and user_impersonation checkboxes.

Click [Next] to proceed.

9. Click [Next] on Summary screen and click [Close] on Complete screen to finish.

10. In Application Groups, double click on the group you created, [RC43RTM_OIDC ADFS].

After that, its properties pop-up will appear as in the figure below:

Then, double click on [RC43RTM_OIDC ADFS – Web API] and choose the [Issuance Transform Rules] tab.

Next, click [Add Rule] to select Rule Template as below:

Step 1: Choose Rule Type

In this step, choose Send LDAP Attributes as Claims in Claim rule template category. Click [Next] to go to the second step.

Step 2: Choose Active Directory in Attribute store category.

Then a mapping table with 2 columns will appear. In the LDAP Attribute column, type or select the attributes; in the Outgoing Claim Type column, select or type the claim type corresponding to each attribute on the left.

E.g.:

E-mail-Addresses attribute must be mapped to E-mail Address claim type.

Given-Name attribute must be mapped to Given Name claim type.

Surname attribute must be mapped to Name claim type.

Click [Finish] to end.


NOTE: If there are users in the system whose User Principal Name differs from their SMTP address, a claim must be added to retrieve all email addresses. Please refer to the ‘Adding claim to retrieve all email addresses for users who have UPN different from SMTP’ article for more details.
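The same Part A configuration can be scripted with the AD FS PowerShell module, which is useful when the setup has to be repeated on several federation servers or reviewed later. The block below is an added example written for this article, not a script from the article or from the Resource Central product. It keeps the group name [RC43RTM_OIDC ADFS] and the logout URL format from the steps above; the application group identifier, the RC backend host, the Reply URL placeholder and the rule name are assumptions and must be replaced with your own values (the Reply URL in particular is the one generated by RC backend ➔ Authentication). Run it in an elevated session on the AD FS server.

```powershell
# Added example (not from the original article): the Part A wizard steps as AD FS cmdlets.
# Placeholders below are assumptions, not values taken from the article.
Import-Module ADFS

$groupName   = "RC43RTM_OIDC ADFS"                      # group name used in the article
$groupId     = "RC43RTM_OIDC_ADFS"                      # hypothetical application group identifier
$rcBackend   = "https://resourcecentral.example.com"    # placeholder RC backend URL
$replyUrl    = "$rcBackend/REPLY-URL-FROM-RC-BACKEND"   # placeholder: paste the Reply URL generated by RC backend
$logoutUrl   = "$rcBackend/Api/Authentication/Logout"   # logout URL format required in Step 4
$clientId    = [guid]::NewGuid().ToString()             # Client Id; the wizard generates a GUID the same way

# Steps 2-3: application group created with the Server application template
New-AdfsApplicationGroup -Name $groupName -ApplicationGroupIdentifier $groupId

# Steps 4-5: server application with both redirect URLs and a generated shared secret.
# The secret is returned only once; treat it like a password and hand it to RC backend directly.
$serverApp = Add-AdfsServerApplication -Name "$groupName - Server application" `
    -ApplicationGroupIdentifier $groupId `
    -Identifier $clientId `
    -RedirectUri @($replyUrl, $logoutUrl) `
    -GenerateClientSecret
$clientSecret = $serverApp.ClientSecret

# Step 10: the claim rule the "Send LDAP Attributes as Claims" template produces for the three
# mappings in the article: E-mail-Addresses -> E-mail Address, Given-Name -> Given Name, Surname -> Name.
# LDAP attribute names mail, givenName and sn correspond to those display names.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Resource Central user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Steps 6-7: Web API whose Identifier is the Client Id, with the default access control policy
Add-AdfsWebApiApplication -Name "$groupName - Web API" `
    -ApplicationGroupIdentifier $groupId `
    -Identifier $clientId `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules $issuanceRules

# Step 8: the three permission scopes checked in the wizard
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $clientId `
    -ScopeNames "openid", "allatclaims", "user_impersonation"

# The values Part B asks for, shown once to the operator running the script
[pscustomobject]@{
    ReplyUrl     = $replyUrl
    ClientId     = $clientId
    ClientSecret = $clientSecret
}
```

The claim rule text is what the Issuance Transform Rules tab stores behind the wizard; keeping it in a script makes it easy to compare the live rule (Get-AdfsWebApiApplication) against the intended one when troubleshooting a login that returns no e-mail claim.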



Part B. Retrieve details for OpenID Connect with AD FS Authentication Protocol

Reply URL

Refer to Step 4 in Part A for more details.

Client Id

The Client Id can be retrieved from Step 4 in Part A of this protocol.

Client Secret

The Client Secret can be retrieved from Step 5 in Part A of this protocol (highlighted in Green).

Authorization URL, Token URL and Logout URL

Go to the following link: 

https://<server of ADFS>/adfs/.well-known/openid-configuration

A JSON file (openid-configuration.json) is returned for you to view or download. If you download it, open the file with Notepad or Notepad++ and look for the information described in the following table:

URL                 Keyword to look for in the JSON file
Authorization URL   authorization_endpoint
Token URL           token_endpoint
Logout URL          end_session_endpoint

Copy each URL, remove the “\” characters from it (the JSON file escapes every forward slash as “\/”) and paste it into the relevant field in RC backend.
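Instead of removing the backslashes by hand, the discovery document can be read with a JSON parser, which turns the “\/” escapes back into plain “/” automatically. The block below is an added example written for this article, not code from the article or from Resource Central. The sample document is constructed to match the shape AD FS serves, with adfs.example.com as a placeholder host; the function names are this example's own. Besides extracting the three URLs, it refuses any endpoint that is not HTTPS or that points at a different host than the issuer, which catches a tampered or mistyped discovery URL before its values are pasted into RC backend.

```powershell
# Added example (not from the original article): extract Authorization, Token and Logout URLs
# from the AD FS discovery document and sanity-check them before they go into RC backend.

# Constructed sample in the shape AD FS serves; the host name is a placeholder, not a real server.
$SampleDiscoveryJson = @'
{
  "issuer": "https:\/\/adfs.example.com\/adfs",
  "authorization_endpoint": "https:\/\/adfs.example.com\/adfs\/oauth2\/authorize\/",
  "token_endpoint": "https:\/\/adfs.example.com\/adfs\/oauth2\/token\/",
  "end_session_endpoint": "https:\/\/adfs.example.com\/adfs\/oauth2\/logout",
  "jwks_uri": "https:\/\/adfs.example.com\/adfs\/discovery\/keys"
}
'@

function Get-RcOidcEndpoints {
    # Returns the three URLs RC backend needs. ConvertFrom-Json already unescapes "\/" to "/",
    # so no manual backslash removal is needed. Throws if an endpoint is not HTTPS or
    # lives on a different host than the issuer.
    param([Parameter(Mandatory)][string]$DiscoveryJson)

    $doc = $DiscoveryJson | ConvertFrom-Json
    $issuerHost = ([uri]$doc.issuer).Host

    $map = [ordered]@{
        'Authorization URL' = $doc.authorization_endpoint
        'Token URL'         = $doc.token_endpoint
        'Logout URL'        = $doc.end_session_endpoint
    }
    foreach ($name in $map.Keys) {
        $uri = [uri]$map[$name]
        if ($uri.Scheme -ne 'https') {
            throw "$name is not HTTPS: $uri"
        }
        if ($uri.Host -ne $issuerHost) {
            throw "$name host '$($uri.Host)' differs from issuer host '$issuerHost'"
        }
    }
    return [pscustomobject]$map
}

function Get-RcOidcEndpointsFromServer {
    # Live variant: fetch the document from the AD FS server over the link given in the article.
    param([Parameter(Mandatory)][string]$AdfsServer)
    $url = "https://$AdfsServer/adfs/.well-known/openid-configuration"
    $raw = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
    return Get-RcOidcEndpoints -DiscoveryJson $raw
}

# Offline run against the constructed sample; the output fields match the RC backend field names.
Get-RcOidcEndpoints -DiscoveryJson $SampleDiscoveryJson | Format-List
```

For a real server, call Get-RcOidcEndpointsFromServer with the AD FS host name from the link above; the returned object's three properties are the values to paste into RC backend.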

Claim Mapping

NOTE: Claim Mapping section is used only when Role Based Access Control (RBAC) function is enabled.

In the Claim Mapping part, the Resource Central information in the left column (Identity Attribute) can be mapped to the Azure IDP token information in the right column (Claims).

In the Claims column, you can customize the information to your purpose and then map it to the compatible Identity Attribute column.

Properties

Applies to: RC 4.3+

Reference: TFS #339238

Knowledge base ID: 0320

Last updated: Jun 14, 2023
