Connect your ADFS to desk.ly using OpenID Connect
Preparations
If you use Active Directory Federation Services (ADFS) in your company, you can also use it for authentication with desk.ly. As with Single Sign-On via OpenID, make sure that your account has a subdomain. If it does, continue in the "Admin Area" under "Authentication".
In the authentication settings, activate "Company login (OpenID authentication)". Copy the "Callback URL" from the right-hand side and save it; you will need it later.
Configuration in ADFS
Create application
Now open the AD FS Management Console and add a new Application Group. In the dialog that opens, enter a name for the application and, under "Client-Server applications", select "Server application accessing a web API".
In the next step, copy the displayed "Client Identifier" and store it; you will need it later as well. Under "Redirect URI", add the Callback URL you copied in the Preparations step.
Next, enable "Generate a shared secret" under "Configure Application Credentials". Copy this secret as well and store it safely.
In the next step, "Configure Web API", add the "Client Identifier" you just copied to "Identifier".
In the "Apply Access Control Policy" step, choose a policy that fits your organization.
Under "Configure Application Permissions", make sure that allatclaims, email, openid and profile are checked.
Check all settings again under "Summary" and then complete the setup.
Configure the application
Now we need to add some LDAP attributes so that the login in desk.ly works. To do this, select the Application Group you just created and edit the "Web API".
Click the "Issuance Transform Rules" tab and add a new rule. Give it a name and select "Active Directory" under "Attribute Store". Then create the following attribute mappings:
| LDAP Attribute | Outgoing Claim Type |
|---|---|
| User-Principal-Name | UPN |
| E-Mail-Addresses | |
| Surname | lastName |
| Given-Name | givenName |
Configuration in desk.ly
Now return to the authentication settings in desk.ly and fill in the fields:
- Type: Active Directory Federation Services (ADFS)
- Discovery URL: [YOUR ADFS URL]/adfs/.well-known/openid-configuration
- Client ID: Paste the "Client Identifier" that you copied when you created the application in ADFS.
- Client Secret: Insert the secret you copied when you created the application in ADFS.
- Audience: microsoft:identityserver:[CLIENT ID]
- Response Type: code
- Scopes: allatclaims openid profile email
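As an added example that is not part of this guide or of desk.ly or ADFS, the following Python script checks an ADFS discovery document and a decoded token payload against the values configured above; the discovery document, token payload and client id it uses are constructed samples, and the issuer form `[YOUR ADFS URL]/adfs` is assumed.

```python
# Added example, not desk.ly or ADFS code: offline sanity checks of the values
# the desk.ly form expects against an ADFS discovery document and a decoded
# token payload. Sample data below is constructed for illustration.

REQUIRED_SCOPES = {"allatclaims", "openid", "profile", "email"}  # "Scopes" field
REQUIRED_RESPONSE_TYPE = "code"                                   # "Response Type"
# Outgoing claim types from the transform rules table (e-mail type is blank there).
REQUIRED_CLAIMS = {"UPN", "lastName", "givenName"}

def expected_audience(client_id: str) -> str:
    """Value for the desk.ly "Audience" field."""
    return f"microsoft:identityserver:{client_id}"

def check_discovery(doc: dict, adfs_url: str) -> list:
    """Return problems found in an openid-configuration document (empty = OK)."""
    problems = []
    issuer = adfs_url.rstrip("/") + "/adfs"  # assumed: ADFS publishes <ADFS URL>/adfs
    if doc.get("issuer") != issuer:
        problems.append(f"issuer {doc.get('issuer')!r}, expected {issuer!r}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    if REQUIRED_RESPONSE_TYPE not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not supported")
    return problems

def check_token(payload: dict, client_id: str, issuer: str) -> list:
    """Return problems in a decoded (signature-verified) token payload."""
    problems = []
    aud = payload.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if expected_audience(client_id) not in aud:
        problems.append(f"aud {aud} lacks {expected_audience(client_id)!r}")
    if payload.get("iss") != issuer:
        problems.append(f"iss {payload.get('iss')!r}, expected {issuer!r}")
    missing = REQUIRED_CLAIMS - set(payload)
    if missing:
        problems.append("claims missing, check transform rules: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample: discovery document without "allatclaims", token without lastName.
SAMPLE_DISCOVERY = {"issuer": "https://fs.example.com/adfs", "response_types_supported": ["code"],
                    "scopes_supported": ["openid", "profile", "email"]}
SAMPLE_TOKEN = {"iss": "https://fs.example.com/adfs", "aud": "microsoft:identityserver:0000-client-id",
                "UPN": "jdoe@example.com", "givenName": "Jane"}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY, "https://fs.example.com"))
    print(check_token(SAMPLE_TOKEN, "0000-client-id", "https://fs.example.com/adfs"))
```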