Prerequisites
Before starting, ensure you have:
- Access to the ADFS Management Console with admin permissions.
- An SSL certificate installed and configured for your ADFS server.
Steps for Customers to Obtain Configuration Data
Follow these steps to set up ADFS and retrieve the necessary information for integration.

Step 1: Create a New Application Group in ADFS
- Open the ADFS Management Console on your ADFS server.
- In the left-hand menu, expand ADFS > Application Groups.
- Right-click Application Groups and select Add Application Group.
- Enter a name for your application group (e.g., Your Platform SSO) and choose Server application accessing a web API.
- Click Next.
Step 2: Configure the Server Application
- On the Server application page:
  - Client Identifier: Enter a unique identifier (e.g., your-platform-client-id).
  - Click Add Application and enter the Roe-AI Redirect URI https://app.roe-ai.com/sso/callback.
- Click Next.
Step 3: Configure the Web API
- On the Web API page:
  - Leave the Identifier field as the default value (e.g., https://<adfs-server>/adfs/services/trust).
- Click Next.
Step 4: Generate a Client Secret
- On the Client Secret page:
  - Click Generate a shared secret and copy the generated value. This will be used as the OIDC Client Secret.
- Click Next.
Step 5: Configure Application Permissions
- On the Configure Application Permissions page:
  - Ensure the default permission openid is enabled.
  - Add any additional permissions required by your platform (e.g., email, profile).
- Click Next.
Step 6: Collect the ADFS Endpoints
- Open the ADFS Federation Metadata XML by navigating to https://<adfs-server>/FederationMetadata/2007-06/FederationMetadata.xml.
- Extract the following URLs from the metadata:
  - Authorization Endpoint: https://<adfs-server>/adfs/oauth2/authorize
  - Token Endpoint: https://<adfs-server>/adfs/oauth2/token
  - User Info Endpoint: Append /userinfo to the ADFS OAuth2 base URL (e.g., https://<adfs-server>/adfs/oauth2/userinfo).
- Replace <adfs-server> with the URL of your ADFS server.
Configuration on Your Platform
Once you’ve collected the necessary information from ADFS, configure your platform as follows:

| Field | Value |
|---|---|
| OIDC Client ID | The Client Identifier configured in ADFS. |
| OIDC Client Secret | The Client Secret generated in Step 4. |
| OIDC Authorization Endpoint | https://<adfs-server>/adfs/oauth2/authorize |
| OIDC Token Endpoint | https://<adfs-server>/adfs/oauth2/token |
| OIDC User Info Endpoint | https://<adfs-server>/adfs/oauth2/userinfo |
| OIDC User Identifier Key | sub |
| OIDC User First Name Key | given_name |
| OIDC User Last Name Key | family_name |
Testing the Integration
- Log out of your account on the platform.
- Go to the login page and select Sign in with SSO.
- Authenticate via ADFS.
- Verify that:
  - You are redirected back to the platform.
  - Your user details (e.g., name, email) are displayed correctly.
Troubleshooting
- Invalid Client ID/Secret:
  - Verify the Client ID and Client Secret are entered correctly in your platform.
- Authorization Errors:
  - Ensure the Redirect URI matches the one configured in ADFS.
- User Info Mapping Issues:
  - Use a tool like Postman to test the User Info Endpoint (https://<adfs-server>/adfs/oauth2/userinfo) and validate the keys.
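As an added example (not Roe-AI's code and not part of this page), the Python below builds the ADFS authorization request from the endpoints collected in Step 6 and maps a userinfo response onto the key settings from the configuration table, failing loudly when a claim is missing, which is the User Info Mapping case above. The ADFS hostname, the sample userinfo body and the helper names are assumptions.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse

# Endpoints from the configuration table; "adfs.example.com" is a placeholder
# standing in for <adfs-server>.
ADFS_SERVER = "adfs.example.com"
AUTHORIZE_ENDPOINT = f"https://{ADFS_SERVER}/adfs/oauth2/authorize"
REDIRECT_URI = "https://app.roe-ai.com/sso/callback"
SCOPES = ["openid", "email", "profile"]  # openid is the ADFS default permission

# Platform field -> OIDC claim, from the "OIDC User ... Key" rows of the table.
KEY_MAP = {"id": "sub", "first_name": "given_name", "last_name": "family_name"}


def build_authorize_url(client_id, redirect_uri=REDIRECT_URI, state=None):
    """Return the authorization-code request URL and the state to keep in the session."""
    if urlparse(redirect_uri).scheme != "https":
        raise ValueError("redirect URI must use https")
    # The state is compared against the callback; a mismatch means the
    # response did not come from the request this session started.
    state = state or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match the URI registered in Step 2
        "response_type": "code",
        "scope": " ".join(SCOPES),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state


def map_userinfo(userinfo_json):
    """Map a userinfo JSON body to platform fields using KEY_MAP.

    A missing claim raises KeyError naming it: the 'User Info Mapping
    Issues' case, visible when the Postman check returns fewer keys."""
    claims = json.loads(userinfo_json)
    missing = [k for k in KEY_MAP.values() if k not in claims]
    if missing:
        raise KeyError(f"userinfo response lacks claims: {missing}")
    return {field: claims[key] for field, key in KEY_MAP.items()}


# Constructed sample userinfo body, shaped like a successful Postman response.
SAMPLE_USERINFO = json.dumps({"sub": "constructed-sub-123", "given_name": "Ada",
                              "family_name": "Lovelace", "email": "ada@example.com"})
```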
For further assistance, contact our support team.