Use AD FS as OIDC Identity Provider
For the prerequisites and the configuration on AD FS side, refer to the SEAL Interfaces for OIDC documentation.
On AD FS side, two server applications with Web API have to be configured, one for the Client Credential Flow between the services and one for the Code Flow used for the interactive logon. Each server application has an ID and a secret which have to be configured with SEAL Operator.
Configure the SEAL Operator Part
In SEAL Operator, configure the keys for AD FS:
- Export the complete configuration of SEAL Operator from Consul to a YAML file in order to ensure that the current configuration settings are used.

  operator config export <filename>.yml --insecure

- In the env section, specify the following keys for all services:

  - AUTH_CLIENT_SECRET: Secret generated when configuring the first server application in AD FS above
  - AUTH_CLIENT_ID: ID generated when configuring the first server application in AD FS above
  - AUTH_ISSUER_URL: This URL is used by the services for connecting to the AD FS provider.
  - ID_PROVIDER_NAME: Name of the AD FS. Hint: even if AD FS is configured to use HTTPS, the URL specified here does not use the https scheme; it uses http as the URI!
  - ID_PROVIDER_CERT: Absolute path and file name of the certificate file exported above (optional)
  - TRUSTED_CLIENT: Client name configured in AD FS for granting access via access token; the information is contained in the token. This URI is used to check the token from the AD FS. It is composed of two parts: microsoft:identityserver:<client_identifier>.

- In the env section, specify the following keys for the operator-ui service:

  - AUTH_CLIENT_SECRET: Secret generated when configuring the second server application in AD FS above
  - AUTH_CLIENT_ID: ID generated when configuring the second server application in AD FS above

  Example - AD FS configuration in SEAL Operator

  env:
    service:
      any:
        tag:
          any:
            ...
            AUTH_CLIENT_SECRET: ZveeFKncasjTvkCVul7jS_d_SdlltJLgFeW2-4IU
            AUTH_CLIENT_ID: f20d7f7b-6e78-4259-a796-85946aeaaa27
            AUTH_TOKEN_ENDPOINT: https://oictest.de/adfs/oauth2/token
            AUTH_ISSUER_URL: https://oictest.de/adfs/
            ID_PROVIDER_NAME: http://oictest.de/adfs/services/trust
            ID_PROVIDER_CERT: c:\cert\export_token_signing.cer
            TRUSTED_CLIENT: microsoft:identityserver:f20d7f7b-6e78-4259-a796-85946aeaaa27
            ...
      operator-ui:
        tag:
          any:
            ...
            AUTH_CLIENT_SECRET: TJ79W3mMnvPDJ6Ax0kGt8YFz-0ooF3HNdRUpy6as
            AUTH_CLIENT_ID: ab762716-544d-4aeb-a526-687b73838a33
            ...

- Save the file <filename>.yml and re-import it to Consul.

  operator config import <filename>.yml --insecure
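Before re-importing the file, the relationships between the keys described above can be checked offline. The following Python script is an added example, not part of the SEAL Operator product or this documentation: it verifies that ID_PROVIDER_NAME uses the http scheme, that AUTH_ISSUER_URL uses https, that TRUSTED_CLIENT equals microsoft:identityserver:<AUTH_CLIENT_ID>, and it decodes a token payload locally to compare it with the configured values. It assumes the issuer is carried in the token's iss claim and the trusted client in its aud claim; the sample token is constructed and unsigned.

```python
import base64
import json

# Constructed excerpt of the env keys using this page's example values
# (sample values from the documentation, not live credentials); the
# secrets are omitted because the checks below do not need them.
CONFIG = {
    "AUTH_CLIENT_ID": "f20d7f7b-6e78-4259-a796-85946aeaaa27",
    "AUTH_ISSUER_URL": "https://oictest.de/adfs/",
    "ID_PROVIDER_NAME": "http://oictest.de/adfs/services/trust",
    "TRUSTED_CLIENT": "microsoft:identityserver:f20d7f7b-6e78-4259-a796-85946aeaaa27",
}


def check_config(cfg):
    """Return a list of findings about the AD FS keys; empty means consistent."""
    findings = []
    if not cfg["AUTH_ISSUER_URL"].startswith("https://"):
        findings.append("AUTH_ISSUER_URL: services connect to AD FS over TLS, use https://")
    if not cfg["ID_PROVIDER_NAME"].startswith("http://"):
        findings.append("ID_PROVIDER_NAME: the AD FS issuer URI uses http://, not https://")
    expected = "microsoft:identityserver:" + cfg["AUTH_CLIENT_ID"]
    if cfg["TRUSTED_CLIENT"] != expected:
        findings.append("TRUSTED_CLIENT: expected " + expected)
    return findings


def decode_payload(token):
    """Decode the claims segment of a JWT locally (no signature check; inspection only)."""
    payload = token.split(".")[1]
    # JWT segments are base64url without padding; restore the padding before decoding.
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def token_matches_config(token, cfg):
    """True if the token's issuer equals ID_PROVIDER_NAME and TRUSTED_CLIENT is among its audiences.
    Assumption: issuer in the 'iss' claim, trusted client in the 'aud' claim (string or list)."""
    claims = decode_payload(token)
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else aud
    return claims.get("iss") == cfg["ID_PROVIDER_NAME"] and cfg["TRUSTED_CLIENT"] in audiences


def make_sample_token(claims):
    """Build a constructed, unsigned JWT with the given claims for exercising the checks offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"typ": "JWT"}) + "." + enc(claims) + ".constructed-signature"
```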
Literature - keys
For further information about the available keys, refer to the description of the Keys.
Hint - content of a token
By means of https://jwt.io/, you can decode the token and see its content.