ADFS OIDC SSO Integration
Problem:
Testing the OpenID Connect SSO integration fails with the error "bad input: failed to create OpenID Provider":
2022-02-20 00:07:45.368 WARN bad input: failed to create OpenID Provider
2022-02-20 00:07:45.368 DEBUG POST /api/v2/oidc/test [400 Bad Request]: code=400, message=bad input: failed to create OpenID Provider
Solution:
Add an OpenID Connect configuration to ADFS
1. Open the "AD FS Management" tool located under the "Tools" menu at the top right of the Server Manager.
2. Select the "Application Groups" folder item in the left sidebar.
3. Click on "Add Application Group..." in the sidebar to the right.
4. Give the application group a name, for example "OpenID Connect"
5. Select the "Server application accessing a web API" list item and click next. This is key: earlier I was using only "Server application", but it has to be "Server application accessing a web API".
6. Copy and paste the Client Identifier to a text file for later use.
7. Enter your authentication "Redirect URI" as provided by the Aqua UI and click next.
8. Tick the "Generate a shared secret" box. Copy and paste the Secret to a text file for use with your application. Click next.
9. Paste and add the Client Identifier (from step 6) as the "Identifier". Click next.
10. Select the access control policy you'd like to use and click next.
11. Make sure the boxes next to "openid", "profile" and "allatclaims" are ticked. Check only these 3 boxes; otherwise I have seen groups/roles being ignored.
12. Finish the wizard.
Configure OpenID Connect to provide user groups as claims
1. Open the "AD FS Management" tool located under the "Tools" menu at the top right of the Server Manager.
2. Select the "Application Groups" folder item in the left sidebar.
3. Double click on the group added earlier, then double click on the "Web API" application.
4. Select the tab named "Issuance Transform Rules".
5. Click the "Add Rule..." button at the bottom.
6. Select "Send LDAP Attributes as Claims" and click next.
7. Give the rule a name, for example "groups".
8. Select "Active Directory" as the "Attribute Store".
9. In the table below, select "Token-Groups Unqualified Names" in the first column and type "groups" into the second column.
10. Finish the wizard.
Now in the Aqua UI
Keycloak
Customers who use Keycloak need to include /realms/<realm name> in the IDP Issuer URL:
https://{keycloakhost}:{keycloakport}/realms/{realm}
Example:
"https://localhost/auth/realms/demo"
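One thing worth checking when the provider cannot be created is whether the Issuer URL you entered matches the "issuer" value the provider publishes in its discovery document, since OIDC Discovery requires the two to be identical. The Python helpers below are an added example, not part of Aqua, ADFS or Keycloak: they check that match, the scopes ticked in step 11 above, and whether the ID token carries the "groups" claim produced by the issuance rule; the discovery document is assumed to have been fetched beforehand from {issuer}/.well-known/openid-configuration, and the host names, realm and token are constructed samples.

```python
import base64
import json

# Scopes ticked in the ADFS wizard (step 11). 'allatclaims' is ADFS-specific,
# so pass {"openid", "profile"} as required_scopes when checking Keycloak.
ADFS_SCOPES = {"openid", "profile", "allatclaims"}

# Constructed sample of an ADFS discovery document (not a real tenant).
SAMPLE_ADFS_DOC = {
    "issuer": "https://adfs.example.test/adfs",
    "authorization_endpoint": "https://adfs.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.test/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.test/adfs/discovery/keys",
    "scopes_supported": ["openid", "profile", "email", "allatclaims"],
}

def keycloak_issuer(host, port, realm, legacy_auth_prefix=False):
    """Issuer URL https://{host}:{port}/realms/{realm}; legacy_auth_prefix gives
    the older /auth/realms/{realm} form seen in the example above."""
    prefix = "/auth/realms/" if legacy_auth_prefix else "/realms/"
    return f"https://{host}:{port}{prefix}{realm}"

def check_discovery(configured_issuer, discovery_doc, required_scopes=ADFS_SCOPES):
    """Compare the issuer URL entered in the SSO settings with the provider's
    /.well-known/openid-configuration (fetched beforehand, passed as a dict).
    Returns a list of problems; an empty list means the provider looks usable."""
    problems = []
    # OIDC Discovery requires 'issuer' to equal the URL it is served from (watch realm path, trailing slash).
    reported = discovery_doc.get("issuer", "")
    if reported.rstrip("/") != configured_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: configured {configured_issuer}, provider says {reported}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not discovery_doc.get(key):
            problems.append(f"discovery document lacks {key}")
    missing = required_scopes - set(discovery_doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not offered by provider: {sorted(missing)}")
    return problems

def id_token_groups(id_token):
    """Decode (not verify) the ID token payload and return its 'groups' claim as a
    list; ADFS emits a single group as a bare string. Troubleshooting aid only."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    groups = json.loads(base64.urlsafe_b64decode(payload)).get("groups", [])
    return [groups] if isinstance(groups, str) else list(groups)

def constructed_id_token(claims):
    """Unsigned sample token for offline testing; real ones come signed from ADFS."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256'})}.{b64(claims)}.signature-placeholder"
```

Signature verification against jwks_uri remains the relying party's job; id_token_groups only decodes the payload so you can see whether the groups rule is firing at all.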