Active Directory as an OAuth 2.0 External Identity Provider

​

Prerequisites

• The Active Directory Federation Service (ADFS) needs to be installed.
• A user group must be created in Active Directory. This group is used to manage the list of users permitted to access Vantage.
• Create a Redirect URI to receive the authentication responses. The URI is:
  https://<your-vantage-url>/auth2/signin-oidc

​

Setup

1. Open the management console.
2. Add a new application group and select the Web browser accessing a web application template.

3. In the Native Application tab, enter your Redirect URI and save the generated Client Identifier, which will be required later on. You can also view it again later in the application group properties.

4. In the Apply Access Control Policy tab, select a user group to be granted access to Vantage. You can leave the default value of Allow everyone if you do not want to restrict access for users at that moment.

5. The Summary and Complete tabs are not required to set up Active Directory. Navigate through them and click Close.
6. Check the properties of the application group you have created. You can also manage Redirect URI and Client ID via Server application Properties. For advanced application group settings, use Web application Properties. There, you can also find the Application ID and save it, since it will be required later on in the setup.
7. In the Add Transform Claim Rule dialog, add a claim rule to make sure that the email address and name will be included in the token.

8. In the Configure Claim Rule tab, select Active Directory in Attribute Store.

9. In the Web application Properties dialog, navigate to the Client Permissions tab, select the openid and profile scopes, and click Apply.

​

Next Steps

• The Application (Client) ID from step 6.
• The ADFS URL in the following format: https://<Full computer name>/adfs (a machine’s Full computer name can be found in its system settings). For example, https://adfs.platform.local/adfs.