|
| 1 | +--- |
| 2 | +title: OpenID Connect with Active Directory Federation Services (ADFS) |
| 3 | +description: |
| 4 | + Learn how to use Azure's Active Directory Federation Services (ADFS) SSO with |
| 5 | + Coder. |
| 6 | +--- |
| 7 | + |
| 8 | +This article walks you through setting up single sign-on to Coder using Azure's |
| 9 | +Active Directory Federation Services (ADFS). |
| 10 | + |
| 11 | +Configuring |
| 12 | +[Coder's OpenID Connect](../../admin/access-control/index.md#openid-connect) |
| 13 | +feature requires you to provide three pieces of information from Azure: |
| 14 | + |
| 15 | +- Client ID |
| 16 | +- Client Secret |
| 17 | +- Issuer |
| 18 | + |
| 19 | +This guide will show you how to set up Azure's Active Directory Federation |
| 20 | +Services and obtain the information you need to provide to Coder. |
| 21 | + |
| 22 | +## Step 1: Create a new application group for Coder |
| 23 | + |
| 24 | +1. On the server running ADFS, open Server Manager and go to **Tools** > **AD FS |
| 25 | + Management**. |
| 26 | + |
| 27 | +  |
| 28 | + |
| 29 | +1. In the left-hand pane, right-click on **Application Groups** and select **Add |
| 30 | + Application Group...**. |
| 31 | + |
| 32 | +  |
| 33 | + |
| 34 | +1. In the prompt window that appears, enter a **Name** and a **Description** |
| 35 | + (optional). Under **Template**, select **Server application accessing a web |
| 36 | + API**. Click **Next** to proceed. |
| 37 | + |
| 38 | +  |
| 39 | + |
| 40 | +1. In the next prompt window, you'll see a **Client identifier**. Save this |
| 41 | + value, since you'll need to provide it at a later step. Next, provide a |
| 42 | + **Redirect URI** (this value should be |
| 43 | + `https://coder.your-domain.com/oidc/callback`) and click **Add**. Then, click |
| 44 | + **Next** to proceed. |
| 45 | + |
| 46 | +  |
| 47 | + |
| 48 | +1. In the next screen, titled **Configure Application Credentials**, click the |
| 49 | + **Generate a shared secret** checkbox. Note the **Secret** value that |
| 50 | + appears, since you'll need to provide this to Coder at a later step. Click |
| 51 | + **Next** to proceed. |
| 52 | + |
| 53 | +  |
| 54 | + |
| 55 | +1. In the next step, **Configure Web API**, enter the **Client identifier** that |
| 56 | + you saved in step 4 in the field called **Identified** and click **Add**. |
| 57 | + Click **Next** to proceed. |
| 58 | + |
| 59 | +  |
| 60 | + |
| 61 | +1. On the **Choose Access Control Policy** screen, choose your preferred access |
| 62 | + control policy, and click **Next** to proceed. |
| 63 | + |
| 64 | + In the example below, we permit members of a specific group `coder-users` to |
| 65 | + access Coder. |
| 66 | + |
| 67 | +  |
| 68 | + |
| 69 | +1. For the step **Configure Application Permissions**, select the following |
| 70 | + **Permitted scopes**: |
| 71 | + |
| 72 | + - `allataclaims` |
| 73 | + - `email` |
| 74 | + - `openid` |
| 75 | + - `profile` |
| 76 | + |
| 77 | + Click **Next** to proceed. |
| 78 | + |
| 79 | +  |
| 80 | + |
| 81 | +1. Finally, in the **Summary** window, review the information you've provided. |
| 82 | + Click **Next** when you're ready to proceed and close the setup wizard. |
| 83 | + |
| 84 | +## Step 2: Modify the claim rules |
| 85 | + |
| 86 | +In this step, you'll ensure that the access tokens sent by ADFS include the |
| 87 | +following |
| 88 | +[OIDC standard claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims): |
| 89 | +`name` and `email`. |
| 90 | + |
| 91 | +1. In Server Manager, double-click on your newly created application group. |
| 92 | + |
| 93 | +1. Under **Applications**, select the **Web API** application and click |
| 94 | + **Edit**. |
| 95 | + |
| 96 | +  |
| 97 | + |
| 98 | +1. Select the tab **Issuance Transform Rules** and click **Add Rule...**. This |
| 99 | + will open the **Add Transform Claim Rule Wizard**. |
| 100 | + |
| 101 | +  |
| 102 | + |
| 103 | +1. In the rule wizard, under **Claim rule template**, select the option to |
| 104 | + **Send Claims using a Custom Rule**, and click **Next**. |
| 105 | + |
| 106 | +1. Enter a name for the claim rule. |
| 107 | + |
| 108 | +1. In the **Custom Rule** field, enter a claim rule written in the |
| 109 | + [ADFS Claim Rule Language](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-the-claim-rule-language). |
| 110 | + |
| 111 | + The following example claim rule maps the Active Directory attributes |
| 112 | + `userPrincipalName` and `displayName` as `email` and `name`, respectively: |
| 113 | + |
| 114 | + ```text |
| 115 | + c:[Type == |
| 116 | + "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", |
| 117 | + Issuer == "AD AUTHORITY"] |
| 118 | + => issue(store = "Active Directory", types = ("email", "name"), |
| 119 | + query = ";userPrincipalName,displayName;{0}", param = c.Value); |
| 120 | + ``` |
| 121 | + |
| 122 | + > For more information, see |
| 123 | + > [Create a Rule to Send Claims Using a Custom Rule](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-send-claims-using-a-custom-rule) |
| 124 | +
|
| 125 | +## Step 3: Gather information for Coder authentication |
| 126 | + |
| 127 | +Once you've created your application group, you'll have the **Client ID** and |
| 128 | +**Client Secret**. However, you still need the **issuer**, which you can get by |
| 129 | +running the `Get-ADFSProperties` Powershell cmdlet on the server running ADFS: |
| 130 | + |
| 131 | +```console |
| 132 | +Get-ADFSProperties | Select IdTokenIssuer |
| 133 | +``` |
| 134 | + |
| 135 | +You should see something similar for the output: |
| 136 | + |
| 137 | +```console |
| 138 | +PS C:\Users\coder> Get-ADFSProperties | Select IdTokenIssuer |
| 139 | + |
| 140 | +IdTokenIssuer |
| 141 | +- - - - - - - |
| 142 | +https://dc1.ba3...da221.westeurope.aksapp.io/adfs |
| 143 | +``` |
| 144 | + |
| 145 | +## Step 4: Configure Coder authentication |
| 146 | + |
| 147 | +At this point, you can continue with configuring authentication in Coder. |
| 148 | + |
| 149 | +1. Log into Coder and go to **Manage** > **Admin** > **Authentication**. |
| 150 | + |
| 151 | +1. In the top-most drop-down box, select **OpenID Connect**. |
| 152 | + |
| 153 | +1. Provide the requested values for **Client ID**, **Client Secret**, and |
| 154 | + **Issuer**. |
| 155 | + |
| 156 | +When done, click **Save Preferences**. At this point, Coder validates your |
| 157 | +configuration before proceeding. If successful, you can expect Coder to send |
| 158 | +OIDC login attempts to your configured ADFS instance. |
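Review bot: the scope list under **Configure Application Permissions** (`- `allataclaims``) misspells the ADFS scope; the permitted scope ADFS exposes is `allatclaims` (all access-token claims), so a reader looking for `allataclaims` in the wizard will not find it; change the bullet to `allatclaims`. Two smaller points in the same hunk: the **Configure Web API** step refers to a field called **Identified**, which the ADFS wizard labels **Identifier**; and because ADFS only redirects to URIs that are registered exactly, the Redirect URI sentence should state that `https://coder.your-domain.com/oidc/callback` has to match the deployment's actual Coder access URL exactly (scheme, host and path), otherwise the login fails at the callback.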