To start integrating AD FS authentication into your app, you need to set up Telerik Platform accordingly. Otherwise your backend will return an error even if your code is properly implemented.
You don't need to know how to set up an AD FS service, but your organization's AD FS administrator must meet a few requirements that you need to relay to them. These are:
- Ask your AD FS Administrator to create a Relying Party Trust for your Telerik Platform app and provide them with the following data:
  - Relying Party Identifier in the following format: https://example.com. The value does not need to be a real resolving live URL because AD FS will never try to access it.
  - If implementing active federation:
    - WS-Federation Passive Endpoint: https://api.everlive.com/v1/your-app-id/adfs/token (or copy the Reply URL value from your app's Users > Authentication screen after setting it up).
    - SAML Assertion Consumer Endpoint: https://api.everlive.com/v1/your-app-id/adfs/token (or copy the Reply URL value from your app's Users > Authentication screen after setting it up).
- Ask your AD FS Administrator to provide you with the Federation Metadata URL. It usually takes the following format:
- In case you want to use active federation, ask your AD FS Administrator to expose the WS-Trust 1.3 UsernameMixed endpoint. It usually takes the following form: https://fs.example.com/adfs/services/trust/13/usernamemixed. If you use the Backend Services SDK method that accepts a username and a password, the SDK will infer that this is the WS-Trust endpoint and contact it with the supplied username and password in order to obtain a token for you. This operation uses Transport Layer Security.
- Ask your AD FS Administrator to configure the following claims that Telerik Platform will try to read from an issued security token:
  - Primary SID (Required)
  - Name (Recommended)
  - Common Name (Recommended)
  - E-Mail Address (Recommended)
  - Given Name (Recommended)
  - Surname (Recommended)
- Ask your AD FS Administrator to ensure that the AD FS STS issues SAML 2.0 Security Tokens. This security token type is the only one supported by Telerik Platform.
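Added example (not Telerik's or the SDK's code): a relying-party-side check of an AD FS SAML 2.0 assertion against the requirements above, run on a constructed sample token. It assumes the standard AD FS claim-type URIs for the listed claims and that the assertion's Audience equals the Relying Party Identifier you enter as the ADFS realm; it deliberately omits XML signature verification, which must pass before any of these values are trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# Assumed AD FS claim-type URIs for the claims listed on this page.
CLAIM_TYPES = {
    "primary_sid": "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "common_name": "http://schemas.xmlsoap.org/claims/CommonName",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "surname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}
REQUIRED = {"primary_sid"}  # Primary SID is the only claim Telerik Platform requires

def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_claims(assertion_xml, expected_audience, now):
    """Map the claims Telerik Platform reads; raise ValueError if the token must be rejected."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 assertion")  # only token type supported
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    if not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is not valid at this time")
    # The Audience must equal the Relying Party Identifier entered as the ADFS realm.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience {audiences} does not match realm {expected_audience}")
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        for key, uri in CLAIM_TYPES.items():
            if attr.get("Name") == uri:
                claims[key] = attr.findtext("saml:AttributeValue", namespaces=NS)
    missing = REQUIRED - set(claims)
    if missing:
        raise ValueError(f"required claim(s) missing: {sorted(missing)}")
    return claims

# Constructed sample assertion (not a real AD FS token); only two of the claims are present.
SAMPLE = f"""<Assertion xmlns="{SAML_NS}" ID="_c1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
    <AudienceRestriction><Audience>https://example.com</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="{CLAIM_TYPES['primary_sid']}"><AttributeValue>S-1-5-21-1-2-3-1001</AttributeValue></Attribute>
    <Attribute Name="{CLAIM_TYPES['email']}"><AttributeValue>jdoe@example.com</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""
```

Calling `extract_claims(SAMPLE, "https://example.com", now)` with a time inside the window returns the Primary SID and e-mail; a token for another realm, one outside its validity window, or one without a Primary SID raises ValueError.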
- Go to Users > Authentication.
- Check the box in front of Active Directory.
- For ADFS metadata URL, enter the Federation Metadata URL that your AD FS Administrator has provided.
- For ADFS realm, enter the Relying Party Identifier that you supplied to your AD FS Administrator. The Reply URL is generated automatically based on this value.
- Click Save.