AD FS (OIDC)

AD FS (OIDC) can be used as an external login provider for Therefore™. The exact process and UI options are managed by Microsoft and can be subject to change from their side at any time.

Configuration on the AD FS server

On the AD FS server, an application group has to be created.

Check that the following settings are configured for the application group:

  • Set the correct application type and Redirect URIs (see below) for the Therefore™ applications that should use the external user directory. For example, set 'Native application' for the Therefore™ Navigator or 'Web Browser' for the Therefore™ Web Client.

  • If a web application is configured, it needs to be granted the following permitted scopes:

    - email

    - openid

    - profile

Redirect URIs

For the configuration of the application group on the AD FS server, redirect URIs for Therefore™ applications are necessary. They can be found here:

Redirect URI Compilation

Configuration in Therefore™

To configure AD FS as an external login provider, select the option 'AD FS (OIDC)' under 'External User Directories'. Enter the AD FS domain into the field labeled 'Domain / Directory name'.

Click the button labeled 'Auto-Detect'. A dialog labeled 'OIDC Discovery Endpoint' opens. Enter the OIDC discovery URL and click OK. The other settings in the dialog are auto-populated from the discovery document, except for the Therefore™ Client ID, which has to be entered manually.

Enter the following values into the respective fields in the dialog of the Therefore™ Solution Designer:

AD FS Label: Discovery URL
Therefore™ Setting: OIDC Discovery Endpoint
Description: Enter the OIDC discovery URL to auto-populate the other settings. The URL follows the pattern specified below:

https://domain/.well-known/openid-configuration

AD FS Label: Client id
Therefore™ Setting: Therefore™ Client ID
Description: The ID of the native application configured on the AD FS server
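Before trusting the values that Auto-Detect pulls from a discovery document, it is worth checking that they actually belong to the AD FS domain entered in the dialog and that the three scopes granted on the server are advertised. The following is an added example, not part of the Therefore™ product or its documentation; the host adfs.example.com, the endpoint paths and the two sample documents are constructed, and the set of endpoints checked is an assumption, since the page only names the discovery URL and the client ID.

```python
import json
from urllib.parse import urlparse

# Scopes the page says the web application must be granted on AD FS.
REQUIRED_SCOPES = {"email", "openid", "profile"}
# Endpoints a relying party takes from the discovery document (which of these the
# Therefore dialog auto-populates is an assumption; the page names only two fields).
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(domain: str) -> str:
    """Build the discovery URL from the AD FS domain using the page's pattern."""
    return f"https://{domain}/.well-known/openid-configuration"

def check_discovery_document(domain: str, document: str) -> list:
    """Return the problems found in a discovery document (empty list = OK)."""
    doc = json.loads(document)
    problems = []
    # The issuer must be HTTPS on the domain entered in the dialog; otherwise
    # tokens minted by a different identity provider would be accepted.
    issuer = urlparse(doc.get("issuer", ""))
    if issuer.scheme != "https" or issuer.hostname != domain:
        problems.append(f"issuer {doc.get('issuer')!r} is not on https://{domain}")
    # Every endpoint must be present and stay on the same host over HTTPS.
    for name in REQUIRED_ENDPOINTS:
        url = urlparse(doc.get(name, ""))
        if url.scheme != "https" or url.hostname != domain:
            problems.append(f"{name} is missing or not https on {domain}")
    # The three scopes the page lists must be advertised by the server.
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample documents for the placeholder host adfs.example.com.
SAMPLE_GOOD = json.dumps({
    "issuer": "https://adfs.example.com/adfs",
    "authorization_endpoint": "https://adfs.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.com/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
    "scopes_supported": ["openid", "profile", "email"],
})
# Bad sample: foreign issuer, token endpoint over plain http, 'profile' missing.
SAMPLE_BAD = json.dumps({
    "issuer": "https://other.example.net/adfs",
    "authorization_endpoint": "https://adfs.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "http://adfs.example.com/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
    "scopes_supported": ["openid", "email"],
})
```

Running `check_discovery_document("adfs.example.com", SAMPLE_BAD)` reports three problems, one per defect; the good sample reports none.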