WebClient ADFS setup for Office Integrations

Overview

To configure the Web Client to use ADFS follow the same steps as those required for WebDrawer.  If in addition to using ADFS via a web browser you wish to use the Office addins with the Web Client / ServiceAPI you will need to do some additional configuration.  This is to support the OAuth authentication required by client applications.  Use the powershell command Add-ADFSClient on your ADFS server to create the ADFS client, described in this post.

Warning

Be careful with case.  Uris are case sensitive and if you get this wrong everything will be broken.

Things to look for in web.config

The location for the Integration path should allow anonymous access as the authorization is handled by a bearer token sent by the Office Addin.

<location path="Integration">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>

Also, inside the location path for "hprmserviceapi" ensure that the authorization is similarly set.

Near the top of web.config is the configuration element containing configSections, this should contain the two sections below.

<section 
  name="system.identityModel" 
   type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />

<section 
    name="system.identityModel.services"
    type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />

The appSetting will probably contain the ida:FederationMetadataLocation property if you are authenticating with the WebCleitn using ADFS.  It is not necessary for the Outlook integration wo work.

<add key="ida:FederationMetadataLocation" value="https://adfs1.testteam.local/FederationMetadata/2007-06/FederationMetadata.xml" />

Make sure the system.identityModel and system.identityModel.services have been added and configured, for example:

<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="https://giri12012r2.trim.lab/HPEContentManager/" />
      <add value="https://giri12012r2/HPEContentManager/" />
    </audienceUris>
    <securityTokenHandlers>
      <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </securityTokenHandlers>
    <certificateValidation certificateValidationMode="None" />
    <!--Element below commented by: ValidatingIssuerNameRegistry.WriteToConfg on: '24/06/2016 5:12:27 AM (UTC)'. Differences were found in the Metatdata from: 'https://adfs1.testteam.local/FederationMetadata/2007-06/FederationMetadata.xml'.-->
    <!--<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry"><authority name="http://ADFS1.testteam.local/adfs/services/trust"><keys><add thumbprint="538B9CF4D293995C9406D7EA74C3F7353C5DD62A" /></keys><validIssuers><add name="http://ADFS1.testteam.local/adfs/services/trust" /></validIssuers></authority></issuerNameRegistry>-->
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="http://ADFS1.testteam.local/adfs/services/trust">
        <keys>
          <add thumbprint="1247E2A79A46AD1EB71BFEA4582C0FB9465EE9BE" />
        </keys>
        <validIssuers>
          <add name="http://ADFS1.testteam.local/adfs/services/trust" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
  </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="true" />
    <wsFederation passiveRedirectEnabled="true" issuer="https://adfs1.testteam.local/adfs/ls" realm="https://giri12012r2.trim.lab/HPEContentManager/"  requireHttps="true" />
  </federationConfiguration>
</system.identityModel.services>

I discuss this in more detail when describing ADFS setup for WebDrawer.  The key points to consider are:

  • replace the audienceUri with one that is valid id for your relying party trust
  • ensure that the authority name points to your ADFS server
  • replace the issuer and realm with your ADFS server name and your realm

Things to look for in hprmServiceAPI.config

The <setup /> element has an attibute called useADFS, which would better be called showADFSLogout.  Set this to true to show logout link in the user menum as seen here.

The authentication section gives the WebClient the information it requires to use OAuth authentication for the UI components.  The audience should match the identifier in your relying party trust and the federation endpoint is the same as that in ida:FederationMetadataLocation. 

<authentication allowAnonymous="false">
  <activeDirectory>
    <add 
         name="adfs" 
         audience="https://giri12012r2.trim.lab/HPEContentManager/" 
         metadataEndpoint="https://adfs1.testteam.local/FederationMetadata/2007-06/FederationMetadata.xml"/>
  </activeDirectory>
</authentication>

ADFS\config.xml file

Within the WebClient folder you will find an ADFS folder which contains a file called config.xml.  This file stores the information your Office clients need to connect to ADFS.  It must be available via anonymous access so that it can be fetched before authenticatin has happened.  Before you will have the values required for this file you will need to have configured and ADFS client as descirbed in this post. The four values in this file are:

Element Source
clientAuthority The address of your adfs instance.
Example
https://adfs1.testteam.local/adfs
clientResourceUri The identifier of your relying party trust.
Example
https://MyServer/MyWebClient/
clientID The guid used in the client created by Add-ADFSClient.
clientReturnUri The RedirectUri specified when running Add-ADFSClient.
Written on June 30, 2016