Authenticating in the web client and Office integration with Azure AD

Configuring the Web Client and Office integration to use Azure AD for authentication is a multi-step process. Here I run through a simple scenario to get this working, first in a video and then in some sample config.

web.config

First add the below to the configSections element.

    <!-- Registers the WIF configuration sections (version 4.0.0.0 of the
         System.IdentityModel assemblies) so that the <system.identityModel> and
         <system.identityModel.services> elements added later are recognised
         by the runtime instead of being rejected as unknown sections. -->
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />

Add this element to appSettings. Replace the value with the federation metadata URL from your Azure AD App.

    <!-- Federation metadata document of your Azure AD tenant (the xxx-... path
         segment is normally the tenant/directory ID). The issuer and the
         token-signing certificates are published here, so this must stay an
         https:// URL and must point at your own tenant, not a shared endpoint. -->
    <add key="ida:FederationMetadataLocation" value="https://login.microsoftonline.com/xxx-xxx-xxx-xxx-xxx/federationmetadata/2007-06/federationmetadata.xml" />

Replace the authentication element with this:

    <!-- "?" is the ASP.NET token for anonymous (unauthenticated) users: every
         request must already carry a valid session/federation token to get past
         this rule. Paths that must stay reachable anonymously (the sign-in
         callback) are opened up with a separate <location> element. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- mode="None" switches off the built-in ASP.NET authentication modes;
         sign-in is handled by the WS-Federation configuration under
         <system.identityModel.services> instead. -->
    <authentication mode="None" />

Near the end of the web.config (just below the end configuration tag) include this:


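  <!-- WIF configuration for Azure AD sign-in over WS-Federation. These elements
       are children of the root <configuration> element (an XML document has a
       single root, so nothing may follow </configuration>). -->
  <system.identityModel>
    <identityConfiguration>
      <!-- Only tokens whose audience matches one of these values are accepted;
           both the Application (client) ID and the Application ID URI of the
           web app registration are listed. -->
      <audienceUris>
        <add value="[APP ID FROM WEB APP REGISTRATION]" />
        <add value="[APPLICATION ID URI FROM 'EXPOSE AN API' IN WEB APP REGISTRATION]"/>
      </audienceUris>
      <securityTokenHandlers>
        <!-- The session cookie is protected with the ASP.NET machineKey rather
             than the default handler's (DPAPI-based) protection, so a machineKey
             must be configured explicitly, and identically, on every server that
             hosts this site. -->
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
      <!-- Chain and revocation checks on the token-signing certificate are
           disabled. Issuer trust therefore rests entirely on the thumbprint list
           under <keys> below: keep it populated, and update it when Azure AD
           rolls its signing keys (compare against the federation metadata). -->
      <certificateValidation certificateValidationMode="None" />

      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="https://sts.windows.net/[TENANT ID]/">
          <keys>
            <!-- One entry per signing certificate published in the federation
                 metadata document; Azure AD usually publishes more than one at a
                 time. An empty list means no signature can be trusted. -->
            <add thumbprint="[SIGNING CERTIFICATE THUMBPRINT FROM FEDERATION METADATA]" />
          </keys>
          <!-- Pins the accepted issuer to this tenant; tokens issued for any
               other tenant are rejected even if correctly signed. -->
          <validIssuers>
            <add name="https://sts.windows.net/[TENANT ID]/" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <!-- The session cookie is only sent over HTTPS; leave this true. -->
      <cookieHandler requireSsl="true" />
      <!-- requireHttps="true" rejects sign-in responses that arrive over plain
           HTTP. NOTE(review): the metadata URL in appSettings uses
           login.microsoftonline.com; confirm the issuer host used here matches
           the passive endpoint published in that metadata document. -->
      <wsFederation passiveRedirectEnabled="true" issuer="https://login.windows.net/[YOUR DOMAIN]/wsfed" realm="[APPLICATION ID URI FROM 'EXPOSE AN API' IN WEB APP REGISTRATION]" requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>
  <!-- The "adfs" path (the sign-in callback) is the only location reachable
       anonymously; every other path is covered by the deny users="?" rule in
       <system.web>. Keep this scoped to that one path. -->
  <location path="adfs">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>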

hprmServiceAPI.config

Add the authentication element:

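  <!-- Service API authentication. allowAnonymous="false" refuses unauthenticated
       calls; the activeDirectory entry presumably validates incoming tokens
       against the audience and the signing keys published at metadataEndpoint -
       confirm against the product documentation. -->
  <authentication allowAnonymous="false">
    <activeDirectory>
      <!-- audience must match the Application ID URI exactly; metadataEndpoint is
           the same https:// federation metadata URL used in web.config. -->
      <add name="adfs" audience="[APPLICATION ID URI FROM 'EXPOSE AN API' IN WEB APP REGISTRATION]" metadataEndpoint="[FEDERATION METADATA DOCUMENT]"/>
    </activeDirectory>
  </authentication>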

Add useADFS="true" to the setup element.

 <setup  databaseId="M1" useADFS="true" 

config.xml

Create the config.xml file in the ADFS folder under your web client install folder.

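<!-- Client-side settings read from the ADFS folder of the web client install.
     Bracketed values come from the two Azure AD app registrations: the web app
     exposes the API, the native app is the client that signs in. -->
<adfsClient>
  <clientAuthority>https://login.windows.net/[YOUR DOMAIN]</clientAuthority>
  <clientResourceUri>[APPLICATION ID URI FROM 'EXPOSE AN API' IN WEB APP REGISTRATION]</clientResourceUri>
  <clientID>[APPLICATION ID IN NATIVE APP REGISTRATION]</clientID>
  <!-- Must be one of the redirect URIs registered on the native app; Azure AD
       rejects sign-in for an unregistered return URI. -->
  <clientReturnUri>[replyUrlsWithType url FROM MANIFEST IN NATIVE APP REGISTRATION]</clientReturnUri>
</adfsClient>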
Written on August 8, 2019