0
votes

The plan is to support OAuth2 workflows in an AngularJS application. ADAL supports 'Implicit Grant Flow.' ADFS in older versions (available in Windows 2012 R2) supported only 'Authorization Grant Flow'.

Our plan is to begin by setting up a lab environment. It was suggested to us that Windows 2012 R2 has limited support for OAuth2; hence we should set up the environment using Windows 2016 and ADFS 4.0.

So before we start with a setup involving AD, ADFS, IIS and an AngularJS application (which is definitely non-trivial), we wanted to confirm: can ADFS running on Windows Server 2016 support OAuth2 Implicit Grant workflows? We plan to use ADAL.JS in order to support them.

Why the need for ADFS? If all you're trying to do is log in on-prem users, use Azure AD pass-through authentication. - evilSnobu
Yes, that is also planned. We followed the following video: "". As per the video it should be seamless SSO. However, what we observed is that it does not work for Edge. For other popular browsers like Chrome and Firefox it still asks for the username (not happy), though the password is not asked for (that is good). Is it something wrong with the configuration that we do not know? Any thoughts? - no-minds
Oops.. Link to the video is here: "youtube.com/watch?v=PyeAC85Gm7w" - no-minds
Found a new link (docs.microsoft.com/en-us/azure/active-directory/connect/…) just now which seems to explain why, for a few applications, browsers still ask for the 'username'. Now the only thing I want to know is what type of token is returned in step 9 under "How does sign-in on a web browser with Seamless SSO work?". My guess is it is an OAuth2 access token. Any thoughts? - no-minds
Should be an id_token. - evilSnobu

2 Answers

0
votes

As OAuth 2.0 support in ADFS on Windows Server 2012 R2 states about the supported authorization grants:

| Authorization grant type | ADFS (Windows Server 2012 R2) |
| --- | --- |
| Authorization code grant | Supported |
| Implicit grant | Not supported |
| Resource Owner Password Credentials grant | Not supported |
| Client Credentials grant | Not supported |

Also, ADFS as OAuth2 provider / Authentication server possible? was answered as follows:

With ADFS 2016 (which will release imminently), you have the full OAuth/OIDC support. With this you can build web apps, single page apps, APIs, multi-tiered app systems that require On-behalf-of support, confidential clients (with support for Windows service accounts acting as confidential clients).

For your scenario, you could follow Build a single page web application using OAuth and ADAL.JS with AD FS 2016. Note: The previous walkthrough is applicable only to AD FS Server 2016 and higher.

0
votes

I am following that (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/single-page-application-with-ad-fs) but I am getting a 401 error while trying to browse the TodoList page. The userdata is showing aud, iss, iat, exp, upn, unique_name and sub but not my family and given name. In the relying party trust I have:

```
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "family_name"), query = ";displayName,mail,givenName,sn;{0}", param = c.Value);
```

and in the Issuance transform rules I have:

```
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/claims/Group", "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"), query = ";mail,givenName,sn,tokenGroups(SID),sAMAccountName;{0}", param = c.Value);
```
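The claim inspection the answer above does by hand, as an added JavaScript example that is not code from the question, from ADAL.JS or from Microsoft's walkthrough: it decodes the id_token ADAL.JS hands back after the implicit-grant redirect, lists the claims present, and reports which profile claims are absent so a rule problem can be separated from an audience or expiry problem. The client id, issuer and token contents are constructed sample values, and the short names given_name/family_name/email are an assumption about what the rules above are meant to yield in the JWT.

```javascript
// Added example; decodes only. Signature verification is deliberately not done
// here: the resource API does that when the token is presented as a bearer token,
// which is where the 401 in the question is produced.
function base64UrlDecode(segment) {
  const padded = segment.replace(/-/g, '+').replace(/_/g, '/')
    + '='.repeat((4 - (segment.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8'); // browser: atob()
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS: expected 3 segments');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// OIDC short names assumed to be what the claim rules should produce (assumption).
const PROFILE_CLAIMS = ['given_name', 'family_name', 'email'];

// Returns which profile claims are missing plus the two checks that most often
// explain a rejected token independently of the claim rules: aud and exp.
function checkIdTokenClaims(token, clientId, nowSeconds) {
  const payload = decodeJwtPayload(token);
  return {
    claims: Object.keys(payload).sort(),
    missingProfile: PROFILE_CLAIMS.filter(c => !(c in payload)),
    audienceOk: payload.aud === clientId,
    expired: typeof payload.exp !== 'number' || payload.exp <= nowSeconds,
  };
}

// Constructed sample token: header and payload mirror the claims the question
// reports (aud, iss, iat, exp, upn, unique_name, sub); the signature segment is a
// placeholder because nothing here verifies it.
function makeSampleToken(payload) {
  const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}

const SAMPLE_CLIENT_ID = '00000000-0000-0000-0000-000000000000'; // constructed
const SAMPLE_TOKEN = makeSampleToken({
  aud: SAMPLE_CLIENT_ID, iss: 'https://adfs.example.test/adfs', iat: 1500000000,
  exp: 1500003600, upn: 'alice@example.test', unique_name: 'EXAMPLE\\alice', sub: 'abc123',
});

console.log(checkIdTokenClaims(SAMPLE_TOKEN, SAMPLE_CLIENT_ID, 1500000100));
```

With the sample token the report lists given_name, family_name and email as missing while aud and exp pass, which matches the symptom in the question and points at the rules rather than at the app registration.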