We are trying to get a SaaS product to authenticate against our AD FS 4.0 services running on Windows Server 2016.
The web application is set up for SSO using JWT and allows us to set up a Shared Secret, Login URL and Logout URL.
I got the app to redirect to the AD FS login screen https://hostname/adfs/oauth2/authorize and authenticate against Active Directory. From there it returns a code value that I know needs to go to https://hostname//adfs/oauth/token, but here I'm stuck.
Do I need to build a web service that receives the code from the authorize endpoint, posts it to the token endpoint, and then redirects back to the web app with the JWT? Or can AD FS do this on its own if I configure it correctly?
What I want is for the web app to redirect to the AD FS login screen (done), AD FS to authenticate against AD (done) and then (do magic) and redirect back to the web app with the JWT.
EDIT:
The following is what I want with Server 2016 AD FS 4.0. Will I need to create my own ADFS/AUTHORIZE->code->ADFS/TOKEN->jwt->Application URL handling service?
UPDATE:
It does appear you have to have control over the client application, which is not the case when you're using a 3rd party SaaS. Therefore we need to implement a myapi such that:
- SaaS redirects to /adfs/oauth2/authorize
- AD FS redirects to /myapi/?code=ab2..3cf
- myapi posts code to /adfs/oauth2/token; the AD FS response contains the JWT
- myapi redirects to SaaS with /?jwt=token
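As an added illustration of the four bullets above (this is example code, not the asker's myapi and not anything from AD FS or the SaaS vendor): a minimal relay that builds the authorize URL, pulls the code out of the callback, exchanges it at the token endpoint and redirects to the SaaS with the JWT. The endpoint paths come from the question; the client id, client secret, the myapi and SaaS URLs and the sample token response are constructed placeholders, and the relay is assumed to be registered in AD FS as a confidential client whose redirect URI is the myapi URL.

```python
"""Relay ("myapi") for the authorization-code flow described in the question.
Added example, not the original poster's code. Everything other than the
/adfs/oauth2/* paths is a placeholder or an assumption."""
import io
import json
import secrets
import urllib.parse
import urllib.request

ADFS = "https://hostname"                              # AD FS host from the question
AUTHORIZE_URL = f"{ADFS}/adfs/oauth2/authorize"
TOKEN_URL = f"{ADFS}/adfs/oauth2/token"
MYAPI_REDIRECT_URI = "https://myapi.example.test/"     # assumption: registered redirect URI
SAAS_URL = "https://saas.example.test/"                # assumption: SaaS SSO login URL
CLIENT_ID = "myapi-client-id"                          # placeholder from the AD FS registration
CLIENT_SECRET = "replace-with-client-secret"           # placeholder; keep server side only


def build_authorize_url(state):
    """Bullet 1: the URL the browser is sent to. `state` is a per-session nonce."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": MYAPI_REDIRECT_URI,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(query_string, expected_state):
    """Bullet 2: AD FS redirects to /myapi/?code=...&state=...; extract the code.
    The state comparison ties the callback to the session that started the login,
    so a code delivered to a different session is rejected."""
    q = urllib.parse.parse_qs(query_string)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    codes = q.get("code")
    if not codes:
        raise ValueError("no code in callback")
    return codes[0]


def build_token_request(code):
    """Bullet 3: form body myapi POSTs to /adfs/oauth2/token (RFC 6749 section 4.1.3)."""
    return urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": MYAPI_REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }).encode()


def exchange_code(code, opener=urllib.request.urlopen):
    """POST the code to the token endpoint and return the parsed JSON response.
    `opener` is injectable so the flow can be exercised offline."""
    req = urllib.request.Request(
        TOKEN_URL,
        data=build_token_request(code),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with opener(req) as resp:
        return json.loads(resp.read().decode())


def build_saas_redirect(token_response):
    """Bullet 4: send the browser back to the SaaS with ?jwt=<token>.
    The access_token field of the token response is the JWT."""
    return SAAS_URL + "?" + urllib.parse.urlencode({"jwt": token_response["access_token"]})


def run_demo():
    """Offline walk through bullets 1-4 against a constructed AD FS token response."""
    sample = {  # constructed sample, not a real AD FS reply
        "access_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2ln",
        "token_type": "bearer",
        "expires_in": 3600,
    }
    fake_adfs = lambda req: io.BytesIO(json.dumps(sample).encode())
    state = secrets.token_urlsafe(16)
    build_authorize_url(state)                                   # bullet 1
    callback_qs = urllib.parse.urlencode({"code": "ab2..3cf", "state": state})
    code = parse_callback(callback_qs, state)                    # bullet 2
    tokens = exchange_code(code, opener=fake_adfs)               # bullet 3
    return build_saas_redirect(tokens)                           # bullet 4


if __name__ == "__main__":
    print(run_demo())
```

Two things worth checking when wiring this up for real: the client secret must stay on the myapi side (the SaaS never sees it), and the token rides in a query string on the final redirect, so it will appear in browser history and in the SaaS's access logs; the SaaS still has to verify the JWT's signature, issuer, audience and expiry against the AD FS signing keys before trusting it.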