Setting up AD FS Single Sign-On for LDD

Active Directory Federation Services (AD FS) is a Microsoft server role that provides single sign-on (SSO) authentication to users. A user signs in once to AD FS and can then access multiple applications, including LDD, without signing in again; LDD uses the OAuth 2.0 / OpenID Connect endpoints of AD FS for this.

Note: LDD supports AD FS 2016, 2019, and 2022.
  1. Import the certificate of the AD FS server (or, preferably, the CA certificate that issued it, so that the entry survives certificate renewal) into the Java runtime environment (JRE) trust store located at <LDD installation directory>\jre\lib\security\cacerts using keytool. Without this entry LDD cannot open a trusted TLS connection to the AD FS token, JWK set, and user info endpoints. Re-check the entry after an LDD or JRE upgrade, because the cacerts file can be replaced.

    Note: For more information, see https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/.
  2. Configure <server.properties> with the parameters below. Property names are case-sensitive; copy them exactly.

    Parameter / Value / Description

    server.oauth.isEnabled
      Value: TRUE
      Description: Enables OAuth login on the server.
      Note: Users can log in to LDD only after roles have been assigned to their AD FS groups. Log in to LDD with the default credentials and assign the appropriate roles to the AD FS administrator and user groups.

    server.oauth.providerName
      Value: ADFS
      Description: Used to generate the redirect URL that is registered as the client's redirect URI on the AD FS server during client registration.

    server.oauth.authorizationUrl
      Value: https://<adfs fully qualified domain name>/adfs/oauth2/authorize/
      Description: The OAuth authorization endpoint, available from the AD FS server configuration.

    server.oauth.clientAuthenticationMethod
      Value: NONE
      Description: Set to NONE when no client secret is available; LDD then sends no client credential to the token endpoint.

    server.oauth.scopes
      Value:
        openid
        profile
        email
        allatclaims
      Description: openid is required to trigger the OpenID Connect flow; allatclaims is required so that AD FS includes the LDAP user attributes in the ID token.

    server.oauth.tokenUrl
      Value: https://<adfs fully qualified domain name>/adfs/oauth2/token/
      Description: The OAuth token endpoint.

    server.oauth.jwkSetUrl
      Value: https://<adfs fully qualified domain name>/adfs/discovery/keys
      Description: The OAuth JWK set URL, from which the AD FS token-signing public keys are retrieved to verify token signatures.

    server.oauth.usernameAttributes
      Value: UPN
      Description: The token claim that LDD uses as the user name. Available in the AD FS server setup.

    server.oauth.clientid
      Value: <ClientID>
      Description: The client ID assigned to LDD when it was registered in AD FS. This value cannot be empty.

    server.oauth.clientSecret
      Value: <ClientSecret>
      Description: The client secret issued for the client. This value cannot be empty. Because the secret is stored in clear text, restrict read access to server.properties to the LDD service account and administrators.

    server.oauth.userInfoUri
      Value: <UserInfoUri>
      Description: The user info endpoint that the OAuth 2.0 flow calls to retrieve user properties.

    server.oauth.sessionlogouturl
      Value: https://<adfs fully qualified domain name>/adfs/oauth2/logout
      Description: Required so that logging out of LDD also ends the AD FS session; without it, the LDD logout does not sign the user out completely and the next visit signs the user back in silently.

    server.oauth.langattributename
      Value: LANG
      Description: The Active Directory attribute that holds the user's language.

    server.oauth.groupnameattribute
      Value: GROUP
      Description: The claim that carries the user's group name. Must be configured correctly, because LDD uses it to determine the logged-in user's group and to apply roles and authorization.


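The following PowerShell script is an added example of the two steps above; it is not part of the LDD documentation or product. It assumes an LDD installation under C:\Program Files\Lexmark\Solutions, an AD FS farm named adfs.example.com, a CA certificate file C:\Temp\adfs-ca.cer obtained from the PKI team, and a server.properties path of C:\Temp\server.properties; none of these values appear on the page. It imports the CA certificate with keytool, then reads the AD FS OpenID Connect discovery document to confirm that the endpoints in the table match what this AD FS farm actually advertises (and takes the user info endpoint from it, since the page leaves that value as a placeholder), and finally appends the properties and restricts access to the file because it now contains the client secret.

```powershell
# Added example, not from the LDD documentation. All paths and host names are assumptions.
$AdfsHost    = 'adfs.example.com'                          # assumed AD FS farm name
$LddHome     = 'C:\Program Files\Lexmark\Solutions'        # assumed LDD installation directory
$CaCerFile   = 'C:\Temp\adfs-ca.cer'                       # issuing CA cert, obtained out of band
$ServerProps = 'C:\Temp\server.properties'                 # assumed; point at the LDD server.properties
$Cacerts     = Join-Path $LddHome 'jre\lib\security\cacerts'
$Keytool     = Join-Path $LddHome 'jre\bin\keytool.exe'
$StorePass   = 'changeit'                                  # JRE default trust store password

# Step 1: show what is about to be trusted, then import it. Trusting the issuing CA rather than
# the leaf certificate means an AD FS certificate renewal does not break the SSO flow.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCerFile
"Importing: {0}  thumbprint={1}  expires={2}" -f $ca.Subject, $ca.Thumbprint, $ca.NotAfter
& $Keytool -importcert -noprompt -trustcacerts -alias adfs-ca -file $CaCerFile `
           -keystore $Cacerts -storepass $StorePass
& $Keytool -list -alias adfs-ca -keystore $Cacerts -storepass $StorePass   # confirm the entry exists

# Step 2 (check): compare the endpoints from the table with what this AD FS farm advertises.
$disc = Invoke-RestMethod -Uri "https://$AdfsHost/adfs/.well-known/openid-configuration"
$expected = @{
    authorization_endpoint = "https://$AdfsHost/adfs/oauth2/authorize/"
    token_endpoint         = "https://$AdfsHost/adfs/oauth2/token/"
    jwks_uri               = "https://$AdfsHost/adfs/discovery/keys"
    end_session_endpoint   = "https://$AdfsHost/adfs/oauth2/logout"
}
foreach ($name in $expected.Keys) {
    $adv = [string]$disc.$name
    if ($adv.TrimEnd('/') -ne $expected[$name].TrimEnd('/')) {
        Write-Warning ("{0}: AD FS advertises '{1}', table says '{2}'" -f $name, $adv, $expected[$name])
    }
}
if ($disc.scopes_supported -notcontains 'allatclaims') {
    Write-Warning 'allatclaims is not in scopes_supported; LDAP attributes will not be in the ID token'
}
$userInfo = $disc.userinfo_endpoint   # the page shows this only as <UserInfoUri>

# Step 2 (write): the properties from the table. The page lists the scopes on separate lines;
# a space separator (the OAuth 2.0 scope delimiter) is assumed here.
$props = @"
server.oauth.isEnabled=TRUE
server.oauth.providerName=ADFS
server.oauth.authorizationUrl=https://$AdfsHost/adfs/oauth2/authorize/
server.oauth.clientAuthenticationMethod=NONE
server.oauth.scopes=openid profile email allatclaims
server.oauth.tokenUrl=https://$AdfsHost/adfs/oauth2/token/
server.oauth.jwkSetUrl=https://$AdfsHost/adfs/discovery/keys
server.oauth.usernameAttributes=UPN
server.oauth.clientid=<ClientID>
server.oauth.clientSecret=<ClientSecret>
server.oauth.userInfoUri=$userInfo
server.oauth.sessionlogouturl=https://$AdfsHost/adfs/oauth2/logout
server.oauth.langattributename=LANG
server.oauth.groupnameattribute=GROUP
"@
Copy-Item $ServerProps "$ServerProps.bak" -ErrorAction SilentlyContinue
Add-Content -Path $ServerProps -Value $props -Encoding Ascii

# The client secret is now on disk in clear text: drop inherited ACLs and grant only
# Administrators and SYSTEM. Add the LDD service account here if it is not LocalSystem.
icacls $ServerProps /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)'
```

Run the script on the LDD server in an elevated PowerShell session after replacing <ClientID> and <ClientSecret> with the values issued by AD FS. A discovery mismatch warning usually means the AD FS farm uses a different host name or an alternate endpoint path; fix the table values rather than the script.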
Notes: