Single Sign-On for AD FS and PKCE

Active Directory Federation Services (AD FS) is a software component that provides single sign-on (SSO) authorization services to users. This feature lets users access multiple applications on the server by authenticating only in one of the applications.

For example, a user who is logged in to Lexmark Management Console (LMC) can already access Lexmark Print Management Console.

Proof Key for Code Exchange (PKCE) is a lightweight mechanism implemented in the application that requests an authorization code. LPM and LDD support it as a simple extension to the OAuth 2.0 authorization code grant. With the integration of the third-party open source application Keycloak, PKCE allows users to authenticate once and access multiple applications without reentering their credentials.
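As an added illustration of the PKCE mechanism described above (not code from Lexmark, AD FS or Keycloak), the following shows the two halves of RFC 7636: the requesting application generates a code verifier and its S256 challenge, and the authorization server checks the verifier presented with the code at the token endpoint. The function names and the simulated flow are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed names: an illustration of RFC 7636 (PKCE), not any vendor's code.
_UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy verifier, 43..128 unreserved chars (RFC 7636 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(verifier))) with padding stripped (4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def is_valid_verifier(verifier: str) -> bool:
    """Reject verifiers outside the RFC 7636 length and character rules."""
    return 43 <= len(verifier) <= 128 and set(verifier) <= _UNRESERVED


def server_verify(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization server side at the token endpoint (RFC 7636 4.6).

    The challenge was bound to the authorization code when it was issued;
    the verifier arrives with the code exchange. Compare in constant time.
    """
    if not is_valid_verifier(presented_verifier):
        return False
    if method == "S256":
        expected = make_code_challenge(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


def simulate_flow(stolen_code_only: bool = False) -> bool:
    """Constructed end-to-end exchange: returns True if the token request succeeds."""
    verifier = make_code_verifier()
    issued = {"code": secrets.token_urlsafe(16), "challenge": make_code_challenge(verifier)}
    # A party that intercepted only the authorization code has no verifier.
    presented = make_code_verifier() if stolen_code_only else verifier
    return server_verify(issued["challenge"], "S256", presented)
```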

Notes:

Configuring the AD FS server

For LMC, when creating a client-server application, select Web browser accessing a web application as the application type.

Make sure to add the following:

For LPM, when creating a client-server application, select Native application or Native application accessing a web API as the application type.

Make sure to add the following:

Updating Apache configuration

  1. Open Windows Explorer.

  2. Navigate to <LDD-install-path>/Apache2/conf.

  3. Edit httpd-lpm-csp.conf.

  4. In the Location /printrelease/ block, append the following before the closing double quote of the Content-Security-Policy value (replace <adfs-server-address> with the address of your AD FS server):

    frame-ancestors 'self' https://<adfs-server-address>/;

  5. Add the following at the end of the file (replace <adfs-server-address> with the address of your AD FS server):

    <Location ~ "^/lmc/(.*)">
    Header set Content-Security-Policy "frame-ancestors 'self' https://<adfs-server-address>/;"
    </Location>

  6. Save the file.

  7. Restart the Apache2.4 service.

Configuring AD FS login

  1. On the upper-right corner of Print Management Console, click the settings icon.

  2. Click Login.

  3. From the Type menu, select AD FS SSO.

  4. In the Login Group text field, type the name of the Active Directory or LDAP group that is granted administrator access to Print Management Console.

    Note: If the user logging in is a member of the Login Group, then the user has administrator access. Otherwise, the user is redirected to the user portal.

  5. Click Save Changes.

  Note: If the AD FS SSO login type is enabled, then users are redirected to the AD FS logout screen after logging out. To log in again, users must go to the Print Management Console URL.

Configuring Print Management Console settings

  1. Click the Settings icon on the upper-right corner of Print Management Console.

  2. Configure the AD FS and LDAP server settings:

    For AD FS settings:
    1. Type the address of the AD FS server.

    2. Import the SSL certificate for LPM to communicate to the AD FS server.

    3. Type the client ID.

    4. Type the client secret.

      Note: This field is not required.

    5. Type the scope of the client.

      Note: The default value is openid.

    6. Click Save Changes.

    For LDAP settings:
    1. Click Add.

      Note: If no existing LDAP entry points to the Active Directory that the AD FS server uses, then configure the server details.

    2. Configure the server details.

      Note: In the LDAP settings, add the Active Directory that the AD FS server uses.

    3. Click Save Changes.