Use AD FS as OIDC Identity Provider


For the prerequisites and the configuration on AD FS side, refer to the SEAL Interfaces for OIDC documentation.


Configure the SEAL Operator Part

In SEAL Operator, configure the keys for AD FS:

  1. Export the complete configuration of SEAL Operator from Consul to a YAML file in order to ensure that the current configuration settings are used.

    operator config export <filename>.yml --insecure
    
  2. In the env section, specify the following keys for all services:

    • AUTH_CLIENT_SECRET: Secret generated when configuring the server application in AD FS above

    • AUTH_CLIENT_ID: ID generated when configuring the server application in AD FS above

    • AUTH_TOKEN_ENDPOINT: URL of the token endpoint; the information is contained in the token.

    • AUTH_ISSUER_URL: This URL is used by the services for connecting to the AD FS provider.

    • ID_PROVIDER_NAME: Identifier of the AD FS; note that although AD FS itself is accessed via HTTPS, this URI uses the http scheme, not https, and must be entered exactly like that.

    • ID_PROVIDER_CERT: Absolute path and file name to the certificate file exported above

    • TRUSTED_CLIENT: Client name configured in AD FS for granting access via access token; the information is contained in the token. This URI is used to check the token issued by the AD FS. It consists of two parts in the form microsoft:identityserver:<client_identifier>.

    Example - AD FS configuration in SEAL Operator

    env:
      service:
        any:
          tag:
            any:
              ...
              AUTH_CLIENT_SECRET: ZveeFKncasjTvkCVul7jS_d_SdlltJLgFeW2-4IU
              AUTH_CLIENT_ID: f20d7f7b-6e78-4259-a796-85946aeaaa27
              AUTH_TOKEN_ENDPOINT: https://oictest.de/adfs/oauth2/token
              AUTH_ISSUER_URL: https://oictest.de/adfs/
              ID_PROVIDER_NAME: http://oictest.de/adfs/services/trust
              ID_PROVIDER_CERT: c:\cert\export_token_signing.cer
              TRUSTED_CLIENT: microsoft:identityserver:f20d7f7b-6e78-4259-a796-85946aeaaa27
              ...
    
  3. Save the file <filename>.yml and re-import it to Consul.

    operator config import <filename>.yml --insecure
    

Literature - keys

For further information about the available keys, refer to the description of the Keys.


Hint - content of a token

You can paste the token into https://jwt.io/ to decode it and inspect its claims, for example to compare the issuer and audience values with the keys configured above.
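The following script is an added example and not part of the SEAL Operator documentation or product. It does offline what jwt.io does in the browser, decoding a compact JWT into header and payload, and then compares the claims with the keys from step 2 (ID_PROVIDER_NAME, TRUSTED_CLIENT, AUTH_CLIENT_ID). The token and the env values are constructed from the page's own example; the assumptions are that the AD FS access token carries the trusted client URI in the aud claim and the client ID in the appid claim. It also reproduces the pitfall described for ID_PROVIDER_NAME: an https issuer never matches the http URI in the token's iss claim.

```python
import base64
import json

# Constructed from the page's example configuration (not a live AD FS).
OPERATOR_ENV = {
    "AUTH_CLIENT_ID": "f20d7f7b-6e78-4259-a796-85946aeaaa27",
    "AUTH_ISSUER_URL": "https://oictest.de/adfs/",
    "ID_PROVIDER_NAME": "http://oictest.de/adfs/services/trust",
    "TRUSTED_CLIENT": "microsoft:identityserver:f20d7f7b-6e78-4259-a796-85946aeaaa27",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a compact JWS with a dummy signature (constructed test data only)."""
    header = {"typ": "JWT", "alg": "RS256", "x5t": "CONSTRUCTED-THUMBPRINT"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        b64url_encode(b"not-a-real-signature"),
    ])


def decode_jwt_unverified(token: str) -> tuple:
    """Split a compact JWS into (header, payload), as jwt.io does.
    The signature is NOT checked here; SEAL Operator verifies it at runtime
    with the certificate given in ID_PROVIDER_CERT. Use this only to inspect claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def check_claims_against_env(payload: dict, env: dict, now: int) -> list:
    """Return human-readable mismatches between the token claims and the
    operator env keys. An empty list means the configuration matches the token."""
    problems = []
    # ID_PROVIDER_NAME must equal 'iss' byte for byte, including the http scheme.
    if payload.get("iss") != env["ID_PROVIDER_NAME"]:
        problems.append(f"iss={payload.get('iss')!r} != ID_PROVIDER_NAME={env['ID_PROVIDER_NAME']!r}")
    # Assumption: the AD FS access token carries the trusted client URI in 'aud'.
    aud = payload.get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]
    if env["TRUSTED_CLIENT"] not in auds:
        problems.append(f"aud={auds!r} does not contain TRUSTED_CLIENT={env['TRUSTED_CLIENT']!r}")
    # Assumption: 'appid' carries the client ID of the server application.
    if payload.get("appid") != env["AUTH_CLIENT_ID"]:
        problems.append(f"appid={payload.get('appid')!r} != AUTH_CLIENT_ID={env['AUTH_CLIENT_ID']!r}")
    # Internal consistency: TRUSTED_CLIENT is microsoft:identityserver:<client_identifier>.
    if env["TRUSTED_CLIENT"] != "microsoft:identityserver:" + env["AUTH_CLIENT_ID"]:
        problems.append("TRUSTED_CLIENT is not microsoft:identityserver:<AUTH_CLIENT_ID>")
    # An expired token is rejected no matter how the keys are set.
    if payload.get("exp", 0) <= now:
        problems.append("token is expired (exp <= now)")
    return problems


SAMPLE_CLAIMS = {  # constructed claims, shaped like an AD FS access token
    "iss": "http://oictest.de/adfs/services/trust",
    "aud": "microsoft:identityserver:f20d7f7b-6e78-4259-a796-85946aeaaa27",
    "appid": "f20d7f7b-6e78-4259-a796-85946aeaaa27",
    "iat": 1700000000,
    "exp": 1700003600,
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    header, payload = decode_jwt_unverified(SAMPLE_TOKEN)
    print("header:", header)
    print("payload:", payload)
    print("problems:", check_claims_against_env(payload, OPERATOR_ENV, now=1700000100))
    # The pitfall from the ID_PROVIDER_NAME description: https never matches the token.
    wrong = dict(OPERATOR_ENV, ID_PROVIDER_NAME="https://oictest.de/adfs/services/trust")
    print("with https ID_PROVIDER_NAME:", check_claims_against_env(payload, wrong, now=1700000100))
```

To check a real configuration, replace SAMPLE_TOKEN with an access token obtained from your AD FS and OPERATOR_ENV with the values from the exported YAML; a non-empty problem list points at the key that will make the services reject the token.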
