
Setting up Delegated Authentication with OpenID on Microsoft AD FS

Installing Microsoft AD FS

Before starting the installation, make sure:

  • your Windows computer name is correct, since you will not be able to change it after AD FS is installed
  • your server is configured with a static IP address
  • your server has joined a domain, and that domain is shown under Server Manager > Local Server
  • your server FQDN (e.g. computername.my-domain.com) resolves correctly

You can find a checklist here.

Steps to follow:

  • Install AD CS (Certificate Server) to issue valid certificates for AD FS. AD CS provides a platform for issuing and managing public key infrastructure (PKI) certificates.
  • Install AD FS (Federation Server)

Install AD CS

You need to install the AD CS Server Role.

Obtain and Configure an SSL Certificate for AD FS

Before installing AD FS, you are required to generate a certificate for your federation service. The SSL certificate is used for securing communications between federation servers and clients.

  • Follow this guide.
  • Additionally, this guide provides more details on how to create a certificate template.

Install AD FS

You need to install the AD FS Role Service.

Configure the federation service

AD FS is installed but not configured.

  • Click on Configure the federation service on this server under Post-deployment configuration in Server Manager.
  • Ensure Create the first federation server in a federation server farm is selected


  • Click Next


  • Select the SSL Certificate and set a Federation Service Display Name


  • On the Specify Service Account page, you can either Create a Group Managed Service Account (gMSA) or Specify an existing Service or gMSA Account


  • Choose your database


  • Review the options, check that the prerequisites are completed and click on Configure
  • Restart the server
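
The same prerequisite checks, role installation and farm configuration can be done from an elevated PowerShell session instead of Server Manager. The script below is an added example, not part of the original page or of Element's own tooling; every name in it is a placeholder: the server FQDN adfs01.my-domain.com, the federation service name fs.my-domain.com, a hypothetical certificate template called AdfsSsl published on the enterprise CA, a gMSA named svc-adfs in the MY-DOMAIN domain, and the default Windows Internal Database. It assumes the ActiveDirectory RSAT module is available for the gMSA creation.

```powershell
# Added example (not from the original page): prerequisite checks plus
# AD CS / AD FS installation and first-node farm configuration via PowerShell.
# All names below are placeholders; adjust them to your environment.
$ServerFqdn     = 'adfs01.my-domain.com'   # computer name + domain (cannot change after install)
$FederationFqdn = 'fs.my-domain.com'       # federation service name (subject of the SSL cert)
$DisplayName    = 'My Company Login'       # Federation Service Display Name shown on the sign-in page
$NetbiosDomain  = 'MY-DOMAIN'
$GmsaName       = 'svc-adfs'
$CertTemplate   = 'AdfsSsl'                # hypothetical template name on the enterprise CA

# --- Prerequisite checks (the list at the top of this page) -----------------
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'Server is not domain-joined' }

# the computer name + domain must already be what you intend to keep
$actualFqdn = "$($cs.Name).$($cs.Domain)".ToLower()
if ($actualFqdn -ne $ServerFqdn.ToLower()) { throw "Computer name/domain is $actualFqdn, expected $ServerFqdn" }

# the FQDN must resolve, and at least one IPv4 address must be static (not DHCP)
Resolve-DnsName -Name $ServerFqdn -Type A -ErrorAction Stop | Out-Null
$static = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -eq 'Manual' }
if (-not $static) { throw 'No static IPv4 address configured' }

# --- Install AD CS and obtain the SSL certificate for the federation service --
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -Force

# enrol a certificate from the enterprise CA; both the federation service name
# and the server name are included as DNS names
$cert = (Get-Certificate -Template $CertTemplate `
            -DnsName $FederationFqdn, $ServerFqdn `
            -CertStoreLocation Cert:\LocalMachine\My).Certificate

# --- Install AD FS and create the first node of the farm ----------------------
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# a gMSA requires a KDS root key; backdating the effective time avoids the
# 10-hour replication wait in a single-DC lab (do not backdate in production)
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) }
New-ADServiceAccount -Name $GmsaName -DNSHostName $FederationFqdn `
    -PrincipalsAllowedToRetrieveManagedPassword "$env:COMPUTERNAME`$"

# equivalent of the "Configure the federation service on this server" wizard:
# SSL certificate, display name, gMSA service account, WID database (default)
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $FederationFqdn `
    -FederationServiceDisplayName $DisplayName `
    -GroupServiceAccountIdentifier "$NetbiosDomain\$GmsaName`$"

Restart-Computer
```

Install-AdfsFarm prints the same prerequisite results the wizard shows on its Review Options page; run it once per farm and use Add-AdfsFarmNode for additional servers.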

Add AD FS as an OpenID Connect identity provider

To enable sign-in for users with an AD FS account, create an Application Group in your AD FS.
To create an Application Group, follow these steps:

  • In Server Manager, select Tools, and then select AD FS Management
  • In AD FS Management, right-click on Application Groups and select Add Application Group
  • On the Application Group Wizard Welcome screen
    • Enter the Name of your application
    • Under Standalone applications section, select Server application and click Next


  • Enter https://<matrix domain>/_synapse/client/oidc/callback (e.g. https://matrix.domain.com/_synapse/client/oidc/callback) in the Redirect URI: field and click Add. Save the Client Identifier somewhere, as you will need it when setting up Element, then click Next.


  • Select the Generate a shared secret checkbox, make a note of the generated Secret and press Next (the Secret must be entered in the Element Installer GUI in a later step)
  • Right-click on the created Application Group and select `Properties`


  • Select Add application... button.
  • Select Web API
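
The Application Group, its Server application with the Synapse redirect URI and generated secret, and the Web API the wizard goes on to add can also be created with the AD FS PowerShell cmdlets. This is an added example, not code from the original page or from Element; it assumes the Matrix domain matrix.domain.com, an application group named Element, a hypothetical Web API identifier of https://matrix.domain.com, and that the Synapse oidc_providers configuration requests the openid, profile and email scopes.

```powershell
# Added example (not from the original page): the Application Group wizard
# steps above, performed with the ADFS PowerShell module. Names are placeholders.
$GroupName   = 'Element'
$MatrixHost  = 'matrix.domain.com'
$RedirectUri = "https://$MatrixHost/_synapse/client/oidc/callback"
$ClientId    = (New-Guid).Guid          # the Client Identifier Element will use
$WebApiId    = "https://$MatrixHost"    # hypothetical identifier for the Web API

# 1. the Application Group itself
New-AdfsApplicationGroup -Name $GroupName -Description 'Element OpenID Connect sign-in'

# 2. Server application: a confidential client with the Synapse callback as
#    redirect URI and a generated shared secret. The secret is returned only
#    once, in the ClientSecret property of the object this call returns.
$serverApp = Add-AdfsServerApplication -ApplicationGroupIdentifier $GroupName `
    -Name "$GroupName - Server application" `
    -Identifier $ClientId `
    -RedirectUri $RedirectUri `
    -GenerateClientSecret

# 3. Web API (the "Add application... > Web API" step): the resource the
#    client is allowed to obtain tokens for, with the default access policy
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $GroupName `
    -Name "$GroupName - Web API" `
    -Identifier $WebApiId `
    -AccessControlPolicyName 'Permit everyone'

# 4. grant the client the OIDC scopes Synapse will request (assumed set)
Grant-AdfsApplicationPermission -ClientRoleIdentifier $ClientId `
    -ServerRoleIdentifier $WebApiId `
    -ScopeNames 'openid', 'profile', 'email'

# 5. verify the registration and collect the values for the Element Installer;
#    keep the secret in a secrets store rather than in a ticket or chat message
Get-AdfsServerApplication -ApplicationGroupIdentifier $GroupName |
    Select-Object Name, Identifier, RedirectUri

[pscustomobject]@{
    ClientId     = $ClientId
    ClientSecret = $serverApp.ClientSecret
    RedirectUri  = $RedirectUri
}
```

If the secret is lost, it cannot be read back from AD FS; generate a new one with Set-AdfsServerApplication -GenerateClientSecret and update the Element configuration to match.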