The steps to create an Application Group in ADFS are described below. Note that the following steps were derived from Active Directory Federation Services for Windows Server 2016.
- Open the AD FS Management console (Server Manager → Tools → AD FS Management)
- Right-click Application Groups and select Add Application Group; alternatively, select Application Groups and select Add Application Group from the list of available actions under the Action menu bar or the Actions pane
- Enter a Name and optionally a Description for the new application group
- In the Template list, under Client-Server applications, select the Server application accessing a web API type. Click Next
- Make note of the Client Identifier. This ID will be needed in a later step as well as in the vCenter Identity Provider configuration
- Enter the vCenter Redirect URIs that were given in the vCenter Identity Provider configuration. These Redirect URIs must be exact; otherwise, the vCenter login may not work with ADFS. Click Next
- Check the option to Generate a shared secret, copy the value to the clipboard, and save it in a secure place. This will be needed in the vCenter Identity Provider configuration. Click Next
- Add an Identifier value that is equal to the Client Identifier generated above. Click Next
- Under Choose an access control policy, select Permit everyone. Click Next
- On the Configure Application Permissions page, under Permitted scopes, make sure openid and allatclaims are checked. Click Next
- Review the summary and click Next to create the Application Group
- Click Close to complete the wizard
The Application Group is now created and should be listed in the Application Groups pane. In order to populate the user tokens with the appropriate information during OAuth exchanges, some additional configuration steps are needed to transform Active Directory data into token claims.
- Right-click the newly created Application Group and select Properties; alternatively, select the newly created Application Group and select Properties from the list of available actions under the Action menu bar or the Actions pane
- Select the Web API entry under Applications and click Edit
- Go to the Issuance Transform Rules tab and add each of the following three rules
- Group Rule
  - Click Add Rule
  - Under Claim rule template, select the option Send LDAP Attributes as Claims and click Next
  - Enter a name for the claim rule such as AD Group With Qualified Long Name
  - Under Attribute store, select Active Directory
  - In the mapping table on the first row, under the LDAP Attribute column, select the Token-Groups - Qualified by Long Domain Name option
  - In the mapping table on the same row, under the Outgoing Claim Type column, select the Group option and click Finish
- Subject Rule
  - Click Add Rule
  - Under Claim rule template, select the option Send LDAP Attributes as Claims and click Next
  - Enter a name for the claim rule such as Subject Claim
  - Under Attribute store, select Active Directory
  - In the mapping table on the first row, under the LDAP Attribute column, select the User-Principal-Name option
  - In the mapping table on the same row, under the Outgoing Claim Type column, select the Name ID option and click Finish
- UPN Rule
  - Click Add Rule
  - Under Claim rule template, select the option Send LDAP Attributes as Claims and click Next
  - Enter a name for the claim rule such as User Principal Name
  - Under Attribute store, select Active Directory
  - In the mapping table on the first row, under the LDAP Attribute column, select the User-Principal-Name option
  - In the mapping table on the same row, under the Outgoing Claim Type column, select the UPN option and click Finish
- Click OK to save and close the updated Web API properties
- Click OK again to close the Application Group properties
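The same result can be produced without the wizard. The following script is an added example, not code from the original page or from VMware; it performs both procedures above (creating the Application Group with its server application and Web API, then attaching the Group, Subject and UPN issuance transform rules) with the AD FS PowerShell module on a Windows Server 2016 AD FS server. The group name and the Redirect URIs are assumed placeholders; the Redirect URIs must be copied exactly from the vCenter Identity Provider configuration.

```powershell
# Added example (not from the original page): the two wizard procedures above, scripted
# with the AD FS PowerShell module on a Windows Server 2016 AD FS server.
# Assumed values, replace with your own: the group name and the vCenter Redirect URIs.
Import-Module ADFS

$groupName    = 'vCenter Server Federation'                       # assumed name
$redirectUris = @(                                                # placeholders, copy exactly from vCenter
    'https://vcenter.example.local/PLACEHOLDER-REDIRECT-URI-1',
    'https://vcenter.example.local/PLACEHOLDER-REDIRECT-URI-2'
)

# The wizard generates the Client Identifier; generating it here lets the same value be
# reused as the Web API Identifier (the "Add an Identifier equal to the Client Identifier" step).
$clientId = [guid]::NewGuid().ToString()

New-AdfsApplicationGroup -Name $groupName -ApplicationGroupIdentifier $groupName `
    -Description 'Application group for vCenter Server identity federation'

# Server application half of the "Server application accessing a web API" template.
# -GenerateClientSecret corresponds to the "Generate a shared secret" checkbox.
$serverApp = Add-AdfsServerApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Server application" -Identifier $clientId `
    -RedirectUri $redirectUris -GenerateClientSecret -PassThru

# The shared secret is returned only at creation time. Hand it to vCenter and keep it in
# your secrets store; do not leave it in a transcript or a script file.
$clientSecret = $serverApp.ClientSecret

# The three "Send LDAP Attributes as Claims" rules (Group, Subject/Name ID, UPN) expressed
# in AD FS claim rule language, exactly as the Issuance Transform Rules tab would store them.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD Group With Qualified Long Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups(longDomainQualifiedName);{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Subject Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "User Principal Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Web API half of the template: same Identifier as the client, the "Permit everyone"
# access control policy, and the three issuance transform rules.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Web API" -Identifier $clientId `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $issuanceRules

# Application permissions: the client may request the openid and allatclaims scopes against the Web API.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId -ServerRoleIdentifier $clientId `
    -ScopeNames 'openid', 'allatclaims'

# Values that the vCenter Identity Provider configuration asks for.
[pscustomobject]@{
    ClientIdentifier = $clientId
    ClientSecret     = $clientSecret
    RedirectUris     = $redirectUris -join ', '
}

# Sanity check: the Web API should now carry exactly the three rules.
(Get-AdfsWebApiApplication -Name "$groupName - Web API").IssuanceTransformRules
```

Keeping the rule text in the script has a practical benefit over the wizard: the claim rules, the scopes and the access control policy are reviewable in source control, and a drift check can compare the stored `IssuanceTransformRules` against this text.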
OpenID Configuration URL
In order to configure ADFS federation in your vCenter Server, you will need to know your ADFS server's OpenID Configuration URL. This is the standard OpenID Connect (OIDC) Discovery Endpoint that advertises OIDC metadata information about an OAuth identity provider. It is a well-known address that is typically the issuer endpoint concatenated with the path “/.well-known/openid-configuration”. For example: https://adfsserver01.corp.local/adfs/.well-known/openid-configuration
To obtain the OpenID Address for your ADFS server:
- Open a PowerShell terminal on your ADFS server as an Administrator
- Execute the following command:
Get-AdfsEndpoint | Select FullUrl | Select-String openid-configuration
- Copy the URL that is returned (select only the URL itself, not the closing bracket or the initial "@{FullUrl=" part)
- Use this URL whenever vCenter asks for the OpenID Address
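Before handing the address to vCenter it is worth confirming that the discovery document it points to is consistent. The script below is an added example, not code from the original page or from VMware: it reads the URL without the "@{FullUrl=...}" wrapping that the one-liner above produces, fetches the discovery document, and checks the fields that the federation depends on (the issuer, the OAuth endpoints and the signing key set). The function names are the example's own.

```powershell
# Added example (not from the original page): obtain the OpenID configuration URL cleanly and
# verify the discovery document before using it as the vCenter OpenID Address.
# Run on the AD FS server as Administrator. Function names are this example's own.
Import-Module ADFS

function Get-AdfsOpenIdConfigurationUrl {
    $endpoint = Get-AdfsEndpoint |
        Where-Object { "$($_.FullUrl)" -like '*/.well-known/openid-configuration' } |
        Select-Object -First 1
    if (-not $endpoint) {
        throw 'No openid-configuration endpoint found; is the OAuth / OpenID Connect endpoint enabled?'
    }
    return "$($endpoint.FullUrl)"
}

function Test-OpenIdDiscoveryDocument {
    param([Parameter(Mandatory)][string]$DiscoveryUrl)

    $metadata = Invoke-RestMethod -Uri $DiscoveryUrl -Method Get

    # Fields the relying party needs: the issuer it compares against the token's 'iss' claim,
    # the endpoints it calls during the code exchange, and the key set used to verify signatures.
    foreach ($field in 'issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri') {
        if (-not $metadata.$field) { throw "Discovery document at $DiscoveryUrl lacks '$field'" }
    }

    # Consistency check: the document must be published directly under its own issuer, over HTTPS.
    $expected = $metadata.issuer.TrimEnd('/') + '/.well-known/openid-configuration'
    if ($expected -ne $DiscoveryUrl) {
        throw "Issuer '$($metadata.issuer)' does not match the discovery URL '$DiscoveryUrl'"
    }
    foreach ($u in $metadata.issuer, $metadata.authorization_endpoint, $metadata.token_endpoint, $metadata.jwks_uri) {
        if (-not $u.StartsWith('https://')) { throw "Non-HTTPS endpoint advertised: $u" }
    }

    # The scopes granted to the Application Group should be advertised, and at least one
    # signing key must be published, otherwise vCenter cannot validate the tokens it receives.
    $missing = @('openid', 'allatclaims') | Where-Object { $metadata.scopes_supported -notcontains $_ }
    if ($missing) { Write-Warning "Scopes not listed in scopes_supported: $($missing -join ', ')" }

    $jwks = Invoke-RestMethod -Uri $metadata.jwks_uri -Method Get
    if (-not $jwks.keys) { throw "No signing keys published at $($metadata.jwks_uri)" }

    return [pscustomobject]@{
        OpenIdAddress = $DiscoveryUrl
        Issuer        = $metadata.issuer
        TokenEndpoint = $metadata.token_endpoint
        SigningKeyIds = ($jwks.keys | ForEach-Object { $_.kid }) -join ', '
    }
}

$url = Get-AdfsOpenIdConfigurationUrl
Test-OpenIdDiscoveryDocument -DiscoveryUrl $url
```

The issuer check matters because vCenter compares the `iss` claim of every token against the issuer it learned at configuration time; a discovery URL that resolves to a document with a different issuer (for example after a farm name change) fails logins in a way that is hard to diagnose from the vCenter side.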