3.3 Setting up the ADFS Auth web service

The ADFS Auth web service is an intermediary web service used to store information for the AD FS Adapter OAuth. You can install it on the same server as the standalone authentication service (web.oauth2.ext).

For information on how the ADFS Auth web service fits into the AD FS authentication architecture, see section 3.1, Overview.

3.3.1 Installing the ADFS Auth web service

To install the ADFS Auth web service, run the MyID installation program, and on the Server Roles and Features screen, select the MyID External Authentication Server > ADFS Auth Web Service option.

You can install this service on the same server as the standalone authentication service (web.oauth2.ext).

For more information about running the MyID installation program, see the Running the installation program section in the Installation and Configuration Guide.

3.3.2 Setting up the web.config file for the ADFS Auth web service

Once you have installed the ADFS Auth web service, you must edit the web.config file for the service; if you do not do this, the web service will not start.

To edit the web.config file:

  1. In a text editor, open the web.config file for the web service.

    By default, this is:

    C:\Program Files\Intercede\MyID\AdfsAuth\web.config

  2. Replace the content of the file with the following:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <location path="." inheritInChildApplications="false">
        <system.webServer>
          <handlers>
            <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
          </handlers>
          <aspNetCore processPath="dotnet" arguments=".\Intercede.MyID.Server.Web.AdfsAuth.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
        </system.webServer>
      </location>
    </configuration>
    <!--ProjectGuid: c0e3ae9d-b065-46b1-8801-02ce654dd6cb-->

  3. Save the file.

  4. Recycle the web service app pool:

    1. On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
    2. Right-click the AdfsAuthPool application pool, then from the pop-up menu click Recycle.

    This ensures that the web service has picked up the changes to the configuration file.

3.3.3 Configuring the ADFS Auth web service

Once you have installed the ADFS Auth web service, you must configure the service with the location of your AD FS. This allows the ADFS Auth web service to accept connections from the AD FS Adapter OAuth installed on the AD FS server.

To configure the ADFS Auth web service:

  1. In a text editor, open the appsettings.Production.json file for the web service.

    By default, this is:

    C:\Program Files\Intercede\MyID\AdfsAuth\appsettings.Production.json

    This file is the override configuration file for the appsettings.json file for the web service. If this file does not already exist, you must create it in the same folder as the appsettings.json file.

  2. Set the following:

    "AllowedOrigins": [ "https://<ADFS domain>" ]

    where <ADFS domain> is the domain of your AD FS server; for example:

    "AllowedOrigins": [ "https://adfs.example.com" ]

  3. Save the appsettings.Production.json file.

  4. Recycle the web service app pool:

    1. On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
    2. Right-click the AdfsAuthPool application pool, then from the pop-up menu click Recycle.

    This ensures that the web service has picked up the changes to the configuration file.

3.3.4 Configuring the AD FS server to communicate with the ADFS Auth web service

On the AD FS server, you must configure AD FS to set the Content-Security-Policy header so that its pages are allowed to send HTTP POST requests to the domain on which the ADFS Auth web service runs.

For example, run the following PowerShell commands:

Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src 'self' <domainOfAdfsAuthWS> 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;"
net stop adfssrv
net start adfssrv

where <domainOfAdfsAuthWS> is the web domain on which the ADFS Auth web service runs.
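As an added check that is not part of the MyID documentation or product, the following Python validates the two settings from sections 3.3.3 and 3.3.4 before you recycle the app pool and restart AD FS: it flags AllowedOrigins entries that are wildcards, are not https, or carry a trailing slash or path (ASP.NET Core CORS compares the browser's Origin header value exactly), and it confirms that the ADFS Auth origin appears in the Content-Security-Policy directive that governs the POST. The host names and the placement of AllowedOrigins as a top-level key in appsettings.Production.json are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed placeholders: the AD FS host and the ADFS Auth web service origin are assumptions.
ADFS_HOST = "adfs.example.com"
ADFSAUTH_ORIGIN = "https://myid.example.com"


def check_allowed_origins(appsettings_json: str, adfs_host: str) -> list:
    """Return problems found in the AllowedOrigins list of appsettings.Production.json."""
    origins = json.loads(appsettings_json).get("AllowedOrigins") or []
    if not origins:
        return ["AllowedOrigins is missing or empty"]
    problems = []
    for o in origins:
        if o == "*":
            problems.append("wildcard '*' lets any site call the service")
            continue
        u = urlsplit(o)
        if u.scheme != "https":
            problems.append(f"{o}: origin must use https")
        if u.path or u.query or u.fragment:
            # ASP.NET Core CORS matches the Origin header exactly, so a trailing slash or path never matches
            problems.append(f"{o}: must be scheme://host only, no trailing slash or path")
        if u.hostname != adfs_host.lower():
            problems.append(f"{o}: host is not the AD FS server {adfs_host}")
    return problems


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_csp(header: str, adfsauth_origin: str) -> list:
    """Return problems that would stop AD FS pages from POSTing to the ADFS Auth origin."""
    d = parse_csp(header)
    # fetch/XHR requests are governed by connect-src, which falls back to default-src when absent
    governing = "connect-src" if "connect-src" in d else "default-src"
    sources = d.get(governing, [])
    if adfsauth_origin not in sources and "*" not in sources:
        return [f"{adfsauth_origin} is not listed in {governing}"]
    return []


if __name__ == "__main__":
    sample = json.dumps({"AllowedOrigins": [f"https://{ADFS_HOST}"]})  # constructed sample file content
    print(check_allowed_origins(sample, ADFS_HOST))
    print(check_csp(f"default-src 'self' {ADFSAUTH_ORIGIN} 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;", ADFSAUTH_ORIGIN))
```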

3.3.5 Logging the ADFS Auth web service

You can configure logging for the web service; see the MyID REST and authentication web services section in the Configuring Logging guide for details.