3.3 Setting up the ADFS Auth web service

The ADFS Auth web service is an intermediary web service used to store information for the AD FS Adapter OAuth. You can install it on the same server as the standalone authentication service (web.oauth2.ext).

For information on how the ADFS Auth web service fits into the AD FS authentication architecture, see section 3.1, Overview.

3.3.1 Installing the ADFS Auth web service

To install the ADFS Auth web service, run the MyID Installation Assistant, and on the Server Roles and Features screen, select the External Authentication Server > AD FS Auth Web Service option.

You can install this service on the same server as the standalone authentication service (web.oauth2.ext).

For more information about running the MyID Installation Assistant, see the Selecting the server roles and features section in the Installation and Configuration Guide.

3.3.2 Configuring the ADFS Auth web service

Once you have installed the ADFS Auth web service, you must configure the service with the location of your AD FS. This allows the ADFS Auth web service to accept connections from the AD FS Adapter OAuth installed on the AD FS server.

To configure the ADFS Auth web service:

  1. In a text editor, open the appsettings.Production.json file for the web service.

    By default, this is:

    C:\Program Files\Intercede\MyID\AdfsAuth\appsettings.Production.json

    This file is the override configuration file for the appsettings.json file for the web service. If this file does not already exist, you must create it in the same folder as the appsettings.json file.

  2. Set the following:

    "AllowedOrigins": [ "https://<ADFS domain>" ]

    where <ADFS domain> is the host name of your AD FS server, written as an origin: the https scheme, the host name and, only if AD FS listens on a non-standard port, the port, with no path and no trailing slash. Origins are compared exactly, so the value must match the origin of the AD FS sign-in page as the user's browser sees it; for example:

    "AllowedOrigins": [ "https://adfs.example.com" ]

  3. Save the appsettings.Production.json file.

  4. Recycle the web service app pool:

    1. On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
    2. Right-click the AdfsAuthPool application pool, then from the pop-up menu click Recycle.

    This ensures that the web service has picked up the changes to the configuration file.
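The following script is an added example and is not part of the MyID documentation or product. It carries out steps 1 to 4 above from an elevated PowerShell session on the MyID web server: it validates that the value is a well-formed origin, merges AllowedOrigins into the existing appsettings.Production.json without discarding other overrides, and recycles the application pool. The install folder and the AdfsAuthPool name are taken from this page; the WebAdministration module (installed with IIS) is assumed to be available.

```powershell
# Added example, not part of the MyID documentation or product: performs steps
# 1 to 4 of section 3.3.2 from an elevated PowerShell session on the MyID web server.
# Assumptions: the default install folder and the AdfsAuthPool name given on
# this page; the WebAdministration module (installed with IIS) is available.
param(
    [Parameter(Mandatory)] [string] $AdfsOrigin,     # e.g. https://adfs.example.com
    [string] $ConfigDir = 'C:\Program Files\Intercede\MyID\AdfsAuth',
    [string] $AppPool   = 'AdfsAuthPool'
)

# AllowedOrigins entries are origins: https scheme, host, optional port, and
# nothing after the host. A path, query or trailing slash would never match.
$uri = $null
$isOrigin = [Uri]::TryCreate($AdfsOrigin, [UriKind]::Absolute, [ref]$uri) -and
            $uri.Scheme -eq 'https' -and $uri.AbsolutePath -eq '/' -and
            -not $uri.Query -and -not $AdfsOrigin.EndsWith('/')
if (-not $isOrigin) {
    throw "AdfsOrigin must be an origin such as https://adfs.example.com (no path, no trailing slash)."
}

$path = Join-Path $ConfigDir 'appsettings.Production.json'

# appsettings.Production.json overrides appsettings.json key by key, so start
# from the existing override file (if any) and keep every other key it holds.
$raw = if (Test-Path $path) { Get-Content -Raw -Path $path } else { $null }
$config = if ([string]::IsNullOrWhiteSpace($raw)) { [pscustomobject]@{} } else { $raw | ConvertFrom-Json }

# Add or replace AllowedOrigins. Passing @($AdfsOrigin) keeps it a JSON array
# even with a single entry, matching the shape shown in step 2.
$config | Add-Member -NotePropertyName 'AllowedOrigins' -NotePropertyValue @($AdfsOrigin) -Force
$config | ConvertTo-Json -Depth 10 | Set-Content -Path $path -Encoding UTF8

# Recycle the app pool so the running service reads the new file (step 4).
Import-Module WebAdministration
Restart-WebAppPool -Name $AppPool
Write-Host "Wrote AllowedOrigins = $AdfsOrigin to $path and recycled $AppPool."
```

Run it as `.\Set-AdfsAuthOrigin.ps1 -AdfsOrigin https://adfs.example.com` (the script name is arbitrary). The origin check up front matters because a mismatched entry produces no error at configuration time; it only shows up later as rejected requests from the AD FS sign-in page.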

3.3.3 Configuring the AD FS server to communicate with the ADFS Auth web service

On the AD FS server, you must configure the AD FS response headers so that the Content-Security-Policy allows the sign-in page to make HTTP POST requests to the domain on which the ADFS Auth web service runs.

For example, run the following PowerShell commands:

Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src 'self' <domainOfAdfsAuthWS> 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;"
net stop adfssrv
net start adfssrv

where <domainOfAdfsAuthWS> is the web domain on which the ADFS Auth web service runs; for example, https://myid.example.com.

Set-AdfsResponseHeaders replaces the value of the named header rather than appending to it. If your AD FS already sends a Content-Security-Policy header (run Get-AdfsResponseHeaders to check), carry its existing directives over into the new value and add only the ADFS Auth domain. The 'unsafe-inline' and 'unsafe-eval' keywords relax the protection CSP gives against injected script, so keep the resulting policy no broader than the one AD FS already sends plus the ADFS Auth domain.
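The following script is an added example and is not part of the MyID documentation or product. Instead of overwriting the header with a fixed string, it reads the Content-Security-Policy that AD FS currently sends, parses it into directives, adds the ADFS Auth host to the directive that governs script-initiated requests, and writes the merged policy back. It assumes that Get-AdfsResponseHeaders exposes the configured headers in a ResponseHeaders dictionary, that the adapter's POST is script-initiated (checked by connect-src, which falls back to default-src when connect-src is absent), and it uses https://myid.example.com as a placeholder host; if no CSP is configured yet, it falls back to the value given above.

```powershell
# Added example, not part of the MyID documentation or product: merge the
# ADFS Auth web service host into the Content-Security-Policy that AD FS
# already sends, rather than replacing the whole header. Run in an elevated
# PowerShell session on the AD FS server (AD FS on Windows Server 2019 or
# later, where the AdfsResponseHeaders cmdlets exist).
# Assumptions: Get-AdfsResponseHeaders exposes headers via a ResponseHeaders
# dictionary; the existing header is a standard semicolon-separated directive
# list; the adapter's POST is script-initiated, so connect-src (or its
# fallback default-src) is the directive that must allow the host.
param(
    [Parameter(Mandatory)] [string] $AdfsAuthHost    # e.g. https://myid.example.com (placeholder)
)

$headers = Get-AdfsResponseHeaders
$current = $null
if ($headers.ResponseHeaders -and $headers.ResponseHeaders.ContainsKey('Content-Security-Policy')) {
    $current = $headers.ResponseHeaders['Content-Security-Policy']
}
if ([string]::IsNullOrWhiteSpace($current)) {
    # No CSP configured yet: start from the value documented on this page.
    $current = "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;"
}

# Parse "name src src; name src;" into an ordered directive -> sources table.
$directives = [ordered]@{}
foreach ($part in $current.Split(';')) {
    $tokens = $part.Trim() -split '\s+'
    if ($tokens[0]) { $directives[$tokens[0]] = @($tokens | Select-Object -Skip 1) }
}

# If the policy has an explicit connect-src, default-src is ignored for
# script-initiated requests, so the host has to go into connect-src instead.
$target = if ($directives.Contains('connect-src')) { 'connect-src' } else { 'default-src' }
if (-not $directives.Contains($target)) { $directives[$target] = @("'self'") }
if ($directives[$target] -notcontains $AdfsAuthHost) {
    $directives[$target] += $AdfsAuthHost
}

# Rebuild the header, leaving every other directive exactly as it was.
$newValue = (($directives.Keys | ForEach-Object { "$_ $($directives[$_] -join ' ')" }) -join '; ') + ';'

Write-Host "Current CSP: $current"
Write-Host "New CSP:     $newValue"
Set-AdfsResponseHeaders -SetHeaderName 'Content-Security-Policy' -SetHeaderValue $newValue
Restart-Service adfssrv    # same effect as net stop / net start adfssrv
```

Review the "Current CSP" and "New CSP" lines before trusting the change: the only difference between them should be the added host. If the existing policy contains a directive the adapter also depends on (for example an explicit script-src that would block a script loaded from the ADFS Auth host), that directive needs the host as well; the page documents only the default-src case.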

3.3.4 Logging the ADFS Auth web service

You can configure logging for the web service; see the MyID REST and authentication web services section in the Configuring Logging guide for details.