Configuring the standalone authentication service for AD FS

3.4 Configuring the standalone authentication service for AD FS

The standalone authentication service (web.oauth2.ext) provides a connection to the MyID database and allows the AD FS Adapter to authenticate to AD FS using credentials issued using MyID. You must configure the web.oauth2.ext service with a shared secret to secure the connection between the adapter and the service. You must also add the URL of the ADFS Auth web service to the list of allowed redirect URLs.

You must make sure that the standalone authentication service is installed. For more information about the web.oauth2.ext standalone authentication service, see section 2, Setting up the standalone authentication service.

If web.oauth2.ext (which is authenticating the user) is on a different server from web.oauth2 (which registered the FIDO credential), ensure there is a load balancer or reverse proxy in front of both of these servers, so that the client computer sees the same domain in the URL for both of these machines.

3.4.1 Generating a shared secret

MyID uses a shared secret to secure the connection between the AD FS Adapter and the standalone authentication service.

Important: You must keep the shared secret safe, as it can provide access to the features of the MyID authentication service, so must be an unguessable value; for this reason, you are recommended to generate a GUID for the shared secret. Do not use the same shared secret for other purposes such as end-user authentication or server-to-server API authentication.

You can use the provided GenClientSecret.ps1 PowerShell script to generate a GUID and create a SHA-256 hash converted to Base64:

On the web server, open a PowerShell window.
Navigate to the web.oauth2.ext folder.

By default, this is:

C:\Program Files\Intercede\MyID\web.oauth2.ext
Run the script:

.\GenClientSecret.ps1

The script generates a GUID to use as the shared secret, creates a SHA-256 hash from the GUID, then converts the hash to Base64; for example:

PS C:\Program Files\Intercede\MyID\web.oauth2> .\GenClientSecret.ps1

client secret: 82564d6e-c4a6-4f64-a6d4-cac43781c67c

SHA256+base64: kv31VP5z/oKS0QMMaIfZ2UrhmQOdgAPpXV/vaF1cymk=

Important: Do not use this example secret in your own system.
Take a note of the following values:
- client secret – you need this value for the AD FS Client Secret screen in the AD FS Adapter installation program.
  
  See section 3.5, Installing the AD FS Adapter OAuth.
- SHA256+base64 – you need this value for the ClientSecrets parameter in the web.oauth2.ext web service configuration file. The server does not store the secret, only the Base64-encoded hash.
  
  See section 3.4.2, Updating the web.oauth2.ext configuration file.

Note: If you are going to add the secret to the AD FS Adapter configuration file manually rather than using the installation program (for example, if you have an installed system, and you want to update the client secret periodically) you are strongly recommended to encrypt the secret using the provided DPAPIEncrypt.ps1 PowerShell script before adding it to the configuration file; see section 3.6.2, Encrypting the client secret for details. If you use the installation program, the secret is encrypted automatically.

3.4.2 Updating the web.oauth2.ext configuration file

You must update the web.oauth2.ext configuration file to include the secret you have generated to secure the connection between the AD FS Adapter and the standalone authentication service, and add the URL of the ADFS Auth web service to the list of allowable redirect URIs.

To configure the web.oauth2.ext service:

In a text editor, open the appsettings.Production.json file for the web service.

By default, this is:

C:\Program Files\Intercede\MyID\web.oauth2.ext\appsettings.Production.json

This file is the override configuration file for the appsettings.json file for the web service.

You must edit the myid.adfs client section in this configuration file, and provide the required configuration settings.

Edit the following section in the appsettings.Production.json file:

Copy

"Clients":[
    {},
    {},
    {
        "ClientId":"myid.adfs",
        "ClientName":"MyID ADFS",
        "ClientSecrets":[
            {
                "Value":"<secret>"
            }
        ],
        "RedirectUris":[
            "https://<auth service domain>/AdfsAuth/home/AdfsAuth"
        ],
        "Properties":
            {
                "Skin":  "popover",
                "EnableFido2LoginBasicAssurance":  false,
                "EnableFido2LoginHighAssurance":  true
            }
        }
    }
]

Important: When you have clients in the appsettings.json file and the appsettings.Production.json file, you must make sure the Production file does not overwrite the entries in the base file. In these settings files, entries in arrays are determined by their index; therefore if you have two client entries in the appsettings.json file before the myid.adfs entry, you must include two blank array entries {}, in the appsettings.Production.json file before you include the details for the myid.adfs client.

Set the following values:
- <secret> – set this to the Base64-encoded SHA-256 hash of the secret you created; for example:
  
  "Value":"kv31VP5z/oKS0QMMaIfZ2UrhmQOdgAPpXV/vaF1cymk="
  
  See section 3.4.1, Generating a shared secret.
- <auth service domain> – set this to the domain of the MyID ADFS Auth server; for example:
  
  "https://myserver.example.com/AdfsAuth/home/AdfsAuth"
You can set the following Properties:
- Skin – currently only popover is available as a skin option for the authentication GUI. The authentication web page shows a background image with a popover representing the authentication UI; this is suitable for large windows. If you are displaying the authentication page in a small popup window, you can omit this option.
- EnableFido2LoginBasicAssurance – set this to true to allow authentication using FIDO basic assurance authenticators, which provide only single-factor authentication.
- EnableFido2LoginHighAssurance – set this to true to allow authentication using FIDO high assurance authenticators, which provide multi-factor authentication.
  
  When using FIDO with web.oauth2, authentication using high and basic assurance is controlled using the logon mechanisms feature; as the web.oauth2.ext standalone authentication service does not use the MyID application server, this feature is not available, and you must specify the logon mechanisms using the above options.
  
  For more information about basic and high assurance FIDO authenticators, see the Supported authenticators section in the FIDO Authenticator Integration Guide.
By default, EnableFido2LoginBasicAssurance is set to false, to prevent authentication with FIDO basic assurance authenticators, and EnableFido2LoginHighAssurance is set to true, to allow authentication with FIDO high assurance authenticators.
For example:
Copy
```
"Clients":[
    {},
    {},
    {
        "ClientId":"myid.adfs",
        "ClientName":"MyID ADFS",
        "ClientSecrets":[
            {
                "Value":"kv31VP5z/oKS0QMMaIfZ2UrhmQOdgAPpXV/vaF1cymk="
            }
        ],
        "RedirectUris":[
            "https://myserver.example.com/AdfsAuth/home/AdfsAuth"
        ],
        "Properties":
            {
                "Skin":  "popover",
                "EnableFido2LoginBasicAssurance":  false,
                "EnableFido2LoginHighAssurance":  true
            }
        }
    }
]
```
Save the appsettings.Production.json file.
Recycle the web service app pool:
1. On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
2. Right-click the myid.web.oauth2.ext.pool application pool, then from the pop-up menu click Recycle.
This ensures that the web service has picked up the changes to the configuration file.