Managing the AD FS Adapter OAuth

3.6 Managing the AD FS Adapter OAuth

After you have installed the AD FS Adapter OAuth, you can manage its settings using a provided suite of PowerShell scripts and a JSON configuration file.

3.6.1 Configuration file

The AD FS Adapter OAuth configuration is stored in a JSON file called Fido2AdfsAdapter.json in the ADFS_Adapter_OAuth folder; by default, this is:

C:\Program Files\Intercede\ADFS_Adapter_OAuth

If you have manually unregistered the AD FS Adapter OAuth and want to register it again, you can run the following PowerShell script :

RegisterADFSProvider.ps1 – this script reads the information in the configuration file and uses it to register the AD FS Adapter OAuth.

You can also make changes to the configuration file and apply new settings.

To edit and apply new configuration settings:

In the ADFS_Adapter_OAuth folder, open the following file in a text editor:

Fido2AdfsAdapter.json
You can edit the following values:
- server – set this to the URL of the your standalone authentication server; for example:
  
  https://myserver.example.com/web.oauth2.ext
- client_secret – set this to the client secret you set up to secure the connection between the AD FS Adapter OAuth and the standalone authentication server.
  
  See section 3.4.1, Generating a shared secret for details of creating the secret.
  
  You can include the secret in plain text in the configuration file by setting the client_secret_encrypted option to false; however, you are strongly recommended to encrypt the secret. See section 3.6.2, Encrypting the client secret for details.
- redirect_server – set this to the URL of the ADFS Auth web service; for example:
  
  https://myserver.example.com/AdfsAuth
Do not change any of the other values in the configuration file.
Save the Fido2AdfsAdapter.json file.
Run the ReconfigureADFSProvider.ps1 PowerShell script to apply the changes.

This script unregisters the AD FS Adapter OAuth, then re-registers it using the updated settings.

3.6.2 Encrypting the client secret

You are strongly recommended to encrypt the client secret in the Fido2AdfsAdapter.json file. This is done automatically by the installation program, but if you need to update the client secret, you can encrypt it manually using the provided DPAPIEncrypt.ps1 PowerShell script.

To encrypt the client secret:

Log on to the AD FS server using the account configured as the logon account for the AD FS service.

Note: It is important that you use this account to encrypt the secret, as no other accounts can decrypt the secret to use it.
Open a PowerShell command prompt, and navigate to the ADFS_Adapter_OAuth folder.

By default, this is:

C:\Program Files\Intercede\ADFS_Adapter_OAuth
Run the following PowerShell script:

.\DPAPIEncrypt.ps1 <secret>

For example:

.\DPAPIEncrypt.ps1 82564d6e-c4a6-4f64-a6d4-cac43781c67c

The script outputs an encrypted copy of the secret; for example:

PS C:\Program Files\Intercede\ADFS_Adapter_OAuth> .\DPAPIEncrypt.ps1 82564d6e-c4a6-4f64-a6d4-cac43781c67c
AQAAANCMnd8BFdERjHoS [...] AAABGh5yPNcG7ubkY1aV93UrTxi7Daw==

(Encrypted output string truncated for documentation purposes.)
Copy the encrypted secret.
Edit the Fido2AdfsAdapter.json file, and set the following:
- client_secret – set this to the encrypted secret.
- client_secret_encrypted – set this to true.
For example:

"client_secret": "AQAAANCMnd8BFdERjHoS [...] AAABGh5yPNcG7ubkY1aV93UrTxi7Daw==",
"client_secret_encrypted": "true",
Save the Fido2AdfsAdapter.json file.
Run the ReconfigureADFSProvider.ps1 PowerShell script to apply the changes.

This script unregisters the AD FS Adapter OAuth, then re-registers it using the updated settings.

3.6.3 Managing themes

After you have installed the AD FS Adapter, the Intercede branding files are stored in the Themes folder in the installation folder.

Note: The themes folder is shared between the AD FS Adapter OAuth and the AD FS Adapter Mobile, if you have both installed.

The MyIDAuthTheme2019 folder contains files used for Windows Server 2019 or Windows Server 2022, and includes custom images, CSS, JavaScript and HTML. You are not expected to edit these files. The MyIDAuthTheme folder contains files previously used for systems running Windows Server 2016.

You can apply and remove these themes using the following PowerShell scripts:

ApplyCustomTheme.ps1

This script applies the Intercede branding to the Relying Party Trust selected at installation time.
RemoveCustomTheme.ps1

This script removes the Intercede branding from the Relying Party Trust selected at installation time.

3.6.4 Logging for the AD FS Adapter OAuth

Once you have installed and configured the AD FS Adapter OAuth as an authentication method for a Relying Party Trust, when an authentication starts it raises a Windows application event showing the configuration loaded when AD FS started the AD FS Adapter OAuth plug-in. This shows the latest AD FS Adapter OAuth configuration provided by the installer or reconfiguration script.

If the AD FS Adapter OAuth encounters a problem, it raises a Windows application error event describing the problem.

To see these events:

Open the Windows Event Viewer application.
Select Windows Logs > Application.

Events created in the Application event log by the AD FS Adapter OAuth have the source set to:

MyIDFidoAdfsAdapter

Additionally, If the calling AD FS service detects a problem from the AD FS Adapter OAuth, it raises an error event in the following location, describing the problem from the AD FS point of view:

Applications and Service Logs > ADFS > Admin