Enable OpenID Connect with existing Active Directory Federation Services apps

This topic describes how to enable OpenID Connect (OIDC) connections with existing Active Directory Federation Services (ADFS) apps.

Start this procedure

  1. Enable an existing app to use OIDC:
    1. In the Admin Console, go to Applications > Applications.
    2. Select an ADFS app.
    3. Select the Sign On tab.
    4. In the Settings section, click Edit.
    5. Select OpenID Connect.
    6. Enter the Client ID and the Client secret.
    7. In the Redirect URI field, enter your redirect URI. Use a forward slash at the end of the URI, like https://yourdomain.com/.
    8. Click Save.
  2. Open the ADFS Global Authentication Policy for editing and then select the Multi-factor tab.
  3. Clear the Okta MFA Provider checkbox and then click OK before proceeding to the next step.

  4. Upgrade any existing ADFS plugins to version 1.7.0 or later.
  5. After the upgrade has finished, verify that your app functions normally.
    1. Open this file with a text editor:

      C:\Users\<adfs_service_account_name>\AppData\Local\Okta\Okta MFA Provider\config\okta_adfs_adapter.json

      See Configure MFA for Active Directory Federation Services (ADFS).

    2. Search for the useOIDC property and set its value to true.
    3. Save your changes and close the text editor.
  6. Using a text editor, create a file named ApplyConfigurationSettingChanges.ps1 containing the following Microsoft PowerShell script. If required, change the values of the BinDir and ConfigDir variables to match your environment.

    ApplyConfigurationSettingChanges.ps1

    # ApplyConfigurationSettingChanges.ps1
    # Load the .NET Enterprise Services assembly before calling the ADFS cmdlets
    [System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")

    # Adjust these two paths if the Okta MFA Provider is installed elsewhere
    $BinDir = "C:\Program Files\Okta\Okta MFA Provider\bin"
    $ConfigDir = "C:\Program Files\Okta\Okta MFA Provider\config"

    # Make sure the ADFS service is running so the policy cmdlets can reach it
    Start-Service adfssrv

    # Remove Okta MFA Provider from the global authentication policy
    $providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
    $providers.Remove("OktaMfaAdfs") | Out-Null
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers

    # Unregister the existing adapter registration
    Unregister-AdfsAuthenticationProvider -Name "OktaMfaAdfs" -Confirm:$false -ErrorAction Stop

    # Restart the ADFS service so the unregistration takes effect
    Restart-Service adfssrv -Force

    # Register the MFA adapter again, using the version of the installed DLL and the updated config file
    $OktaMfaAssembly = [Reflection.Assembly]::LoadFile($BinDir + "\OktaMfaAdfs.dll")
    $typeName = "OktaMfaAdfs.AuthenticationAdapter, OktaMfaAdfs, Version=" + $OktaMfaAssembly.GetName().Version + ", Culture=neutral, PublicKeyToken=3c924b535afa849b"
    Register-AdfsAuthenticationProvider -TypeName $typeName -Name "OktaMfaAdfs" -Verbose -ConfigurationFilePath "$ConfigDir\okta_adfs_adapter.json"

    # Restart the service again so the new registration is loaded
    Restart-Service adfssrv -Force

    # Re-enable the Okta MFA adapter in the global authentication policy
    $providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
    $providers.Add("OktaMfaAdfs")
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers
  7. Open Microsoft PowerShell as an administrator and execute the script ApplyConfigurationSettingChanges.ps1.
  8. Verify that the user can authenticate.
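As an added example (not Okta's script), the following PowerShell checks the preconditions of steps 3 to 5 before you run ApplyConfigurationSettingChanges.ps1: it confirms that the installed adapter DLL is version 1.7.0 or later, that OktaMfaAdfs has been cleared from the Global Authentication Policy, and it sets useOIDC to true in the configuration file with a backup and a read-back check. The script name, its parameters and the .bak file name are assumptions; -ConfigPath is the okta_adfs_adapter.json file named in step 5.

```powershell
# Preflight-OktaOidc.ps1 (added example, not Okta's script; run on the federation server)
param(
    [Parameter(Mandatory = $true)]
    [string]$ConfigPath,                                          # okta_adfs_adapter.json from step 5
    [string]$BinDir = "C:\Program Files\Okta\Okta MFA Provider\bin",
    [version]$MinVersion = "1.7.0"                                # minimum plugin version from step 4
)
$ErrorActionPreference = "Stop"

# Step 4: the installed adapter must be 1.7.0 or later.
# GetAssemblyName reads the version without loading the DLL into this process.
$dll = Join-Path $BinDir "OktaMfaAdfs.dll"
$installed = [Reflection.AssemblyName]::GetAssemblyName($dll).Version
if ($installed -lt $MinVersion) {
    throw "OktaMfaAdfs.dll is version $installed; upgrade to $MinVersion or later before continuing."
}

# Step 3: the provider must already be cleared from the global MFA policy.
$policy = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
if ($policy -contains "OktaMfaAdfs") {
    throw "Okta MFA Provider is still enabled in the Global Authentication Policy; clear it first (step 3)."
}

# Step 5: set useOIDC to true, keeping a backup of the original file.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
$cfg = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
# -Force replaces the property if it exists and adds it if it does not
$cfg | Add-Member -NotePropertyName useOIDC -NotePropertyValue $true -Force
$json = $cfg | ConvertTo-Json -Depth 20
# WriteAllText writes UTF-8 without a byte-order mark
[IO.File]::WriteAllText($ConfigPath, $json)

# Read the file back and confirm the flag the adapter will see.
$check = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
if ($check.useOIDC -ne $true) {
    throw "useOIDC was not persisted in $ConfigPath"
}
Write-Host "Preflight OK: adapter $installed, useOIDC=true in $ConfigPath (backup at $ConfigPath.bak)"
```

ConvertTo-Json rewrites the file's formatting, so compare the .bak file with the result if you keep hand-maintained comments or spacing in the configuration.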

Next steps

Troubleshooting