Enable Open ID Connect with existing ADFS installations

Enable Open ID Connect with existing ADFS installations.
To enable an existing application to use OpenID Connect:

  1. Navigate to your ADFS application and select the Sign On tab.
  2. Select OpenID Connect.
    Ensure that the RedirectURI field is set correctly.

    Ensure that the Redirect URI ends with a training forward slash. For example https://yourdomain.com/.

  3. Upgrade any existing ADFS plug-ins to version 1.7.0 or later
    Note: Be sure to remove the Okta MFA Provider from the Authentication Policy in ADFS before running any plug-in upgrades.

  4. After the upgrade completes, ensure that your application still functions normally.
    1. Using a text editor open C:\Program Files\Okta\Okta MFA Provider\config\okta_adfs_adapter.json.

      Note: By default the okta_adfs_adapter.json file can be found in c:\Program Files\Okta\Okta MFA Provider\config\okta_adfs_adapter.json.

      See Configure MFA for Active Directory Federation Services (ADFS) for more information.
    2. Search for and modify the useOIDC property, setting its value to true.
      for example: useOIDC:true.
  5. Using a text editor copy and create the following Microsoft Powershell script and save as ApplyConfigurationSettingChanges.ps1.
    If required, change the values of the BinDir and ConfigDir variables to match your environment.


    # ApplyConfigurationSettingChanges.ps1
    [System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")

    $BinDir = "C:\Program Files\Okta\Okta MFA Provider\bin"
    $ConfigDir = "C:\Program Files\Okta\Okta MFA Provider\config"

    Start-Service adfssrv

    # Remove Okta MFA Provider
    $providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers

    # Unregister
    Unregister-AdfsAuthenticationProvider -Name "OktaMfaAdfs" -Confirm:$false -ErrorAction Stop

    # restart the ADFS service
    Restart-Service adfssrv -Force

    # register MFA adapter again
    $OktaMfaAssamply = [Reflection.Assembly]::Loadfile($BinDir + "\OktaMfaAdfs.dll")
    $typeName = "OktaMfaAdfs.AuthenticationAdapter, OktaMfaAdfs, Version=" + $OktaMfaAssamply.GetName().Version + ", Culture=neutral, PublicKeyToken=3c924b535afa849b"
    Register-AdfsAuthenticationProvider -TypeName $typeName -Name "OktaMfaAdfs" -Verbose -ConfigurationFilePath "$ConfigDir\okta_adfs_adapter.json"

    # restart the service
    Restart-Service adfssrv -Force

    # Enable Okta MFA adapter
    $providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers
  6. As administrator open a Microsoft PowerShell and execute the script ApplyConfigurationSettingChanges.ps1.
  7. Verify that the user can authenticate.

You have successfully upgraded your application plug in to use OpenID Connect.

Next steps