Enable OpenID Connect with existing ADFS installations

To enable an existing application to use OpenID Connect:

  1. In Okta, navigate to your ADFS application and select the Sign On tab.
  2. Select OpenID Connect.
    Ensure that the Redirect URI field is set correctly and that the value ends with a trailing forward slash, for example https://yourdomain.com/.

  3. Upgrade any existing ADFS plug-ins to version 1.7.0 or later.
    Note: Remove the Okta MFA Provider from the Authentication Policy in ADFS before running any plug-in upgrades.

  4. After the upgrade completes, confirm that your application still functions normally, then enable OpenID Connect in the adapter configuration:
    1. Using a text editor, open okta_adfs_adapter.json. By default the file is located at C:\Program Files\Okta\Okta MFA Provider\config\okta_adfs_adapter.json.

      See Configure MFA for Active Directory Federation Services (ADFS) for more information.
    2. Search for the useOIDC property and set its value to true, for example: "useOIDC": true.
  5. Using a text editor, create the following Windows PowerShell script and save it as ApplyConfigurationSettingChanges.ps1.
    If required, change the values of the BinDir and ConfigDir variables to match your environment.

    ApplyConfigurationSettingChanges.ps1

    # ApplyConfigurationSettingChanges.ps1
    # Re-registers the Okta MFA adapter so that ADFS picks up the updated
    # okta_adfs_adapter.json (useOIDC = true). Run from an elevated PowerShell
    # session on the ADFS server. Stop on the first error rather than continue
    # with a half-applied registration.
    $ErrorActionPreference = "Stop"

    # Register-AdfsAuthenticationProvider uses System.EnterpriseServices to publish
    # the adapter assembly to the GAC, so load that assembly up front.
    [System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")

    # Adjust these two paths if the Okta MFA Provider is installed elsewhere.
    $BinDir = "C:\Program Files\Okta\Okta MFA Provider\bin"
    $ConfigDir = "C:\Program Files\Okta\Okta MFA Provider\config"

    # Make sure the ADFS service is running before changing its policy.
    Start-Service adfssrv

    # Remove the Okta MFA Provider from the global authentication policy.
    # Remove() returns a boolean; [void] keeps it out of the script output.
    $providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
    [void]$providers.Remove("OktaMfaAdfs")
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers

    # Unregister the current adapter registration.
    Unregister-AdfsAuthenticationProvider -Name "OktaMfaAdfs" -Confirm:$false -ErrorAction Stop

    # Restart ADFS so the old registration is fully unloaded.
    Restart-Service adfssrv -Force

    # Register the MFA adapter again, reading the assembly version from the
    # installed DLL and pointing the registration at the updated configuration file.
    $OktaMfaAssembly = [Reflection.Assembly]::LoadFile($BinDir + "\OktaMfaAdfs.dll")
    $typeName = "OktaMfaAdfs.AuthenticationAdapter, OktaMfaAdfs, Version=" + $OktaMfaAssembly.GetName().Version + ", Culture=neutral, PublicKeyToken=3c924b535afa849b"
    Register-AdfsAuthenticationProvider -TypeName $typeName -Name "OktaMfaAdfs" -Verbose -ConfigurationFilePath "$ConfigDir\okta_adfs_adapter.json"

    # Restart ADFS so the new registration is loaded.
    Restart-Service adfssrv -Force

    # Enable the Okta MFA adapter in the global authentication policy again.
    $providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
    $providers.Add("OktaMfaAdfs")
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers
  6. On the ADFS server, open an elevated PowerShell session (Run as administrator) and execute ApplyConfigurationSettingChanges.ps1.
  7. Verify that a user can authenticate through the application.

You have successfully upgraded your application plug-in to use OpenID Connect.
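As an added example (not part of Okta's documentation), the following PowerShell automates the configuration edit in step 4 and checks the outcome of the script in step 6. It backs up okta_adfs_adapter.json, sets useOIDC to a JSON boolean true whether or not the property already exists in the file, re-reads the file to confirm the value actually written, and then uses the ADFS cmdlets to confirm that OktaMfaAdfs is registered and enabled in the global authentication policy. It assumes the default install path shown on this page and that useOIDC is a boolean (as the page's `"useOIDC": true` suggests); run it in an elevated PowerShell session on the ADFS server, where the ADFS module is available.

```powershell
# Added example, not Okta's code: set useOIDC in okta_adfs_adapter.json and verify
# the Okta MFA Provider registration after ApplyConfigurationSettingChanges.ps1.
# Assumes the default install path from the page; adjust $ConfigDir if needed.
$ConfigDir  = "C:\Program Files\Okta\Okta MFA Provider\config"
$ConfigPath = Join-Path $ConfigDir "okta_adfs_adapter.json"

# 1. Keep a timestamped backup before touching the adapter configuration.
$Backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $ConfigPath -Destination $Backup -ErrorAction Stop

# 2. Parse the JSON, set useOIDC to a boolean true, and write it back.
#    ConvertFrom-Json keeps the other properties intact; Add-Member covers the
#    case where an older config file has no useOIDC property at all.
$config = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
if ($null -eq $config.PSObject.Properties["useOIDC"]) {
    $config | Add-Member -MemberType NoteProperty -Name useOIDC -Value $true
} else {
    $config.useOIDC = $true
}
$config | ConvertTo-Json -Depth 10 | Set-Content -Path $ConfigPath -Encoding UTF8

# 3. Confirm the value on disk is a JSON boolean true, not the string "true".
$check = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
if ($check.useOIDC -isnot [bool] -or -not $check.useOIDC) {
    throw "useOIDC was not set to boolean true in $ConfigPath"
}

# 4. After running ApplyConfigurationSettingChanges.ps1, verify that the adapter
#    is registered with ADFS and enabled in the global authentication policy.
$provider = Get-AdfsAuthenticationProvider -Name "OktaMfaAdfs" -ErrorAction SilentlyContinue
if (-not $provider) {
    throw "OktaMfaAdfs is not registered with ADFS"
}
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.AdditionalAuthenticationProvider -notcontains "OktaMfaAdfs") {
    throw "OktaMfaAdfs is registered but not enabled in the global authentication policy"
}

Write-Host "useOIDC=true written to $ConfigPath (backup: $Backup); OktaMfaAdfs is registered and enabled."
```

ConvertTo-Json re-serializes the whole file, so whitespace and property order may differ from the original; compare the result against the backup before restarting ADFS, and keep the backup until step 7 (a user authenticates successfully) has passed.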

Next steps

See Troubleshooting.