Enable Open ID Connect with existing ADFS installations


To enable an existing application to use OpenID Connect:

  1. Navigate to your ADFS application and select the Sign On tab.
  2. Select OpenID Connect.
    Ensure that the RedirectURI field is set correctly.

    Important: Ensure that the Redirect URI ends with a trailing forward slash, for example https://yourdomain.com/.

  3. Upgrade any existing ADFS plug-ins to version 1.7.0 or later.
    Note: Be sure to remove the Okta MFA Provider from the Authentication Policy in ADFS before running any plug-in upgrades.

  4. After the upgrade completes, ensure that your application still functions normally.
    1. Using a text editor, open the okta_adfs_adapter.json file and modify it to set "useOIDC":true.
      Note: By default the okta_adfs_adapter.json file can be found in c:\Program Files\Okta\Okta MFA Provider\config\okta_adfs_adapter.json.

      See MFA for Active Directory Federation Services (ADFS) Configuration for more information.
  5. Using a text editor, create the following Microsoft PowerShell script and save it as ApplyConfigurationSettingChanges.ps1.

    # ApplyConfigurationSettingChanges.ps1
    # Re-registers the Okta MFA adapter so that ADFS picks up the updated
    # okta_adfs_adapter.json (with "useOIDC":true).
    [System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")

    # Adjust these if the plug-in was installed somewhere other than the default location
    $BinDir = "C:\Program Files\Okta\Okta MFA Provider\bin"
    $ConfigDir = "C:\Program Files\Okta\Okta MFA Provider\config"

    # Make sure the ADFS service is running before touching the policy
    Start-Service adfssrv

    # Remove the Okta MFA Provider from the global authentication policy
    $providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
    $providers.Remove("OktaMfaAdfs")
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers

    # Unregister the adapter (stop on error so we never re-register over a stale registration)
    Unregister-AdfsAuthenticationProvider -Name "OktaMfaAdfs" -Confirm:$false -ErrorAction Stop

    # Restart the ADFS service so the unregistration takes effect
    Restart-Service adfssrv -Force

    # Register the MFA adapter again, building the type name from the DLL's actual version
    $OktaMfaAssembly = [Reflection.Assembly]::LoadFile($BinDir + "\OktaMfaAdfs.dll")
    $typeName = "OktaMfaAdfs.AuthenticationAdapter, OktaMfaAdfs, Version=" + $OktaMfaAssembly.GetName().Version + ", Culture=neutral, PublicKeyToken=3c924b535afa849b"
    Register-AdfsAuthenticationProvider -TypeName $typeName -Name "OktaMfaAdfs" -Verbose -ConfigurationFilePath "$ConfigDir\okta_adfs_adapter.json"

    # Restart the service so the new registration is loaded
    Restart-Service adfssrv -Force

    # Enable the Okta MFA adapter in the global authentication policy again
    $providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
    $providers.Add("OktaMfaAdfs")
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers

  6. If required, change the values of the $BinDir and $ConfigDir variables to match your environment.
  7. As an administrator, open Microsoft PowerShell and run the script ApplyConfigurationSettingChanges.ps1.
  8. Verify that the user can authenticate.
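Before running ApplyConfigurationSettingChanges.ps1, a pre-flight check is useful because the script unregisters and re-registers the adapter unconditionally. The following script is an added example, not part of Okta's documentation: it confirms the preconditions the steps above rely on (plug-in DLL at 1.7.0 or later, "useOIDC" set to true in okta_adfs_adapter.json, and a redirect URI with a trailing slash) and reports whether OktaMfaAdfs is currently in the global policy. The $RedirectUri value is a placeholder you replace with the value from the Sign On tab.

```powershell
# Preflight-OidcUpgrade.ps1 (added example; default paths match the procedure above)
$BinDir      = "C:\Program Files\Okta\Okta MFA Provider\bin"
$ConfigDir   = "C:\Program Files\Okta\Okta MFA Provider\config"
$RedirectUri = "https://yourdomain.com/"   # placeholder: use your application's Redirect URI

$problems = @()

# 1. Plug-in must be version 1.7.0 or later (read from the adapter DLL's file version)
$dll = Join-Path $BinDir "OktaMfaAdfs.dll"
if (Test-Path $dll) {
    $ver = [version][System.Diagnostics.FileVersionInfo]::GetVersionInfo($dll).FileVersion
    if ($ver -lt [version]"1.7.0") { $problems += "Plug-in version $ver is older than 1.7.0" }
} else {
    $problems += "Adapter DLL not found at $dll"
}

# 2. "useOIDC" must be true in okta_adfs_adapter.json (a missing key also fails this check)
$cfgPath = Join-Path $ConfigDir "okta_adfs_adapter.json"
if (Test-Path $cfgPath) {
    $cfg = Get-Content -Raw $cfgPath | ConvertFrom-Json
    if ($cfg.useOIDC -ne $true) { $problems += "useOIDC is not set to true in $cfgPath" }
} else {
    $problems += "Config file not found at $cfgPath"
}

# 3. Redirect URI must end with a trailing forward slash
if (-not $RedirectUri.EndsWith("/")) {
    $problems += "Redirect URI '$RedirectUri' does not end with a trailing slash"
}

# 4. Report whether the script's Remove step will find the provider in the global policy
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.AdditionalAuthenticationProvider -contains "OktaMfaAdfs") {
    Write-Host "OktaMfaAdfs is currently enabled in the global authentication policy"
} else {
    Write-Host "OktaMfaAdfs is not currently enabled in the global authentication policy"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Pre-flight checks passed; safe to run ApplyConfigurationSettingChanges.ps1"
```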

You have successfully upgraded your application plug-in to use OpenID Connect.

Next steps

Troubleshooting