Using AD FS for client authentication

Pexip Infinity can integrate with Active Directory Federation Services (AD FS) to provide Connect apps and other third-party applications with single sign-on access. This allows users to register their clients using their AD credentials.

This topic explains how to configure AD FS and Pexip Infinity to enable users to register their clients using their AD FS credentials. It covers:

How it works
Prerequisites
Setting up an OAuth 2.0 Client on Windows Server
Registering and provisioning Connect apps
Troubleshooting

How it works

The process of authenticating and registering a Connect app to Pexip Infinity via end-user SSO with AD FS works as follows:

When the Connect app launches it opens up a page in a web browser for the user to sign in to AD FS using their AD credentials.
The user signs in with their AD credentials and is redirected back to the Connect app, which then requests an access token from AD FS.
The AD FS server returns the AD FS access token to the Connect app. This token proves that the user has successfully authenticated with AD FS.
The Connect app sends a registration request for the device alias to a Conferencing Node and supplies the AD FS access token. Note that the user's AD credentials are never sent to Pexip Infinity.
The Conferencing Node communicates with the AD FS server to obtain its signing certificate and thus verify that the AD FS access token came from the AD FS server.
The Conferencing Node then checks that the AD FS access token is valid for the device alias the user is registering. This means the device alias must be configured as an SSO-enabled alias within Pexip Infinity and have an associated email address or username that matches the user's email address.
The Conferencing Node sends a Pexip registration token to the Connect app, which the client then uses to maintain its registration with Pexip Infinity.

Note that:

The AD FS access token lasts for 8 hours. The Connect app automatically opens the sign-in page when it needs a new AD FS access token. This typically occurs when the user loads the client for the first time in the day. However, if the user is already signed into AD FS, then they might not notice anything because they will be immediately redirected back to the client without needing to sign in.
A Conferencing Node requests the signing certificate from the AD FS server the first time it needs to validate a token and then caches it for one hour for subsequent SSO registration requests.
The Pexip registration token is used by the Connect app to periodically refresh its registration with the Conferencing Node. This means that while the client remains registered, it does not matter if the AD FS access token expires. But if the client becomes unregistered (e.g. due to a long network connection failure) and the AD FS token has expired, then the user is asked to sign in to AD FS again.
The legacy Connect apps do not support AD FS authentication.

Prerequisites

Before you integrate your AD FS deployment with Pexip Infinity, you must make sure your AD FS deployment satisfies the following requirements.

AD FS version

You must be using a version of Windows Server that supports OAuth 2.0 with AD FS, i.e. Windows Server 2012 R2 or later.

Internet accessibility and security

Your Federation Service must be accessible by:

all Pexip Infinity Conferencing Nodes
all users who need to sign into AD FS to authenticate with Pexip Infinity.

In practice this means your Federation Service must be accessible from the internet. This raises security concerns, but Microsoft provide documentation about the recommended deployment of AD FS:

Top-level AD FS documentation can be found at https://docs.microsoft.com/en-us/windows-server/identity/active-directory-federation-services.
Note the network layout recommendations made in the Microsoft documentation, for example https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-sql-server where all AD FS servers are deployed inside the corporate network and are load-balanced.
To make the Federation Service accessible from the internet, separate servers in the DMZ can be installed with the Web Application Proxy (WAP) role, which proxy requests to the internal AD FS servers from the internet.
Your Federation Service Name, e.g. adfs.example.com, must be routable from both inside and outside your corporate network.
- Inside your corporate network, it should resolve directly to your AD FS server (or the IP address used to load balance multiple AD FS servers).
- Outside your corporate network, it should resolve to your WAP servers in the DMZ.
This requires the correct DNS configuration to be setup. Microsoft also provide documentation about this, for example https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/configure-name-resolution-for-a-federation-server-proxy-in-a-dns-zone-that-serves-only-the-perimeter-network.
Another very good source of information for creating a highly available AD FS deployment can be found in the series of blog posts at https://blogs.technet.microsoft.com/platformspfe/2014/08/28/part-1-windows-server-2012-r2-ad-fs-federated-web-sso/.

These posts refer to AD FS 3.0 on Windows Server 2012 R2, but they also apply to AD FS 4.0 on Windows Server 2016.

AD account with email address for each user

Pexip Infinity uses email addresses to identify users. This means every user in your organization who needs to authenticate to Pexip Infinity must have an Active Directory account that includes an email address.

Certificates

Each AD FS server must be provided with a valid certificate which is trusted by your Pexip Infinity deployment. The subject of this certificate needs to match the Federation Service Name.

Setting up an OAuth 2.0 Client on Windows Server

To set up an OAuth 2.0 Client, use the appropriate set of instructions below for your version of AD FS and Windows Server.

Windows Server 2016 and later
AD FS 3.0 on Windows Server 2012 R2

These instructions apply to Windows Server 2016 and later.

Creating a Native Application

In this step you create a new application group with a new native application for the OAuth client — which is the Connect app in this case.

Log on to a computer that can make configuration changes to your Federation Service. If your AD FS deployment uses Windows Internal Database (WID), this must be the Primary AD FS Server. If your AD FS deployment uses SQL Server then any AD FS server can make configuration changes.
From the top right of the Server Manager application window, select Tools > AD FS Management.
From the left panel, select Application Groups and then from the right panel select Add Application Group.
At the Welcome screen, enter a Name and Description for the application group. Then from the Template section, under Standalone applications, select Native application.
At the Native application screen, enter a Name for the application. A new Client Identifier is randomly generated for you (this will be required later when adding the OAuth client details to the Management Node.

In the Redirect URI field, enter:

https://<address>/api/client/v2/oauth2_redirect
where <address> is the FQDN of a Conferencing Node or reverse proxy, for example
https://px01.vc.example.com/api/client/v2/oauth2_redirect

You may want to use a reverse proxy rather than a Conferencing Node for the redirect URI if you want to provide some redundancy capability.

The Redirect URI you enter here must match exactly the URI used when provisioning the Connect app.
At the Summary screen, review the settings and select Next.

The new application group, along with the new native application, is created.

Creating a Web API Resource

In this step you create a Web API within your application group. The Web API acts as the resource that is accessed when users authenticate to Pexip Infinity using their AD credentials.

On the AD FS Management Tool, from the left-hand panel select Application Groups and from the middle panel select the application group you have just created. From the right-hand panel, select Properties.
At the bottom of the Properties window, select Add application...
At the Welcome screen, from the Template section, select Web API.
At the Configure Web API screen, enter a Name and an Identifier (which must be in URL format).
At the Choose Access Control Policy screen select an appropriate policy. The default is Permit everyone.
At the Configure Application Permissions screen, ensure the native application you created above appears in the list of Client applications. All the Permitted scopes should be deselected because the Pexip Infinity Connect apps do not request any scopes.
At the Summary screen, review the entered settings then select Next.

The new Web API should now be created.

Configuring Claim Rules

In this step you configure an Issuance Transform Rule for the Web API. This rule specifies which claims should be sent to the Relying Party (i.e. which claims will be inside the OAuth token that is sent to Pexip Infinity).

Pexip Infinity requires certain claims to be present inside the token in order to establish the user's identity. These are claims that come from the user's Active Directory account.

Ensure there is an Attribute Store configured for Active Directory. To do this, from the AD FS Management Tool, in the left-hand panel expand Service and select Attribute Stores. Select the attribute store called Active Directory. Open its properties and ensure its Attribute store type is Active Directory.

If the Attribute Store is not present, add it by selecting Add Attribute Store. In the Add an Attribute Store window, enter a Display name of Active Directory and select an Attribute store type of Active Directory.
Add the Issuance Transform Rule on the Web API you just created. To do this, from the AD FS Management Tool, at the bottom of the left-hand panel select Application Groups. Select the Application Group you just created and open its Properties.
Select the Web API you created earlier and then select Edit.
Select the Issuance Transform Rules tab and then select Add Rule.
Select a Claim rule template of Send Claims Using a Custom Rule and then select Next.
Enter a Claim rule name and enter the following as the Custom rule.
```
c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("email", "object_guid", "first_name", "last_name", "display_name"), query = ";mail,objectGUID,givenName,sn,displayName;{0}", param = c.Value);
```
The above rule queries Active Directory for the attributes: mail, objectGUID, givenName, sn and displayName, and then maps them to the claims: email, object_guid, first_name, last_name and display_name which will appear in the token payload that is returned when the user successfully logs in. The email and object_guid claims are required by Pexip Infinity when verifying the token. If they are not present in the token, the user will fail to authenticate to Pexip Infinity.
Select Finish, and in the next window ensure you select Apply.

Checking and enabling AD FS endpoints

In this step you ensure that the appropriate AD FS endpoints have been enabled to support Pexip's requirements. In the context of AD FS, an endpoint is a URL that AD FS is configured to serve.

To find the details of these AD FS endpoints:

From the Server Manager application window, select Tools > AD FS Management.
From the AD FS Management Tool, in the left-hand panel expand AD FS > Service > Endpoints.
Locate and check the following 2 endpoints:
- an OAuth type endpoint with path /adfs/oauth2/
  (this is used by users who sign in to AD FS)
- a Federation Metadata type endpoint with path /FederationMetadata/2007-06/FederationMetadata.xml
  (this is used by Conferencing Nodes)
Ensure that both of these endpoints are Enabled. If you are using a Web Application Proxy (WAP) you must also ensure they are Proxy Enabled.

Determining Federation Service Properties

To add an AD FS OAuth 2.0 Client to the Pexip Infinity Management Node, you must first determine your Federation Service Name (this is the FQDN that clients use to access AD FS) and Federation Service Identifier. To check these:

From the AD FS Management Tool, from the left-hand panel select the top level AD FS folder, and then select Edit Federation Service Properties.

In the example below, the Federation Service Name is adfs.rd.pexip.com and the Federation Service identifier is http://adfs.rd.pexip.com/adfs/services/trust.

Adding the AD FS OAuth 2.0 Client to the Pexip Infinity Management Node

From the Pexip Infinity Management Node, go to Users & Devices > AD FS Authentication Clients.
Select Add AD FS OAuth 2.0 Client.

Complete the fields as follows:

Field	Description
Name	The name to use to refer to this OAuth 2.0 client on AD FS.
Description	An optional description of this OAuth 2.0 client.
AD FS Server configuration
Federation Service name	The FQDN which is used by clients to connect to AD FS. This is the name seen when Determining Federation Service Properties.
Federation Service Identifier	The URL which identifies AD FS. This is the identifier seen when Determining Federation Service Properties.
Resource Identifier	The URL which identifies the OAuth 2.0 resource on AD FS. This should be the identifier you gave the Web API resource which you created earlier.
Client ID	The ID of the AD FS OAuth 2.0 Client. This will show a randomly generated GUID but you must replace this with the one that was generated earlier when Creating a Native Application.
AD FS Domains
AD FS Domain: #1
Domain	An FQDN which, when present in a user's email address, permits that user to authenticate using this AD FS OAuth 2.0 client. For example, if a user has the email bob@example.com, then example.com must be configured as a Domain to allow that user to sign on with AD FS. A single domain can only be used by a single AD FS 2.0 OAuth client.
Description	An optional description of the AD FS domain.

Select Save and Test Connection. This will save your data and report success or failure details of this connection. See Troubleshooting for more information.

These instructions apply to AD FS 3.0 on Windows Server 2012 R2.

Creating a Relying Party Trust

In this step you create a Relying Party Trust, which acts as the resource that is accessed when users authenticate to Pexip Infinity using their AD credentials.

Log on to a computer that can make configuration changes to your Federation Service. If your AD FS deployment uses Windows Internal Database (WID), this must be the Primary AD FS Server. If your AD FS deployment uses SQL Server then any AD FS server can make configuration changes.
From the Server Manager application window, select Tools > AD FS Management.
From the left-hand panel, expand AD FS > Trust Relationships > Relying Party Trusts. Then from the right-hand panel select Add Relying Party Trust....
At the Add Relying Party Trust Wizard welcome screen, select Start.
At the Select Data Source screen, select Enter data about the relying party manually and select Next.
At the Specify Display Name screen, enter a Display name and Note, and select Next.
At the Choose Profile screen, select AD FS profile and select Next.
At the Configure Certificate screen, do not configure a certificate. Simply select Next.
At the Configure URL screen, do not enable support for either the WS-Federation Passive or the SAML 2.0 WebSO protocols. Simply select Next.
At the Configure Identifiers screen, enter a Relying Party Trust Identifier. This must be unique against all of your Relying Party Trusts, and must be in URL format.
At the Configure Multi-factor Authentication Now? screen, optionally enable multi-factor authentication. Enabling multi-factor authentication will affect how your users sign in to AD FS.
At the Choose Issuance Authorization Rules screen, select Permit all users to access this relying party.
At the Ready to Add Trust screen, review the settings and then select Next.
At the Finish screen, verify that the relying party trust was added successfully. Choose to Open the Edit Claim Rules dialog... then select Close.

Configuring Claim Rules

In this step you configure an Issuance Transform Rule for the Relying Party. This rule specifies which claims should be sent to the Relying Party (i.e. which claims will be inside the OAuth token that is sent to Pexip Infinity).

Pexip Infinity requires certain claims to be present inside the token in order to establish the user's identity. These are claims that come from the user's Active Directory account.

Ensure there is an Attribute Store configured for Active Directory. To do this, in the AD FS Management Tool, from the left-hand panel expand AD FS > Trust Relationships > Attribute Stores. Look for the attribute store called Active Directory. Open its properties and ensure its Attribute store type is Active Directory.

If the Attribute Store is not present, add it by selecting Add Attribute Store. In the Add an Attribute Store window, enter a Display name of Active Directory and select an Attribute store type of Active Directory.
From the left-hand panel expand AD FS > Trust Relationships > Relying Party Trusts, select the Relying Party you just created, and from the right-hand panel select Edit Claim Rules....
Select the Issuance Transform Rules tab, then select Add Rule....
At the Select Rule Template screen, select a Claim rule template of Send Claims Using a Custom Rule.
At the Configure Rule screen, enter a Claim rule name, and in the Custom rule section enter the following:
```
c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("email", "object_guid", "first_name", "last_name", "display_name"), query = ";mail,objectGUID,givenName,sn,displayName;{0}", param = c.Value);
```
The above rule queries Active Directory for the attributes: mail, objectGUID, givenName, sn and displayName, and then maps them to the claims: email, object_guid, first_name, last_name and display_name which will appear in the token payload that is returned when the user successfully logs in. The email and object_guid claims are required by Pexip Infinity when verifying the token. If they are not present in the token, the user will fail to authenticate to Pexip Infinity.
Select Finish.
You are returned to the Issuance Transform Rules tab. Select Apply.

Checking and enabling AD FS endpoints

In this step you ensure that the appropriate AD FS endpoints have been enabled to support Pexip's requirements. In the context of AD FS, an endpoint is a URL that AD FS is configured to serve.

To find the details of these AD FS endpoints:

From the Server Manager application window, select Tools > AD FS Management.
From the AD FS Management Tool, in the left-hand panel expand AD FS > Service > Endpoints.
Locate and check the following 2 endpoints:
- an OAuth type endpoint with path /adfs/oauth2/
  (this is used by users who sign in to AD FS)
- a Federation Metadata type endpoint with path /FederationMetadata/2007-06/FederationMetadata.xml
  (this is used by Conferencing Nodes)
Ensure that both of these endpoints are Enabled. If you are using a Web Application Proxy (WAP) you must also ensure they are Proxy Enabled.

Determining Federation Service Properties

From the AD FS Management Tool, from the left-hand panel select the top level AD FS folder, and then select Edit Federation Service Properties.

In the example below, the Federation Service Name is adfs.rd.pexip.com and the Federation Service identifier is http://adfs.rd.pexip.com/adfs/services/trust.

Adding the AD FS OAuth 2.0 Client to the Pexip Infinity Management Node

In this step you add the details of the OAuth 2.0 client to the Pexip Infinity Management Node.

From the Pexip Infinity Management Node go to Users & Devices > AD FS Authentication Clients.
Select Add AD FS OAuth 2.0 Client.

Complete the fields as follows:

Field	Description
Name	The name to use to refer to this OAuth 2.0 client on AD FS.
Description	An optional description of this OAuth 2.0 client.
AD FS Server configuration
Federation Service name	The FQDN which is used by clients to connect to AD FS. This is the name seen when Determining Federation Service Properties.
Federation Service Identifier	The URL which identifies AD FS. This is the identifier seen when Determining Federation Service Properties.
Resource Identifier	The URL which identifies the OAuth 2.0 resource on AD FS. This should be the identifier you gave the Relying Party Trust which you created earlier.
Client ID	The ID of the AD FS OAuth 2.0 Client. This will show a randomly generated GUID which you may leave as is.
AD FS Domains
AD FS Domain: #1
Domain	An FQDN which, when present in a user's email address, permits that user to authenticate using this AD FS OAuth 2.0 client. For example, if a user has the email bob@example.com, then example.com must be configured as a Domain to allow that user to sign on with AD FS. A single domain can only be used by a single AD FS 2.0 OAuth client.
Description	An optional description of the AD FS domain.

Select Save.

Adding the OAuth 2.0 Client to AD FS

In this final step you add the OAuth 2.0 client to AD FS. This is done using the Add-AdfsClient PowerShell command.

This command can be generated for you on the Pexip Infinity Management Node as follows:

From the Pexip Infinity Management Node, select the AD FS OAuth 2.0 client you just created.
From the bottom of the page, select Save and Get Setup Config.
On this page, copy the command in the Add-AdfsClient field.

The command will look something like:

Add-AdfsClient -Name "AD FS 2012" -ClientId "c5bddcf3-f3fd-48c0-acc4-6d1af4ddf434" -RedirectUri @("pexip-auth://adfs", "https://<Conference Node or Reverse Proxy>/api/client/v2/oauth2_redirect") -Description "AD FS Server for Connect clients"

This uses the Name, Description and Client ID configured for this AD FS OAuth 2.0 Client.

It also specifies two redirect URIs that may be used when provisioning the Connect apps. In the second URI you must replace <Conference Node or Reverse Proxy> with the actual address of either your Conferencing Node or your reverse proxy.

Note that the pexip-auth://adfs is an alternative redirect URI that immediately redirects the user back to the app. This redirect method causes the AD FS sign-in page to remain open and thus may cause user confusion as it is not clear the user has successfully signed in. You can enter both types of redirect URI when configuring AD FS. The redirect URI that is actually used is the one that the Connect app is provisioned with.

One of the Redirect URIs you enter here must match exactly the URI used when provisioning the Connect app.
On your AD FS server, open PowerShell and issue the above command.
You must also enable Refresh tokens for the Relying Party Trust. This is done using the following PowerShell command:

Set-AdfsRelyingPartyTrust -TargetName “<Relying Party Trust Display Name>" -IssueOAuthRefreshTokensTo AllDevices

Where <Relying Party Trust Display Name> is the Display name of the Relying Party Trust which was created earlier.
You can now test your connection. Return to the Pexip Infinity Management Node, select the AD FS client again and select Save and Test Connection. This will save your data and report success or failure details of this connection. See Troubleshooting for more information.

Other commands are also available from the AD FS Setup Config page:

To verify the changes have been saved, use the Get-AdfsClient command.
If you need to modify the client, use the Set-AdfsClient command.

For information about these and other relevant commands, see the following Microsoft documentation:

Add-AdfsClient: https://docs.microsoft.com/en-us/powershell/module/adfs/add-adfsclient
Set-AdfsClient: https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsclient
Get-AdfsClient: https://docs.microsoft.com/en-us/powershell/module/adfs/get-adfsclient
Enable-AdfsClient: https://docs.microsoft.com/en-us/powershell/module/adfs/enable-adfsclient
Disable-AdfsClient: https://docs.microsoft.com/en-us/powershell/module/adfs/disable-adfsclient
Set-AdfsRelyingPartyTrust: https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsrelyingpartytrust

Users should now be able to use AD FS services and their AD credentials to register their Connect apps to Pexip Infinity.

Registering and provisioning Connect apps

When your AD FS integration is complete, you can provision your Connect app users with the relevant settings so that they can use AD FS services and their AD credentials to register their Connect apps to Pexip Infinity.

See Registering and provisioning the Connect desktop app for instructions about how to do this and for details of the associated end-user experience.

Troubleshooting

You can test your AD FS configuration by going to Users & Devices > AD FS Authentication Clients, selecting the client you want to test, and then from the bottom of the page selecting Save and Test Connection.

The page will refresh and display one or more diagnostic messages indicating success or failure. Example error messages are:

Error message	Possible cause and resolution
Unable to connect to the Federation Metadata located at https://<address>/FederationMetadata/2007-06/FederationMetadata.xml.	Check that the Federation Service Name FQDN is correct and reachable. Each AD FS server must be provided with a valid certificate which is trusted by your Pexip Infinity deployment. The subject of this certificate needs to match the Federation Service Name.
The Entity ID 'http://<address>/adfs/services/trust' was found in the Federation Metadata located at https://<address>/FederationMetadata/2007-06/FederationMetadata.xml. This differs from the AD FS Identifier entered below. Please make sure it is entered correctly.	There is a discrepancy between the Federation Service Identifier configured in Pexip Infinity and what is configured in the AD Federation Service Properties.
No signing certificates could be found in the Federation Metadata located at https://<address>/FederationMetadata/2007-06/FederationMetadata.xml.	Each AD FS server must be configured with at least one Token-signing certificate. You can check these in your AD FS configuration by going to Service > Certificates and making sure at least one Token-signing certificate is listed and has not expired.

Error message

Possible cause and resolution

Unable to connect to the Federation Metadata located at https://<address>/FederationMetadata/2007-06/FederationMetadata.xml.

Check that the Federation Service Name FQDN is correct and reachable.

Each AD FS server must be provided with a valid certificate which is trusted by your Pexip Infinity deployment. The subject of this certificate needs to match the Federation Service Name.

The Entity ID 'http://<address>/adfs/services/trust' was found in the Federation Metadata located at https://<address>/FederationMetadata/2007-06/FederationMetadata.xml. This differs from the AD FS Identifier entered below. Please make sure it is entered correctly.

There is a discrepancy between the Federation Service Identifier configured in Pexip Infinity and what is configured in the AD Federation Service Properties.

No signing certificates could be found in the Federation Metadata located at https://<address>/FederationMetadata/2007-06/FederationMetadata.xml.

Each AD FS server must be configured with at least one Token-signing certificate. You can check these in your AD FS configuration by going to and making sure at least one Token-signing certificate is listed and has not expired.

Typical success messages (no action is required) include:

"Successfully found one signing certificate in the Federation Metadata located at https://<address>/FederationMetadata/2007-06/FederationMetadata.xml."
"Successfully verified AD FS Identifier matches the Entity ID 'http://<address>/adfs/services/trust' in the Federation Metadata located at https://<address>/FederationMetadata/2007-06/FederationMetadata.xml."