Settings in AD FS

1. Right-click on Application Groups in the AD FS Management console and select Add Application Group in the menu:
2. Enter a fitting name for the application (e.g. DRACOON), select Server application accessing a web API in Standalone applications and click on Next.
3. Please store the displayed Client Identifier and enter the following URLs in the Redirect URI section: [Your DRACOON URL]/oauth/perform_login
   [Your DRACOON URL]/oauth/openid-callback
4. Select the checkbox Generate a shared secret to generate a shared secret and store this secret securely. After creating, the secret cannot be viewed again!
5. Next, the Web API needs to be configured. Enter the Identifier and the Client ID from step 3.
6. Please select a fitting Access Control Policy in the next step.
7. In the next dialog, select the scopes allatclaims, email, openid and profile.
8. Click on Next, check the summary and review all settings. (Summary). Conclude the setup.
9. In the las step, you need to map the LDA attributes by selecting the just created Application Group and editing the Web API.
10. Click on the tab Issuance Transform Rules and afterward on Add Rule to create a new rule.
11. Enter a name for the rule, select Active Directory as Attribute Store and map E-Mail Addresses - E-Mail Address, Given-Name - Given Name and Surname - Surname to each other.
12. The Endpoints required for the DRACOON configuration can be found using the following URL:
    [Your ADFS URL]/adfs/.well-known/openid-configuration

DRACOON settings

You need to store the Azure settings in DRACOON.

You need to have the role DRACOON configuration manager, to update the following settings.

1. Click on Settings on the left menu and then on Authentication.
2. Click on the tab OpenID Connect.
3. Enable the toggle button Enable login with OpenID Connect.
4. Click on Add.
5. Now you need to enter the Endpoints from above (AD FS configuration)
   

   Hint: For a better overview of the values we recommend using the developer tools in the browser (F12) in order to open the tab Network and then  > Preview to view the OpenID configuration.

6. Enter the setting for the OpenID provider "Azure AD" in DRACOON. The following attributes are rquired to configure DRACOON with equivalent value in your Azure configuration:
   

   Value in DRACOON	OpenID configuration
   Name	Can be entered freely.
   IssuerURL	issuer
   Authorization Endpoint URL	authorization_endpoint
   Token Endpoint URL	token_endpoint
   UserInfo Endpoint URL	userinfo_endpoint
   JWKS Endpoint URL	jwks_uri
   Client ID	Client ID from created Application Group
   Client-Secret	Secret from created Application Group
   Scopes	openid, email, profile
   Redirect URIs	Previously entered Redirect URLs
   Proof Key for Code Exchange (PKCE):	Activation recommended
   PKCE Challenge Method	id_token_signing_alg_values_supported (S256)
   Mapping Claim	upn (recommendation)
   Fallback User Mapping Claim	sub (recommendation)
   User Info Source	Identity Token

7. Save the entered settings.
   AD FS via OpenID can now be used as an authentication method in DRACOON.

Allow OpenID for users

In order to enable OpenID for your DRACOON users, you need to allow the authentication method.

1. Click on Settings in the DRACOON Web App and double-click on the user who should authenticate via OpenID.
2. Select OpenID Connect in the Authentication method field.
3. Select the desired OpenID provider and enter the OpenID username of the user and click on Save.