Identity Provider Setup with ADFS
Example Setup of Identity Provider using OIDC via ADFS
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Example setup of creating an Identity Provider (ADFS) using OIDC within Koha Administration. This setup is bare-bones and only allows for authentication through ADFS for the OPAC and Staff Interface.
- Open the ADFS Management Console, select Application Groups, and choose 'Add Application Group...'
- Give the new application group a name and optionally a description, then under Template choose 'Server Application'
- Click Next and copy the client identifier to a notepad for later
- Under Redirect URI, enter the OPAC URL and the Staff Interface URL (Ex: https://library.example.com and https://library-intra.example.com)
- Click Next, and on the Application Credentials screen tick the 'Generate a Shared Secret' checkbox and copy the generated secret to the notepad
- Double-check all items on the summary screen, click Next again, and then Close
Now log in to the Staff Interface as an administrator, go to Administration > Identity Providers, and choose to add a new Identity Provider.
- Enter an Identification Code (EX: ADFS), and then a description that will be shown to end users (EX: Domain Credentials or Network User)
- For Protocol, choose 'OIDC' from the dropdown
- Under Advanced Configuration, choose 'Add default OIDC configuration'. In the text box, enter the client ID in the specified field, the shared secret in the Client Secret field, and for "well_known_url" the ADFS OIDC discovery endpoint (the OIDC endpoint must be enabled in the ADFS Management Console; EX: https://adfs.example.com/adfs/.well-known/openid-configuration)
- Next, under Mapping, choose 'Add default OIDC mapping'. In my test case I then needed to change the email mapping from "email":"email" to "email":"upn" (depending on your Active Directory configuration, you may need to adjust these mappings)
- For Matchpoint, choose Email
- Now under Domain Configuration, for Domain I entered * in this case to allow everyone to log in via ADFS. The rest of the options here should be self-explanatory; just ensure that for user logins you enable Allow OPAC and Allow Staff.
- In this example, though, I set both Auto-Register and Update on Login to No: although the email/UPN is passed during authentication, the user's first name and surname are not, even after changing the mapped fields (again, you may need to fiddle with this as well)
- Now click Submit. The Identity Provider will be added, and you will need to restart your Koha instance for it to initialize correctly.
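Before pasting the values from the notepad into the Koha form, it is worth checking that the ADFS discovery URL actually publishes the endpoints and claims the mapping relies on. The following is an added example (not Koha or ADFS code): it validates a discovery document and renders the two JSON fields the form takes. It assumes Koha's default OIDC config keys are "key", "secret" and "well_known_url" and the mapping keys are "email", "firstname" and "surname"; confirm these against the defaults your Koha version inserts.

```python
"""Pre-flight check of the ADFS OIDC discovery document for Koha's Identity
Provider form. Assumption (not from the page): Koha's config keys are "key",
"secret", "well_known_url" and mapping keys "email", "firstname", "surname"."""
import json
import urllib.request

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
# Claims the mapping below relies on; "upn" supplies the email, as the page found.
MAPPED_CLAIMS = ("upn", "given_name", "family_name")


def fetch_discovery(well_known_url, timeout=10):
    """Download the discovery document; refuse plaintext URLs so the client
    secret is never configured against an endpoint whose identity is unverified."""
    if not well_known_url.startswith("https://"):
        raise ValueError("well_known_url must be https")
    with urllib.request.urlopen(well_known_url, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(doc, adfs_host):
    """Return the list of problems found; empty means the document looks usable.
    claims_supported lists what ADFS can issue, not what it will issue for this
    application group, so a clean result is necessary but not sufficient."""
    problems = [f"missing {n}" for n in REQUIRED_ENDPOINTS if n not in doc]
    issuer = doc.get("issuer", "")
    if not issuer.startswith(f"https://{adfs_host}/"):
        problems.append(f"issuer {issuer!r} is not on {adfs_host}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    claims = doc.get("claims_supported", [])
    problems += [f"claim {c!r} not advertised" for c in MAPPED_CLAIMS if c not in claims]
    return problems


def koha_idp_fields(client_id, client_secret, well_known_url):
    """Render the config and mapping JSON pasted into Koha's two text boxes."""
    config = {"key": client_id, "secret": client_secret, "well_known_url": well_known_url}
    mapping = {"email": "upn", "firstname": "given_name", "surname": "family_name"}
    return json.dumps(config), json.dumps(mapping)


# Constructed sample of what ADFS publishes; not captured from a real server.
SAMPLE_DISCOVERY = {
    "issuer": "https://adfs.example.com/adfs",
    "authorization_endpoint": "https://adfs.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.com/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "claims_supported": ["sub", "upn", "email", "given_name", "family_name"],
}
```

Run `check_discovery(fetch_discovery(url), "adfs.example.com")` against your own host; any non-empty result points at something to fix on the ADFS side before the Koha restart.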
(This is bare-bones documentation on setup)