Configuring Microsoft AD FS On-Premise SSO with OpenID Connect

Updated
  • Published on Jun 22, 2025
  • 2 minute(s) read
  • DL
 Prev Next

Overview

This article provides step-by-step guidance on how to configure Microsoft Active Directory Federation Services (AD FS) for Encodify using OpenID Connect (OIDC).

Configuring OpenID Connect for Encodify via Microsoft AD FS (On-Premise)

Step 1: Start IdP Configuration in Encodify

  1. Navigate to: Site Configuration → Identity Providers and Users → Identity Providers.

  2. Click Add New IdP.

  3. Fill in the fields as follows:

    • Name ID: Use only English letters without spaces. This will be part of the URL.

    • Display Name for Login Page: This will be shown on the login button.

    • Authentication Method: Select OpenID Connect.

    • Email Domains (optional): Specify allowed domains (e.g. encode.dk, microsoft.com).

  4. Click Next to proceed to Step 2

Step 2: Link to a Login URL

  1. Link your IdP configuration to an existing Login URL and Login Page, or create new ones.

    • Each IdP can be linked to only one Login URL.

  2. Click Next to proceed to Step 3.

Step 3: Copy Callback URL and Authorisation Base URL

  1. Copy the Callback URL and the Authorisation Base URL shown in Encodify. You'll use these values when creating the server application in AD FS.

    1. Example Callback URL: /login/oauth2/code/adfsoidc

    2. Example Authorisation Base URL: /oauth2/authorization/adfsoidc

Step 4: Create OAuth Credentials in Microsoft AD FS Server

Important: Minimum version supporting Open ID: Windows Server 2016.

Create a Server Application

  1. Open the AD FS Management Console.

  2. Create a new Application Group.

  1. Select Server application under Standalone Applications.

  2. Enter a name for your app integration.

  3. Copy the Client Identifier.

  1. For Redirect URI, paste the Callback URL from Encodify.

  1. Check Generate a shared secret and copy it.

  1. Click Next to complete setup.

Add Web API Application

  1. Open the created Application Group and click Add Application → Web API.

  2. Set an identifier:

    • Use your AD FS Server App Client ID and any internal identifier like the Jira/Confluence base URL.

  3. Click Next.

  1. For Access Control Policy, select Permit Everyone.

  1. On Configure Application Permissions, select scopes:

    • allatclaims

    • email

    • openid

  2. Click Next and complete the wizard.

Set LDAP Attributes as Claims

  1. Re-open the Web API entry under your Application Group.

  1. Go to Issuance Transform Rules → Add Rule.

  1. Choose Send LDAP Attributes as Claims.

  1. Map as follows:

LDAP Attribute

Outgoing Claim Type

E-Mail-Addresses

E-Mail Address

Display-Name

Name

Department

Role

Token-Groups - Unqualified Names

Group

  1. Finish the configuration.

Step 5: Complete IdP Configuration in Encodify

  1. Select the OpenID Connect Type

    • Choose Microsoft Active Directory Federation Services (MS ADFS) from the dropdown.

  2. Choose one of the following setup options:

Option A: Auto-fetch Configuration via URL

  1. In the OpenID Connect Config URL field, enter:

    rubyCopyEdithttps://adfs.encode.dk/adfs/.well-known/openid-configuration

  2. Press Enter. The following fields will auto-populate:

    • OpenID Connect JWK URI

    • OAuth2 Authorization URL

    • OAuth2 Access Token URL

Option B: Manual Configuration

  1. Clear the OpenID Connect Config URL field.

  2. Enter the following values manually:

    Field

    Value

    OpenID Connect JWK URI

    https://adfs.encode.dk/adfs/discovery/keys

    OAuth2 Authorization URL

    https://adfs.encode.dk/adfs/oauth2/authorize/

    OAuth2 Access Token URL

    https://adfs.encode.dk/adfs/oauth2/token/

    OAuth2 Client ID

    03f0e403-9943-4339-ad5f-56a8a9abccc8

    OAuth2 Client Secret

    Paste the shared secret from AD FS

    OAuth2 Scope

    email, openid, allatclaims

    External User ID Attribute

    email

  3. Map additional attributes:

Note: AD FS claims may differ from configured claim rule names.

AD FS Token Claim

Encodify Attribute

unique_name

Name

email

Email

  1. Click Next to continue with additional setup steps such as assigning access rights, default groups, etc.

ADFS.png

Step 6: Attribute and Group Mapping (Optional)

  1. You can optionally map token claims from Okta to:

    • Encodify Access Rights

    • User Groups

  2. If you're not mapping from token attributes, continue with default settings.

Step 8: Default User Groups

  1. Define default groups to assign on first login.

  2. Click Next.

Step 9: Welcome Message & First Login Email

  1. Optionally enable a Welcome Email and First Login Message.

  2. Click Save IdP to complete the setup.

Logging In via Microsoft AD FS OIDC

If AD FS is the only authentication method linked to the Login URL, users are redirected directly. If multiple methods exist, users will see a button (e.g. Sign in with ADFS OIDC). Upon first login, users will be auto-provisioned in Encodify with configured roles and attributes.

Related articles