Security

Configure Thinfinity RDS and VirtualUI with ADFS and OAuth 2.0

Configure Thinfinity RDS and VirtualUI with ADFS and OAuth 2.0

Active Directory Federation Services (ADFS) is a Single Sign-On solution developed by Microsoft.
It was included in Windows Server OS to provide users with an SSO authenticated access compatible with Integrated Windows Authentication (IWA) through Active Directory (AD).
This tutorial will show you how to configure two of our Thinfinity products with ADFS and OAuth 2.0:

First of all, navigate to your Active Directory Federation Services manager, click on “Application Groups” and then “Add Application Group”.

 

How to configure Thinfinity products with AD FS and OAuth 2.0.

 

Then we’ll create a “Server Application”. Which will give us a Client ID and Client Secret.

 

How to configure Thinfinity products with AD FS and OAuth 2.0.

 

Give it a name and in the Redirect URI field, type in the URL used to connect to Thinfinity and, for testing purposes, add a “ /OAuth “ at the end of the URL, as shown below :

 

How to configure Thinfinity products with AD FS and OAuth 2.0.

 

Click on “Add” and then “Next”.
In this next window, click on “Generate a shared secret” and save the secret for future use.

 

How to configure Thinfinity products with AD FS and OAuth 2.0.

 

Then click “Next” -> “Next” -> “Complete”
Now we need to add a new application, in the case a “Web API” one.

 

How to configure Thinfinity products with AD FS and OAuth 2.0.

 

Click again on “Add Application”, select “Web API” and click on “Next”

 

How to configure Thinfinity products with AD FS and OAuth 2.0.

 

We need to give it an identifier name, in this case, for testing purposes, we are going to use
“ urn: Cybelesoft.Application.VirtualUI “

 

How to configure Thinfinity products with AD FS and OAuth 2.0.

 

Then click “Next” -> “Next” -> “Complete”
Now we need to modify that Web API we generated, and add a Rule with claims on it:

 

How to configure Thinfinity products with AD FS and OAuth 2.0.

 

In this case, we are going to use the User Principal Name or “UPN” for the claim:

 

How to configure Thinfinity products with AD FS and OAuth 2.0.

Click on “Finish” and then “Apply”.
Now we need to configure Thinfinity with all the information we configured on ADFS side.
Open the Thinfinity Server Manager and navigate to the “Authentication” tab.
Then click on “Add”->”OAuth 2.0”->”Other”:

 

How to configure Thinfinity products with AD FS and OAuth 2.0.

Over here we have two different fields, ClientID, and Client Secret:

 

How to configure Thinfinity products with AD FS and OAuth 2.0.

 

ClientID = Client Identifier configured on the Native Application side of AD FS.
Client Secret = Shared Secret generated on AD FS.
Then, click on the “Server” tab and configure the following:
Authorization URL = This is your ADFS URL with “/adfs/oauth2/authorize” at the end.
Authorization Parameters = This is the Identifier we configured in the WebAPI
Token Validation Server URL = This is your ADFS URL with “/adfs/oauth2/token” at the end.
In the User information field, select “Get from Token”.
end.
Login username value in returned JSON = This is the claim we are going to use in order to log in with Thinfinity. In this case, we are using the “upn”.

 

How to configure Thinfinity products with AD FS and OAuth 2.0.

 

Click “Ok”, and then click “Apply”.
Now we need to configure the “mappings” use for Thinfinity, in order to map an AD FS user, with the local AD instance that Thinfinity uses for permissions in Access Profiles or.
In this case, we are going to use an “*” asterisk mapping, in order to allow all incoming AD FS users to login, using the Access Profiles assigned to my local “cybeleadmin” user.
Click on the first add, type in “*”, and click “Ok”.
Then on the second “Add”, search for a local user you used for permission in the Access Profile or Application.

 

How to configure Thinfinity products with AD FS and OAuth 2.0.

 

And that’s it!
The next you navigate to the Thinfinity landing page, you’ll see the option to authenticate using this new OAuth method.

Have any questions?

Book a call today to learn more about how Thinfinity® can help your organization. We are always available to guide you and provide the best solution based on your specific needs.

Add Comment

Thinfinity_logo

Get a Demo

Experience how Universal ZTNA with Thinfinity® integrates with VDI and DaaS for unmatched security and flexibility.

Blogs you might be interested in

<span>Authentication</span>, <span>Independent software Vendor (ISV)</span>, <span>IT Admin</span>, <span>IT Security</span>, <span>OAuth 2.0</span>, <span>RBAC</span>, <span>Thinfinity VirtualUI</span>, <span>Thinfinity Workspace</span>