
Application Group Configuration

To use Microsoft AD FS as an authentication provider for Huddo Boards, you will need to configure an Application Group.

  1. Open ADFS Management Console

    Click Add Application Group


  2. Enter a name for the Application Group

    Name: Huddo Boards

    Template: Server application accessing a web API

    Click Next


  3. Server application

    Tip

    Copy the Client Identifier

    This value is used as MSAD_CLIENT_ID in the Boards configuration and, in step 5, as the Identifier of the Web API. AD FS generates it for you; it is not a secret, but it must be copied exactly.

    Set the redirect URI to https://<BOARDS_URL>/auth/msad/callback and click Add. For example:

    • https://boards.example.com/auth/msad/callback or
    • https://connections.example.com/boards/auth/msad/callback


  4. Enable Generate a shared secret

    Warning

    Copy the newly generated client secret - this will not be shown again

    This value is used as MSAD_CLIENT_SECRET in the Boards configuration. Store it only in the secret store used for the Boards deployment; if it is lost, generate a new one from the Server application properties and update Boards.

    Click Next


  5. Web API - add the Identifier

    Identifier: <MSAD_CLIENT_ID> (from step 3)

    Note

    The Web API Identifier must match the Client Identifier from step 3. If it does not, the id_token issued at login will not carry the additional claims configured in step 14, and Boards will be unable to read the user's name and email.

    Click Add, then Next


  6. Access Control Policy

    Click Next


  7. Select the following scopes:

    • allatclaims - required so that the claims produced by the issuance transform rules (step 14) are included in the id_token
    • openid - required for authentication
    • email - required for the user's email
    • profile - required for the user's name

    Click Next


  8. Review the configuration and click Next


  9. Click Close


  10. Right click the newly created Application Group and select Properties


  11. Select the Web API

    Click Edit


  12. Click the Issuance Transform Rules tab

    Click Add Rule


  13. Select the Send LDAP Attributes as Claims template

    Click Next


  14. Configure claim rule

    Name: LDAP Attributes

    Select the attribute store - Active Directory

    Map the LDAP attributes to outgoing claim types (type the claim types in manually):

    LDAP Attribute        Outgoing Claim Type
    Display-Name          displayName
    E-Mail-Addresses      email
    objectGUID            objectGUID

    Warning

    The Outgoing Claim Type must be typed exactly as shown for Boards to use these values.

    Click Finish


  15. Click OK to save the changes


  16. Click OK to close the Application Group properties

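The same Application Group can be created from the AD FS PowerShell module instead of the management console, which is easier to review and repeat across environments. The script below is an added example and is not part of the Huddo Boards documentation or product; it assumes an elevated PowerShell session on the AD FS server, the application names shown, boards.example.com as BOARDS_URL, and the "Permit everyone" access control policy (the wizard default accepted in step 6). Unlike the console, where AD FS shows you the Client Identifier, here you supply it yourself and use the same value for the Web API Identifier.

```powershell
# Added example, not from the Huddo Boards page: build the AD FS Application Group
# from steps 1-16 with the ADFS module. Names, BOARDS_URL and the policy name are assumptions.
Import-Module ADFS

$groupName    = "Huddo Boards"
$boardsUrl    = "https://boards.example.com"          # assumed BOARDS_URL
$redirectUri  = "$boardsUrl/auth/msad/callback"
$clientId     = [guid]::NewGuid().ToString()          # becomes MSAD_CLIENT_ID

# Steps 1-2: the Application Group
New-AdfsApplicationGroup -Name $groupName -Description "Huddo Boards OpenID Connect client" | Out-Null

# Steps 3-4: Server application with redirect URI and a generated shared secret.
# With -GenerateClientSecret the returned object carries the secret in .ClientSecret;
# it is not retrievable later, so capture it here and hand it straight to your secret store.
$server = Add-AdfsServerApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Server application" `
    -Identifier $clientId `
    -RedirectUri $redirectUri `
    -GenerateClientSecret
$clientSecret = $server.ClientSecret                  # becomes MSAD_CLIENT_SECRET

# Step 14: claim rule equivalent to the "Send LDAP Attributes as Claims" template.
# The outgoing claim types must be exactly displayName, email and objectGUID;
# the LDAP attribute behind "E-Mail-Addresses" is mail.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("displayName", "email", "objectGUID"), query = ";displayName,mail,objectGUID;{0}", param = c.Value);
'@

# Steps 5-6 and 11-14: Web API whose Identifier equals the client id, with the
# default access control policy and the issuance transform rule above.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Web API" `
    -Identifier $clientId `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules $ldapRule | Out-Null

# Step 7: grant the server application the four scopes on the Web API.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $clientId `
    -ScopeNames "allatclaims", "openid", "email", "profile"

# Check before configuring Boards: scopes granted and claim rule applied.
$perm = Get-AdfsApplicationPermission -ClientRoleIdentifiers $clientId
foreach ($scope in "allatclaims", "openid", "email", "profile") {
    if ($perm.ScopeNames -notcontains $scope) { throw "Scope '$scope' was not granted" }
}
$api = Get-AdfsWebApiApplication -Identifier $clientId
if ($api.IssuanceTransformRules -notmatch 'objectGUID' -or $api.IssuanceTransformRules -notmatch '"email"') {
    throw "LDAP Attributes claim rule was not applied to the Web API"
}

# Output for the Boards configuration. The secret is deliberately not written to the
# console so it does not end up in transcripts or shell history; read it from $clientSecret.
"MSAD_CLIENT_ID=$clientId"
```

Running the script a second time fails at New-AdfsApplicationGroup because the group already exists; remove the group with Remove-AdfsApplicationGroup first, or run the remaining cmdlets individually against the existing group.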