Active Directory Federation Services using OIDC

Follow the steps below to configure single sign-on (SSO) for Claris Studio with your Active Directory (AD) instance’s Federation Services using OpenID Connect (OIDC). To establish trust between your AD instance and your Claris Studio team, you’ll need to:

  • Create an application group.

  • Add transform rules.

  • Enter data in Claris Studio.

Open the Claris Studio setup page

  1. Sign in to your Claris Studio team.

  2. Click the Users tab on the left, then click Configure External IdP.

    Claris Studio external IdP settings

  3. In the Configure External Identity Provider dialog, for Protocol, choose OIDC. Keep this page open to come back to later.

Add an application group

  1. In your Windows Server instance, sign in with your administrator account. From the Start menu, click Windows Administrative Tools under the Windows Server section on the right.

    Active Directory Federation Services, admin tools

  2. In the new File Explorer window, open the AD FS Management shortcut.

    Active Directory Federation Services, management shortcut

  3. In the left sidebar of the AD FS window, right-click Application Groups > Add Application Group.

    Active Directory Federation Services, add app group

  4. In the wizard, give your new integration a name to distinguish it from any other integrations you might have, then select the Server application accessing a web API option. Click Next.

    Active Directory Federation Services, app group wizard template, web API

  5. In Claris Studio, copy the Application Redirect URL (see “Open the Claris Studio setup page” earlier) and paste it in the Redirect URI field, then click Add.

    Additionally, copy the Client Identifier value and save it somewhere secure where you can retrieve it later. When you’re finished, click Next.

    Active Directory Federation Services, app group wizard, redirect URI

  6. Select the Generate a shared secret option, then click Copy to clipboard. Paste the value somewhere secure where you can retrieve it later.

    Be sure to label it as separate from the Client Identifier you saved in the previous step. When you’re finished, click Next.

    Active Directory Federation Services, app group wizard, shared secret

  7. Copy the Client Identifier you saved earlier and paste it into the Identifier field, then click Add. Click Next.

    Active Directory Federation Services, app group wizard, client identifier

  8. Choose an access level for your Active Directory users who should be able to access the integration. Leave Permit everyone selected if anyone should be able to access your Claris Studio team. Click Next.

    Active Directory Federation Services, app group wizard, access control policy

  9. For Permitted scopes, be sure that the following items are selected. Some may already be selected.

    • allatclaims

    • email

    • openid

    • profile

    Click Next.

    Active Directory Federation Services, app group wizard, app permissions

  10. On the Summary screen, click Next.

    Active Directory Federation Services, app group wizard, summary

Add transform rules

  1. In the AD FS window, double-click the application group that you just added. Then under Web API, select the row for your integration and click Edit.

    Active Directory Federation Services, Claris Studio OIDC group properties

  2. In the Web API Properties dialog for your application, click the Issuance Transform Rules tab. Then click Add Rule.

    Active Directory Federation Services, web API issuance transform rules

  3. In the wizard to add claims, for Claim rule template, leave Send LDAP Attributes as Claims selected. Then click Next.

    Active Directory Federation Services, transform claim wizard, LDAP attributes

  4. For Claim rule name, give the claim rule a descriptive name. For Attribute store, select Active Directory. Then add one row for each of the following LDAP attribute mappings.

    The LDAP Attribute can be selected from the drop-down menu or autocompleted, but values for Outgoing Claim Type must be entered exactly as shown, because they are case sensitive.

    • E-Mail-Addresses → email

    • Given-Name → Given Name

    • Surname → Family Name

    Active Directory Federation Services, transform claim wizard, rule name

    Click Finish when done.

    Active Directory Federation Services, web API properties issuance transform rules

    Finally, in the dialog, click Apply.
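The same claim rules and scope grants can be applied and verified from PowerShell on the AD FS server. This is an added example, not part of the Claris documentation or the AD FS wizard output; it assumes the Web API entry was named “Claris Studio” in the wizard (placeholder name) and uses the standard ADFS module cmdlets.

```powershell
# Added example (not from the Claris documentation). Assumes the Web API entry
# was named 'Claris Studio' in the application group wizard (placeholder).
Import-Module ADFS

$webApiName = 'Claris Studio'   # assumption: the name chosen in the wizard

# Claim rule language equivalent of the three wizard rows:
#   E-Mail-Addresses -> email, Given-Name -> Given Name, Surname -> Family Name
# mail, givenName and sn are the LDAP attribute names behind those display names.
# Outgoing claim types are case sensitive, so they are copied exactly as the doc shows.
$rule = @'
@RuleName = "Claris Studio attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email", "Given Name", "Family Name"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Note: this replaces the whole issuance transform rule set for the Web API,
# so include any other rules the integration already relies on in $rule.
Set-AdfsWebApiApplication -TargetName $webApiName -IssuanceTransformRules $rule

# Read the rules back and confirm every outgoing claim type Claris Studio expects is present.
$webApi  = Get-AdfsWebApiApplication -Name $webApiName
$applied = $webApi.IssuanceTransformRules
foreach ($type in 'email', 'Given Name', 'Family Name') {
    if ($applied -notmatch [regex]::Escape("`"$type`"")) {
        Write-Warning "Outgoing claim type '$type' is missing from the issuance transform rules"
    }
}

# Confirm the permitted scopes from the wizard (allatclaims, email, openid, profile)
# were actually granted to the client against this Web API.
$required = 'allatclaims', 'email', 'openid', 'profile'
$grants   = Get-AdfsApplicationPermission -ServerRoleIdentifiers $webApi.Identifier
foreach ($grant in $grants) {
    $missing = $required | Where-Object { $_ -notin $grant.ScopeNames }
    if ($missing) {
        Write-Warning "Client $($grant.ClientRoleIdentifier) lacks scopes: $($missing -join ', ')"
    } else {
        Write-Output "Client $($grant.ClientRoleIdentifier) has all required scopes"
    }
}
```

Run this in an elevated PowerShell session on the AD FS server after completing the wizard; a warning means the corresponding wizard step should be rechecked before handing the Application Login URL to users.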

Enter values into Claris Studio

  1. Go back to the Claris Studio page you opened earlier (see “Open the Claris Studio setup page”).

  2. In the Configure External Identity Provider dialog, for Protocol, choose OIDC, then provide the following information:

    • Client ID: the Client Identifier token you stored in step 4 of “Add an application group”

    • Client Secret: the Client Secret token you stored in step 5 of “Add an application group”

    • Metadata URL: https://<AD FS Domain>/adfs/.well-known/openid-configuration where <AD FS Domain> is your AD FS domain name or IP address

  3. Select one or more Default Groups that you want to sign in using this external IdP, then click Apply.

    If you have no groups, you can create one here and add users to it later. See Work with groups for more information.

    Claris Studio, Active Directory Federation Services OIDC external IdP configuration

  4. On the Users page, copy the link labeled Application Login URL and provide it to users. Using this URL enables them to sign in to Claris Studio with their SSO credentials.