Single Sign-On with Microsoft Active Directory FS

Enable OpenID Connect-based single-sign for applications proxied by NGINX Plus, using Microsoft AD FS as the identity provider (IdP).

This guide explains how to enable single sign-on (SSO) for applications being proxied by NGINX Plus. The solution uses OpenID Connect as the authentication mechanism, with Microsoft Active Directory Federation Services (AD FS) as the identity provider (IdP) and NGINX Plus as the relying party.

See Also:
You can find more information about the NGINX Plus OpenID Connect integration in the project’s GitHub repo.

Prerequisites

The instructions assume you have the following:

  • A running deployment of AD FS, either on‑premises or in Azure.

  • An NGINX Plus subscription and NGINX Plus R15 or later. For installation instructions, see the NGINX Plus Admin Guide.

  • The NGINX JavaScript module (njs), required for handling the interaction between NGINX Plus and the IdP. After installing NGINX Plus, install the module with the command for your operating system.

    For Debian and Ubuntu:

    sudo apt install nginx-plus-module-njs

    For CentOS, RHEL, and Oracle Linux:

    sudo yum install nginx-plus-module-njs

  • The following directive included in the top-level (“main”) configuration context in /etc/nginx/nginx.conf, to load the NGINX JavaScript module:

    load_module modules/ngx_http_js_module.so;

Configuring AD FS

Create an AD FS application for NGINX Plus:

  1. Open the AD FS Management window. In the navigation column on the left, right‑click on the Application Groups folder and select Add Application Group from the drop‑down menu.

    The Add Application Group Wizard window opens. The left navigation column shows the steps you will complete to add an application group.

  2. In the Welcome step, type the application group name in the Name field. Here we are using ADFSSSO. In the Template field, select Server application under Standalone applications. Click the  Next >  button.

  3. In the Server application step:

    1. Make a note of the value in the Client Identifier field. You will add it to the NGINX Plus configuration in Step 4 of Configuring NGINX Plus.

    2. In the Redirect URI field, type the URI of the NGINX Plus instance including the port number, and ending in /_codexch. Here we’re using https://my-nginx.example.com:443/_codexch. Click the  Add  button.

      Notes:

      • For production, we strongly recommend that you use SSL/TLS (port 443).
      • The port number is mandatory even when you’re using the default port for HTTP (80) or HTTPS (443).

  4. Click the  Next >  button.

  5. In the Configure Application Credentials step, click the Generate a shared secret checkbox. Make a note of the secret that AD FS generates (perhaps by clicking the Copy to clipboard button and pasting the clipboard content into a file). You will add the secret to the NGINX Plus configuration in Step 4 of Configuring NGINX Plus. Click the  Next >  button.

  6. In the Summary step, verify that the information is correct, make any necessary corrections to previous steps, and click the  Next >  button.

Configuring NGINX Plus

Configure NGINX Plus as the OpenID Connect relying party:

  1. Create a clone of the nginx-openid-connect GitHub repository.

    git clone https://github.com/nginxinc/nginx-openid-connect

  2. Copy these files from the clone to /etc/nginx/conf.d:

    • frontend.conf
    • openid_connect.js
    • openid_connect.server_conf
    • openid_connect_configuration.conf

  3. Get the URLs for the authorization endpoint, token endpoint, and JSON Web Key (JWK) file from the AD FS configuration. Run the following curl command in a terminal, piping the output to the indicated python command to output the entire configuration in an easily readable format. We’ve abridged the output to show only the relevant fields.

    $ curl https://<ADFS-server-address>/oidc/adfs/.well-known/openid-configuration | python -m json.tool
{
 ...
    "authorization_endpoint": "https://<ADFS-server-address>/oidc/adfs/auth",
    ...
    "jwks_uri": "https://<ADFS-server-address>/oidc/adfs/certs",
    ...
    "token_endpoint": "https://<ADFS-server-address>/oidc/adfs/token",
 ...
}

  4. In your preferred text editor, open /etc/nginx/conf.d/frontend.conf. Change the “default” parameter value of each of the following map directives to the specified value:

    • map $host $oidc_authz_endpoint – Value of authorization_endpoint from Step 3 (in this guide, https://<ADFS-server-address>/oidc/adfs/auth)
    • map $host $oidc_token_endpoint – Value of token_endpoint from Step 3 (in this guide, https://<ADFS-server-address>/oidc/adfs/token)
    • map $host $oidc_client – Value in the Client ID field from Step 3 of Configuring AD FS (in this guide, 3e23f0eb-9329-46ff-9d37-6ad24afdfaeb)
    • map $host $oidc_client_secret – Value in the Client secret field from Step 4 of Configuring AD FS (in this guide, NUeuULtSCjgXTGSkq3ZwEeCOiig4-rB2XiW_W)
    • map $host $oidc_hmac_key – A unique, long, and secure phrase

  5. Configure the JWK file. The procedure depends on which version of NGINX Plus you are using.

    • In NGINX Plus R17 and later, NGINX Plus can read the JWK file directly from the URL reported as jwks_uri in Step 3. Change /etc/nginx/conf.d/frontend.conf as follows:

      1. Comment out (or remove) the auth_jwt_key_file directive.
      2. Uncomment the auth_jwt_key_request directive. (Its parameter, /_jwks_uri, refers to the value of the $oidc_jwt_keyfile variable, which you set in the next step.)
      3. Change the second parameter of the set $oidc_jwt_keyfile directive to the value reported in the jwks_uri field in Step 3 (in this guide, https://<ADFS-server-address>/oidc/adfs/certs).

    • In NGINX Plus R16 and earlier, the JWK file must be on the local disk. (You can also use this method with NGINX Plus R17 and later if you wish.)

      1. Copy the JSON contents from the JWK file named in the jwks_uri field in Step 3 (in this guide, https://<ADFS-server-address>/oidc/adfs/certs) to a local file (for example, /etc/nginx/my_adfs_jwk.json).
      2. In /etc/nginx/conf.d/frontend.conf, change the second parameter of the set $oidc_jwt_keyfile directive to the local file path.

  6. Confirm that the user named by the user directive in the NGINX Plus configuration (in /etc/nginx/nginx.conf by convention) has read permission on the JWK file.

Testing

In a browser, enter the address of your NGINX Plus instance and try to log in using the credentials of a user who has access to the application.

Troubleshooting

See the Troubleshooting section at the nginx-openid-connect repository on GitHub.

Revision History

  • Version 2 (March 2020) – Updates to Configuring NGINX Plus section
  • Version 1 (December 2019) – Initial version (NGINX Plus Release 20)