Tags: oauth-2.0, jwt, adfs, windows-server-2016, adfs4.0

Windows Server 2016 AD FS 4.0 to Authenticate External Web Application with OAUTH JWT and Shared Secret


We are trying to get a SaaS product to authenticate against our AD FS 4.0 services running on Windows Server 2016.

The web application is set up for SSO using JWT and allows us to set up a Shared Secret, Login URL and Logout URL.

I got the app to redirect to the AD FS login screen https://hostname/adfs/oauth2/authorize and authenticate against active directory. From there it returns a code value that I know needs to go to https://hostname//adfs/oauth/token but here I'm stuck.

Do I need to build a web service that receives the code from the authorize endpoint, posts it to the token endpoint, and then redirects back to the web app with the JWT? Or can AD FS do this on its own if I configure it correctly?

What I want is for the web app to redirect to the AD FS login screen (done), AD FS to authenticate against AD (done) and then (do magic) and redirect back to the web app with the JWT.

EDIT:

The following is what I want with Server 2016 AD FS 4.0. Will I need to create my own ADFS/AUTHORIZE->code->ADFS/TOKEN->jwt->Application URL handling service?

https://support.zendesk.com/hc/en-us/articles/203663816-Setting-up-single-sign-on-with-JWT-JSON-Web-Token-

UPDATE:

It does appear you have to have control over the client application, which is not the case when you're using a 3rd party SaaS. Therefore we need to implement a myapi such that:

  1. SaaS redirects to /adfs/oauth2/authorize
  2. AD FS redirects to /myapi/?code=ab2..3cf
  3. myapi posts code to /adfs/oauth2/token
  4. AD FS response contains JWT
  5. myapi redirects to SaaS with /?jwt=token

Solution

  • This flow is called the Authorisation Code Grant.

    Good diagram here.

    Get the code, send it to the /token endpoint, get the access token, send it to the API in the Authorisation header.

    If the SaaS product has an OpenID Connect stack, it should do this automatically. The SaaS product needs to drive the flow.

    Update:

    The only thing you need to do with ADFS is configure it. No programming required.

    You need to code the client side.

    Client sends to /authorize endpoint.

    ADFS responds with code.

    Client sends code to /token endpoint.

    ADFS responds with token.

    Client sends token to API.
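The relay described in the question's update (steps 2 to 5) and in the answer's client-side steps, as an added example that is not from the original post or from any AD FS or SaaS documentation: it checks the OAuth state parameter, redeems the code at /adfs/oauth2/token, and mints the HS256 JWT signed with the SaaS shared secret before redirecting. The SaaS login URL, the client_id and redirect_uri registered in AD FS, the AD FS claim names (unique_name, upn) and the SaaS claim set (iat, jti, name, email) are assumptions, and the HTTP POST is injected so the code runs offline.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

ADFS_TOKEN_URL = "https://hostname/adfs/oauth2/token"  # AD FS 4.0 token endpoint from the question
SAAS_LOGIN_URL = "https://saas.example/access/jwt"     # assumed SaaS JWT login URL
SHARED_SECRET = b"SAAS_SHARED_SECRET_PLACEHOLDER"      # the secret configured in the SaaS SSO settings

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_claims(token: str) -> dict:
    """Payload of a JWT. In production, verify the AD FS signature against the keys
    published at /adfs/discovery/keys before trusting any claim read here."""
    return json.loads(b64url_decode(token.split(".")[1]))

def hs256_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256-signed JWT; the SaaS validates it with the shared secret (assumption)."""
    seg = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{seg({'alg': 'HS256', 'typ': 'JWT'})}.{seg(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims if the HS256 signature matches, otherwise raise (what the SaaS side does)."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

def handle_callback(query: dict, expected_state: str, post) -> str:
    """myapi's /myapi/?code=... handler: redeem the code, then build the SaaS redirect URL.
    `post(url, form)` performs the HTTP POST and returns the parsed JSON response."""
    # Reject callbacks whose state does not match the one issued to this browser session.
    if not hmac.compare_digest(query.get("state", ""), expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    resp = post(ADFS_TOKEN_URL, {"grant_type": "authorization_code", "code": query["code"],
                                 "client_id": "myapi",                       # assumed AD FS client id
                                 "redirect_uri": "https://hostname/myapi/"}) # assumed registered URI
    adfs = jwt_claims(resp["access_token"])
    saas_claims = {"iat": int(time.time()), "jti": secrets.token_hex(16),  # fresh jti blocks replay
                   "name": adfs["unique_name"], "email": adfs["upn"]}      # assumed AD FS claim names
    return f"{SAAS_LOGIN_URL}?{urlencode({'jwt': hs256_jwt(saas_claims, SHARED_SECRET)})}"
```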