Configure ADFS

Set up Active Directory Federation Services (ADFS) as your identity provider.

Requirement: ADFS 2016 or later, which is needed for OIDC support.

Before you start, find your callback URL on the Configure SSO page: {gatewayUrl}/api/auth/callback/adfs.

1. Create an Application Group

  1. Open ADFS Management Console
  2. Right-click Application Groups → Add Application Group
  3. Enter a name (e.g. "Willow Integration")
  4. Select template: Server application accessing a web API
  5. Select Next

2. Configure the Server Application

  1. Note the Client Identifier (GUID); this is your Client ID
  2. Add Redirect URI: {gatewayUrl}/api/auth/callback/adfs
  3. Select Next

3. Generate a Client Secret

  1. Select Generate a shared secret
  2. Copy and save the Client Secret immediately (shown only once)
  3. Select Next

4. Configure the Web API

  1. Set Identifier to the same Client ID from step 2
  2. Choose your Access Control Policy
  3. Select Next

5. Configure Application Permissions

Check these scopes: openid, email, profile → select Next, then Close.

6. Configure Claims

  1. Right-click your Application Group → Properties
  2. Select the Web API → Edit
  3. Go to Issuance Transform Rules → Add Rule → Send LDAP Attributes as Claims
  4. Map each LDAP attribute to its outgoing claim type:
    • E-Mail-Addresses → email
    • Display-Name → name
    • User-Principal-Name → upn
  5. Select OK

For more details, see Microsoft's guide to AD FS OpenID Connect/OAuth flows and application scenarios.

Finish in Willow

  1. Go to Admin → Settings → Authentication Settings
  2. Select Provider: ADFS
  3. Enter:
    • Client ID: the GUID from step 2
    • Client Secret: the secret from step 3
    • Issuer: your ADFS issuer URL, e.g. https://adfs.example.com/adfs
  4. Select Save Changes

Screenshot: ADFS SSO provider configured in Willow Authentication Settings

Troubleshoot

  • Verify the issuer URL ends with /adfs
  • Test OIDC discovery: visit {issuer}/.well-known/openid-configuration. You should get a JSON response.
  • Ensure claim rules are configured (email, name, upn)
  • ADFS versions before 2016 support only SAML, which is not compatible with Willow
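The discovery check above, and the callback URL from the top of the page, can be scripted. The following is an added example (not Willow's or Microsoft's code) that validates an ADFS discovery document against what this integration needs: an https issuer ending in /adfs, a matching `issuer` value, the endpoints an OIDC client uses, the openid/email/profile scopes and authorization-code support. The discovery JSON is a constructed, trimmed sample shaped like what ADFS 2016 returns; the hostnames are placeholders.

```python
import json

# Constructed sample, shaped like the JSON ADFS 2016 serves at
# {issuer}/.well-known/openid-configuration (trimmed to the keys checked here).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://adfs.example.com/adfs",
    "authorization_endpoint": "https://adfs.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.com/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
    "scopes_supported": ["openid", "email", "profile"],
    "response_types_supported": ["code", "id_token", "code id_token"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = {"openid", "email", "profile"}  # the scopes checked in step 5


def discovery_url(issuer: str) -> str:
    """Where the troubleshooting step says to look for the discovery document."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def callback_url(gateway_url: str) -> str:
    """The Redirect URI registered on the ADFS server application (step 2)."""
    return gateway_url.rstrip("/") + "/api/auth/callback/adfs"


def check_discovery(issuer: str, body: str) -> list[str]:
    """Return a list of problems; an empty list means the issuer looks ready."""
    problems = []
    if not issuer.startswith("https://"):
        problems.append("issuer must use https")
    if not issuer.rstrip("/").endswith("/adfs"):
        problems.append("issuer URL should end with /adfs")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        # A non-JSON body usually means a pre-2016 ADFS or the wrong URL.
        return problems + ["discovery response is not JSON (old ADFS or wrong URL?)"]
    if doc.get("issuer") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    for key in REQUIRED_ENDPOINTS:
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"missing or non-https {key}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    return problems


if __name__ == "__main__":
    for line in check_discovery("https://adfs.example.com/adfs", SAMPLE_DISCOVERY) or ["ok"]:
        print(line)
```

To check a live server, fetch `discovery_url(issuer)` over HTTPS and pass the response body to `check_discovery`.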