Authenticate users via on-premise Active Directory Federation Services (AD FS) #6622
-
I was reading the documentation and found that NextAuth is able to authenticate via Azure Active Directory, but I can't find any examples for using an on-premise Active Directory service, specifically Active Directory Federation Services (AD FS). Is this possible using NextJS? And if so: I assume that I have to write a custom implementation for it. Are there any examples?
Replies: 2 comments 2 replies
-
Bumping on this, were you able to find any resources/examples or did you implement your own custom provider and would be willing to share?
-
I ended up implementing my own custom provider for ADFS. Here's what I created 2 years ago:

```ts
import { OAuthConfig, OAuthUserConfig } from "next-auth/providers"

export interface ADFSProfile extends Record<string, any> {
  /**
   * The subject of the JWT (user)
   */
  sub: string;
  /**
   * The display name of the user
   */
  unique_name: string;
  /**
   * The company email address of the user.
   */
  email: string;
  /**
   * The assigned role(s) of the user.
   */
  role: string | string[];
}

/**
 * Configures Active Directory Federation Services as a NextAuth provider.
 */
export default function ADFS<P extends ADFSProfile>(
  options: OAuthUserConfig<P> & {
    /**
     * The OAuth Authorize URL
     */
    authorizeUrl: string;
  }
): OAuthConfig<P> {
  return {
    id: "adfs",
    name: "ADFS (SSO)",
    type: "oauth",
    authorization: {
      url: options.authorizeUrl,
      params: {
        scope: "openid profile email",
      },
    },
    // Read the user profile from the id_token claims instead of a userinfo endpoint.
    idToken: true,
    // @ts-ignore -- the returned user carries extra fields (role, idToken)
    async profile(profile: P, tokens) {
      // Usually the user only has one role, which is a string.
      let role = profile.role;
      if (Array.isArray(profile.role)) {
        // In rare occasions where the user has multiple roles,
        // the 'Administrator' role is the leading role.
        const opRole = profile.role.find((x) => x === "Administrator");
        if (opRole !== undefined) {
          // If the user has the 'Administrator' role, this will be the assigned role.
          role = opRole;
        } else {
          // Otherwise, take the first occurrence in the list.
          role = profile.role[0];
        }
      }
      return {
        id: profile.sub,
        name: profile.unique_name,
        email: profile.email,
        role: role,
        idToken: tokens.id_token,
      };
    },
    // Caller-supplied settings (clientId, clientSecret, ...) are merged over the defaults above.
    options,
  };
}
```

It's important to set up your ADFS correctly, e.g. configuring outgoing claims for roles (group membership) or any other LDAP property you may need for your situation.
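The role handling in the provider above is the part that decides what the application ends up trusting, so here is an added example (an editor's illustration, not the poster's code and not part of next-auth) that generalizes it: instead of "Administrator wins, otherwise the first entry", it resolves the `role` claim against a fixed precedence list and a closed allow-list, and returns `null` for a missing claim, an empty array, or values the application does not know. The claim names (`sub`, `unique_name`, `email`, `role`) follow the post; the role names, the SIDs and the sample claims are constructed for the example and are not from a real AD FS deployment.

```typescript
// Added example: normalise the AD FS `role` claim into one application role.
// Claim names follow the discussion above; role names and sample data are assumptions.

interface AdfsClaims {
  sub: string;
  unique_name?: string;
  email?: string;
  // AD FS emits a string for one role and an array when several groups map to roles.
  role?: string | string[];
}

interface AppUser {
  id: string;
  name: string | null;
  email: string | null;
  role: AppRole | null;
}

// Closed allow-list of roles the application understands (hypothetical names).
const ALLOWED_ROLES = ["Administrator", "Operator", "Viewer"] as const;
type AppRole = (typeof ALLOWED_ROLES)[number];

// Highest privilege first: the first allowed role found in the claim wins.
const PRECEDENCE: readonly AppRole[] = ["Administrator", "Operator", "Viewer"];

// Returns the highest-precedence allowed role present in the claim, or null when
// the claim is absent, empty, or contains only names outside the allow-list.
// Unknown group names are dropped rather than passed through to the session.
function resolveRole(claim: string | string[] | undefined | null): AppRole | null {
  if (claim == null) return null;
  const values = (Array.isArray(claim) ? claim : [claim])
    .map((v) => v.trim())
    .filter((v) => v.length > 0);
  for (const candidate of PRECEDENCE) {
    if (values.includes(candidate)) return candidate;
  }
  return null;
}

// Maps the id_token claims to the user object the application stores in its session.
function toAppUser(claims: AdfsClaims): AppUser {
  return {
    id: claims.sub,
    name: claims.unique_name ?? null,
    email: claims.email ?? null,
    role: resolveRole(claims.role),
  };
}

// Constructed sample claims (not captured from a real AD FS server).
const SAMPLE_SINGLE: AdfsClaims = {
  sub: "S-1-5-21-1-2-3-1001",
  unique_name: "CONTOSO\\jdoe",
  email: "jdoe@contoso.example",
  role: "Viewer",
};
const SAMPLE_MULTI: AdfsClaims = {
  sub: "S-1-5-21-1-2-3-1002",
  unique_name: "CONTOSO\\asmith",
  email: "asmith@contoso.example",
  role: ["Viewer", "Administrator", "Operator"],
};
const SAMPLE_UNKNOWN: AdfsClaims = {
  sub: "S-1-5-21-1-2-3-1003",
  unique_name: "CONTOSO\\guest",
  email: "guest@contoso.example",
  role: ["HelpDesk", "Domain Users"],
};
const SAMPLE_MISSING: AdfsClaims = {
  sub: "S-1-5-21-1-2-3-1004",
  unique_name: "CONTOSO\\svc-build",
};

for (const sample of [SAMPLE_SINGLE, SAMPLE_MULTI, SAMPLE_UNKNOWN, SAMPLE_MISSING]) {
  const user = toAppUser(sample);
  console.log(`${user.id} -> role=${user.role ?? "none"}`);
}
```

Returning `null` instead of the first unknown string keeps an unexpected AD FS group name from turning into an application role; the application then decides whether a user with no role may sign in at all. For the provider itself, if you are on next-auth v4 the `wellKnown` option can point at the server's `/adfs/.well-known/openid-configuration` so that the token and JWKS endpoints are discovered and the id_token signature is checked against the published keys, rather than configuring only the authorize URL by hand.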