
Can ADFS be configured to integrate with a non-AD user directory for SSO and return an access token?

Can ADFS Integrate with Non-AD User Directories for SSO?

Yes, with two qualifications. ADFS trusts external identity sources through its claims provider model, and the kind of trust you use depends on the source. An identity provider that speaks SAML 2.0 or WS-Federation is added as a Claims Provider Trust: users are redirected to that provider to authenticate, and ADFS accepts the assertion it returns. An LDAP v3 directory such as OpenLDAP is added as a Local Claims Provider Trust (ADFS on Windows Server 2016 and later, configurable only through PowerShell): ADFS's own sign-in form collects the user's password and binds to the directory with it. What ADFS cannot do is consume a plain OAuth 2.0 or OpenID Connect provider as a claims provider; if your source only speaks OIDC, you need a SAML-capable broker in front of it. Once a user from either kind of trust has signed in, ADFS can issue an OAuth 2.0 access token to your application.


Step-by-Step Setup for Non-AD Authentication & Access Token Generation

Here’s how to configure ADFS to authenticate users from a non-AD source and return a valid access token for SSO:

1. Create a Claims Provider Trust for Your Non-AD Source

This trust tells ADFS which external directory or identity provider is allowed to authenticate users:

  • For LDAP-based non-AD directories (e.g., OpenLDAP), create a Local Claims Provider Trust. There is no wizard for this in the ADFS Management Console; use the ADFS PowerShell module on the primary ADFS server:
    • Create an LDAP server connection with New-AdfsLdapServerConnection: the directory host and port, the SslMode (use LDAPS or TLS, because ADFS performs a simple bind with the user's own password), and a service account with read access to the directory.
    • Create the trust with Add-AdfsLocalClaimsProviderTrust: a display name, a unique identifier, the user container (e.g., ou=people,dc=example,dc=com), the user object class (e.g., inetOrgPerson), an anchor attribute that uniquely identifies a user (e.g., mail or uid), and the attribute-to-claim mappings described in step 2.
    • Optionally set an OrganizationalAccountSuffix (e.g., partner.example.com) so that a user who signs in as alice@partner.example.com is routed to this directory rather than to Active Directory.
  • For SAML 2.0 or WS-Federation identity providers:
    • Open the ADFS Management Console, go to Claims Provider Trusts → Add Claims Provider Trust.
    • Choose the option to import data about the claims provider from a URL or a file, and point it at the provider's federation metadata XML (for WS-Federation typically https://your-non-ad-idp/FederationMetadata/2007-06/FederationMetadata.xml; for SAML 2.0 the provider's metadata URL). An OpenID Connect discovery document (.well-known/openid-configuration) is not accepted here.
    • Finish the wizard, then open Edit Claim Rules to set up the acceptance transform rules described in step 2.

2. Configure Claim Rules to Map Non-AD User Attributes

ADFS needs to turn the attributes of a non-AD user into claims that flow through its claims pipeline and end up in the token. How you do that depends on the trust type:

  • For an LDAP Local Claims Provider Trust, attributes are mapped to claims on the trust itself, not with "Send LDAP Attributes as Claims" rules (those query the Active Directory attribute store, not a local claims provider). Build one mapping per attribute with New-AdfsLdapAttributeToClaimMapping and attach the set through the LdapAttributeToClaimMapping parameter, e.g.:
    • Map LDAP uid to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier (the stable user identifier).
    • Map LDAP mail to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
    • Map LDAP givenName to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname.
    Then set the trust's acceptance transform rules to admit the mapped claims into the pipeline; the simplest rule, c:[] => issue(claim = c);, passes every mapped claim through.
  • For a SAML/WS-Federation Claims Provider Trust, open the claim rules editor for the trust and add Pass Through or Transform rules so that the incoming claims (for example the SAML NameID or an email attribute) are issued under the claim types your application expects.

You can also use PowerShell to create the mappings and attach them to an existing Local Claims Provider Trust, for example:

$uidMap  = New-AdfsLdapAttributeToClaimMapping -LdapAttribute uid  -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$mailMap = New-AdfsLdapAttributeToClaimMapping -LdapAttribute mail -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
Set-AdfsLocalClaimsProviderTrust -TargetName "Your Non-AD LDAP" -LdapAttributeToClaimMapping @($uidMap, $mailMap)

3. Register Your Application in ADFS

ADFS only issues tokens to applications it knows about. A Relying Party Trust is the right object for a SAML or WS-Federation application; for an OAuth 2.0 / OpenID Connect application, which is what the /adfs/oauth2 endpoints in step 4 serve, you create an Application Group instead (ADFS 2016 and later):

  • Go to Application Groups → Add Application Group, or use Add-AdfsApplicationGroup.
  • Add a Server application (or a Native application for a public client) for the part of your app that performs the login: set its client identifier and redirect URI, and generate a client secret if it is a confidential client (Add-AdfsServerApplication -GenerateClientSecret). The secret is shown once; store it in your secret store.
  • Add a Web API for the resource the access token is meant for. Its identifier becomes the token's aud claim. Configure its Issuance Transform Rules to decide which claims go into the access token, for example pass-through rules for nameidentifier and emailaddress only.
  • Grant the client permission to the Web API (Grant-AdfsApplicationPermission) with the scopes it is allowed to request, such as openid and email.
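The following script carries steps 1 to 3 through end to end for an OpenLDAP directory and a confidential OIDC client. It is an added example, not configuration from the original answer or from Microsoft's documentation; the host names, container DN, suffix, identifiers and URIs are assumptions for illustration, and it is meant to be run as an ADFS administrator on the primary ADFS server (Windows Server 2016 or later).

```powershell
# Added example: ADFS configuration for an OpenLDAP directory plus an OIDC client.
# Host names, containers, identifiers and URIs below are assumed placeholder values.
Import-Module ADFS

# --- Step 1: LDAP server connection and Local Claims Provider Trust -----------------
# Use LDAPS: the trust performs a simple bind with the user's own password.
$ldapCred = Get-Credential -Message "Read-only service account for ldap.example.com"
$ldap = New-AdfsLdapServerConnection -HostName "ldap.example.com" -Port 636 -SslMode Ssl `
          -AuthenticationMethod Basic -Credential $ldapCred

# --- Step 2: attribute-to-claim mappings (anchor attribute = mail) -----------------
$ns = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
$mappings = @(
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute uid       -ClaimType "$ns/nameidentifier"
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute mail      -ClaimType "$ns/emailaddress"
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "$ns/givenname"
)

Add-AdfsLocalClaimsProviderTrust -Name "Partner LDAP" -Identifier "urn:partner-ldap" -Type Ldap `
    -LdapServerConnection $ldap `
    -UserObjectClass inetOrgPerson -UserContainer "ou=people,dc=example,dc=com" `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute mail -AnchorClaimType "$ns/emailaddress" `
    -LdapAttributeToClaimMapping $mappings `
    -OrganizationalAccountSuffix "partner.example.com" `
    -AcceptanceTransformRules "c:[] => issue(claim = c);" `
    -Enabled $true

# --- Step 3: OAuth 2.0 / OIDC application group ------------------------------------
$clientId = "partner-portal-client"
$apiId    = "https://portal.example.com/api"   # becomes the access token's aud claim

Add-AdfsApplicationGroup -Name "PartnerPortal" -Description "Partner portal (LDAP users)"

$client = Add-AdfsServerApplication -ApplicationGroupIdentifier "PartnerPortal" `
    -Name "PartnerPortal Web" -Identifier $clientId `
    -RedirectUri "https://portal.example.com/signin-oidc" -GenerateClientSecret
# The generated secret is returned exactly once; hand it to the app's secret store now.
$client.ClientSecret

# Issuance transform rules decide what lands in the access token: only the two
# claims the app needs, nothing else from the directory.
$issuanceRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through user id"
c:[Type == "$ns/nameidentifier"] => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through email"
c:[Type == "$ns/emailaddress"] => issue(claim = c);
"@

Add-AdfsWebApiApplication -ApplicationGroupIdentifier "PartnerPortal" `
    -Name "PartnerPortal API" -Identifier $apiId `
    -IssuanceTransformRules $issuanceRules `
    -AccessControlPolicyName "Permit everyone"

# Allow the client to request tokens for the API with these scopes.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $apiId -ScopeNames "openid", "email"
```

The access control policy "Permit everyone" only means every authenticated user may obtain a token for the API; who can authenticate at all is still bounded by the user container and object class on the Local Claims Provider Trust, so scope that container as narrowly as the directory layout allows.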

4. Test the Flow & Retrieve the Access Token

Once everything is set up, test the SSO flow and get your access token:

  1. Initiate the authorization request to ADFS's OAuth2 endpoint, naming the Web API you want a token for with the resource parameter and carrying an unguessable state value that your app checks when the browser comes back:
    GET https://<your-adfs-server>/adfs/oauth2/authorize?client_id=<your-app-client-id>&response_type=code&redirect_uri=<your-app-redirect-uri>&resource=<your-web-api-identifier>&scope=openid%20email&state=<random-value>
    
  2. What the user sees depends on the trust type. For an LDAP Local Claims Provider Trust, ADFS shows its own forms sign-in page; the user name suffix (or the home realm discovery page, when several trusts are enabled) selects the directory, and ADFS binds to the LDAP server with the supplied password. For a SAML/WS-Federation Claims Provider Trust, the user is redirected to that provider's login page and returns with an assertion. After successful authentication, ADFS redirects the browser to your app's redirect URI with an authorization code and your state value.
  3. Exchange the code for an access token by sending a POST request to ADFS's token endpoint:
    POST https://<your-adfs-server>/adfs/oauth2/token
    Content-Type: application/x-www-form-urlencoded
    
    client_id=<your-app-client-id>&client_secret=<your-app-client-secret>&code=<authorization-code>&redirect_uri=<your-app-redirect-uri>&grant_type=authorization_code
    
  4. The response includes an access_token (a JWT signed by ADFS) and, because you requested the openid scope, an id_token describing the signed-in user. Use the access token to call the Web API and the id_token to establish the user's session in the app, and do not treat either as proof of who the user is until you have validated it (see Token Validation below).

Critical Things to Remember
  • Network Connectivity: Ensure every ADFS server in the farm can reach the non-AD directory (TCP 389 or 636), and that the user's browser can reach a federated IdP over HTTPS, since that redirect happens in the browser, not on the ADFS server. Prefer LDAPS (636) or TLS: with an LDAP Local Claims Provider Trust, ADFS forwards the user's password in a simple bind, so a cleartext connection exposes it on the wire.
  • Limits of LDAP support: Local Claims Provider Trusts support forms-based (password) authentication only; Windows Integrated Authentication and certificate authentication are not available to these users. For a non-AD source whose authentication cannot be expressed as an LDAP bind or as a SAML/WS-Federation federation (for example a second factor specific to that system), you would have to write a custom ADFS external authentication provider, an implementation of IAuthenticationAdapter, which is considerably more work.
  • Token Validation: ADFS signs access tokens with its token-signing key. Your app must check the signature against ADFS's public keys, published at https://<your-adfs-server>/adfs/discovery/keys (the jwks_uri in https://<your-adfs-server>/adfs/.well-known/openid-configuration), and must also reject a token whose alg is not the one it expects, whose iss does not match the issuer in the discovery document, whose aud is not its own Web API identifier, or whose exp has passed.
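The following script shows the application side of step 4 together with the token checks listed above: it redeems the authorization code at the token endpoint and then validates the returned access token (signature against the published keys, pinned algorithm, issuer, audience, lifetime). It is an added example, not code from the original answer; the ADFS host, client id and secret, redirect URI and Web API identifier are assumptions, and the authorization code is whatever ADFS delivered to your redirect URI. It needs Windows PowerShell 5.1 or PowerShell 7 on .NET 4.6 or later.

```powershell
# Added example: redeem an authorization code at ADFS and validate the access token
# before trusting any claim in it. Host names and identifiers are assumed values.

function ConvertFrom-Base64Url {
    param([string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    # Leading comma keeps the byte[] intact instead of unrolling it into the pipeline.
    , [Convert]::FromBase64String($s)
}

function Get-AdfsTokens {
    param(
        [string]$AdfsHost, [string]$ClientId, [string]$ClientSecret,
        [string]$RedirectUri, [string]$Code
    )
    # Form-encoded POST to the token endpoint (step 4.3). Invoke-RestMethod sends a
    # hashtable body as application/x-www-form-urlencoded.
    Invoke-RestMethod -Method Post -Uri "https://$AdfsHost/adfs/oauth2/token" -Body @{
        grant_type    = 'authorization_code'
        client_id     = $ClientId
        client_secret = $ClientSecret
        redirect_uri  = $RedirectUri
        code          = $Code
    }
}

function Test-AdfsAccessToken {
    param([string]$Token, [string]$AdfsHost, [string]$ExpectedAudience)

    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS" }
    $header  = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    $payload = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json

    # Pin the algorithm before touching the signature: a token claiming alg=none or an
    # HMAC algorithm must never be "verified" against an RSA public key.
    if ($header.alg -ne 'RS256') { throw "Unexpected alg '$($header.alg)'" }

    # Issuer and key set come from ADFS's discovery document, never from the token.
    $conf = Invoke-RestMethod -Uri "https://$AdfsHost/adfs/.well-known/openid-configuration"
    $jwks = Invoke-RestMethod -Uri $conf.jwks_uri
    $key  = $jwks.keys | Where-Object { $_.kid -eq $header.kid }
    if (-not $key) { throw "No ADFS signing key with kid '$($header.kid)'" }

    $rsaParams = New-Object System.Security.Cryptography.RSAParameters
    $rsaParams.Modulus  = ConvertFrom-Base64Url $key.n
    $rsaParams.Exponent = ConvertFrom-Base64Url $key.e
    $rsa = [System.Security.Cryptography.RSA]::Create()
    $rsa.ImportParameters($rsaParams)

    # RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of "<header>.<payload>".
    $signedData = [Text.Encoding]::ASCII.GetBytes("$($parts[0]).$($parts[1])")
    $signature  = ConvertFrom-Base64Url $parts[2]
    $ok = $rsa.VerifyData($signedData, $signature,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    if (-not $ok) { throw "Access token signature does not verify" }

    # Claims checks: right issuer, meant for this API, inside its lifetime (60 s skew).
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if ($payload.iss -ne $conf.issuer) { throw "Unexpected issuer '$($payload.iss)'" }
    if (-not ($payload.aud -contains $ExpectedAudience)) { throw "Token not issued for $ExpectedAudience" }
    if ($payload.exp -le ($now - 60)) { throw "Token expired" }
    if ($payload.nbf -and $payload.nbf -gt ($now + 60)) { throw "Token not yet valid" }

    return $payload   # only now are claims such as the email address trustworthy
}

# Usage (all values are assumptions; $code is the authorization code from the redirect):
# $tokens = Get-AdfsTokens -AdfsHost adfs.example.com -ClientId partner-portal-client `
#              -ClientSecret $secret -RedirectUri https://portal.example.com/signin-oidc -Code $code
# $claims = Test-AdfsAccessToken -Token $tokens.access_token -AdfsHost adfs.example.com `
#              -ExpectedAudience https://portal.example.com/api
```

Fetching the discovery document and key set on every request is fine for a test; a production app should cache them and refresh when it meets an unknown kid, which is also how it rides out ADFS's automatic certificate rollover.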

The question is sourced from Stack Exchange and was asked by user217648.
