Using ADFS with OpenID Connect Authenticator extension

Hi,

I’m trying to implement SSO by using the OpenID Connect Authenticator extension with ADFS as the federation provider.

When I log in to XWiki using the ADFS login page I get the following error 500:

# HTTP Status 500 – Internal Server Error

**Type** Exception Report

**Message** Failed to handle Resource Reference [path = authenticator/callback, endpoint = authenticator, pathSegments = [callback]]

**Description** The server encountered an unexpected condition that prevented it from fulfilling the request.

**Exception**

```
javax.servlet.ServletException: Failed to handle Resource Reference [path = authenticator/callback, endpoint = authenticator, pathSegments = [callback]]
    org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:161)
    org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
    org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
```

**Root Cause**

```
org.xwiki.resource.ResourceReferenceHandlerException: Failed to handle http servlet request
    org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:110)
    org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
    org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
    org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:159)
    org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
    org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
```

**Root Cause**

```
org.xwiki.contrib.oidc.provider.internal.OIDCException: Failed to get user info:invalid_token
    org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.updateUserInfo(OIDCUserManager.java:187)
    org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.updateUserInfo(OIDCUserManager.java:162)
    org.xwiki.contrib.oidc.auth.internal.endpoint.CallbackOIDCEndpoint.handle(CallbackOIDCEndpoint.java:197)
    org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:134)
    org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:108)
    org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
    org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
    org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:159)
    org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
    org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
```

In ADFS I created an application group containing a server application and a web application:
[screenshot: XWiki ADFS app]

My xwiki.properties is as follows:

```
oidc.endpoint.authorization=https://***/adfs/oauth2/authorize/
oidc.endpoint.token=https://***/adfs/oauth2/token/
oidc.endpoint.userinfo=https://***/adfs/userinfo
oidc.endpoint.logout=https://***/adfs/oauth2/logout

oidc.scope=openid,profile,email

oidc.userinfoclaims=

# (generated by ADFS)
oidc.secret=mu***kH

oidc.clientid=14***70
```

Whenever I change the relying party identifier in the web application to my XWiki url I am able to login but there is no user info. I also played with the properties to no avail.

I’m pretty lost at this moment and am not sure where to look for the problem. Can anybody point me in some direction?

Thanks in advance,

Ewan

This error suggests that the userinfo endpoint does not accept the token that was given to the authenticator by the token endpoint.

Unfortunately I don’t know anything about ADFS, so I won’t be of much other help to figure out the right configuration.

Since that userinfo endpoint does not seem to be an OIDC endpoint, it might need some specific info. It’s possible to customize the userinfo request a bit beyond the strict OIDC protocol, but you will need to hunt down what exactly this endpoint needs. For example, the error seems to suggest that the OIDC way the token is sent by the authenticator is not what this endpoint expects, so you could try playing with `oidc.endpoint.userinfo.method` first (the token is sent in a totally different way with GET or POST).
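The reply above points at the two ways an access token can reach a userinfo endpoint. The script below is an added diagnostic example, not code from this thread or from the XWiki OIDC authenticator extension: it builds the userinfo request both ways (bearer token in the `Authorization` header for GET, `access_token` form parameter for POST, the two forms OIDC Core and RFC 6750 allow), reads the RFC 6750 `error` from the `WWW-Authenticate` header of a rejection, and decodes the claims of a JWT-shaped token without verifying it so you can compare `aud` and `exp` against what the endpoint expects. The endpoint URLs, tokens and the `demo_transport` responses are constructed placeholders; pass your own endpoint and token with the default transport to probe a real IdP.

```python
"""Added example: not part of the forum thread or of the XWiki OIDC
authenticator's own code. Probes an OIDC userinfo endpoint the two ways the
OIDC Core spec (5.3.1) allows the access token to be sent, which is what the
authenticator's oidc.endpoint.userinfo.method switch chooses between, and
reads the RFC 6750 error from the WWW-Authenticate header. Endpoint URLs,
tokens and the demo responses below are constructed placeholders."""
import base64
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

Transport = Callable[[urllib.request.Request], Tuple[int, dict, bytes]]


def build_userinfo_request(endpoint: str, access_token: str, method: str = "GET") -> urllib.request.Request:
    """Build the userinfo request.
    GET:  bearer token in the Authorization header (what most IdPs expect).
    POST: token as the access_token form parameter (RFC 6750 section 2.2)."""
    method = method.upper()
    if method == "GET":
        return urllib.request.Request(
            endpoint, method="GET",
            headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"})
    if method == "POST":
        body = urllib.parse.urlencode({"access_token": access_token}).encode()
        return urllib.request.Request(
            endpoint, data=body, method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"})
    raise ValueError(f"unsupported userinfo method: {method!r}")


def parse_bearer_error(www_authenticate: Optional[str]) -> dict:
    """Pull error / error_description out of an RFC 6750 challenge such as
    Bearer error="invalid_token", error_description="...". Empty dict if absent."""
    if not www_authenticate:
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', www_authenticate))


def unverified_jwt_claims(token: str) -> Optional[dict]:
    """Decode the payload of a JWT-shaped access token WITHOUT checking its
    signature, purely to eyeball aud/exp/scp while debugging an invalid_token
    reply. Never use the result for an authorization decision. Returns None
    for opaque (non-JWT) tokens."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, UnicodeDecodeError):
        return None


def _urllib_transport(req: urllib.request.Request) -> Tuple[int, dict, bytes]:
    """Real transport: HTTP error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def probe_userinfo(endpoint: str, access_token: str, method: str = "GET",
                   transport: Optional[Transport] = None) -> dict:
    """Send the request and classify the answer: {"ok": True, "claims": {...}}
    on 200, otherwise the status plus the bearer error, if the IdP sent one."""
    req = build_userinfo_request(endpoint, access_token, method)
    status, headers, body = (transport or _urllib_transport)(req)
    lower = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        return {"ok": True, "claims": json.loads(body)}
    challenge = parse_bearer_error(lower.get("www-authenticate"))
    return {"ok": False, "status": status,
            "error": challenge.get("error"),
            "error_description": challenge.get("error_description")}


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token for the demo (header + payload, fake signature)."""
    def b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64(b'{"alg":"none"}'), b64(json.dumps(claims).encode()), "sig"])


def demo_transport(req: urllib.request.Request) -> Tuple[int, dict, bytes]:
    """Constructed stand-in for an IdP that rejects the header form of the
    token but accepts the form-body variant, the kind of mismatch the reply
    above suggests trying oidc.endpoint.userinfo.method for."""
    if req.get_method() == "GET":
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token", '
                     'error_description="The access token is not valid for this endpoint"'}, b""
    return 200, {"Content-Type": "application/json"}, b'{"sub": "ewan", "email": "ewan@example.test"}'


if __name__ == "__main__":
    token = make_unsigned_jwt({"aud": "https://xwiki.example.test", "exp": 1700000000})
    print("token claims:", unverified_jwt_claims(token))
    for method in ("GET", "POST"):
        print(method, probe_userinfo("https://adfs.example.test/adfs/userinfo", token, method,
                                     transport=demo_transport))
```

Run it against a real endpoint by calling `probe_userinfo(url, token)` without the `transport` argument; an `invalid_token` answer to one method but a 200 to the other tells you which value of `oidc.endpoint.userinfo.method` the endpoint wants, while the decoded `aud` and `exp` claims show whether the token was issued for that endpoint at all.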

Hi,

Thanks for your response.

I will investigate the userinfo endpoint further. It is specified as an OIDC endpoint, however, so it should follow these standards.

Ewan

@ewanoomen Hi! I’m trying to set up XWiki with ADFS too, did you ever get this to work? I don’t even get XWiki to show the ADFS login instead of LDAP.

Hi @VleeG, unfortunately I don’t think I ever did get it to work. Not completely sure how I proceeded (and I don’t work there anymore) but I think we just ended up keeping LDAP.