Single Sign-On with Microsoft AD FS and njs
This guide applies to NGINX Plus Release 15 and later, based on the
nginx-openid-connectGitHub repo. Starting with NGINX Plus Release 34, use the simpler solution with the native OpenID connect module.See Single Sign-On With Microsoft AD FS for details.
This guide explains how to enable single sign-on (SSO) for applications being proxied by F5 NGINX Plus. The solution uses OpenID Connect as the authentication mechanism, with Microsoft Active Directory Federation Services (AD FS) as the identity provider (IdP) and NGINX Plus as the relying party.
You can find more information about the NGINX Plus OpenID Connect integration in the project’s GitHub repo.
The instructions assume you have the following:
- 
A running deployment of AD FS, either on‑premises or in Azure. 
- 
An NGINX Plus subscription and NGINX Plus R15 or later. For installation instructions, see the NGINX Plus Admin Guide. 
- 
The NGINX JavaScript module (njs), required for handling the interaction between NGINX Plus and the IdP. After installing NGINX Plus, install the module with the command for your operating system. For Debian and Ubuntu: sudo apt install nginx-plus-module-njsFor CentOS, RHEL, and Oracle Linux: sudo yum install nginx-plus-module-njs
- 
The following directive included in the top-level ("main") configuration context in /etc/nginx/nginx.conf, to load the NGINX JavaScript module: load_module modules/ngx_http_js_module.so;
Create an AD FS application for NGINX Plus:
- 
Open the AD FS Management window. In the navigation column on the left, right‑click on the Application Groups folder and select Add Application Group from the drop‑down menu. The Add Application Group Wizard window opens. The left navigation column shows the steps you will complete to add an application group. 
- 
In the Welcome step, type the application group name in the Name field. Here we are using ADFSSSO. In the Template field, select Server application under Standalone applications. Click the Next > button.   
- 
In the Server application step: - 
Make a note of the value in the Client Identifier field. You will add it to the NGINX Plus configuration in Step 4 of Configuring NGINX Plus. 
- 
In the Redirect URI field, type the URI of the NGINX Plus instance including the port number, and ending in /_codexch. Here we’re using https://my-nginx.example.com:443/_codexch . Click the Add button. Notes: - For production, we strongly recommend that you use SSL/TLS (port 443).
- The port number is mandatory even when you’re using the default port for HTTP (80) or HTTPS (443).
 
 
- 
- 
Click the Next > button.   
- 
In the Configure Application Credentials step, click the Generate a shared secret checkbox. Make a note of the secret that AD FS generates (perhaps by clicking the Copy to clipboard button and pasting the clipboard content into a file). You will add the secret to the NGINX Plus configuration in Step 4 of Configuring NGINX Plus. Click the Next > button.   
- 
In the Summary step, verify that the information is correct, make any necessary corrections to previous steps, and click the Next > button. 
Configure NGINX Plus as the OpenID Connect relying party:
- 
Create a clone of the nginx-openid-connect GitHub repository. git clone https://github.com/nginxinc/nginx-openid-connect
- 
Copy these files from the clone to /etc/nginx/conf.d: - frontend.conf
- openid_connect.js
- openid_connect.server_conf
- openid_connect_configuration.conf
 
- 
Get the URLs for the authorization endpoint, token endpoint, and JSON Web Key (JWK) file from the AD FS configuration. Run the following curlcommand in a terminal, piping the output to the indicatedpythoncommand to output the entire configuration in an easily readable format. We’ve abridged the output to show only the relevant fields.shell $ curl https://<ADFS-server-address>/oidc/adfs/.well-known/openid-configuration | python -m json.tool { ... "authorization_endpoint": "https://<ADFS-server-address>/oidc/adfs/auth", ... "jwks_uri": "https://<ADFS-server-address>/oidc/adfs/certs", ... "token_endpoint": "https://<ADFS-server-address>/oidc/adfs/token", ... }
- 
In your preferred text editor, open /etc/nginx/conf.d/frontend.conf. Change the "default" parameter value of each of the following map directives to the specified value: - map $host $oidc_authz_endpoint– Value of- authorization_endpointfrom Step 3 (in this guide,- https://<ADFS-server-address>/oidc/adfs/auth)
- map $host $oidc_token_endpoint– Value of- token_endpointfrom Step 3 (in this guide,- https://<ADFS-server-address>/oidc/adfs/token)
- map $host $oidc_client– Value in the Client ID field from Step 3 of Configuring AD FS (in this guide,- 3e23f0eb-9329-46ff-9d37-6ad24afdfaeb)
- map $host $oidc_client_secret– Value in the Client secret field from Step 4 of Configuring AD FS (in this guide,- NUeuULtSCjgXTGSkq3ZwEeCOiig4-rB2XiW_W)
- map $host $oidc_hmac_key– A unique, long, and secure phrase
 
- 
Configure the JWK file. The procedure depends on which version of NGINX Plus you are using. - 
In NGINX Plus R17 and later, NGINX Plus can read the JWK file directly from the URL reported as jwks_uriin Step 3. Change /etc/nginx/conf.d/frontend.conf as follows:- Comment out (or remove) the auth_jwt_key_file directive.
- Uncomment the auth_jwt_key_request directive. (Its parameter, /_jwks_uri, refers to the value of the$oidc_jwt_keyfilevariable, which you set in the next step.)
- Change the second parameter of the set $oidc_jwt_keyfiledirective to the value reported in thejwks_urifield in Step 3 (in this guide,https://<ADFS-server-address>/oidc/adfs/certs).
 
- 
In NGINX Plus R16 and earlier, the JWK file must be on the local disk. (You can also use this method with NGINX Plus R17 and later if you wish.) - Copy the JSON contents from the JWK file named in the jwks_urifield in Step 3 (in this guide,https://<ADFS-server-address>/oidc/adfs/certs) to a local file (for example,/etc/nginx/my_adfs_jwk.json).
- In /etc/nginx/conf.d/frontend.conf, change the second parameter of the set $oidc_jwt_keyfiledirective to the local file path.
 
- Copy the JSON contents from the JWK file named in the 
 
- 
- 
Confirm that the user named by the user directive in the NGINX Plus configuration (in /etc/nginx/nginx.conf by convention) has read permission on the JWK file. 
In a browser, enter the address of your NGINX Plus instance and try to log in using the credentials of a user who has access to the application.
 
See the Troubleshooting section at the nginx-openid-connect repository on GitHub.
- Version 2 (March 2020) – Updates to Configuring NGINX Plus section
- Version 1 (December 2019) – Initial version (NGINX Plus Release 20)