Single Sign-On with Microsoft Active Directory FS
This guide explains how to enable single sign-on (SSO) for applications being proxied by F5 NGINX Plus. The solution uses OpenID Connect as the authentication mechanism, with Microsoft Active Directory Federation Services (AD FS) as the Identity Provider (IdP) and NGINX Plus as the Relying Party (RP), or OIDC client application that verifies user identity.
This guide applies to NGINX Plus Release 35 and later. In earlier versions, NGINX Plus relied on an njs-based solution, which required NGINX JavaScript files, key-value stores, and advanced OpenID Connect logic. In the latest NGINX Plus version, the new OpenID Connect module simplifies this process to just a few directives.
-
A Microsoft AD FS instance, either on-premises or in Azure, with administrator privileges.
-
An NGINX Plus subscription and NGINX Plus Release 35 or later. For installation instructions, see Installing NGINX Plus.
-
A domain name pointing to your NGINX Plus instance, for example,
demo.example.com.
Microsoft Active Directory Federation Services (AD FS) serves as the Identity Provider.
-
In AD FS, open the Server Manager.
-
In Server Manager, select Tools, and then select AD FS Management.
-
In AD FS Management, right-click on Application Groups and select Add Application Group.
-
On the Application Group Wizard Welcome screen:
-
Enter the Name of your application, for example,
NGINX Demo App. -
Under Standalone applications, select Server application.
-
-
On the Application Group Wizard Server application screen:
-
Copy the Client Identifier value generated by AD FS. The client identifier is your AD FS Application ID, you will need it later when configuring NGINX Plus.
-
In Redirect URI, enter the Redirect URI for your NGINX Plus instance, for example,
https://demo.example.com/oidc_callback, and then click Add.
-
-
On the Application Group Wizard Configure Application Credentials screen:
-
Select Generate a shared secret.
-
Copy and save the generated Client Secret, you will need it later when configuring NGINX Plus. You will not be able to view the secret after the application group is created.
-
Select Next to complete the steps for adding the application group.
-
After creating the application group, you need to configure the logout URLs to support RP-initiated logout:
-
In AD FS Management, navigate to Application Groups and select your application group.
-
Right-click on the application group and select Properties.
-
In the Properties dialog, add the post logout redirect URI to the application configuration:
- Add the post logout URL, for example:
https://demo.example.com/post_logout/.
- Add the post logout URL, for example:
Check the OpenID Connect endpoint URL. By default, AD FS publishes the .well-known/openid-configuration document at the following address:
https://adfs-server-address/adfs/.well-known/openid-configuration.
-
Run the following
curlcommand in a terminal:curl https://adfs-server-address/adfs/.well-known/openid-configuration | jq .where:
-
the
adfs-server-addressis your AD FS server address -
the
/adfs/.well-known/openid-configurationis the default address for AD FS for document location -
the
jqcommand (optional) is used to format the JSON output for easier reading and requires the jq JSON processor to be installed.
The configuration metadata is returned in the JSON format:
{ ... "issuer": "https://adfs-server-address/adfs", "authorization_endpoint": "https://adfs-server-address/adfs/oauth2/authorize/", "token_endpoint": "https://adfs-server-address/adfs/oauth2/token/", "jwks_uri": "https://adfs-server-address/adfs/discovery/keys", "userinfo_endpoint": "https://adfs-server-address/adfs/userinfo", "end_session_endpoint": "https://adfs-server-address/adfs/oauth2/logout", ... } -
-
Copy the issuer value, you will need it later when configuring NGINX Plus. Typically, the OpenID Connect Issuer for AD FS is:
https://adfs-server-address/adfs.
You will need the values of Client ID, Client Secret, and Issuer in the next steps.
With AD FS configured, you can enable OIDC on NGINX Plus. NGINX Plus serves as the Rely Party (RP) application — a client service that verifies user identity.
-
Ensure that you are using the latest version of NGINX Plus by running the
nginx -vcommand in a terminal:nginx -vThe output should match NGINX Plus Release 35 or later:
nginx version: nginx/1.29.0 (nginx-plus-r35) -
Ensure that you have the values of the Client ID, Client Secret, and Issuer obtained during AD FS Configuration.
-
In your preferred text editor, open the NGINX configuration file (
/etc/nginx/nginx.conffor Linux or/usr/local/etc/nginx/nginx.conffor FreeBSD). -
In the
http {}context, make sure your public DNS resolver is specified with theresolverdirective. By default, NGINX Plus re‑resolves DNS records at the frequency specified by time‑to‑live (TTL) in the record, but you can override the TTL value with thevalidparameter:http { resolver 10.0.0.1 ipv4=on valid=300s; # ... } -
In the
http {}context, define the AD FS OIDC provider namedadfsby specifying theoidc_provider {}context:http { resolver 10.0.0.1 ipv4=on valid=300s; oidc_provider adfs { # ... } # ... } -
In the
oidc_provider {}context, specify:-
Your actual AD FS Client ID from Step 5 of AD FS Configuration with the
client_iddirective -
Your Client Secret from Step 6 of AD FS Configuration with the
client_secretdirective -
The Issuer URL from Step 2 of AD FS Configuration with the
issuerdirectiveThe
issueris typically your AD FS OIDC URL. By default, NGINX forms the provider metadata endpoint by appending.well-known/openid-configurationto the issuer. For AD FS, this often resolves tohttps://adfs-server-address/adfs/.well-known/openid-configuration. If your AD FS issuer differs fromhttps://adfs-server-address/adfs(for example, a custom path), you can explicitly specify the metadata document with theconfig_urldirective. -
The logout_uri is URI that a user visits to start an RP‑initiated logout flow.
-
The post_logout_uri is absolute HTTPS URL where AD FS should redirect the user after a successful logout. This value must also be configured in the AD FS application properties.
-
If the logout_token_hint directive set to
on, NGINX Plus sends the user’s ID token as a hint to AD FS. This directive is optional, however, if it is omitted the AD FS may display an extra confirmation page asking the user to approve the logout request. -
If the userinfo directive is set to
on, NGINX Plus will fetch/userinfofrom the AD FS and append the claims from userinfo to the$oidc_claims_variables. -
Important: All interaction with the IdP is secured exclusively over SSL/TLS, so NGINX must trust the certificate presented by the IdP. By default, this trust is validated against your system’s CA bundle (the default CA store for your Linux or FreeBSD distribution). If the IdP’s certificate is not included in the system CA bundle, you can explicitly specify a trusted certificate or chain with the
ssl_trusted_certificatedirective so that NGINX can validate and trust the IdP’s certificate.
http { resolver 10.0.0.1 ipv4=on valid=300s; oidc_provider adfs { issuer https://adfs.example.com/adfs; client_id <client_id>; client_secret <client_secret>; logout_uri /logout; post_logout_uri https://demo.example.com/post_logout/; logout_token_hint on; userinfo on; } # ... } -
-
Make sure you have configured a server that corresponds to
demo.example.com, and there is a location that points to your application (see Step 10) athttp://127.0.0.1:8080that is going to be OIDC-protected:http { # ... server { listen 443 ssl; server_name demo.example.com; ssl_certificate /etc/ssl/certs/fullchain.pem; ssl_certificate_key /etc/ssl/private/key.pem; location / { # ... proxy_pass http://127.0.0.1:8080; } } # ... } -
Protect this location with AD FS OIDC by specifying the
auth_oidcdirective that will point to theadfsconfiguration specified in theoidc_provider {}context in Step 5:# ... location / { auth_oidc adfs; # ... proxy_pass http://127.0.0.1:8080; } # ... -
Pass the OIDC claims as headers to the application (Step 10) with the
proxy_set_headerdirective. These claims are extracted from the ID token returned by AD FS:-
$oidc_claim_sub- a uniqueSubjectidentifier assigned for each user by AD FS -
$oidc_claim_emailthe e-mail address of the user -
$oidc_claim_name- the full name of the user -
any other OIDC claim using the
$oidc_claim_variable
# ... location / { auth_oidc adfs; proxy_set_header sub $oidc_claim_sub; proxy_set_header email $oidc_claim_email; proxy_set_header name $oidc_claim_name; proxy_pass http://127.0.0.1:8080; } # ... -
-
Provide endpoint for completing logout:
# ... location /post_logout/ { return 200 "You have been logged out.\n"; default_type text/plain; } # ... -
Create a simple test application referenced by the
proxy_passdirective which returns the authenticated user’s full name and email upon successful authentication:# ... server { listen 8080; location / { return 200 "Hello, $http_name!\nEmail: $http_email\nAD FS sub: $http_sub\n"; default_type text/plain; } } -
Save the NGINX configuration file and reload the configuration:
nginx -s reload
This configuration example summarizes the steps outlined above. It includes only essential settings such as specifying the DNS resolver, defining the OIDC provider, configuring SSL, and proxying requests to an internal server.
http {
# Use a public DNS resolver for Issuer discovery, etc.
resolver 10.0.0.1 ipv4=on valid=300s;
oidc_provider adfs {
# The 'issuer' is typically your AD FS OIDC URL
# e.g. https://adfs.example.com/adfs
issuer https://adfs.example.com/adfs;
# Replace with your actual AD FS Client ID and Secret
client_id <client_id>;
client_secret <client_secret>;
# RP‑initiated logout
logout_uri /logout;
post_logout_uri https://demo.example.com/post_logout/;
logout_token_hint on;
# Fetch userinfo claims
userinfo on;
}
server {
listen 443 ssl;
server_name demo.example.com;
ssl_certificate /etc/ssl/certs/fullchain.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
location / {
# Protect this location with AD FS OIDC
auth_oidc adfs;
# Forward OIDC claims as headers if desired
proxy_set_header sub $oidc_claim_sub;
proxy_set_header email $oidc_claim_email;
proxy_set_header name $oidc_claim_name;
proxy_pass http://127.0.0.1:8080;
}
location /post_logout/ {
return 200 "You have been logged out.\n";
default_type text/plain;
}
}
server {
# Simple test upstream server
listen 8080;
location / {
return 200 "Hello, $http_name!\nEmail: $http_email\nAD FS sub: $http_sub\n";
default_type text/plain;
}
}
}-
Open
https://demo.example.com/in a browser. You will be automatically redirected to the AD FS sign-in page. -
Enter valid AD FS credentials of a user who has access the application. Upon successful sign-in, AD FS redirects you back to NGINX Plus, and you will see the proxied application content (for example, “Hello, Jane Doe!”).
-
Navigate to
https://demo.example.com/logout. NGINX Plus initiates an RP‑initiated logout; AD FS ends the session and redirects back tohttps://demo.example.com/post_logout/. -
Refresh
https://demo.example.com/again. You should be redirected to AD FS for a fresh sign‑in, proving the session has been terminated.
If you are running NGINX Plus R33 and earlier or if you still need the njs-based solution, refer to the Legacy njs-based Microsoft AD FS Guide for details. The solution uses the nginx-openid-connect GitHub repository and NGINX JavaScript files.
-
Version 2 (August 2025) – Added RP‑initiated logout (logout_uri, post_logout_uri, logout_token_hint) and userinfo support.
-
Version 1 (March 2025) – Initial version (NGINX Plus Release 34)