Step by step guide to configure Microsoft ADFS as an OIDC Identity Provider within Visma
Follow the steps below to configure ADFS as an OIDC Identity Provider within Visma. Keep Authentication Settings open in your browser while you access your ADFS server. You'll need to return to the Single Sign-On page to complete the configuration steps.
Prerequisites
Microsoft Active Directory 3.0 with ADFS
Administrator in Active Directory
All of your users under your account in Visma will need a pre-existing account in ADFS with exactly the same email address.
Configure Visma Single Sign-On app in ADFS
1. Sign in to Authentication Settings. On the Single Sign-On page go to section 1. Configure URIs in ADFS. This is the Visma Single Sign-On information you’ll need to provide to ADFS to configure Visma as a service provider. Copy the Redirect URI value.
2. On the ADFS server, select Start > Administrative Tools > ADFS Management.
3. Under Actions, click Add Application Group.
4. On the Welcome step, enter the Application name and click Next.
5. On the Native application step, in the Redirect URI field, paste the URI that you copied from the Authentication Settings Single Sign-On page, and click Add.
6. Copy the Client Identifier; you will need it later. Click Next to continue.
7. On the Configure Web API step, paste the Client Identifier that you copied in the previous step into the Identifier field, click Add, then click Next.
8. On the Apply Access Control Policy step, choose the access control policy you want and click Next.
9. On the Configure Application Permission step, check the boxes for the email, openid and profile scopes and click Next.
10. On the Summary step, review your configuration; if everything looks good, click Next, then click Close.
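The same ADFS-side setup as a scripted equivalent, added here as an example and not part of the original guide or of Visma's documentation. It assumes the ADFS PowerShell module on an ADFS server that supports application groups, and uses placeholders for the Redirect URI (copied from the Single Sign-On page), the ADFS host name and the access control policy name.

```powershell
# Added example: scripted equivalent of the ADFS Management steps above.
# Run in an elevated PowerShell session on the ADFS server. Replace placeholders.

# Redirect URI copied from Authentication Settings > Single Sign-On, section 1.
$redirectUri = "https://REPLACE-WITH-REDIRECT-URI-FROM-VISMA"   # placeholder

# The GUI generates the Client Identifier for you; here it is generated explicitly.
# This is the value pasted into the Client ID field in section 2.
$clientId = [guid]::NewGuid().ToString()

$groupName = "Visma Single Sign-On"   # application name from the Welcome step

# "Add Application Group" and "Welcome" step
New-AdfsApplicationGroup -Name $groupName -ApplicationGroupIdentifier $groupName

# "Native application" step: the client that may use the Visma redirect URI
Add-AdfsNativeClientApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Native application" `
    -Identifier $clientId `
    -RedirectUri $redirectUri

# "Configure Web API" step: the Web API uses the same identifier as the client
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Web API" `
    -Identifier $clientId `
    -AccessControlPolicyName "Permit everyone"   # placeholder: pick your own policy

# "Configure Application Permission" step: grant only the three scopes the guide needs
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $clientId `
    -ScopeNames "openid", "email", "profile"

# Values to carry back to the Single Sign-On page (sections 2 and 3)
Write-Host "Client ID (section 2): $clientId"
Write-Host "Authority (section 2): https://<your-adfs-host>/adfs"   # placeholder host
```

The redirect URI and the three scopes are the only values that must match what the guide's GUI steps produce; everything else here (names, policy) is local choice.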
Go back to Authentication Settings to continue the Single Sign-On setup
1. On the Single Sign-On page go to section 2. Configure OpenID Connect Client.
2. In the Authority field, enter the URL used to access your ADFS instance with “/adfs” appended.
3. In the Client ID field, paste the Client Identifier that you copied in step 6 of the ADFS setup.
4. Go to section 3. Advanced Configuration, where you can decide whether to provision users just in time when they sign in to Visma with ADFS.
5. Click Save.
Testing Single Sign-On after Visma has made its configuration
To make sure SSO is working, go directly to your Visma My Domain, e.g. https://example.my.connect.visma.com, and click the Sign in with ADFS button.
Once you have verified that SSO is working, you can go to Policies and disable Visma credentials, so that your users are redirected straight to your ADFS.