Configure Pureservice authentication with OAuth 2

Configuring ADFS

  1. Add OAuth 2 client
    1. Open PowerShell on the ADFS server
    2. Run the following command: Add-AdfsClient -RedirectUri "https://YOUR-PURESERVICE-URL/login/oauth" -ClientId "A-KEY-OF-YOUR-CHOICE" -Name "Pureservice OAuth2"
      (You can easily generate a random key here: https://www.guidgenerator.com/online-guid-generator.aspx)

Configuring Azure

  1. Log in to Azure, navigate to “Azure Active Directory” and “App Registrations”.
  2. To create a new Application, select “New registration”.
    1. Give it a relevant name
    2. Enter the reply URL for your Pureservice as the Redirect URI. To find it, go to Pureservice Administrator settings -> Security -> Authentication -> either Agent or End user authentication, set the type to OAuth 2 and copy the URL shown after “Use the following reply URL:”.
    3. Click “Register”
  3. Go to “Certificates & secrets” and create a new “Client secret”. The key will be shown only once after saving, so make sure you copy it to the clipboard and save it for later in the setup!

Configuring Pureservice

  1. Go to the Pureservice Agent Console, open the Administrator, then go to Security -> Authentication and select the relevant site (Agent authentication for the Agent Console and Enduser authentication for Selfservice).
  2. Set the Type to “OAuth 2”
  3. Set the Authorization URL. This can be found in Azure under “Endpoints” as the “OAuth 2.0 authorization endpoint (v1)”-value.
  4. Set the Token URL. This can be found in Azure under “Endpoints” as the “OAuth 2.0 token endpoint (v1)”-value.
  5. Optional: Set the Logout URL. Use the same value as in the previous step, but replace “token” at the end with “logout”.
  6. Set the Client ID to the same value as “Application (client) ID”. This can be found on the Application’s settings/properties (Overview) site in Azure, below the Display name.
  7. Set the Client secret to the same key that was generated earlier (Step 3 of “Configuring Azure” or step 1b of “Configuring ADFS”).
  8. Set the Claim key to the URI corresponding to the AD attribute you use as usernames in Pureservice.
    1. Copy the XML link for “Federation metadata document” and open it in a browser. The link can be found in Azure under “Endpoints”.
    2. Find the XML node “ClaimTypesOffered” and copy the URI value of the relevant attribute.
      1. If the users’ usernames in Pureservice are their userPrincipalName attribute in AD, then the following “ClaimType” can be used: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
  9. Leave the Scope and Resource fields in Pureservice blank for Azure.
  10. Leave the Certificate validation as “X.509 Certificate from metadata URL” and enter the Metadata URL that is mentioned in step 8a.
  11. Optional: Enable Bypass SSO. This will allow users to log in “manually” with their Pureservice usernames and passwords while also having the option of using the OAuth 2 Single SignOn.
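
Steps 8 and 10 both rely on the federation metadata document. The following Python script is an added example, not Pureservice or Microsoft code: it reads a saved copy of that document and returns the claim URIs under “ClaimTypesOffered” plus the SHA-256 fingerprints of the signing certificates it publishes, so both can be reviewed before they are entered in Pureservice. The sample XML, the certificate bytes and the function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
FAKE_CERT = b"constructed-signing-certificate"  # stand-in bytes, not a real cert

# Constructed, trimmed sample; a real metadata document has many more elements.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}"
    xmlns:fed="{NS['fed']}" xmlns:auth="{NS['auth']}">
  <RoleDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}"><X509Data><X509Certificate>
        {base64.b64encode(FAKE_CERT).decode()}
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <auth:DisplayName>Name</auth:DisplayName></auth:ClaimType>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <auth:DisplayName>UPN</auth:DisplayName></auth:ClaimType>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
</EntityDescriptor>"""


def claim_types_offered(metadata_xml):
    """Map each offered claim's display name to its URI (the Claim key)."""
    root = ET.fromstring(metadata_xml)
    return {
        c.findtext("auth:DisplayName", default="", namespaces=NS).strip(): c.get("Uri")
        for c in root.iterfind(".//fed:ClaimTypesOffered/auth:ClaimType", NS)
    }


def signing_cert_fingerprints(metadata_xml):
    """Return sorted SHA-256 fingerprints of the signing certificates."""
    root = ET.fromstring(metadata_xml)
    prints = set()
    for key in root.iterfind(".//md:KeyDescriptor[@use='signing']", NS):
        for cert in key.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            prints.add(hashlib.sha256(der).hexdigest())
    return sorted(prints)
```

To use it on your own tenant, save the metadata XML to a file and pass its contents to both functions in place of SAMPLE_METADATA.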
