ADFS SAML SSO Integration
CloudCenter does not authenticate directly against LDAP or Active Directory (AD).
CloudCenter interacts with LDAP/AD only through an SSO Identity Provider (IDP) that supports the SAML 2.0 protocol (for example, Ping Identity, ADFS, Shibboleth, and so forth).
To implement SSO with CloudCenter:
- Configure the CCM to redirect authentication to the SSO IDP.
- Map the additional user attributes returned by the SAML IDP to the user activation profile.
- Once these steps are complete, CloudCenter automatically assigns the proper user group membership and the additional roles and permissions.
A CCM instance supports Security Assertion Markup Language (SAML) 2.0 SSO through Spring Security SAML Extension.
SAML integration can be set up at the root level or the tenant level. To configure this integration accurately, you must have the following information for the root tenant or sub-tenant (as applicable to your deployment):
Domain and Portal Verification
Verify and ensure that the following information is accurate:
- The time zone and time of the CCM (and by association all other appliances) match those of the AD Domain Controllers. SAML assertions carry a validity window (NotBefore/NotOnOrAfter), so clock skew between the CCM and the IDP causes logons to be rejected.
- The FQDN of the portal logon page (for example, https://cloud.core.enterprise.com) is accurate.
Contact CloudCenter Support for additional information.
SAML Authentication Configuration
To configure a tenant to use SSO, follow this procedure:
- Create a tenant (see Sub-Tenant Configuration) with the following settings:
  - Short Name – a string without white space or special characters.
  - External Id – the ID of the organization in the external system with which the tenant is associated.
  - Tenant – the CCM server domain name alias for the tenant. This serves as the Service Provider (SP) endpoint from the SSO perspective.
- Log in as the newly created tenant admin and create an Activation Profile.
- Click the Vendor Info tab and select the newly created activation profile as the Default Activation Profile.
- Enter the information in the IDP Settings:
  - IDP Name (a sample name indicative of the supporting AD domain)
  - IDP Metadata URL – used to establish mutual trust between the CloudCenter platform and the IDP. Currently this does not support HTTPS, so use HTTP. Because the metadata is then fetched over an unauthenticated channel, confirm the IDP signing certificate it contains against a value obtained out-of-band from the IDP administrator, or upload the metadata file instead.
  - IDP Metadata File (if applicable)
- Enter the information in the SP Settings:
  - Entity ID – the target domain name for this authentication (should be the DNS name of the logon page)
  - Default SSO Binding – leave at POST (the SAML HTTP-POST binding)
  - Logout Target URL – the URL to which users are redirected after they log out of the SAML page (this can be the same as the Entity ID)
- Enter the information in the Attribute Mappings section. These are the attributes returned by the IDP that are mapped to user attributes within the CloudCenter platform. If you are unsure about these fields, contact your IDP administrator. At a minimum, you need to provide the first name, last name, email address, and external user ID.
  - First Name Mapping (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname)
  - Last Name Mapping (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname)
  - Email Mapping (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
  - User Group Mapping (http://schemas.xmlsoap.org/claims/Group)
- Download the Metadata file. This SP metadata file is what you import into ADFS as the relying party in the next section.
- Click Submit.
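Because the CCM may have to pull the IDP metadata over plain HTTP, the signing certificate inside it is worth checking independently before the trust goes live. The following PowerShell function is an added illustration, not part of the CloudCenter documentation: it parses a locally saved SAML 2.0 metadata file and reports the fingerprints of every IDP signing certificate it advertises, so they can be compared with what the IDP administrator supplies out-of-band. The path C:\Temp\FederationMetadata.xml is an assumed example.

```powershell
# Added example (not from the CloudCenter documentation).
# Lists the signing certificates advertised in a SAML 2.0 IDP metadata file.
# Assumes the metadata was saved locally, e.g. from the ADFS endpoint
# https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml
function Get-IdpSigningCertificate {
    param([Parameter(Mandatory)][string]$MetadataPath)

    [xml]$md = Get-Content -Path $MetadataPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entityId = $md.DocumentElement.GetAttribute('entityID')

    # A KeyDescriptor with no "use" attribute is valid for both signing and encryption,
    # so include it alongside the ones explicitly marked use="signing".
    $xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use="signing"]' +
             '/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
    $nodes = $md.SelectNodes($xpath, $ns)

    foreach ($node in $nodes) {
        # The element holds the DER certificate as base64, possibly wrapped across lines.
        $raw  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)

        # .Thumbprint is the SHA-1 fingerprint; compute SHA-256 as well.
        $sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)

        [pscustomobject]@{
            EntityId = $entityId
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter
            Sha1     = $cert.Thumbprint
            Sha256   = ($sha256 | ForEach-Object { $_.ToString('X2') }) -join ''
        }
    }
}

# Assumed path to the downloaded IDP metadata.
Get-IdpSigningCertificate -MetadataPath 'C:\Temp\FederationMetadata.xml' | Format-List
```

On the ADFS server itself, `(Get-AdfsCertificate -CertificateType Token-Signing).Thumbprint` returns the SHA-1 thumbprint of the current token-signing certificate; it should equal the Sha1 value reported above for the metadata the CCM consumes. A mismatch means the CCM has stale metadata or the download was tampered with in transit.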
ADFS Trust Settings
To configure the ADFS trust settings and to edit the corresponding claim rules, follow this procedure.
- In AD FS Management, under AD FS > Trust Relationships > Relying Party Trusts, click Add Relying Party Trust to open the Add Relying Party Trust Wizard.
- On the Welcome page, click Start.
- On the Select Data Source page, choose to import data about the relying party from a file, then browse for and select the sp-xxxxx.xml file downloaded from the CCM.
- On the Specify Display Name page, provide a Display name and click Next.
- On the Configure Multi-factor Authentication Now? page, select I do not want to configure multi-factor authentication settings for this relying party trust at this time, and click Next.
- On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party. This lets every AD user who can authenticate reach the CCM logon; if only specific groups should reach it, restrict access with an issuance authorization rule instead.
- On the Ready to Add Trust page, review the properties of the new Relying Party Trust and click Next to save the trust.
- On the Finish page, click Close. The Edit Claim Rules dialog for the new trust opens automatically.
- Right-click the new trust, click Properties, and on the Advanced tab, in the Secure hash algorithm list, select SHA-1, then click OK. ADFS defaults to SHA-256 and SHA-1 is a deprecated signature hash, so select SHA-1 only because this integration calls for it, and confirm with CloudCenter Support whether your CCM version accepts SHA-256.
- Right-click the trust in the list where you want to create a claim rule, and then click Edit Claim Rules.
- On the Issuance Transform Rules tab, click Add Rule.
- On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims from the list, and then click Next.
- On the Configure Rule page, type Get Attributes in the Claim rule name field and select Active Directory as the Attribute store.
- Under Mapping of LDAP attributes to outgoing claim types, select the following LDAP Attribute and Outgoing Claim Type pairs from the drop-down lists:
  - Given-Name = Given Name
  - Surname = Surname
  - E-Mail-Addresses = E-Mail Address
  - Token-Groups - Unqualified Names = Group
- Add another rule using the Transform an Incoming Claim template: on the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim from the list, and then click Next.
- Name the rule SAM to NameID and map the following values (this sends the user's e-mail address as the SAML NameID):
  - Incoming claim type = E-Mail Address
  - Outgoing claim type = Name ID
  - Outgoing name ID format = Email
You have now configured the ADFS SAML SSO integration.
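The same relying party trust and claim rules can be created from PowerShell on the ADFS server, which makes the configuration reviewable and repeatable. The script below is an added example and is not part of the CloudCenter documentation; the SP metadata path C:\Temp\sp-xxxxx.xml and the trust name CloudCenter are assumptions.

```powershell
# Added example (not from the CloudCenter documentation): scripted equivalent of the
# AD FS Management steps above. Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$metadataFile = 'C:\Temp\sp-xxxxx.xml'   # assumed: SP metadata downloaded from the CCM
$trustName    = 'CloudCenter'            # assumed display name for the relying party trust

# Rule 1: "Get Attributes" (Send LDAP Attributes as Claims). The LDAP attributes
# givenName, sn, mail and tokenGroups (unqualified names) map, in order, to the
# outgoing claim types the CCM attribute mappings expect.
$getAttributes = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Get Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";givenName,sn,mail,tokenGroups;{0}", param = c.Value);
'@

# Rule 2: "SAM to NameID" (Transform an Incoming Claim). Re-issues the e-mail
# address claim as the SAML NameID with the Email name ID format.
$samToNameId = @'
@RuleTemplate = "MapClaims"
@RuleName = "SAM to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization: "Permit all users to access this relying party".
# Replace with a group-based rule if only specific AD groups should reach the CCM.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the trust from the SP metadata. The entity ID and assertion consumer
# endpoint are read from the file. The signature algorithm is forced to SHA-1 to
# match the "Secure hash algorithm" setting in the procedure above; ADFS would
# otherwise default to rsa-sha256.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataFile $metadataFile `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' `
    -IssuanceTransformRules ($getAttributes + "`n" + $samToNameId) `
    -IssuanceAuthorizationRules $permitAll

# Review what was created: identifier from the metadata, hash algorithm, and rules.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, SignatureAlgorithm, Enabled, IssuanceTransformRules
```

Keeping the rule text in version control alongside the SP metadata lets you diff the trust against the documented claim set later; `Get-AdfsRelyingPartyTrust` shows the live rules, so a drift check is a string comparison against these here-strings.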