ADFS SAML SSO Integration
CloudCenter does not authenticate directly to LDAP or AD.
CloudCenter only interacts with LDAP/AD through a SSO IDentity Provider (IDP) that supports SAML 2.0 protocol (for example, Ping Identity, ADFS, Shibboleth, and so forth).
To implement SSO using CloudCenter:
You must then configure the CCM to re-direct the authentication to the SSO IDP.
You must also map some additional user custom properties (returned by the SAML IDP) to the user activation profile.
Once you complete all these steps successfully, CloudCenter automatically assigns the proper user group membership and additional roles and permissions.
A CCM instance supports Security Assertion Markup Language (SAML) 2.0 SSO through Spring Security SAML Extension.
The Sys Admin (see Admin Users > Login as a System Admin) can be set up SAML integration at the root level or the tenant level. To accurately configure this integration, you must have the following information for the root tenant or sub-tenant (as applicable to your deployment):
Domain and Portal Verification
Verify and ensure that the following information is accurate:
The timezone and time of the CCM (and by association all other appliances) matches the AD Domain Controllers.
The logon for the FQDN portal page (for example, https://cloud.core.enterprise.com) is accurate.
Contact CloudCenter Support for additional information.
SAML Authentication Configuration
To configure a tenant to use SSO, follow this procedure:
Create a tenant (see Tenant Information)
Short Name – give a string without spaces and special characters.
External Id – enter the ID of the organization in the external system with which the tenant is associated.
Tenant – the CCM server domain name alias for the tenant. This will serve as the end point of the Service Provider (SP) from the SSO perspective.
Login as the newly created tenant admin and create an Activation Profile.
Click the Vendor Info tab and select the newly created activation profile as Default Activation Profile.
click the Manage Vendor Admins tab and select the Vendor Authentication Settings action dropdown for this tenant, as shown in the following screenshot.
Enter the information in the IDP Settings:
IDP Name (sample name is indicative of supporting AD domain)
IDP Metadata URL – to establish the mutual trust between the CloudCenter platform and the IDP (currently, this does not support HTTPS, so use HTTP).
IDP Metadata File (if applicable)
Enter the information in the SP Settings:
Entity ID – the target domain name for this authentication (should be DNS name of logon page)
Default SSO Binding should be left at post
Logout Target URL – If logging into your company's SAML page, you must specify the URL of the page that you want the logged in users to be redirected to when they log out of the SAML page (could be same as Entity ID)
Enter the information in the Attribute Mappings sections – These are the fields from the IDP that will be mapped to user attributes within the CloudCenter platform. If you are unsure about these fields, please contact your IDP administrator. At a minimum, you need to provide the first name, last name, and email address. The URI mapping in the following image and the URIs listed in the following steps are based on Windows 2012 R2. This information must be fetched from the claim descriptions on ADFS. The following screenshot shows a sample claim description.
Enter the First Name Mapping ()
Enter the Last Name Mapping ()
Enter the Email Mapping ()
Enter the User Group Mapping ()
Download the Metadata file.
If automating the placement of SSO self-care users, enter the unique identifier for 1st and 2nd level Vendor External ID attributes. For example:
Enter the 1st Level Vendor External ID mapping (company)
Enter the 2nd Level Vendor External ID mapping (department)
Company and department are user-level attributes in the directory server.
Be aware that values (configured for users with these attributes) are compared against the External ID value set in the subtenant for the placement of a new user who is signing into the CloudCenter platform.
ADFS Trust Settings
To configure the ADFS trust settings and to edit the corresponding claim rules, follow this procedure.
In the ADFS Manager, under ADFS > Trust Relationships > Relying Party Trusts, click Add Relying Party Trust to open the Add Relying Party Trust Wizard.
On the Welcome page, click Start.
On the Select Import Data from a file page, browse for and select the sp-xxxxx.xml file.
Provide a Display name.
On the Configure Multi-factor Authentication Now? page, select I do not want to configure multi-factor authentication settings for this relying party trust at this time.
- Click Next.
On the Choose Issuance Authorization Rules page, select either Permit all users to access this relying party.
On the Ready to Add Trust page, enter the properties of the new Relaying Party Trust and click Next to save your relying party trust information.
On the Finish page, click Close. This action automatically displays the Edit Claim Rules box.
Click the trust in the list where you want to create a claim rule.
Right-click the selected trust, and then click Edit Claim Rules.
On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims from the list, and then click Next.
On the Configure Rule page under Claim rule name type Get Attributes in the display name field.
Under the Mapping of LDAP attributes to outgoing claim types select the following LDAP Attribute and corresponding Outgoing Claim Type types from the drop-down lists.
Given-Name = Given Name
Surname = Surname
E-Mail-Addresses = E-Mail Address
Token-Groups - Unqualified Names = Group
Company = Company
Department = Department
Company and Department are optional types and are only required if the 1st and 2nd level vendor External ID’s are configured in Step 7 (above when you enter information in the Attribute Mappings section).
The following screenshot shows sample selections.
Add another rule, to the Transform an Incoming Claim template – on the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim from the list, and then click Next.
Name the rule as SAM to NameID and map the following values:
Incoming claim type = E-Mail Address
Outgoing claim type = Name ID
Outgoing name ID format = Email
The following screenshot shows sample mappings.
You have now configured the ADFS SAML SSO integration.
- No labels