-
Notifications
You must be signed in to change notification settings - Fork 40
/
Copy pathadfs-sso-configuration.html.md.erb
118 lines (91 loc) · 6.01 KB
/
adfs-sso-configuration.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
---
title: Configuring AD FS as an Identity Provider
owner: Identity
---
This topic describes configuring Active Directory Federation Services (AD FS) as your identity provider (IDP) in <%= vars.platform_name %> and AD FS.
## <a id='idp'></a> Configure SAML Integration in <%= vars.platform_name %>
You can use AD FS as your SAML IDP for <%= vars.ops_manager_full %> and <%= vars.app_runtime_full %> (<%= vars.app_runtime_abbr %>).
* To use AD FS as your SAML IDP for <%= vars.ops_manager %>, follow these procedures:
* [Configure SAML Integration in <%= vars.ops_manager %>](#ops-man)
* [Configure SAML Integration in AD FS](#adfs)
* To use AD FS as your SAML IDP for <%= vars.app_runtime_abbr %>, follow these procedures:
* [Configure SAML Integration in <%= vars.app_runtime_abbr %>](#pas)
* [Configure SAML Integration in AD FS](#adfs)
### <a id='ops-man'></a> Configure SAML Integration in <%= vars.ops_manager %>
To configure <%= vars.ops_manager %> to use AD FS as your SAML IDP:
1. Download your IDP metadata from `https://AD-FS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml`, where `AD-FS-HOSTNAME` is the hostname of your AD FS deployment.
1. Follow the procedure in _Use an Identity Provider_ in the BOSH Director configuration topic for your IaaS:
* [Configuring BOSH Director on AWS](/platform/ops-manager/<%= vars.current_major_version %>/aws/config-manual.html#idp)
* [Configuring BOSH Director on Azure Manually](/platform/ops-manager/<%= vars.current_major_version %>/azure/config-manual.html#idp)
* [Configuring BOSH Director on GCP](/platform/ops-manager/<%= vars.current_major_version %>/gcp/config-manual.html#idp)
* [Configuring BOSH Director on OpenStack](/platform/ops-manager/<%= vars.current_major_version %>/openstack/config.html#idp)
* [Configuring BOSH Director on vSphere](/platform/ops-manager/<%= vars.current_major_version %>/vsphere/config.html#idp)
<p class="note"><strong>Note:</strong> You can set up SAML access for <%= vars.ops_manager %> during the initial <%= vars.platform_name %> installation or later by navigating to <strong>Settings</strong> in the user menu in the <%= vars.ops_manager %> Installation Dashboard, configuring the <strong>Authentication Method</strong> pane, and then clicking <strong>Review Pending Changes</strong> and <strong>Apply Changes</strong>.</p>
### <a id='pas'></a> Configure SAML Integration in <%= vars.app_runtime_abbr %>
To configure <%= vars.app_runtime_abbr %> to use AD FS as your SAML IDP:
1. Download your IDP metadata from `https://AD-FS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml`, where `AD-FS-HOSTNAME` is the hostname of your AD FS deployment.
1. Follow the procedure in [Configure <%= vars.platform_name %> as a Service Provider for SAML](auth-sso.html#configure-pcf-for-saml) in _Configuring Authentication and Enterprise SSO for <%= vars.app_runtime_abbr %>_.
## <a id='adfs'></a> Configure SAML Integration in AD FS
To designate <%= vars.platform_name %> as your SAML service provider (SP) in AD FS:
1. Download your SP metadata from `https://login.SYSTEM-DOMAIN/saml/metadata`, where `SYSTEM-DOMAIN` is the system domain of your <%= vars.platform_name %> deployment.
1. Open your **ADFS Management** console.
1. To add a relying party trust:
1. Select **Actions**.
1. Click **Add Relying Party Trust...**.
1. On the Welcome step, click **Start**.
1. Select **Import data about the relying party from a file**.
1. Choose the downloaded SP metadata file.
1. Click **Next**.
1. Enter a **Display name** for the new relying party trust.
1. Click **Next**.
1. Leave the default multi-factor authentication selection.
1. Click **Next**.
1. Select **Permit all users to access this relying party**.
1. Click **Next**.
1. Review your settings.
1. Click **Next**.
1. Click **Close** to finish the wizard.
1. To modify your relying party trust:
1. Double-click the new relying party trust.
1. Select the **Encryption** tab.
1. Click **Remove** to remove the encryption certificate you imported.
1. Select the **Advanced** tab.
1. For the **Secure hash algorithm**, select **SHA256**.
1. (Optional) If you are using a self-signed certificate and want to disable CRL checks:
1. Open **Windows Powershell** as an Administrator.
1. Run:
```
set-ADFSRelyingPartyTrust -TargetName "RELYING-PARTY-TRUST" -SigningCertificateRevocationCheck None
```
Where `RELYING-PARTY-TRUST` is the relying party trust for which you want to disable CRL checks.
1. To add claim rules for your relying party trust, select your relying party trust and click **Edit Claim Rules...**.
1. In the **Issuance Transform Rules** tab, create two claim rules:
1. Click **Add Rule**.
1. For **Claim rule template**, select **Send LDAP Attributes as Claims**.
1. Click **Next**.
1. Enter a **Claim rule name**.
1. For **Attribute store**, select **Active Directory**.
1. For **LDAP Attribute**, select **E-Mail-Addresses**. If you do not have the email attribute configured for users, you can select **User-Principle-Name**.
1. For **Outgoing Claim Type**, select **E-Mail Address**.
1. Click **Finish**.
<br><br>
1. Click **Add Rule**.
1. For **Claim rule template**, select **Transform an Incoming Claim**.
1. Click **Next**.
1. Enter a **Claim rule name**.
1. For **Incoming claim type**, select **E-Mail Address**.
1. For **Outgoing claim type**, select **Name ID**.
1. For **Outgoing name ID format**, select **Email**.
1. Click **Finish**.
1. To permit access to users based on a security group:
1. Select the **Issuance Authorization Rules** tab.
1. Click **Add Rule**.
1. For **Claim rule template**, select **Permit or Deny Users Based on an Incoming Claim**.
1. Click **Next**.
1. Enter a **Claim rule name**.
1. For **Incoming claim type**, select **Group SID**.
1. Click **Browse**.
1. Locate the security group in your domain of which <%= vars.platform_name %> developers are a part.
1. Click **OK**.
1. Ensure **Permit access to users with this incoming claim** is selected.
1. Click **Finish**.