forked from pivotal-cf/docs-ops-guide
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathadfs-sso-configuration.html.md.erb
98 lines (71 loc) · 5.4 KB
/
adfs-sso-configuration.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
---
title: Configuring ADFS as an Identity Provider
owner: Identity
---
This topic describes the process of configuring Active Directory Federation Services (ADFS) as your identity provider (IdP) in <%= vars.first_product_name %> and ADFS.
## <a id='idp'></a> Configure SAML Integration in <%= vars.product_name %>
You can use ADFS as your SAML IdP for Ops Manager and Pivotal Application Service (PAS):
* If you want to use ADFS as your SAML IdP for Ops Manager, do the following:
* [Configure SAML Integration in Ops Manager](#ops-man)
* [Configure SAML Integration in ADFS](#adfs)
* If you want to use ADFS as your SAML IdP for PAS, do the following:
* [Configure SAML Integration in PAS](#pas)
* [Configure SAML Integration in ADFS](#adfs)
### <a id='ops-man'></a> Configure SAML Integration in Ops Manager
To configure Ops Manager to use ADFS as your SAML IdP, do the following:
1. Download your IdP metadata from `https://YOUR-ADFS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml`.
1. Perform the steps in the _Use an Identity Provider_ section of the BOSH Director configuration topic for you IaaS:
* [Configuring BOSH Director on AWS](../om/aws/config-manual.html#idp)
* [Configuring BOSH Director on Azure Manually](../om/azure/config-manual.html#idp)
* [Configuring BOSH Director on GCP](../om/gcp/config-manual.html#idp)
* [Configuring BOSH Director on OpenStack](../om/openstack/config.html#idp)
* [Configuring BOSH Director on vSphere](../om/vsphere/config.html#idp)
<p class="note"><strong>Note:</strong> You can set up SAML access for Ops Manager during the initial <%= vars.product_name %> installation or later by navigating to <strong>Settings</strong> in the user menu on the Ops Manager Installation Dashboard, configuring the <strong>Authentication Method</strong> pane, and then clicking <strong>Review Pending Changes</strong> and <strong>Apply Changes</strong>.</p>
### <a id='pas'></a> Configure SAML Integration in PAS
To configure PAS to use ADFS as your SAML IdP, do the following:
1. Download your IdP metadata from `https://YOUR-ADFS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml`.
1. Perform the steps in the [Configure <%= vars.product_name %> as a Service Provider for SAML
](./auth-sso.html#configure-pcf-for-saml) section of the _Configuring Authentication and Enterprise SSO for PAS_ topic.
## <a id='adfs'></a> Configure SAML Integration in ADFS
To designate <%= vars.product_name %> as your SAML service provider (SP) in ADFS, do the following:
1. Download your SP metadata from `https://login.YOUR-SYSTEM-DOMAIN/saml/metadata`.
1. Open your **ADFS Management** console and add a relying party trust as follows:
1. Click **Add Relying Party Trust...** in the **Actions** pane.
1. On the Welcome step, click **Start**.
1. Select **Import data about the relying party from a file**, import the downloaded SP metadata file, and click **Next**.
1. Enter a **Display name** for the new relying party trust and click **Next**.
1. Leave the default multi-factor authentication selection and click **Next**.
1. Select **Permit all users to access this relying party** and click **Next**.
1. Review your settings and click **Next**.
1. Click **Close** to finish the wizard.
1. Modify your relying party trust as follows:
1. Double-click the new relying party trust.
1. Select the **Encryption** tab and click **Remove** to remove the encryption certificate you imported.
1. In the **Advanced** tab, select **SHA256** for the **Secure hash algorithm**.
1. (Optional) If you are using a self-signed certificate and want to disable CRL checks, do the following:
1. Open **Windows Powershell** as an Administrator.
1. Execute the following command: `set-ADFSRelyingPartyTrust -TargetName "RELYING-PARTY-TRUST" -SigningCertificateRevocationCheck None`
1. To add claim rules for your relying party trust, select your relying party trust and click **Edit Claim Rules…**.
1. In the **Issuance Transform Rules** tab, create two claim rules as follows:
1. Click **Add Rule**.
1. Select **Send LDAP Attributes as Claims** for **Claim rule template** and click **Next**.
1. Enter a **Claim rule name**.
1. Select **Active Directory** for **Attribute store**.
1. Select **E-Mail-Addresses** for **LDAP Attribute** and **E-Mail Address** for **Outgoing Claim Type**. Alternatively, if you do not have the email attribute configured for users, you can select **User-Principle-Name** under **LDAP Attribute**.
1. Click **Finish**.
<br><br>
1. Click **Add Rule**.
1. Select **Transform an Incoming Claim** for **Claim rule template** and click **Next**.
1. Enter a **Claim rule name**.
1. Select **E-Mail Address** for **Incoming claim type**.
1. Select **Name ID** for **Outgoing claim type**.
1. Select **Email** for **Outgoing name ID format**.
1. Click **Finish**.
1. To permit access to users based on a security group, navigate to the **Issuance Authorization Rules** tab and create an authorization claim rule as follows:
1. Click **Add Rule**.
1. Select **Permit or Deny Users Based on an Incoming Claim** for **Claim rule template** and click **Next**.
1. Enter a **Claim rule name**.
1. Select **Group SID** for **Incoming claim type**.
1. Click **Browse** and locate the security group in your domain that <%= vars.product_name %> developers are a part of and click **OK**.
1. Ensure **Permit access to users with this incoming claim** is selected.
1. Click **Finish**.