Configuring Active Directory Federation Services as an Identity Provider

Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu.

This topic describes how to set up Active Directory Federation Services (AD FS) as your identity provider by configuring SAML integration.

Set Up SAML with the SSO Operator Dashboard

  1. Log in to the SSO Operator Dashboard at https://p-identity.SYSTEM-DOMAIN as a Plan Administrator.
  2. Select your plan and click Manage Identity Providers on the drop-down menu.

  3. Click Configure SAML Service Provider.

  4. (Optional) Select Perform signed authentication requests so that the service provider signs each SAML authentication request with its private key and AD FS validates that signature against the certificate in the service provider metadata.

  5. (Optional) Select Require signed assertions so that the service provider accepts only assertions that AD FS has signed and rejects unsigned responses.

  6. Click Download Metadata to download the service provider metadata.

  7. Click Save.

Set Up SAML in AD FS

  1. Open the AD FS Management console.

  2. Click Add Relying Party Trust… in the Actions pane.

  3. On the Welcome step, click Start.

  4. Select Import data about the relying party from a file, enter the path to the downloaded service provider metadata, and click Next.

  5. Enter a name for Display name and click Next.

  6. Leave the default multi-factor authentication selection and click Next.

  7. Select Permit all users to access this relying party and click Next.

  8. Review your settings and click Next.

  9. Click Close to finish the wizard.

  10. The claim rule editor should open by default. If it does not, select your Relying Party Trust and click Edit Claim Rules… in the Actions pane.

  11. Create two claim rules by following these steps:

    1. Click Add Rule.
    2. Select Send LDAP Attributes as Claims for Claim rule template and click Next.

    3. Enter a Claim rule name.

    4. Select Active Directory for Attribute store.

    5. Select E-Mail-Addresses for LDAP Attribute and select E-mail Address for Outgoing Claim Type.

    6. Click Finish.

    7. Click Add Rule.

    8. Select Transform an Incoming Claim for Claim rule template and click Next.

    9. Enter a Claim rule name.

    10. Select E-Mail Address for Incoming claim type.

    11. Select Name ID for Outgoing claim type.

    12. Select Email for Outgoing name ID format.

    13. Click Finish.

  12. Double-click on the new Relying Party Trust to open the properties.

  13. Select the Encryption tab and click Remove to remove the encryption certificate, so that AD FS sends unencrypted assertions to the service provider.

  14. Select the Advanced tab and, for Secure hash algorithm, select the SHA algorithm that matches the SHA Algorithm configured for VMware Tanzu Application Service for VMs. Both sides must use the same algorithm.

  15. (Optional) If you are using a self-signed certificate, disable CRL checks for this trust by following these steps:

    1. Open Windows PowerShell as an Administrator.
    2. Run the following command, replacing < Relying Party Trust > with the display name you entered in step 5:
      > Set-AdfsRelyingPartyTrust -TargetName "< Relying Party Trust >" -SigningCertificateRevocationCheck None

    This disables revocation checking only for the signing certificate of this relying party trust, not for AD FS as a whole. Re-enable it if you later replace the self-signed certificate with one issued by a CA that publishes a CRL.

  16. (Optional) If you are using a self-signed certificate, add its issuing CA to the AD FS trust store. Obtain the Ops Manager root CA certificate from https://OPS_MANAGER_IP/api/v0/security/root_ca_certificate and add it to the AD FS trust store, so that AD FS can trust the Service Provider Key Certificate signed by the Ops Manager root CA.

  17. (Optional) To map additional application or group attributes to users in the ID token, click Edit Claim Rules… and add another Send LDAP Attributes as Claims rule. For group claims, see Setting Up Groups in SAML from AD FS below.
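
The relying party trust built in steps 1 through 16 above, as one PowerShell script run on the AD FS server. This is an added example and is not part of the VMware documentation or the AD FS product documentation. The trust name, file paths, rule names, and the choice of SHA-256 are placeholder assumptions; the claim rule text corresponds to the rule language that the Send LDAP Attributes as Claims, Transform an Incoming Claim, and Permit all users templates generate for the selections made in steps 7 and 11.

```powershell
# Added example (not from the VMware docs): build the AD FS relying party trust
# described above from PowerShell instead of the wizard.
# Assumptions (hypothetical values): the SP metadata downloaded from the SSO
# Operator Dashboard was saved to C:\sso\sp-metadata.xml, the display name is
# "Tanzu SSO", and the Ops Manager root CA was saved as a Base64 .cer file.
Import-Module ADFS

$trustName    = 'Tanzu SSO'
$metadataFile = 'C:\sso\sp-metadata.xml'
$rootCaFile   = 'C:\sso\opsman-root-ca.cer'

# Step 11: LDAP "mail" -> E-Mail Address, then E-Mail Address -> Name ID with
# the emailAddress Name ID format. Literal here-string, so nothing is expanded.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "E-mail from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 7: "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 4 to 11: create the trust from the SP metadata with both rule sets.
# The identifier and certificates are read from the metadata file.
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataFile $metadataFile `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Step 13: stop encrypting assertions for this trust (same effect as removing
# the encryption certificate in the GUI).
# Step 14: signature algorithm; SHA-256 assumed here. Use
# http://www.w3.org/2000/09/xmldsig#rsa-sha1 only if TAS is configured for SHA1.
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -EncryptClaims $false `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Steps 15 and 16, only while the SP uses a self-signed / Ops Manager-issued
# certificate: trust the Ops Manager root CA and skip CRL checks on the SP
# signing certificate for this trust only.
if (Test-Path $rootCaFile) {
    Import-Certificate -FilePath $rootCaFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    Set-AdfsRelyingPartyTrust -TargetName $trustName -SigningCertificateRevocationCheck None
}

# Check the result before handing the trust to users.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, EncryptClaims, SignatureAlgorithm, SigningCertificateRevocationCheck
```

Run it in an elevated PowerShell session on the AD FS server. The final Get-AdfsRelyingPartyTrust call is also the check to run after any change made through the console: EncryptClaims should be False, SignatureAlgorithm should match the TAS setting, and SigningCertificateRevocationCheck should be None only for as long as the self-signed certificate is in use.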

Setting Up Groups in SAML from AD FS

  1. Right-click your Relying Party Trust and select Edit Claim Rules….

  2. Select Add Rule.

  3. Select Send Group Membership as a Claim and click Next.

  4. Enter the Claim rule name.

  5. Click Browse to select your User’s group.

  6. Select Group as your Outgoing claim type.

  7. Set your Outgoing claim value to match your group’s name.

  8. Click Finish.

  9. To save these configurations and send the group under the default outgoing claim type http://schemas.xmlsoap.org/claims/Group, click OK. If you want the group claim to appear in the SAML assertion under the custom attribute name “groups” instead, continue to the Create Custom Value “groups” procedure below.

Create Custom Value “groups”

  1. Select your newly created rule and click Edit Rule.

  2. Click View Rule Language.

  3. Copy the text in the Claim rule language field to a notepad or other location. You need this text for the next steps.

  4. Exit the Edit Rule menu. Select the rule you just added and click Remove Rule.

  5. Click Add Rule.

  6. Select Send Claims Using a Custom Rule from the Claim rule template dropdown.

  7. Click Next.

  8. Paste in the text you copied in step 3 from the removed rule. In the issue() statement, change Type = "http://schemas.xmlsoap.org/claims/Group" so that it reads Type = "groups", and remove the @RuleTemplate line, because the rule is no longer a template rule.

  9. Click OK to save your changes.
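
The template rule and its custom-rule replacement from this procedure, as PowerShell. This is an added example rather than text from the VMware page. The trust name, AD group, and claim value are placeholder assumptions; the rule text is the rule language that the Send Group Membership as a Claim template produces, which is what step 3 copies out of View Rule Language, and the custom rule is that text with the Type edited as in step 8.

```powershell
# Added example (not from the VMware docs): build the custom "groups" claim rule
# from this section in PowerShell and append it to the trust's existing rules.
# Assumptions (hypothetical values): trust "Tanzu SSO", AD group
# "DOMAIN\pcf-developers", emitted with the claim value "developers".
Import-Module ADFS

$trustName  = 'Tanzu SSO'
$groupName  = 'DOMAIN\pcf-developers'
$claimValue = 'developers'

# The "Send Group Membership as a Claim" template matches on the group SID,
# which is what the wizard's Browse button resolves for you.
$ntAccount = New-Object System.Security.Principal.NTAccount($groupName)
$groupSid  = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# What View Rule Language shows for the template rule (step 3): the outgoing
# type is the default http://schemas.xmlsoap.org/claims/Group.
$templateRule = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Group: $claimValue"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "$claimValue", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Step 8: the same rule as a custom rule with Type edited to "groups". The
# @RuleTemplate line is dropped because it is no longer a template rule.
$customRule = $templateRule -replace '@RuleTemplate = "EmitGroupClaims"\r?\n', '' `
                            -replace 'Type = "http://schemas.xmlsoap.org/claims/Group"', 'Type = "groups"'

# Append to the existing transform rules so the e-mail and Name ID rules
# already on the trust are kept (Set- replaces the whole rule set).
$existing = (Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules ($existing + "`n" + $customRule)

# Confirm the custom rule is present: this prints the issue() line that now
# emits the "groups" attribute, and nothing for the default Group type.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules -split "`n" |
    Where-Object { $_ -match 'issue\(Type = "groups"' }
```

Run it on the AD FS server after the trust from the previous section exists. Because Set-AdfsRelyingPartyTrust -IssuanceTransformRules overwrites every transform rule on the trust, always read the current rules first and append, as the script does; otherwise the e-mail and Name ID rules disappear and logins fail with an empty Name ID.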