Configuring Active Directory Federation Services as an Identity Provider

Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu Application Service.

This topic describes how to set up Active Directory Federation Services (AD FS) as your identity provider by configuring SAML integration.

Overview

To set up AD FS as your identity provider through SAML integration:

  1. Set up SAML in Single Sign‑On
  2. Set up SAML in AD FS
  3. Create Claim Rules
  4. (Optional) Disable CRL Checks
  5. Set up Groups in SAML from AD FS
  6. Create Custom Value Groups

Set up SAML in Single Sign‑On

To set up SAML in Single Sign‑On, follow the steps in Configure SAML Settings.

Set up SAML in AD FS

To set up SAML in AD FS:

  1. Open the AD FS Management console.

  2. Click Add Relying Party Trust… in the Actions pane.

  3. On the Welcome step, click Start.

    Screenshot of the "Welcome" step of the Add Relying Party Trust Wizard, with the "Start" button highlighted.

  4. Select Import data about the relying party from a file, enter the path to the downloaded service provider metadata, and click Next.

    Screenshot of the "Select Data Source" step of the Add Relying Party Trust Wizard, with the "Import data about the relying party from a file" radio button, the "Federation metadata file location" field, and the "Browse" button highlighted.

  5. Enter a name for Display name and click Next.

    Screenshot of the "Specify Display Name" step of the Add Relying Party Trust Wizard, with the "Display name" field highlighted.

  6. Leave the default multi-factor authentication selection and click Next.

    Screenshot of the "Configure Multi-factor Authentication Now?" step of the Add Relying Party Trust Wizard, with the "I do not want to configure multi-factor authentication settings for this relying party trust at this time." radio button highlighted.

  7. Select Permit all users to access this relying party and click Next.

    Screenshot of the "Choose Issuance Authorization Rules" step of the Add Relying Party Trust Wizard, with the "Permit all users to access this relying party" radio button selected and highlighted.

  8. Review your settings and click Next.

  9. Click Close to finish the wizard.

  10. The claim rule editor should open by default. If it does not, select your Relying Party Trust and click Edit Claim Rules… in the Actions pane.

Create Claim Rules

To create two claim rules:

  1. Click Add Rule.

  2. Select Send LDAP Attributes as Claims for Claim rule template and click Next.

    Screenshot of the "Choose Rule Type" step of the Add Transform Claim Rule Wizard, with the "Claim rule template:" dropdown set to "Send LDAP Attributes as Claims" highlighted.

  3. Enter a Claim rule name.

  4. Select Active Directory for Attribute store.

  5. Select E-Mail-Addresses for LDAP Attribute and select E-mail Address for Outgoing Claim Type.

  6. Click Finish.

    Screenshot of the Add Transform Claim Rule Wizard with "Claim rule name:" set to "LDAP email", "Attribute store:" set to "Active Directory", "LDAP Attribute" set to "Email Addresses", and "Outgoing Claim Type" set to "Email Address", all highlighted.

  7. Click Add Rule.

  8. Select Transform an Incoming Claim from the Claim rule template dropdown and click Next.

    Screenshot of the "Select Rule Template" step of the Add Transform Claim Rule Wizard, with the "Claim rule template:" dropdown set to "Transform an Incoming Claim" highlighted.

  9. Enter a Claim rule name.

  10. Select E-Mail Address for Incoming claim type.

  11. Select Name ID for Outgoing claim type.

  12. Select Email for Outgoing name ID format.

  13. Click Finish.

    Screenshot of the "Configure Claim Rule" step of the Add Transform Claim Rule Wizard, with "Claim rule name:" set to "NameID" and the "Incoming claim type:", "Incoming name ID format:", "Outgoing claim type:", and "Outgoing name ID format" dropdowns highlighted; the "Pass through all claim values" radio button is selected.

  14. Double-click the new Relying Party Trust to open the properties.

  15. Select the Encryption tab and click Remove to remove the encryption certificate.

    Screenshot of the "Encryption" tab of the "ADFS PCF SSO Properties" window, with the "Encryption" tab and the "Remove" button highlighted.

  16. Select the Advanced tab and, for Secure hash algorithm, select the SHA algorithm that matches the SHA Algorithm configured for VMware Tanzu Application Service for VMs.

    Screenshot of the "Advanced" tab of the "ADFS PCF SSO Properties" window, with the "Advanced" tab highlighted and the "Secure hash algorithm:" dropdown set to "SHA-1".

(Optional) Disable CRL Checks

If you are using a self-signed certificate, disable CRL checks:

  1. Open Windows PowerShell as an administrator.

  2. Disable the CRL checks by running:

    Set-AdfsRelyingPartyTrust -TargetName "< Relying Party Trust >" -SigningCertificateRevocationCheck None

  3. (Optional) If you are using a self-signed certificate, add it to the AD FS trust store. Obtain the Ops Manager certificate from https://OPS_MANAGER_IP/api/v0/security/root_ca_certificate and add this CA certificate to the AD FS trust store, so that AD FS can trust the “Service Provider Key Certificate” signed by the Ops Manager root CA.

  4. (Optional) To specify any application or group attributes that you want to map to users in the ID token, click Edit Claim Rules… and configure Send LDAP Attributes as Claims. For more information, see the next section.
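The two PowerShell changes above (steps 2 and 3), with a check of the setting before and after, as an added example that is not part of the original page. It assumes the relying party trust display name "ADFS PCF SSO" from the screenshots, that the Ops Manager root CA has already been saved as a PEM file at the path below, and that the "AD FS trust store" is the local machine Trusted Root store; all three are assumptions to adjust for your environment.

```powershell
# Added example, not from the original page. $rpName and $caPath are placeholders.
$rpName = "ADFS PCF SSO"                 # display name given in the wizard
$caPath = "C:\temp\opsman-root-ca.pem"   # PEM from /api/v0/security/root_ca_certificate

# Record the current revocation setting so the change can be reviewed or reverted.
$before = (Get-AdfsRelyingPartyTrust -Name $rpName).SigningCertificateRevocationCheck
Write-Host "SigningCertificateRevocationCheck before: $before"

# Step 2: disable CRL checking for this one relying party trust only.
# The setting is per trust, so other relying party trusts keep their checks.
Set-AdfsRelyingPartyTrust -TargetName $rpName -SigningCertificateRevocationCheck None

# Step 3: trust the Ops Manager root CA that signed the Service Provider Key
# Certificate. This example assumes the local machine Trusted Root store is
# the store AD FS consults when it validates the signing certificate chain.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($caPath)
Write-Host "Importing CA: $($ca.Subject) (thumbprint $($ca.Thumbprint))"
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$store.Open("ReadWrite")
$store.Add($ca)
$store.Close()

# Verify both changes took effect.
$trust = Get-AdfsRelyingPartyTrust -Name $rpName
"{0}: revocation check = {1}" -f $trust.Name, $trust.SigningCertificateRevocationCheck
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $ca.Thumbprint } |
    Select-Object Subject, NotAfter
```

Run it in an elevated Windows PowerShell session on the AD FS server; the first Write-Host line shows the value to restore if CRL checking is later re-enabled.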

Set up Groups in SAML from AD FS

To set up groups in SAML from AD FS:

  1. Right-click your Relying Party Trust and select Edit Claim Rules….

    Screenshot of the context menu, with "Edit Claim Rules..." highlighted.

  2. Select Add Rule.

  3. Select Send Group Membership as a Claim and click Next.

    Screenshot of the "Choose Rule Type" step of the Add Transform Claim Rule Wizard, with the "Claim rule template:" dropdown set to "Send Group Membership as a Claim".

  4. Enter the Claim rule name.

  5. Click Browse to select your User’s group.

  6. Select Group as your Outgoing claim type.

  7. Set your Outgoing claim value to match your group’s name.

  8. Click Finish.

    Screenshot of the "Select Group" window, with the "Select the object type:", "From this location:", and "Enter the object name to select" fields and their "Object Types...", "Locations...", and "Check Names" buttons.

  9. To save these configurations and use the default claim type http://schemas.xmlsoap.org/claims/Group in the SAML assertion, click OK. If you want to pass the claims assertion as a custom value “groups” in the SAML assertion, continue to the Create Custom Value Groups procedure below.

Create Custom Value Groups

To create custom value groups:

  1. Select your newly created rule and click Edit Rule.

    Screenshot of the "Issuance Transform Rules" tab of the "Edit Claim Rules for PWS Demo Login" window, with the rule named "MYGROUP" selected in the list of transform rules above the "Add Rule...", "Edit Rule...", and "Remove Rule..." buttons.

  2. Click View Rule Language.

  3. Copy the text in the Claim rule language field to a notepad or other location. You need this text for the next steps.

  4. Exit the Edit Rule menu. Select the rule you just added and click Remove Rule.

  5. Click Add Rule.

  6. Select Send Claims Using a Custom Rule from the Claim rule template dropdown.

  7. Click Next.

    Screenshot of the "Choose Rule Type" step of the Add Transform Claim Rule Wizard, with the "Claim rule template:" dropdown set to "Send Claims Using a Custom Rule".

  8. Paste the rule text you copied in step 3 from the removed rule into the Custom rule field, then edit the Type value so that it reads only “groups”.

    Screenshot of an "Edit Rule" window, with "Claim rule name:" set to "MYGROUP" and a "Custom rule:" field containing an example rule.

  9. Click OK to save your changes.
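The rules that the Create Claim Rules and Create Custom Value Groups procedures build in the wizard, written out in AD FS claim rule language and applied with the AD FS cmdlets, as an added example that is not part of the original page. It assumes the relying party display name "ADFS PCF SSO", the group name MYGROUP from the screenshots, and a placeholder group SID; replace all three for your environment.

```powershell
# Added example, not from the original page. $rpName, $groupSid and MYGROUP are placeholders.
$rpName   = "ADFS PCF SSO"              # display name given in the wizard
$groupSid = "S-1-5-21-PLACEHOLDER-1234" # SID of the AD group chosen with Browse

# One rule set in claim rule language. Note: -IssuanceTransformRules replaces
# every existing issuance transform rule on the trust, so list all of them.
$rules = @"
@RuleName = "LDAP email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleName = "MYGROUP"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "groups", Value = "MYGROUP", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@
# The wizard-generated group rule has Type = "http://schemas.xmlsoap.org/claims/Group";
# the MYGROUP rule above is that rule after step 8, with the Type edited to "groups".

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read back what AD FS stored so the three rules can be checked before a login test.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

The same text that Set-AdfsRelyingPartyTrust accepts here is what the wizard shows under View Rule Language, so the read-back can be compared line by line against the rules created through the GUI.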