Configuring ADFS as an Identity Provider


This topic describes how to configure Active Directory Federation Services (ADFS) as the SAML identity provider (IdP) for Pivotal Cloud Foundry (PCF). Both sides of the federation are covered: the IdP settings in PCF and the relying party trust in ADFS.

Configure SAML Integration in PCF

You can use ADFS as the SAML IdP for Ops Manager, for Elastic Runtime, or for both. The two are configured separately:

Configure SAML Integration in Ops Manager

To configure Ops Manager to use ADFS as your SAML IdP, do the following:

  1. Download your IdP metadata from https://YOUR-ADFS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml.

  2. Perform the steps in the Use an Identity Provider section of the Ops Manager Director configuration topic for your IaaS.

Note: You can set up SAML access for Ops Manager during the initial PCF installation or later by navigating to Settings in the user menu on the Ops Manager Installation Dashboard, configuring the Authentication Method pane, and then clicking Apply Changes.

Configure SAML Integration in Elastic Runtime

To configure Elastic Runtime to use ADFS as your SAML IdP, do the following:

  1. Download your IdP metadata from https://YOUR-ADFS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml.

  2. Perform the steps in the Configure PCF as a Service Provider for SAML section of the Configuring Authentication and Enterprise SSO for Elastic Runtime topic.

Configure SAML Integration in ADFS

To designate PCF as your SAML service provider (SP) in ADFS, do the following:

  1. Download your SP metadata from https://login.YOUR-SYSTEM-DOMAIN/saml/metadata.

  2. Open your ADFS Management console and add a relying party trust as follows:

    1. Click Add Relying Party Trust… in the Actions pane.
    2. On the Welcome step, click Start.
    3. Select Import data about the relying party from a file, import the downloaded SP metadata file, and click Next.
    4. Enter a Display name for the new relying party trust and click Next.
    5. Leave the default multi-factor authentication selection and click Next.
    6. Select Permit all users to access this relying party and click Next. (Step 7 below narrows access to a security group; the rule this choice creates must be removed at that point.)
    7. Review your settings and click Next.
    8. Click Close to finish the wizard.
  3. Modify your relying party trust as follows:

    1. Double-click the new relying party trust.
    2. Select the Encryption tab and click Remove to remove the encryption certificate that was imported from the SP metadata. ADFS then sends signed but unencrypted assertions to PCF, so the TLS connection to login.YOUR-SYSTEM-DOMAIN is what protects them in transit; make sure that endpoint presents a valid certificate.
    3. In the Advanced tab, select SHA-1 for the Secure hash algorithm. SHA-1 is a deprecated signature digest; if your PCF version accepts SHA-256 signed assertions, prefer SHA-256.
  4. (Optional) If you are using a self-signed certificate and want to disable certificate revocation list (CRL) checks on the SP signing certificate for this relying party trust only, do the following. Note that with revocation checking off, a compromised SP signing certificate cannot be revoked on the ADFS side, so prefer a CA-issued certificate where you can.

    1. Open Windows PowerShell as an Administrator.
    2. Execute the following command, replacing RELYING-PARTY-TRUST with the Display name you entered in the wizard: Set-AdfsRelyingPartyTrust -TargetName "RELYING-PARTY-TRUST" -SigningCertificateRevocationCheck None
  5. To add claim rules for your relying party trust, select your relying party trust and click Edit Claim Rules….

  6. In the Issuance Transform Rules tab, create two claim rules as follows:

    1. Click Add Rule.
    2. Select Send LDAP Attributes as Claims for Claim rule template and click Next.
    3. Enter a Claim rule name.
    4. Select Active Directory for Attribute store.
    5. Select E-Mail-Addresses for LDAP Attribute and E-Mail Address for Outgoing Claim Type. Alternatively, if your users do not have the email attribute populated, select User-Principal-Name for LDAP Attribute instead.
    6. Click Finish.

    7. Click Add Rule.
    8. Select Transform an Incoming Claim for Claim rule template and click Next.
    9. Enter a Claim rule name.
    10. Select E-Mail Address for Incoming claim type.
    11. Select Name ID for Outgoing claim type.
    12. Select Email for Outgoing name ID format.
    13. Click Finish.
  7. To permit access only to members of a security group, navigate to the Issuance Authorization Rules tab and create an authorization claim rule as follows. Afterwards, delete the Permit Access to All Users rule that the wizard created in step 2: ADFS permits access when any rule issues a permit claim, so while that rule remains every authenticated user is still allowed in regardless of group membership.

    1. Click Add Rule.
    2. Select Permit or Deny Users Based on an Incoming Claim for Claim rule template and click Next.
    3. Enter a Claim rule name.
    4. Select Group SID for Incoming claim type.
    5. Click Browse and locate the security group in your domain that PCF developers are a part of and click OK.
    6. Ensure Permit access to users with this incoming claim is selected.
    7. Click Finish.
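The same relying party trust, claim rules, and optional CRL setting can be created from the ADFS PowerShell module instead of the console wizard. The following script is an added example and not part of the PCF documentation or of any Pivotal tooling. It assumes the trust name "PCF", the local path C:\pcf\sp-metadata.xml, an AD security group named "PCF-Developers", the Remote Server Administration Tools (for Get-ADGroup), and that it runs as an administrator on an ADFS server whose console exposes Issuance Authorization Rules (as the steps above do); none of those names come from the page. It disables assertion encryption with -EncryptClaims $false, which is taken here to have the same effect as removing the encryption certificate in the console.

```powershell
# Added example: create the PCF relying party trust with the ADFS cmdlets.
# Assumed values (not from the documentation): trust name, metadata path, group name.
Import-Module ADFS
Import-Module ActiveDirectory   # assumes RSAT AD tools are installed, for Get-ADGroup

$TrustName     = "PCF"                                        # assumed display name
$MetadataFile  = "C:\pcf\sp-metadata.xml"                     # assumed local path
$SpMetadataUrl = "https://login.YOUR-SYSTEM-DOMAIN/saml/metadata"
$DevGroup      = "PCF-Developers"                             # assumed AD group

# Step 1: fetch the SP metadata to a file so it can be inspected before import.
Invoke-WebRequest -Uri $SpMetadataUrl -OutFile $MetadataFile

# Resolve the developers' group to its SID; the authorization rule matches on SID, not name.
$GroupSid = (Get-ADGroup -Identity $DevGroup).SID.Value

# Standard ADFS claim type URIs used in the rules below.
$WinAccount = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$Email      = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$NameId     = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$NameIdFmt  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
$GroupSidT  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
$Permit     = "http://schemas.microsoft.com/authorization/claims/permit"

# Step 6: the two issuance transform rules.
#   Rule 1 = "Send LDAP Attributes as Claims": AD mail attribute -> E-Mail Address claim.
#            To fall back to UPN, change ";mail;{0}" to ";userPrincipalName;{0}".
#   Rule 2 = "Transform an Incoming Claim": E-Mail Address -> Name ID in email format.
$TransformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Email from AD"
c:[Type == "$WinAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$Email"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "$Email"]
 => issue(Type = "$NameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$NameIdFmt"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# Step 7: the only authorization rule is the group permit, so there is no
# leftover "Permit Access to All Users" rule to widen access. The SID is
# anchored on both ends so a longer SID with the same prefix cannot match.
$AuthRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit PCF developers"
c:[Type == "$GroupSidT", Value =~ "^(?i)$GroupSid`$"]
 => issue(Type = "$Permit", Value = "PermitUsersWithClaim");
"@

# Steps 2 and 3: import the SP metadata and attach both rule sets in one call.
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $MetadataFile `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthRules

# Post-wizard changes from step 3: no assertion encryption (console: Encryption tab,
# Remove) and the signature hash algorithm (console: Advanced tab). The page calls
# for SHA-1; use "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" if PCF accepts it.
$HashAlg = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -EncryptClaims $false `
    -SignatureAlgorithm $HashAlg

# Step 4 (optional, self-signed SP certificate only): skip CRL checks on the SP
# signing certificate. This applies to this trust alone; revocation checking
# stays on for every other relying party.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -SigningCertificateRevocationCheck None

# Review the result: the identifier should be the entityID from the SP metadata.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, SignatureAlgorithm, EncryptClaims, SigningCertificateRevocationCheck
```

Because -IssuanceAuthorizationRules replaces the whole rule set, running this script leaves the group rule as the only permit rule, which is the state the console procedure reaches only after the wizard's all-users rule is deleted. Leave the step 4 call out unless the SP certificate really is self-signed.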