Configuring AD FS as an Identity Provider

This topic describes configuring Active Directory Federation Services (AD FS) as your identity provider (IDP) in Pivotal Platform and AD FS.

Configure SAML Integration in Pivotal Platform

You can use AD FS as your SAML IDP for Pivotal Operations Manager and Pivotal Application Service (PAS).

Configure SAML Integration in Ops Manager

To configure Ops Manager to use AD FS as your SAML IDP:

  1. Download your IDP metadata from https://AD-FS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml, where AD-FS-HOSTNAME is the hostname of your AD FS deployment.

  2. Follow the procedure in Use an Identity Provider in the BOSH Director configuration topic for your IaaS:

Note: You can set up SAML access for Ops Manager during the initial Pivotal Platform installation or later by navigating to Settings in the user menu in the Ops Manager Installation Dashboard, configuring the Authentication Method pane, and then clicking Review Pending Changes and Apply Changes.

Configure SAML Integration in PAS

To configure PAS to use AD FS as your SAML IDP:

  1. Download your IDP metadata from https://AD-FS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml, where AD-FS-HOSTNAME is the hostname of your AD FS deployment.

  2. Follow the procedure in Configure Pivotal Platform as a Service Provider for SAML in Configuring Authentication and Enterprise SSO for PAS.
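Before importing the IDP metadata in either of the procedures above, it is worth checking exactly what you are about to trust. The following PowerShell script is an added example and is not part of the Pivotal documentation; it assumes the metadata was saved locally as federationmetadata.xml (the path is an assumption) and reports the entityID, the HTTP-POST sign-on endpoint, the advertised Name ID formats, and the thumbprint and expiry of each certificate AD FS publishes.

```powershell
# Added example (not from the Pivotal docs): inspect a downloaded AD FS federation
# metadata file before importing it into Ops Manager or PAS, so you know which
# entityID and signing certificate you are about to trust.
# Assumption: the file was saved as .\federationmetadata.xml.
param(
    [string]$MetadataPath = ".\federationmetadata.xml"
)

[xml]$md = Get-Content -Path $MetadataPath -Raw

# PowerShell's XML adapter lets you walk elements by local name, without namespace prefixes.
$entity = $md.EntityDescriptor
Write-Host "entityID        : $($entity.entityID)"

$idp = $entity.IDPSSODescriptor
$sso = $idp.SingleSignOnService | Where-Object { $_.Binding -like '*HTTP-POST' }
Write-Host "SSO (HTTP-POST) : $($sso.Location)"
Write-Host "NameIDFormats   : $($idp.NameIDFormat -join ', ')"

# Each KeyDescriptor carries a base64 DER certificate. Decode it and report the
# thumbprint and validity window: Ops Manager and PAS will accept SAML responses
# signed by this certificate only, so record the thumbprint and watch the expiry.
foreach ($kd in $idp.KeyDescriptor) {
    $b64  = ($kd.KeyInfo.X509Data.X509Certificate -replace '\s', '')
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($b64))
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Write-Host ("{0,-10} {1} expires {2:yyyy-MM-dd} ({3} days) subject={4}" -f
        $kd.use, $cert.Thumbprint, $cert.NotAfter, $daysLeft, $cert.Subject)
    if ($daysLeft -lt 30) {
        Write-Warning "Certificate $($cert.Thumbprint) ($($kd.use)) expires in $daysLeft days; plan the rollover before SSO breaks."
    }
}
```

Run it as `.\Inspect-FederationMetadata.ps1 -MetadataPath C:\path\federationmetadata.xml` (script name is an assumption). AD FS rotates its token-signing certificate automatically when AutoCertificateRollover is enabled, so re-run the check and re-import the metadata whenever the reported thumbprint changes.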

Configure SAML Integration in AD FS

To designate Pivotal Platform as your SAML service provider (SP) in AD FS:

  1. Download your SP metadata from https://login.SYSTEM-DOMAIN/saml/metadata, where SYSTEM-DOMAIN is the system domain of your Pivotal Platform deployment.

  2. Open your AD FS Management console.

  3. To add a relying party trust:

    1. Select Actions.
    2. Click Add Relying Party Trust….
    3. On the Welcome step, click Start.
    4. Select Import data about the relying party from a file.
    5. Choose the downloaded SP metadata file.
    6. Click Next.
    7. Enter a Display name for the new relying party trust.
    8. Click Next.
    9. Leave the default multi-factor authentication selection.
    10. Click Next.
    11. Select Permit all users to access this relying party.
    12. Click Next.
    13. Review your settings.
    14. Click Next.
    15. Click Close to finish the wizard.
  4. To modify your relying party trust:

    1. Double-click the new relying party trust.
    2. Select the Encryption tab.
    3. Click Remove to remove the encryption certificate you imported.
    4. Select the Advanced tab.
    5. For the Secure hash algorithm, select SHA256.
  5. (Optional) If you are using a self-signed certificate and want to disable CRL checks:

    1. Open Windows PowerShell as an Administrator.
    2. Run:

       Set-AdfsRelyingPartyTrust -TargetName "RELYING-PARTY-TRUST" -SigningCertificateRevocationCheck None

    Where RELYING-PARTY-TRUST is the relying party trust for which you want to disable CRL checks.

  6. To add claim rules for your relying party trust, select your relying party trust and click Edit Claim Rules….

  7. In the Issuance Transform Rules tab, create two claim rules:

    1. Click Add Rule.
    2. For Claim rule template, select Send LDAP Attributes as Claims.
    3. Click Next.
    4. Enter a Claim rule name.
    5. For Attribute store, select Active Directory.
    6. For LDAP Attribute, select E-Mail-Addresses. If you do not have the email attribute configured for users, you can select User-Principal-Name.
    7. For Outgoing Claim Type, select E-Mail Address.
    8. Click Finish.

    9. Click Add Rule.
    10. For Claim rule template, select Transform an Incoming Claim.
    11. Click Next.
    12. Enter a Claim rule name.
    13. For Incoming claim type, select E-Mail Address.
    14. For Outgoing claim type, select Name ID.
    15. For Outgoing name ID format, select Email.
    16. Click Finish.
  8. To permit access to users based on a security group:

    1. Select the Issuance Authorization Rules tab.
    2. Click Add Rule.
    3. For Claim rule template, select Permit or Deny Users Based on an Incoming Claim.
    4. Click Next.
    5. Enter a Claim rule name.
    6. For Incoming claim type, select Group SID.
    7. Click Browse.
    8. Locate the security group in your domain of which Pivotal Platform developers are a part.
    9. Click OK.
    10. Ensure Permit access to users with this incoming claim is selected.
    11. Click Finish.
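The relying party trust, transform rules, and group-based authorization rule described in steps 3 through 8 can also be created with the AD FS PowerShell module, which makes the configuration reviewable and repeatable. The script below is an added example and is not code from the Pivotal documentation; it assumes the SP metadata was saved as sp-metadata.xml, uses "Pivotal Platform" as the display name, and carries a placeholder for the developers' group SID. All three values are assumptions to replace for your environment. It writes the claim rules in the AD FS claim rule language, as the wizard would generate them, and permits only the named group rather than all users.

```powershell
# Added example (not from the Pivotal docs): the relying party trust configuration
# from the steps above, done with the AD FS PowerShell module instead of the console.
# Run in an elevated PowerShell session on an AD FS server.
#Requires -RunAsAdministrator
Import-Module ADFS

$DisplayName  = "Pivotal Platform"                 # assumption: your relying party trust name
$MetadataFile = ".\sp-metadata.xml"                # assumption: saved from https://login.SYSTEM-DOMAIN/saml/metadata
$GroupSid     = "S-1-5-21-PLACEHOLDER-GROUP-RID"   # placeholder: SID of the developers' security group

# Step 7, in claim rule language: 1) send the AD mail attribute as an E-Mail Address
# claim (change ";mail;" to ";userPrincipalName;" if mail is not populated),
# 2) transform that claim into a Name ID with the email format.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 8: issuance authorization permits only members of the security group.
# With no other permit rule present, every other user is denied by default.
$authRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit platform developers"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$GroupSid`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

# Step 3: create the trust from the SP metadata with both rule sets attached.
Add-AdfsRelyingPartyTrust -Name $DisplayName -MetadataFile $MetadataFile `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules

# Step 4: sign with SHA-256 and do not encrypt assertions. The console steps remove
# the imported encryption certificate; here claim encryption is switched off instead.
Set-AdfsRelyingPartyTrust -TargetName $DisplayName `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -EncryptClaims $false

# Step 5 (optional): only for a self-signed SP certificate; keep revocation checking on otherwise.
# Set-AdfsRelyingPartyTrust -TargetName $DisplayName -SigningCertificateRevocationCheck None

# Review the result.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, SignatureAlgorithm, EncryptClaims, SigningCertificateRevocationCheck
```

One caveat for the console procedure: AD FS grants access when any permit rule fires and no deny rule does, so the "Permit all users" rule chosen in step 3 still admits every authenticated user even after the group rule from step 8 is added. To actually restrict access to the group, remove the permit-all rule from the Issuance Authorization Rules tab (or, as in the script, never create it) and keep only the Group SID rule.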