CloudCenter 4.8 has reached End of Life (EOL) as of November 14, 2018. See End of Support Notices for additional context.

ADFS SAML SSO Integration

Overview

CloudCenter does not authenticate directly to LDAP or AD.

CloudCenter only interacts with LDAP/AD through an SSO Identity Provider (IDP) that supports the SAML 2.0 protocol (for example, Ping Identity, ADFS, Shibboleth, and so forth).

To implement SSO using CloudCenter:

  1. Configure the CCM to redirect authentication to the SSO IDP.
  2. Map the additional user custom properties (returned by the SAML IDP) to the user activation profile.
  3. Once these steps are complete, CloudCenter automatically assigns the proper user group membership and additional roles and permissions.

A CCM instance supports Security Assertion Markup Language (SAML) 2.0 SSO through Spring Security SAML Extension.

The SysAdmin can set up SAML integration at the root level or the tenant level. To configure this integration correctly, you must have the following information for the root tenant or sub-tenant (as applicable to your deployment):

Domain and Portal Verification

Verify and ensure that the following information is accurate:

  • The timezone and time of the CCM (and by association all other appliances) match those of the AD Domain Controllers.

  • The logon URL of the FQDN portal page (for example, https://cloud.core.enterpise.com) is accurate.

CloudCenter Support

Contact CloudCenter Support for additional information.

SAML Authentication Configuration

To configure a tenant to use SSO, follow this procedure:

  1. Create a tenant (see Sub-Tenant Configuration)

    1. Short Name – enter a string without white spaces or special characters.

    2. External Id – enter the ID of the organization in the external system with which the tenant is associated.

    3. Tenant – the CCM server domain name alias for the tenant. This serves as the Service Provider (SP) endpoint from the SSO perspective.

  2. Log in as the newly created tenant admin and create an Activation Profile.

  3. Click the Vendor Info tab and select the newly created activation profile as the Default Activation Profile.

  4. Log in as Sys Admin (see Admin Users > Login as a System Admin), click the Manage Vendor Admins tab, and select the Authentication Settings action from the dropdown for this tenant.

  5. Enter the information in the IDP Settings:

    1. IDP Name (sample name is indicative of supporting AD domain)

    2. IDP Metadata URL – establishes the mutual trust between the CloudCenter platform and the IDP (currently, this does not support HTTPS, so use HTTP). Because the metadata carries the IDP signing certificate that every later assertion is checked against, metadata fetched over plain HTTP should be compared with a copy obtained directly from the IDP administrator, or supplied through the IDP Metadata File field instead.

    3. IDP Metadata File (if applicable)

  6. Enter the information in the SP Settings:

    1. Entity ID – the target domain name for this authentication (should be the DNS name of the logon page)

    2. Default SSO Binding – leave at POST

    3. Logout Target URL – if users log in through your company's SAML page, specify the URL to which logged-in users are redirected when they log out of the SAML page (can be the same as the Entity ID)

  7. Enter the information in the Attribute Mappings section – these are the fields from the IDP that are mapped to user attributes within the CloudCenter platform. If you are unsure about these fields, contact your IDP administrator. At a minimum, you must provide the first name, last name, and email address.

    1. Enter the First Name Mapping (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname)

    2. Enter the Last Name Mapping (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname)

    3. Enter the Email Mapping (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)

    4. Enter the User Group Mapping (http://schemas.xmlsoap.org/claims/Group)

    5. Download the Metadata file.

    Optional

    If automating the placement of SSO self-care users, enter the unique identifier for 1st and 2nd level Vendor External ID attributes. For example:

    1. Enter the 1st Level Vendor External ID mapping (company)

    2. Enter the 2nd Level Vendor External ID mapping (department)

    Company and department are user-level attributes in the directory server.

    Be aware that the values of these attributes on the user's directory entry are compared against the External ID value set in the sub-tenant to decide where a new user who signs in to the CloudCenter platform is placed.

  8. Click Submit.

ADFS Trust Settings

To configure the ADFS trust settings and to edit the corresponding claim rules, follow this procedure.

  1. In the AD FS Manager, under AD FS > Trust Relationships > Relying Party Trusts, click Add Relying Party Trust to open the Add Relying Party Trust Wizard.

  2. On the Welcome page, click Start.

  3. On the Select Import Data from a file page, browse to and select the sp-xxxxx.xml file.

  4. Click Next.

  5. Provide a Display name.

  6. Click Next.

  7. On the Configure Multi-factor Authentication Now? page, select I do not want to configure multi-factor authentication settings for this relying party trust at this time.

  8. Click Next.
  9. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party.

  10. Click Next.

  11. On the Ready to Add Trust page, review the properties of the new Relying Party Trust and click Next to save your relying party trust information.

  12. On the Finish page, click Close. This action automatically displays the Edit Claim Rules box.

  13. Click Properties.

  14. On the Advanced tab, in the Secure hash algorithm list, select SHA-1, and then click OK.

  15. Click the trust in the list where you want to create a claim rule.

  16. Right-click the selected trust, and then click Edit Claim Rules.

  17. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims from the list, and then click Next.

  18. On the Configure Rule page, under Claim rule name, type Get Attributes in the display name field.

  19. Under Mapping of LDAP attributes to outgoing claim types, select the following LDAP Attribute and corresponding Outgoing Claim Type pairs from the drop-down lists.

    1. Given-Name = Given Name

    2. Surname = Surname

    3. E-Mail-Addresses = E-Mail Address

    4. Token-Groups - Unqualified Names = Group

    5. Company = Company

    6. Department = Department

      Company and Department are optional types and are only required if the 1st and 2nd level vendor External IDs are configured in Step 7 above (when you enter information in the Attribute Mappings section).

  20. Click OK.

  21. Add another rule using the Transform an Incoming Claim template: on the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim from the list, and then click Next.

  22. Name the rule SAM to NameID and map the following values:

    1. Incoming claim type = E-Mail Address

    2. Outgoing claim type = Name ID

    3. Outgoing name ID format = Email

  23. Click OK.

You have now configured the ADFS SAML SSO integration.
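The following Python script is an added example, not CloudCenter or ADFS code, and ties together the Attribute Mappings section (Step 7 of SAML Authentication Configuration) with the two ADFS claim rules above (Get Attributes and SAM to NameID). It parses a constructed, unsigned sample assertion shaped like the output of those rules, applies the claim mappings (first name, last name and email required; Group, Company and Department optional), checks that the NameID carries the Email format the transform rule emits and agrees with the email claim, and resolves sub-tenant placement by comparing the company and department values against constructed sub-tenant External Id values. The claim URIs for givenname, surname, emailaddress and Group are the ones on the page; the company and department claim URIs, the tenant tree, the sample user and the behaviour when no tenant matches are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Claim types exactly as entered in the Attribute Mappings section.
FIRST_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
LAST_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
# Assumed claim types for the optional Company/Department mappings; the real
# URIs depend on how the ADFS administrator defined those outgoing claims.
COMPANY = "http://example.com/claims/company"
DEPARTMENT = "http://example.com/claims/department"
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion shaped like what the "Get Attributes" and
# "SAM to NameID" rules produce. It is unsigned and for illustration only: a
# real assertion must have its signature validated against the IDP metadata
# before any claim in it is trusted.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_abc123" Version="2.0" IssueInstant="2018-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{EMAIL_NAMEID_FORMAT}">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{FIRST_NAME}"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{LAST_NAME}"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{EMAIL}"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{GROUP}">
      <saml:AttributeValue>CloudCenter-Users</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{COMPANY}"><saml:AttributeValue>acme</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{DEPARTMENT}"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed tenant tree; external_id is the External Id set in Sub-Tenant
# Configuration, parent is the name of the enclosing tenant (None = root).
SUBTENANTS = [
    {"name": "acme", "external_id": "acme", "parent": None},
    {"name": "acme-finance", "external_id": "finance", "parent": "acme"},
    {"name": "acme-eng", "external_id": "engineering", "parent": "acme"},
    {"name": "globex", "external_id": "globex", "parent": None},
]


def parse_assertion(xml_text):
    """Return (name_id, name_id_format, {claim_type: [values]})."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return name_id.text, name_id.get("Format"), claims


def map_user(xml_text):
    """Apply the Attribute Mappings: first/last/email required, the rest optional."""
    name_id, fmt, claims = parse_assertion(xml_text)
    if fmt != EMAIL_NAMEID_FORMAT:
        raise ValueError(f"unexpected NameID format {fmt!r}; the transform rule should emit Email")
    missing = [c for c in (FIRST_NAME, LAST_NAME, EMAIL) if not claims.get(c)]
    if missing:
        raise ValueError("assertion lacks required claims: " + ", ".join(missing))
    email = claims[EMAIL][0]
    if name_id.casefold() != email.casefold():
        raise ValueError("NameID does not match the email claim")
    return {
        "first_name": claims[FIRST_NAME][0],
        "last_name": claims[LAST_NAME][0],
        "email": email,
        "groups": claims.get(GROUP, []),          # drives group membership
        "company": (claims.get(COMPANY) or [None])[0],     # 1st level External ID
        "department": (claims.get(DEPARTMENT) or [None])[0],  # 2nd level External ID
    }


def place_user(user, subtenants):
    """Return the deepest sub-tenant whose External Id chain matches the user's
    company (1st level) and department (2nd level); None means no match, so
    the platform's default placement applies (an assumption in this example)."""
    by_key = {(t["parent"], t["external_id"]): t["name"] for t in subtenants}
    level1 = by_key.get((None, user["company"])) if user["company"] else None
    if level1 is None:
        return None
    level2 = by_key.get((level1, user["department"])) if user["department"] else None
    return level2 or level1


if __name__ == "__main__":
    profile = map_user(SAMPLE_ASSERTION)
    print(profile)
    print("placed in:", place_user(profile, SUBTENANTS))
```

In a real service provider the assertion arrives from the network, so signature validation against the certificate in the IDP metadata and a hardened XML parser (for example defusedxml) come before any of this mapping; the sample skips both only because its input is constructed inline. The NameID-versus-email check is worth keeping in any case: it catches a SAM to NameID rule that was pointed at the wrong incoming claim.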

© 2017-2019 Cisco Systems, Inc. All rights reserved