Single Sign On (SSO) Setup

Overview

Some enterprises have their own Active Directory (AD) or other similar setup and prefer to use those credentials to log in to external applications and platforms. The CloudCenter Suite does not support direct AD authentication, and instead supports integration using a Single Sign On (SSO) setup between the Suite Admin as a Service Provider (SP) and a customer's Identity Provider (IdP) such as ADFS.

Requirements

You should have already configured the Base URL Configuration for the root tenant in order to use this functionality. This URL is used to download the service provider metadata. You can retrieve the data by clicking on the URL and accessing the metadata for the IdP attributes.

The CloudCenter Suite only supports AD through an SSO IdP that supports the SAML 2.0 protocol (for example, Ping Identity, ADFS, Shibboleth, and so forth).

Each tenant can point to its own SSO:

  • Tenant Admins can configure each tenant to have a dedicated alias hostname and use an external IdP to authenticate its users.

  • Each tenant and user has a Tenant Login ID to associate with an external organization and user.

Handling Deleted Users

If you delete a user from the IdP database, the deleted user cannot log into the CloudCenter Suite, but any configuration and associated dependencies continue to remain in the Suite Admin.

High-Level Process

To configure SSO, perform this procedure.

  1. Navigate to the Suite Admin Dashboard > Admin.

  2. Click Single Sign On in the left tree pane to display the Single Sign On page.

  3. Toggle the switch (disabled by default) to let users use Single Logout.

    If you do not enable Single Logout, be aware that users cannot log out until the token expires.

  4. Configure the IdP URL for the Metadata in the IdP Settings section using HTTP or HTTPS protocol.

  5. Toggle the switch if you prefer users to have a Single Logout from the IdP to log out of each session.

    SSO Sessions in different browsers are independent of each other. Enabling the Single Logout switch does not terminate all sessions.

    By terminating the current SSO or IdP session, you are only terminating that session on that browser. The remaining sessions remain active until their JWT token expires or the user explicitly logs out of each session.

  6. Provide the IdP mapping attributes to connect the Suite Admin properties to the IdP properties.

  7. Click Save to save your changes.

ADFS SAML SSO – Sample Integration and Setup

This flow provides the required information to set up ADFS in Windows 2016 for a vSphere environment.

This is a sample setup flow and you can adapt the information to your environment based on your requirements.

Setup ADFS in Your Environment

To set up ADFS in Windows 2016 for a vSphere environment, follow these steps.

  1. Create a new Windows 2016 VM in your vSphere environment.

    You can clone a new VM using the base_windows2016 template from CliqrTemplate.

    To use this template, you must log in using administrator credentials – contact CloudCenter Suite Support to obtain the administrator credentials.

  2. Log in to the administrator account using the default password.

  3. Configure the VM Network settings.

    1. Access Control panel > Network and Internet (View network status and tasks) > Change adapter settings and right click Ethernet0.

    2. Select Properties.

    3. Select Internet Protocol Version 4 > Properties as reflected in the following screenshot.

    4. Assign the static IP address, default gateway, subnet mask, and DNS.

  4. Change the hostname.

    1. Access Server Manager > Local Server.

    2. Update the computer/host name.

    3. Enable Remote Desktop and turn off IE Enhanced Security.

    4. Save your changes and restart the VM for the changes to apply.

  5. Synchronize the System Date and Time.

  6. Install Active Directory Domain Services.

    1. Access Server Manager > Manage > Add Roles and Features as reflected in the following screenshot.

    2. Select the type of Installation as reflected in the following screenshot.

    3. Select the destination server as reflected in the following screenshot.

    4. Select Active Directory Domain Services as reflected in the following screenshot.

    5. Follow the default configuration steps.

  7. Configure the AD DS.

    1. Create new forest and provide a Root domain name as reflected in the following screenshot.

    2. Update the password for DSRM as reflected in the following screenshot.

    3. Complete the remaining fields using the default settings as reflected in the following screenshot.

    4. Save your configuration and restart the VM.

  8. Install a DNS Server.

      1. Access Server Manager > Manage > Add Roles and Features > DNS Install.

      2. Complete the configuration using the default values for the remaining fields.

  9. Install the Web Server (IIS Manager).

    1. Access Server Manager > Manage > Add Roles and Features > IIS Manager Install.

    2. Complete the configuration using the default values for the remaining fields.

    3. From the Windows Start menu, go to Run (or press the Windows + R keys; on Macs press the Command + R keys) to open the Run window.

    4. Type inetmgr, and click OK. This will open the IIS Manager as reflected in the following screenshot.

    5. Click the IIS server name (below the Start Page option in the left pane) as reflected in the following screenshot.

    6. Create a self-signed certificate by accessing Create server certificates > New self-signed as reflected in the following screenshot.

    7. Enable HTTPS (Bindings) and select HTTPS as reflected in the following screenshot.

    8. Select the certificate created in the above step as the SSL certificate as reflected in the following screenshot.

    9. Click OK and close the window.

  10. Install ADFS (connect ADFS to ADDS).

    1. Access Server Manager > Manage > Add Roles and Features > ADDS Install as reflected in the following screenshot.

    2. Select Create the first federation server.
      1. Select the SSL Cert from the drop down and provide the ADFS display name (any) as reflected in the following screenshot.
      2. Select the Use an existing domain user account... button as reflected in the following screenshot.
      3. Complete the installation using the default values for the remaining fields.
    3. After the installation completes, in the same wizard, click the link to configure ADFS as reflected in the following screenshot.

  11. Enable IdpInitiatedSignOn:

    1. Access PowerShell.

    2. Enable IdP-initiated sign-on and verify the setting using the following commands.

      PS C:\> Set-AdfsProperties -EnableIdPInitiatedSignOnPage $true
      PS C:\> Get-AdfsProperties

  12. Verify the AD FS installation:

    1. Check if you can download the metadata using the following URL format.

      https://<IP_Address>/FederationMetadata/2007-06/FederationMetadata.xml

    2. Check if you can access the Single Sign On (SSO) page using the following URL format.

      https://<IP_Address>/adfs/ls/IdpInitiatedSignon.aspx
You have now setup ADFS in Windows 2016 for a vSphere environment.

Establish a Third-Party Trust for SSO

You must establish a trust between the service provider and ADFS to ensure SSO. To perform this task, add the Suite Admin to the third-party trust using its metadata file by following these steps.

For ADFS to authenticate, the Base URL must match the IP address and port number in the metadata file.

When you configure the Suite Admin to Enable SSO, enter the IP address and port number of your Suite Admin in the Base URL Configuration.


  1. Access ADFS and right-click Relying Party Trusts as reflected in the following screenshot.
  2. Select the Add Relying Party Trust... option as reflected in the following screenshot.
  3. Download the Suite Admin's metadata file using the following URL and save it on the local disk of your Windows server.

    The tenant_host_name and port_number are defined in the tenant's Base URL Configuration.

    https://<tenant_host_name>:<port_number>/suite-saml/saml/metadata
  4. Upload the metadata file to the Relying Party Trust by following these steps.
    1. Add Relying Party Trusts as reflected in the following screenshot.

    2. Specify a display name as reflected in the following screenshot.

    3. Select an access control policy as reflected in the following screenshot.
    4. Review the configuration and add the trust as reflected in the following screenshot.
    5. The added trust is reflected in the following screenshot.

You have now established a trust between the service provider and ADFS.
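The trust just established depends on two metadata documents: the ADFS FederationMetadata.xml that the Suite Admin SSO page consumes, and the Suite Admin metadata that ADFS consumes, whose endpoints must agree with the Base URL. The following Python script is an added example, not code from the Cisco documentation or the CloudCenter Suite. It parses a constructed, trimmed ADFS FederationMetadata.xml and a constructed Suite Admin SP metadata document and performs the checks an administrator would want before saving the trust: the IdP advertises SAML 2.0 sign-on and logout endpoints over HTTPS plus a signing certificate, the claim types it offers are listed for the mapping step, and every AssertionConsumerService location in the SP metadata matches the scheme, host and port of the configured Base URL. The hostnames, the port 32443, the /suite-saml/saml/SSO path and the certificate text are assumptions.

```python
"""Pre-flight checks on the SAML metadata exchanged when adding the Suite Admin
as a relying party in ADFS.  Added example; all hostnames, ports and paths are
assumed placeholders, not values from the product documentation."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
}

# Constructed, heavily trimmed stand-in for ADFS FederationMetadata.xml.
# A real file also carries WS-Federation endpoints and an XML signature.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="http://adfs.example.test/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...constructed placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed stand-in for what /suite-saml/saml/metadata returns; the ACS path is assumed.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://suite.example.test:32443/suite-saml/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://suite.example.test:32443/suite-saml/saml/SSO" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _short_binding(binding):
    """...:bindings:HTTP-POST -> HTTP-POST"""
    return binding.rsplit(":", 1)[-1]


def summarize_idp(xml_text):
    """Pull out the pieces of the IdP metadata the Suite Admin SSO page relies on."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso": {_short_binding(e.get("Binding")): e.get("Location")
                for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {_short_binding(e.get("Binding")): e.get("Location")
                for e in idp.findall("md:SingleLogoutService", NS)},
        "signing_certs": [c.text.strip() for c in idp.findall(
            "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)],
        "claim_types": [c.get("Uri") for c in root.iterfind(".//auth:ClaimType", NS)],
    }


def check_idp(summary):
    """Return a list of problems; an empty list means the IdP metadata is usable."""
    problems = []
    if not summary["sso"]:
        problems.append("no SAML 2.0 SingleSignOnService endpoint")
    if not summary["slo"]:
        problems.append("no SingleLogoutService: enabling Single Logout would have nothing to call")
    for name, loc in list(summary["sso"].items()) + list(summary["slo"].items()):
        if urlparse(loc).scheme != "https":
            problems.append(f"{name} endpoint is not HTTPS: {loc}")
    if not summary["signing_certs"]:
        problems.append("no signing certificate: the SP could not verify assertion signatures")
    return problems


def _origin(url):
    """(scheme, host, port) with the default port filled in, for comparing endpoints."""
    u = urlparse(url)
    return (u.scheme, u.hostname, u.port or (443 if u.scheme == "https" else 80))


def sp_acs_mismatches(sp_xml, base_url):
    """ACS locations whose scheme, host or port differ from the configured Base URL."""
    root = ET.fromstring(sp_xml)
    return [acs.get("Location") for acs in root.iterfind(".//md:AssertionConsumerService", NS)
            if _origin(acs.get("Location")) != _origin(base_url)]


if __name__ == "__main__":
    idp = summarize_idp(IDP_METADATA)
    print("IdP entityID:", idp["entity_id"])
    print("Claim types offered:", *idp["claim_types"], sep="\n  ")
    print("IdP problems:", check_idp(idp) or "none")
    print("ACS mismatches vs Base URL:",
          sp_acs_mismatches(SP_METADATA, "https://suite.example.test:32443") or "none")
```

Run it against a real FederationMetadata.xml by replacing the constructed strings with the file contents; a non-empty list from `sp_acs_mismatches` is the condition under which ADFS will reject the relying party's response URL, which is why the Base URL must carry the same IP address or hostname and port as the metadata.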

Adding Claims

To setup claim rules (LDAP and Transform rules) so you can transform the IdP properties to suite properties and vice versa, follow this procedure.

  1. Create rule 1: Send LDAP attributes as claims – When you use the Send LDAP Attributes as Claims rule template, you can select attributes from an LDAP attribute store, such as Active Directory or ADDS to send their values as claims to the relying party. This rule essentially maps specific LDAP attributes from an attribute store that you define to a set of outgoing claims that can be used for authorization.

    1. Edit the claim issuance policy (displayed in the following screenshot).

    2. Choose the rule type (displayed in the following screenshot).

    3. Edit the rule (displayed in the following screenshot).

  2. Create Rule 2: Transform an Incoming Claim – By using the Transform an Incoming Claim rule template in ADFS, you can select an incoming claim, change its claim type, and optionally change its claim value.

    1. Edit the claim issuance policy (displayed in the following screenshot).

    2. Specify the database (displayed in the following screenshot).

    3. Edit the rule (displayed in the following screenshot).

    4. Make note of the following items so you can use the same information in the Suite Admin SSO Configuration page.

      1. Access the claims sent to the relying party (displayed in the following screenshot).

      2. LDAP attribute mapping to outgoing claim types (displayed in the following screenshot).

      3. AD paths exactly as listed in the Claim rule language (displayed in the following screenshot).

You have now setup claim rules to transform the IdP properties to suite properties and vice versa.
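The claim rules above decide which attributes arrive in the SAML assertion, and the Suite Admin mapping only works if the claim type URIs on both sides agree. The following Python script is an added example, not code from the Cisco documentation or the CloudCenter Suite: it reads a constructed, unsigned ADFS assertion, maps the attributes to the Suite Admin fields (First Name, Last Name, Email, User Group), reports any missing claim, and checks the assertion's Conditions (audience and NotBefore/NotOnOrAfter window with a small clock-skew allowance). The last check is where the clock synchronization requirement stated in the next section bites: an SP whose clock is behind the ADFS server sees assertions that are "not yet valid". The claim URIs are the ones ADFS commonly emits for these LDAP attributes and are assumed here; the Tenant Id claim is site-specific and left out; the audience value and hostnames are assumptions, and signature verification is assumed to be done by the SP's SAML library before these checks run.

```python
"""Consumer-side check of a SAML assertion from ADFS against the Suite Admin
claim mapping and the assertion's validity window.  Added example with a
constructed assertion; signature verification is assumed to happen earlier."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim type URIs ADFS commonly emits for the LDAP attributes the page maps
# (givenName, sn, mail, group).  Assumed; confirm the exact URIs from your own
# claim rule language.  The Tenant Id claim is site-specific and omitted.
REQUIRED_CLAIMS = {
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "user_group": "http://schemas.xmlsoap.org/claims/Group",
}

# Assumed SP entity ID: the Suite Admin metadata URL for a made-up tenant host.
AUDIENCE = "https://suite.example.test:32443/suite-saml/saml/metadata"

# Constructed assertion, trimmed (no Signature, no AuthnStatement).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2019-01-15T10:00:00.000Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2019-01-15T10:00:00.000Z" NotOnOrAfter="2019-01-15T11:00:00.000Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://suite.example.test:32443/suite-saml/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>CloudCenter-Admins</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_ts(value):
    """SAML timestamps are UTC; ADFS writes them with fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def extract_claims(assertion_xml):
    """Map each claim type URI in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    return {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
            for attr in root.iterfind(".//saml:Attribute", NS)}


def map_to_suite_fields(claims):
    """Return (mapped Suite Admin fields, names of required fields with no claim)."""
    mapped, missing = {}, []
    for field, uri in REQUIRED_CLAIMS.items():
        values = claims.get(uri)
        if not values:
            missing.append(field)
        else:
            # Group membership is multi-valued; the other fields take one value.
            mapped[field] = values if field == "user_group" else values[0]
    return mapped, missing


def check_conditions(assertion_xml, audience, now, skew=timedelta(minutes=5)):
    """Validity-window and audience checks, tolerating `skew` of clock difference."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    not_before = _parse_ts(cond.get("NotBefore"))
    not_on_or_after = _parse_ts(cond.get("NotOnOrAfter"))
    problems = []
    if now + skew < not_before:
        problems.append(f"assertion not yet valid: SP clock {now.isoformat()} "
                        f"is before NotBefore {not_before.isoformat()}")
    if now - skew >= not_on_or_after:
        problems.append(f"assertion expired: SP clock {now.isoformat()} "
                        f"is at or past NotOnOrAfter {not_on_or_after.isoformat()}")
    audiences = [a.text for a in cond.iterfind(".//saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"audience {audience} not in {audiences}")
    return problems


if __name__ == "__main__":
    mapped, missing = map_to_suite_fields(extract_claims(ASSERTION))
    print("Mapped fields:", mapped)
    print("Missing claims:", missing or "none")
    sp_now = datetime(2019, 1, 15, 9, 50, tzinfo=timezone.utc)   # SP clock 10 min behind ADFS
    print("Condition problems:", check_conditions(ASSERTION, AUDIENCE, sp_now) or "none")
```

The `main` block deliberately evaluates the assertion with the SP clock ten minutes behind the IdP to show the "not yet valid" failure; with the clocks within the five-minute skew allowance the same assertion passes.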

Update the Local host to Resolve ADFS and Tenant Hostname

To make the ADFS domain name resolvable, add it to the /etc/hosts file.

# sudo vi /etc/hosts
<IP_address_adfs> win-qa-adfs.cpsg.qa.saml.com
<Kubernetes_IP_address> <tenant_host_name>

Creating a New User in ADDS

The system time for the ADFS server and the Suite Admin server must be synchronized before authentication.

If the clocks on these two systems differ, authentication might fail.


To create a new user in ADDS, follow this procedure.

  1. From the Server Manager, go to Active Directory Users and Computers (displayed in the following screenshot).

  2. Create a new user (displayed in the following screenshot).
  3. Enter the following details: 

    1. First Name

    2. Last Name

    3. User logon name

  4. Click Next > Enter the password and finish the user creation.

  5. Right-click and access the properties for the created user.

  6. Enter the email – this information is used for authentication when this user tries to log in from ADFS.

Sample Flow to Setup SSO from the Suite Admin

To set up SSO from the Suite Admin, perform this procedure.

  1. After the Initial Administrator Setup, log in to Suite Admin as the root user.

  2. Locate the base URL for this server.

  3. Go to Base URL page in the Configuration menu and enter the Base URL from Step 2.

  4. For private clouds, enter the port for the node port service (leave it blank for public clouds). 

  5. Save your changes.

  6. Set up ADFS as listed in the ADFS SAML SSO – Sample Integration and Setup above.

  7. Once you configure Suite Admin with ADFS, note the details to map each field in the Suite Admin as listed in the previous sections.

  8. Create one user in ADFS as listed in the previous sections.

  9. Log in to Suite Admin as the root user and access the SSO Setup page in the Suite Admin UI.

  10. Enable SSO.

  11. Enter the appropriate IdP metadata details in each field as identified in the Accessing Claims section above.

  12. Open the https://<IP_Address>/FederationMetadata/2007-06/FederationMetadata.xml link.

  13. From this file, get the information for the First Name, Last Name, Email, User Group, and Tenant Id based on the appropriate mapping provided in the Creating a New User in ADDS section above. The following paths are merely examples – you must find the actual values when creating the user and claim mappings.

  14. Populate the SSO fields, and click Save.

  15. Log out and open the Base URL. The expected outcome is that the Base URL redirects the user to the ADFS page https://<IP_Address>/adfs/ls/IdpInitiatedSignon.aspx.

    The Suite Admin login page is not displayed when you execute the Base URL, instead the configured ADFS sign on page is displayed.

  16. Enter the username/password of the user created in ADFS. Click the Submit/Login button. The expected outcome is that the user can log in to the Suite Admin and view the Product Dashboard page based on this user's permission level (see Understand User Levels for details).

  17. To generate certificates for the new domain, follow these steps:

    1. Install the certbot tool by running the following command to get the certbot package.

      brew install certbot
    2. Use AWS Route53 to create a domain name for the IP. 

      sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d '<preferreddomain.name.com>'
    3. Once this command is executed, you see a message similar to the following message:

      Please deploy a DNS TXT record under the name
      _acme-challenge.pujt.oneqaciscocpsgtesting.com with the following value: FU5........................JWR4gy.......gno
    4. Before continuing, verify that the record is deployed.

    5. Now in AWS Route53, add this information again in the record.

    6. Wait for 2-3 minutes for it to replicate so that the record can be reached by letsencrypt.org.

    7. Now press Enter so the private key and certs are created and a message similar to the following message is presented to you.

      - Congratulations! Your certificate and chain have been saved at:
        /etc/letsencrypt/live/user.oneqaciscocpsgtesting.com/fullchain.pem
        Your key file has been saved at:
        /etc/letsencrypt/live/user.oneqaciscocpsgtesting.com/privkey.pem
        Your cert will expire on 2019-03-04. To obtain a new or tweaked
        version of this certificate in the future, simply run certbot again.
        To non-interactively renew *all* of your certificates, run "certbot renew"
      - If you like Certbot, please consider supporting our work by:
        Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
        Donating to EFF: https://eff.org/donate-le
    8. Copy the certs and then use this information to create the Base URL Configuration.

      You do not need to create this user in Suite Admin, as the authentication is performed by ADFS.

You have now configured the ADFS SAML SSO integration.

© 2017-2019 Cisco Systems, Inc. All rights reserved