Active Directory Federation Services (ADFS)

Describes how to configure SSO integration with Active Directory Federation Services (ADFS).

Introduction

SSO integration is configured on both the ADFS side and the OpsRamp side. The configuration sets up redirects to your custom-branded URL.

Prerequisite

  • Partners must register with OpsRamp to receive OpsRamp login credentials.
  • Provide your custom branding URL (such as <yourwebsitename>.opsramp.com).

ADFS configuration

ADFS configuration involves the following:

  1. Adding the relying party trust identifier.
  2. Editing the claim rules for the relying party trust.
  3. Adding rules.
  4. Editing the claims rules for the claims provider.
  5. Exporting the certificate.

Step 1: Add relying party trust identifiers

To add the relying party trust identifier:

  1. From ADFS, go to Tools > AD FS Management.
  2. From AD FS > Trust Relationships > Relying Party Trusts, select Add Relying Party Trust Wizard and click Start to start the wizard configuration.
    1. On Specify Display Name, provide a unique display name and click Next.
    2. On Choose Profile, select the AD FS profile and click Next.
    3. On Configure Certificate, clear the Token encryption certificate field and click Next.
    4. On Configure URL, check Enable support for the SAML 2.0 WebSSO protocol, enter the following URL with the subdomain replaced by your custom branding subdomain, and click Next: https://yoursubdomain.opsramp.com/samlResponse.do
    5. On Configure Identifiers, select the relying party trust identifier and click Next.
    6. Review the settings and click Next.
  3. Click Close to complete the wizard configuration.
  4. From the left pane, expand Trust Relationships menu, right-click on Relying Party Trusts and select Properties.
  5. On the Advanced tab, select SHA-1 from the Secure hash algorithm drop-down list, and click OK.
Figure: Relying Party Properties

Step 2: Edit claim rules for relying party trusts

To edit the claim rules for the relying party trusts:

  1. From ADFS, go to Trust Relationships > Relying Party Trusts, and select Edit Claim Rules….
    Figure: Edit Claim Rules

  2. Select the Issuance Transform Rules tab, select your Account Name, and click Add Rule.
  3. In the Add Transform Claim Rule Wizard, provide the following:
    1. On Select Rule Template > Choose Rule Type, set Claim rule template to Send LDAP Attributes as Claims, and click Next.
    2. On Configure Rule > Configure Claim Rule, provide the following information, and click Finish.
      • Claim rule name: Get Attributes
      • Attribute store: Active Directory
      • Mapping of LDAP attributes to outgoing claim types (this mapping supplies the user information created in OpsRamp):
        • LDAP attribute → Outgoing Claim Type
        • Email Addresses → email address
        • Display Name → first and last name
  4. On Choose Rule Type, set Claim rule template to Transform an Incoming Claim, and click Next.
  5. On Configure Rule, provide the following details:
    • Claim rule name: Name ID Transform
    • Incoming claim type: E-mail
    • Outgoing claim type: Name ID
    • Outgoing name ID format: E-mail
  6. Click Finish and OK.
Figure: Add Transform Claim Rule Wizard

Step 3: Add rules

Rules are added to map the login name of the user to the EmailID field in OpsRamp.

To add a rule:

  1. Go to Trust Relationships > Relying Party Trusts and click Edit Claim Rules.
  2. Select the Issuance Transform Rules tab, select your Account Name, and click Add Rule.
  3. In the wizard, provide the following settings:
    • Claim rule template: Send LDAP Attributes as Claims
    • Claim rule name: AccountName to NameID
    • LDAP Attribute: SAM-Account-Name
    • Outgoing Claim Type: Name ID
  4. Click Finish.
Figure: AccountName to NameID

Step 4: Edit the claims rules for claims provider

To edit the claim rules for the claims provider:

  1. Go to AD FS > Trust Relationships > Claims Provider Trusts.
  2. Select Active Directory > Edit Claim Rules and click Add Rule.
  3. From the Claim rule template drop-down menu, select Pass Through or Filter an Incoming Claim and click Next.
  4. On the Configure Rule screen, provide the following details.
    • Claim rule name: Name ID Rule
    • Incoming claim type: Name ID
    • Incoming name ID format: E-mail
  5. Click Finish.
Figure: NameID Rule
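The relying party trust and claim rules of Steps 1, 2 and 4, scripted with the AD FS PowerShell module instead of the wizard (an added example, not from the OpsRamp page). The relying party identifier and the permit-all issuance authorization rule are assumptions: the wizard supplies them and the page does not state their values.

```powershell
# Added example, not part of the OpsRamp page: the PowerShell equivalent of Steps 1, 2 and 4.
# Run on the AD FS server as an AD FS administrator. $rpId is an ASSUMED placeholder.
Import-Module ADFS

$rpName = 'OpsRamp'                                              # display name, Step 1
$acsUrl = 'https://yoursubdomain.opsramp.com/samlResponse.do'    # replace the subdomain, Step 1
$rpId   = 'https://yoursubdomain.opsramp.com'                    # ASSUMED identifier; use the one the wizard shows

# Standard AD FS claim type URIs (the wizard shows them by their display names)
$winAcct  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$email    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$name     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$nameId   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$fmtProp  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$emailFmt = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'

# Step 2, "Get Attributes": Send LDAP Attributes as Claims (mail -> E-Mail Address, displayName -> Name)
$getAttributes = @"
@RuleName = "Get Attributes"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$email", "$name"), query = ";mail,displayName;{0}", param = c.Value);
"@

# Step 2, "Name ID Transform": Transform an Incoming Claim (E-Mail Address -> Name ID in e-mail format)
$nameIdTransform = @"
@RuleName = "Name ID Transform"
c:[Type == "$email"]
 => issue(Type = "$nameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$fmtProp"] = "$emailFmt");
"@

# Step 1: relying party trust with the SAML 2.0 WebSSO assertion consumer endpoint.
# The authorization rule is the wizard's "Permit all users" default (ASSUMED; the page does not state it).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl
Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $rpId -SamlEndpoint $acs `
    -IssuanceTransformRules ($getAttributes + "`n" + $nameIdTransform) `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 1, item 5: the page selects SHA-1 as the secure hash algorithm. AD FS defaults to
# rsa-sha256 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256); keep SHA-1 only if the service provider requires it.
Set-AdfsRelyingPartyTrust -TargetName $rpName -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Step 4, "Name ID Rule": Pass Through or Filter an Incoming Claim on the Active Directory claims provider trust
$nameIdRule = @"
@RuleName = "Name ID Rule"
c:[Type == "$nameId", Properties["$fmtProp"] == "$emailFmt"]
 => issue(claim = c);
"@
$existing = (Get-AdfsClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules ($existing + "`n" + $nameIdRule)
```

The Step 3 rule (SAM-Account-Name to Name ID) is written the same way as the Get Attributes rule, with types = ("$nameId") and query = ";sAMAccountName;{0}". Get-AdfsRelyingPartyTrust -Name $rpName shows the rules exactly as the wizard would have stored them.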

Step 5: Export the certificate

To export the certificate:

  1. Go to ADFS > Service > Certificates.
  2. Select Token-signing > View Certificate… and click the Details tab.
  3. Click Copy to File… and click OK.
  4. On Certificate Export Wizard > Export File Format, select DER encoded binary X.509 (.CER) and click Next.
  5. Choose a location to save your certificate and click Next.
  6. Click Finish and OK.

To use SSL Shopper to convert the certificate from DER to PEM format:

  1. Log into sslshopper.com.
  2. Click SSL Converter - Convert SSL Certificates to different formats.
  3. Select the following options and click Convert Certificate:
    • Type of Current Certificate: DER/BINARY
    • Type To Convert To: Standard PEM

OpsRamp configuration

To configure the SSO integration from the OpsRamp console:

  1. From All Clients, select a client.
  2. Go to Setup > Integrations > Integrations.
  3. From Available Integrations, select SSO > Active Directory Federation Service and click Install.
  4. Provide the following:
    • Issuer URL: the identity provider (AD FS) issuer URL
    • Redirection URL: the AD FS SAML endpoint URL for the HTTP binding
    • Logout URL: the URL used for logging out
    • Certificate: the X.509 token-signing certificate exported in Step 5 (PEM format)
  5. Click Install.

To configure attribute mapping:

  1. Go to Setup > Integrations > Integrations.
  2. From the list of Installed Integrations, click Active Directory Federation Service.
  3. On the User Provision tab, verify that Provision Type is set to JIT.
  4. On the Map Attributes tab, select the OpsRamp Property drop-down and map the following mandatory properties:
    • Primary Email
    • First Name
    • Last Name
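Step 5 and the OpsRamp configuration both need values that AD FS already publishes in its federation metadata; this added example (not from the OpsRamp page) reads the Issuer URL, Redirection URL, Logout URL and the token-signing certificate from there and writes the certificate as PEM, so the online DER-to-PEM converter is not needed. The host name adfs.example.com and the output file name are assumed placeholders.

```powershell
# Added example, not part of the OpsRamp page: read the values the OpsRamp integration form asks for
# (Issuer URL, Redirection URL, Logout URL, Certificate) from the AD FS federation metadata, which also
# carries the token-signing certificate as Base64 DER, i.e. the PEM body from Step 5. $adfsHost is an ASSUMED placeholder.
$adfsHost    = 'adfs.example.com'
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

[xml]$md = Invoke-RestMethod -Uri $metadataUrl -UseBasicParsing
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$idp  = $md.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
$post = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

$issuer = $md.DocumentElement.GetAttribute('entityID')                                                    # Issuer URL
$sso    = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='$post']", $ns).GetAttribute('Location')  # Redirection URL
$slo    = $idp.SelectSingleNode("md:SingleLogoutService[@Binding='$post']", $ns).GetAttribute('Location')  # Logout URL

# During certificate rollover the metadata lists two signing certificates; keep the one AD FS
# currently signs with (needs the ADFS module, so run this on the AD FS server).
$primary = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Thumbprint
$b64 = $idp.SelectNodes("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns) |
    ForEach-Object { $_.InnerText -replace '\s', '' } |
    Where-Object {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[Convert]::FromBase64String($_))
        $c.Thumbprint -eq $primary
    } | Select-Object -First 1
if (-not $b64) { throw "No signing certificate in the metadata matches the primary token-signing certificate $primary" }

# PEM is the same Base64 DER wrapped at 64 characters between BEGIN/END lines (no DER-to-PEM web converter needed)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) { $b64.Substring($i, [Math]::Min(64, $b64.Length - $i)) }
$pem = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[Convert]::FromBase64String($b64))

[pscustomobject]@{
    'Issuer URL'      = $issuer
    'Redirection URL' = $sso
    'Logout URL'      = $slo
    'Cert thumbprint' = $cert.Thumbprint
    'Cert expires'    = $cert.NotAfter      # AD FS auto-rolls this certificate; OpsRamp needs the new one before then
}
$pem | Set-Content -Path 'adfs-token-signing.pem' -Encoding Ascii
```

The contents of adfs-token-signing.pem go into the Certificate field; the three URLs fill the matching fields of the integration form.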