Configure SAML SSO with ADFS
Platform9 supports Single Sign On with Microsoft Active Directory Federation Services (ADFS). This tutorial describes the procedure for configuring ADFS as a SAML Identity Provider in Platform9 Managed OpenStack.
The following components must be installed, and properly configured prior to attempting Platform9 SSO integration with ADFS.
- Windows Server
- Active Directory
- Active Directory Federation Services
Step 1. Create Relying Party Trust
- Open the ADFS management console
- Click on the top level folder (ADFS 2.0) and click Add Relying Party Trust from the Actions menu.
- Click Start to begin configuring a Relying Party Trust
- Choose to Import data about the relying party published online or on a local network. Then click Next.
- Enter the Federation metadata address. Then click Next.
Set it to:
- Optionally change the Display name. Then click Next.
- Choose I do not want to configure multi-factor authentication settings for this relying party trust at this time. Then click Next.
- Choose Permit all users access to this relying party. Then click Next.
Review the Relying Party Trust configuration, and click Next. Leave Open the Edit Claim Rules dialog... box checked, and click Close.
Step 2. Add Outgoing Claim Rules
Add Outgoing Claim Rules as needed. These attributes are added to the SAML Assertion Response, and sent to the Platform9 environment via HTTP POST. They can be used to create mappings in OpenStack. These mappings provide a way to associate ADFS users to resources in OpenStack. At a minimum, the attributes FirstName and LastName of the user are needed.
Step 3. Complete remaining SSO setup instructions
Follow this article to complete your single sign-on configuration.
Please provide Platform9 a copy of the ADFS metadata, or a publicly accessible URL where we can access the metadata, when requesting SSO to be enabled in your environment. The ADFS metadata can be found at:
June 01, 2016