VMware Identity Manager Integration with Active Directory Federation Services 2.0




VMware Identity Manager, July 2015, version 2

Table of Contents

Active Directory Federation Services
Configuring AD FS Instance in VMware Identity Manager
    Add and Configure AD FS in the Service
    Add Authentication Methods to Policy Rules
    Obtain the VMware Identity Manager Service Provider Metadata File
Integrating VMware Identity Manager Service with AD FS
    Configure AD FS
    Configure AD FS Relying Party Trust
    Configure AD FS Relying Party Email Claims
    Configure AD FS Relying Party Username Claim

Introduction

The VMware Identity Manager service authenticates users based on several configurations you make: the authentication methods, the default access policy set, the network ranges, and the identity provider instances. The identity provider instances that you use with the service create an in-network federation authority that communicates with the service using SAML 2.0 assertions. The identity provider instances authenticate the user against Active Directory within the enterprise network, using the existing network security.

Active Directory password, Kerberos, certificate, and RSA SecurID authentication methods are supported by VMware Identity Manager by default. Some customers want to protect access to the VMware Identity Manager service with other authentication methods, or with identity systems that are already deployed in their network. Many of these existing authentication solutions have no native SAML support and therefore cannot integrate directly with the VMware Identity Manager service. In some cases, however, the authentication solution can integrate with Active Directory Federation Services (AD FS). Integrating the VMware Identity Manager service with AD FS is then a workaround: AD FS performs the authentication and issues the SAML assertion that the service consumes. Because the service accepts any assertion signed by the AD FS signing certificate, the security of the integration rests on AD FS itself and on the claim rules you configure there.

Active Directory Federation Services

Active Directory Federation Services (AD FS) is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. AD FS uses a claims-based access control authorization model to maintain application security and implement federated identity. Claims-based authentication is the process of authenticating users based on a set of claims about their identity contained in a trusted token. Such a token is usually issued and signed by an entity that can authenticate users by other means and that is trusted by the entity doing the claims-based authentication.

The following table shows the parallels between AD FS and SAML 2.0 terminology as used by VMware Identity Manager.

AD FS 2.0         SAML 2.0                   Description
Security Token    Assertion                  Collection of XML-formatted security information describing users, which is created and consumed during a federated access request.
Claim Provider    Identity Provider (IdP)    Partner in a federation that creates security tokens for users.
Relying Party     Service Provider (SP)      Partner in a federation that consumes security tokens to provide access to applications.
Claims            Assertion Attributes       Data about users that is sent inside security tokens.

Configuring AD FS Instance in VMware Identity Manager

You can configure the service to use AD FS as a third-party identity provider instance for authentication. Complete the following tasks before you use the administration console to add the identity provider instance.

Prerequisites

Verify that the third-party instance is SAML 2.0 compliant and that the service can reach it. AD FS 2.0 is an evolution of AD FS 1.0 and supports both the active (WS-Trust) and the passive (WS-Federation and SAML 2.0) profiles; this integration uses SAML 2.0.

Obtain the AD FS metadata to add when you configure the identity provider in the VMware Identity Manager administration console. The metadata you obtain from the third-party instance is either the URL to the metadata or the metadata content itself. For AD FS the URL is https://adfs.yourdomain.com/federationmetadata/2007-06/federationmetadata.xml, where adfs.yourdomain.com is your Federation Service name. Fetch it over HTTPS from the AD FS server whose certificate you trust: the metadata carries the IdP signing certificate that the service will use to verify every assertion it receives.

In the administration console, configure the network ranges that you want to direct to this identity provider instance for authentication. Go to the Identity & Access Management tab and select Setup > Network Ranges. For more information about adding network ranges, see the VMware Identity Manager Administration Guide.

Add and Configure AD FS in the Service

1. Log in to the VMware Identity Manager administration console.
2. In the Identity & Access Management tab, select Manage > Identity Providers.
3. Click Add Identity Provider and edit the form settings.

Identity Provider Name: Enter a name for this identity provider instance.

SAML Metadata:
   a. Enter the URL or the XML content of the federation metadata from the AD FS server to establish trust with the identity provider.
   b. Click Process IdP Metadata. The Name ID format mapping from the SAML response is displayed.
   c. Select the user mapping values in the service for the Name ID formats displayed. You can add custom third-party Name ID formats and map them to user values in the service.
   d. (Optional) Select the NameIDPolicy response identifier string format.

Users: Select the VMware Identity Manager directories of the users that can authenticate using this identity provider.

Network: The network ranges configured in the service are listed. Select the network ranges for the users, based on their IP addresses, that you want to direct to this identity provider instance for authentication.

Authentication Methods: Add the authentication methods that your AD FS installation supports. See the list of supported SAML authentication context classes at https://msdn.microsoft.com/en-us/library/hh599318.aspx. Select the SAML authentication context class that supports the authentication method.

4. Click Save.

What to do next

Copy and save the VMware Identity Manager service provider metadata that is required to configure the third-party identity provider instance. This metadata is available either on the identity provider page in the SAML Signing Certificate section or from the Settings page in the Catalog tab.

Add the authentication method of the AD FS identity provider to the service's default access policy.

Add Authentication Methods to Policy Rules

The authentication method that you added when you configured the AD FS identity provider instance must be added to the default policy rules.

1. In the administration console Identity & Access Management tab, select Manage > Policies.
2. Click the default policy to open the policy page for editing.
3. In the Policy Rules section, select the rule to edit.
4. To configure the authentication order, in the "then the user must authenticate using the following method" drop-down menu, select the AD FS authentication method as the method to apply first.
5. If you configure another authentication method, continue to select the methods in the order in which they should be applied.
6. Click Save, and click Save again on the Policy page.

Obtain the VMware Identity Manager Service Provider Metadata File

1. In the administration console, go to the Catalog tab and click Settings > SAML Metadata.
2. Click Service Provider (SP) metadata. Copy and save the metadata that is displayed. This information is imported when you configure the AD FS relying party trust with the service.

Integrating VMware Identity Manager Service with AD FS

Configure the third-party identity provider instance by applying the SAML information from the VMware Identity Manager service.

Note: You must be an administrator on your Active Directory server.

Installing AD FS

Note: This guide does not describe how to set up AD FS for a production deployment. The directions assume that AD FS is already correctly configured; the steps below only get an AD FS instance up and running for testing purposes.

1. Download the AD FS 2.0 executable file to your computer.
2. Open the AdfsSetup.exe file to start the AD FS installation wizard.
3. On the Server Role page, select Federation Server and click Next.
4. On the Install Prerequisite Software page, click Next to install the required prerequisites.
5. On the Completed the AD FS 2.0 Setup Wizard page, select Start the AD FS 2.0 Management snap-in when this wizard closes and click Finish.

Configure AD FS

When the installation is complete, the AD FS 2.0 Management console should open. If it does not, go to Start > Administrative Tools > AD FS 2.0 Management.

1. On the Overview page, click AD FS 2.0 Federation Server Configuration Wizard.
2. To configure a new AD FS server, select Create a new Federation Service and click Next.
3. On the Select Stand-Alone or Farm Deployment page, select Stand-alone federation server. This option is for testing and evaluation only: it provides neither high availability nor load balancing, and a stand-alone server cannot be converted into a farm afterwards.
4. Specify the Federation Service name. The configuration wizard reads the SSL certificate bound to the Default Web Site in IIS and proposes the subject name from that certificate. If you use a wildcard certificate, you must enter the Federation Service name yourself. This name becomes the host part of the federation metadata URL and of the AD FS entity ID, so it must resolve to this server and match the certificate.
5. Continue through the configuration wizard and click Close when it completes. You can now use AD FS to build trust relationships with claims-aware applications and with federated partners.

Configure AD FS Relying Party Trust

After the configuration is complete, add a relying party trust to the AD FS configuration database. The relying party trust defines how the Federation Service recognizes the relying party (here, the VMware Identity Manager service) and which claims it issues to it.

1. Open the AD FS 2.0 Management console and navigate to Trust Relationships > Relying Party Trusts.
2. Select Add Relying Party Trust. The configuration wizard appears.
3. Click Start.
4. On the Select Data Source page, select Import data about the relying party from a file.
5. Import the VMware Identity Manager service provider metadata XML file that you copied and saved previously. See the section Obtain the VMware Identity Manager Service Provider Metadata File in this guide. The metadata carries the service's entity ID, its assertion consumer service URL and its signing certificate, so importing it avoids trusting a mistyped endpoint.
6. On the Specify Display Name page, in the Display name field, enter a name for the VMware Identity Manager service, and in the Notes text box type a description of this relying party trust. Click Next.
7. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party. Click Next. This rule lets every user that AD FS can authenticate obtain a token for the service; for a production deployment, replace it with an issuance authorization rule that permits only the Active Directory group that should reach the service.
8. On the Ready to Add Trust page, clear the check box that opens the Edit Claim Rules dialog when the wizard closes, and click Next to save the relying party trust.
9. On the Finish page, click Close. The relying party appears in the list.

Configure AD FS Relying Party Email Claims

To control what AD FS passes to VMware Identity Manager in the SAML assertion, you add claim rules.

1. Right-click the relying party trust that you created and select Edit Claim Rules.
2. In the Issuance Transform Rules tab, click Add Rule and select Send LDAP Attributes as Claims as the template. Click Next.
3. Enter the claim rule name. For example, enter Get Attributes. This rule pulls user attributes from Active Directory over LDAP.
   a. For Attribute store, select Active Directory.
   b. In the Mapping of LDAP attributes to outgoing claim types section, select the LDAP attribute E-Mail Addresses and the outgoing claim type E-Mail Address.
4. Click OK and then click Finish. The AD FS identity provider now includes the VMware Identity Manager service as a relying party.

Before you click OK on the Edit Rule page, you can click View Rule Language to see the rule the wizard generated. It looks like this:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

The rule matches the Windows account name claim that AD FS issued after authenticating the user, looks up that account's mail attribute in Active Directory, and issues the value as an emailaddress claim.

Add Transformation Rule

The transformation rule converts the attribute that the Get Attributes rule retrieved from LDAP into the NameID format that the service expects.

1. Click Add Rule and select Send Claims Using a Custom Rule as the template. Click Next.
2. Enter the claim rule name. For example, enter Transformation.
3. Click View Rule Language to edit the existing rule.
4. Replace the rule that is displayed with the rule below. Change the spnamequalifier value to match your VMware Identity Manager installation.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "yourcompany.vmwareidentity.com");

The format property becomes the Format attribute of the NameID element in the assertion. The service compares it as an exact string, so use the canonical URN shown here (uppercase SAML, camel-case emailAddress) and the same value in the service's Name ID format mapping.

5. Click Finish.

Configure AD FS Relying Party Username Claim

Use this variant instead of the email claim rules when the service should identify users by their Windows user name (sAMAccountName) rather than by email address.

1. Right-click the relying party trust that you created and select Edit Claim Rules.
2. In the Issuance Transform Rules tab, click Add Rule.
3. Select Send LDAP Attributes as Claims as the template for the claim rule. Click Next.
4. Add the Get Attributes rule. This rule pulls user attributes from Active Directory over LDAP. In the Configure Claim Rule page, enter Get Attributes as the claim rule name.
   a. For Attribute store, select Active Directory.
   b. In the Mapping of LDAP attributes to outgoing claim types section, select the LDAP attribute SAM-Account-Name and the outgoing claim type E-Mail Address. The E-Mail Address claim type is only a carrier here; the transformation rule that follows relabels it as the NameID.
5. Click OK and then click Finish. The AD FS identity provider now includes the VMware Identity Manager service as a relying party.

Before you click OK on the Edit Rule page, you can click View Rule Language to see the rule the wizard generated. It looks like this:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";samaccountname;{0}", param = c.Value);

Add Transformation Rule

The transformation rule converts the attribute that the Get Attributes rule retrieved from LDAP into the NameID format that the service expects.

1. Click Add Rule and select Send Claims Using a Custom Rule as the template. Click Next.
2. Enter the claim rule name. For example, enter Transformation.

3. Click View Rule Language to edit the existing rule.
4. Replace the rule that is displayed with the rule below. Change the spnamequalifier value to match your VMware Identity Manager installation.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "yourcompany.vmwareidentity.com");

5. Click Finish.

Edit AD FS Identity Provider in the Service

When the mapped sAMAccountName (Windows user name) is used instead of the email address, you must edit the AD FS IdP metadata XML before you add it to the service, and verify that the service requests the user name rather than the email address.

1. Log in to the VMware Identity Manager administration console.
2. In the Identity & Access Management tab, select Manage > Identity Providers.
3. Select the AD FS identity provider and edit the following form settings.

SAML Metadata:
   a. Inside the IDPSSODescriptor element, replace the three NameIDFormat entries with this single entry:
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
      Note: The AD FS metadata XML describes both a service provider entity (SPSSODescriptor) and an identity provider entity (IDPSSODescriptor) for the same AD FS server. Make sure that you edit the IDPSSODescriptor element and leave the SPSSODescriptor unchanged. Because AD FS signs the metadata document as a whole, the edited copy no longer carries a valid signature; paste it into the form as XML content rather than giving the metadata URL, which would fetch the unedited file again.
   b. In the Name ID Format field, replace the content with urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. The Name ID Value should be username.

4. Click Save.
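The relying party trust, the Get Attributes and Transformation rules, and the issuance authorization rule from the preceding sections can also be created with the AD FS 2.0 PowerShell snap-in, which makes the configuration reviewable and repeatable instead of a sequence of wizard clicks. The following script is an added example and is not part of the VMware guide. It assumes that the SP metadata was saved to C:\vidm\sp-metadata.xml, that the service host is yourcompany.vmwareidentity.com, and that $AllowedGroupSid is replaced with the SID of the Active Directory group that should be allowed to reach the service; all three are placeholders. It also replaces the wizard's Permit all users authorization rule with a group-scoped one.

```powershell
# Added example, not part of the VMware guide. Scripts the relying party trust and
# claim rules from the sections above with the AD FS 2.0 PowerShell snap-in.
# Assumed values (placeholders, replace with your own):
$TrustName       = "VMware Identity Manager"
$SpMetadataFile  = "C:\vidm\sp-metadata.xml"            # SP metadata saved from Catalog > Settings > SAML Metadata
$SpNameQualifier = "yourcompany.vmwareidentity.com"     # your VMware Identity Manager host
$AllowedGroupSid = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # placeholder SID of the allowed AD group
$UseUsername     = $false   # $false: email claim (mail / emailAddress); $true: username claim (samaccountname / unspecified)

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

if ($UseUsername) {
    $LdapAttribute = "samaccountname"
    $NameIdFormat  = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
} else {
    $LdapAttribute = "mail"
    $NameIdFormat  = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
}

# Issuance transform rules: the same Get Attributes and Transformation rules the guide
# builds in the wizard. $LdapAttribute, $NameIdFormat and $SpNameQualifier are expanded
# into the rule text by the double-quoted here-string; {0} is left for AD FS.
$TransformRules = @"
@RuleName = "Get Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";$LdapAttribute;{0}", param = c.Value);

@RuleName = "Transformation"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "$NameIdFormat", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "$SpNameQualifier");
"@

# Issuance authorization rule. The wizard's "Permit all users" choice is
#   => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
# with no condition at all. This version issues the permit claim only when the user's
# token carries the SID of the allowed group; everyone else is refused a token for this trust.
$AuthorizationRules = @"
@RuleName = "Permit members of the VMware Identity Manager users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$AllowedGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Create the trust from the SP metadata file (the equivalent of "Import data about the
# relying party from a file"): entity ID, assertion consumer URL and SP certificate come
# from the metadata rather than from hand-typed values.
if (-not (Get-ADFSRelyingPartyTrust -Name $TrustName)) {
    Add-ADFSRelyingPartyTrust -Name $TrustName -MetadataFile $SpMetadataFile -Notes "VMware Identity Manager service provider"
}

Set-ADFSRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthorizationRules

# Review what AD FS will actually enforce before testing a login.
$Trust = Get-ADFSRelyingPartyTrust -Name $TrustName
$Trust | Select-Object Name, Identifier, Enabled
$Trust.SamlEndpoints | Select-Object Protocol, Binding, Location
"--- issuance authorization rules ---"
$Trust.IssuanceAuthorizationRules
"--- issuance transform rules ---"
$Trust.IssuanceTransformRules
```

Run it in an elevated PowerShell session on the AD FS server. The Identifier printed at the end must equal the entity ID in the SP metadata, and the spnamequalifier in the Transformation rule must match the value the service expects; the group-scoped authorization rule means a test with a user outside the group should fail at AD FS, before any assertion reaches the service.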
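The IDPSSODescriptor edit described in Edit AD FS Identity Provider in the Service is easy to get wrong by hand, because the same AD FS metadata file also contains an SPSSODescriptor with its own NameIDFormat entries, and the file is signed as a whole. The following PowerShell script is an added example, not part of the VMware guide. It assumes the metadata was downloaded to C:\vidm\federationmetadata.xml and writes the edited copy to C:\vidm\federationmetadata-username.xml (both paths are placeholders). It edits only the IdP role, prints the IdP signing certificate so you can compare it with the certificate the service shows after Process IdP Metadata, and reports that the document signature no longer matches.

```powershell
# Added example, not part of the VMware guide. Assumed paths (placeholders):
$InPath  = "C:\vidm\federationmetadata.xml"           # saved from https://<Federation Service name>/federationmetadata/2007-06/federationmetadata.xml
$OutPath = "C:\vidm\federationmetadata-username.xml"  # edited copy to paste into the SAML Metadata field
$MdNs    = "urn:oasis:names:tc:SAML:2.0:metadata"
$DsNs    = "http://www.w3.org/2000/09/xmldsig#"
$Unspecified = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

$Doc = New-Object System.Xml.XmlDocument
$Doc.PreserveWhitespace = $true
$Doc.Load($InPath)

$ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
$ns.AddNamespace("md", $MdNs)
$ns.AddNamespace("ds", $DsNs)

# AD FS publishes an SP role and an IdP role in the same EntityDescriptor. Only the
# IdP role (IDPSSODescriptor) describes what the service must accept from AD FS, so the
# SPSSODescriptor, which also carries NameIDFormat elements, is deliberately not touched.
$idp = $Doc.SelectSingleNode("/md:EntityDescriptor/md:IDPSSODescriptor", $ns)
if (-not $idp) { throw "No IDPSSODescriptor found in $InPath" }

$old = @($idp.SelectNodes("md:NameIDFormat", $ns) | ForEach-Object { $_ })
"Before: IDPSSODescriptor lists {0} NameIDFormat entries" -f $old.Count
$old | ForEach-Object { "  " + $_.InnerText }

# Insert the single 'unspecified' entry in schema order (NameIDFormat precedes
# SingleSignOnService inside IDPSSODescriptor), then remove the three original entries.
$anchor = $idp.SelectSingleNode("md:SingleSignOnService", $ns)   # $null appends at the end
$new = $Doc.CreateElement("NameIDFormat", $MdNs)
$new.InnerText = $Unspecified
[void]$idp.InsertBefore($new, $anchor)
$old | ForEach-Object { [void]$idp.RemoveChild($_) }

# The enveloped ds:Signature was computed over the unedited document and no longer
# verifies. The guide expects this, because the edited XML is pasted as content; the
# IdP signing certificate the service needs is still present in the KeyDescriptor.
$sig = $Doc.SelectSingleNode("/md:EntityDescriptor/ds:Signature", $ns)
if ($sig) { "Note: the metadata signature no longer matches the edited content (expected)." }

# Show the IdP signing certificate so it can be compared with what the service displays.
$certNode = $idp.SelectSingleNode("md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
if ($certNode) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import([Convert]::FromBase64String($certNode.InnerText.Trim()))
    "IdP signing certificate: {0}" -f $cert.Subject
    "  thumbprint {0}, valid until {1}" -f $cert.Thumbprint, $cert.NotAfter
}

$Doc.Save($OutPath)
"Wrote {0}" -f $OutPath
"After: " + (($idp.SelectNodes("md:NameIDFormat", $ns) | ForEach-Object { $_.InnerText }) -join ", ")
```

Paste the contents of the output file into the SAML Metadata field of the AD FS identity provider and then set the Name ID Format field to the same unspecified URN, as the procedure above describes; if the thumbprint printed here differs from the one shown on the identity provider page, you are not looking at the metadata of the AD FS server you think you are.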


VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright 2015 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.