Tech Note--Configuring ADFS Single Sign-On Symantec CloudSOC Tech Note

Post on 30-Apr-2021


Copyright statement Copyright (c) Broadcom. All Rights Reserved.


Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com. Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.    


Table of Contents 

Introduction 

Prerequisites 

Configuring ADFS single sign-on 

Create relying party trust 

Configure claim rules 

Configure single logout 

Download metadata from ADFS 

Configure ADFS as IDP 

Importing users and groups 

Download the export utility 

Export users and groups from Active Directory 

Import users into CloudSOC 

Import groups into CloudSOC 

Configuring CloudSOC to force single-sign-on 

Using ADFS single sign-on 

SP-initiated single sign-on 

IDP Initiated SSO 

Removing ADFS as an IDP 

Revision history 

   


Introduction 

This Tech Note describes how to set up Active Directory Federation Service (ADFS) as an Identity Provider (IDP) at CloudSOC™. ADFS provides single sign on (SSO) capability for web applications in the cloud as well as on your premises behind a firewall. After you set up ADFS as an IDP, your users can: 

● Sign in to CloudSOC using ADFS (SP initiated SSO). 

● Access CloudSOC from ADFS (IDP initiated SSO). 

Prerequisites 

ADFS must be set up and running on a server that is reachable through a public URL over HTTPS; CloudSOC redirects users to that address for sign-in and sign-out.

Configuring ADFS single sign-on 

Perform the procedures in the following sections in sequence. Then proceed to the section Importing users and groups. 

Create relying party trust 

To add a new Relying Party Trust: 

1. Open Server Manager. 

2. Select Tools, and then select ADFS Management. 

3. Expand the Trust Relationships folder. 

4. Right-click the Relying Party Trusts folder and select Add Relying Party Trust.  

The Add Relying Party Trust Wizard opens as shown in the following figure. 

 


5. Use the wizard to configure the new relying party trust. For each Steps page in the wizard, follow the matching directions below. 

● Welcome: leave as-is and click Start. 

● Select Data Source: select "Enter data about the relying party manually" and click Next. 

● Specify Display Name: enter a name for the relying party trust (for example, CloudSOC) and click Next. 

● Choose Profile: select ADFS Profile and click Next. 

● Configure Certificate: leave the certificate options as they are and click Next. 

● Configure URL: mark "Enable support for the SAML 2.0 WebSSO protocol" and enter one of the following URLs in the "Relying party SAML 2.0 SSO service URL" text box, then click Next: 
  For the US-based production cloud: https://app.elastica.net/saml2/acs/ 
  For the EU-based production cloud: https://app.eu.elastica.net/saml2/acs/ 

● Configure Identifiers: type or paste one of the following URLs in the "Relying party trust identifier" box and click Add to add it to the list below it, then click Next. Note the "/" forward slash at the end of the URL: the identifier is sent as the Audience of every assertion and must match what CloudSOC expects character for character. 
  For the US-based production cloud: https://app.elastica.net/ 
  For the EU-based production cloud: https://app.eu.elastica.net/ 

● Configure Multi-factor Authentication Now?: select "I do not want to configure multi-factor authentication for this relying party trust" and click Next. 

● Choose Issuance Authorization Rules: select "Permit all users to access this relying party" and click Next. (You can later restrict access to a group from the trust's Issuance Authorization Rules.) 

● Ready to Add Trust: review the settings on all tabs and click Next. 

● Finish: mark the checkbox "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes" and click Close. 

 

CloudSOC is now set up as an application on ADFS. Proceed to the section Configure claim rules to define the claims that ADFS issues to CloudSOC.   


Configure claim rules 

1. In the Edit Claim Rules dialog, click Add Rule, select the Send LDAP Attributes as Claims template, and click Next. 

 

2. Name the Claim Rule and select Active Directory from Attribute Store menu. 

 


3. Add the following attribute mappings to the rule (LDAP Attribute -> Outgoing Claim Type): 

  User-Principal-Name  ->  Name ID 
  User-Principal-Name  ->  UPN 
  Given-Name           ->  Given Name 
  Surname              ->  Surname 
  E-Mail-Addresses     ->  Primary SID 

 

Note: Make sure that the value issued in the UPN claim is the same as the value issued in the Primary SID claim, as in the following assertion fragment. Because the table above sources the Primary SID claim from E-Mail-Addresses and the UPN claim from User-Principal-Name, this means each user's mail attribute must equal their userPrincipalName; check the directory for mismatches before enabling single sign-on. 

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
  <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid">
  <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
</saml:Attribute>

4. Click OK.   


5. On the General tab, use the mail attribute as the secondary ID. 

 

Configure single logout 

1. Double-click the CloudSOC relying party trust and click the Endpoints tab.  

2. Click Add SAML. 

3. Enter the endpoint settings shown in the following table and click OK. 

  Endpoint type:  SAML Logout 
  Binding:        Redirect 
  Trusted URL:    https://<your-adfs-server-url>/adfs/ls/?wa=wsignout1.0 
  Response URL:   For the US-based production cloud: https://app.elastica.net/saml2/ls/ 
                  For the EU-based production cloud: https://app.eu.elastica.net/saml2/ls/ 


 

 

4. Proceed to the sections Download metadata from ADFS and Configure ADFS as IDP to set up ADFS on the CloudSOC side.   
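The three ADFS-side procedures above (relying party trust, claim rules, single logout) as one AD FS PowerShell script. This is an added example, not part of the Symantec tech note; it assumes the US production URLs, the trust name "CloudSOC", the ADFS and ActiveDirectory PowerShell modules on the ADFS server, and the SHA-256 signature algorithm that the tech note recommends later. It goes beyond the wizard in one respect: it ends with a query that lists enabled accounts whose userPrincipalName and mail differ, which is exactly the condition under which the UPN and Primary SID claims would not match.

```powershell
# Added example (not from the Symantec tech note): creates the CloudSOC relying party
# trust, claim rule and SAML logout endpoint with the AD FS PowerShell module instead
# of the wizard. Run in an elevated PowerShell on the AD FS server.
# Assumptions: US production URLs from the tech note; trust name "CloudSOC".
Import-Module ADFS
Import-Module ActiveDirectory   # only for the UPN/mail consistency check at the end

$rpName     = 'CloudSOC'
$identifier = 'https://app.elastica.net/'            # trailing slash matters: this is the SAML Audience
$acsUrl     = 'https://app.elastica.net/saml2/acs/'
$sloUrl     = 'https://app.elastica.net/saml2/ls/'
$adfsHost   = (Get-AdfsProperties).HostName          # e.g. adfs.example.com

# Wizard page "Configure URL": SAML 2.0 WebSSO assertion consumer endpoint (HTTP-POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Section "Configure single logout": SAML Logout endpoint, Redirect binding.
$slo = New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout `
         -Uri "https://$adfsHost/adfs/ls/?wa=wsignout1.0" -ResponseUri $sloUrl

# Section "Configure claim rules": one "Send LDAP Attributes as Claims" rule issuing the
# five claims from the tech note's table (Name ID, UPN, Given Name, Surname, Primary SID).
$issuance = @'
@RuleTemplate = "LdapClaims"
@RuleName = "CloudSOC attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"),
          query = ";userPrincipalName,userPrincipalName,givenName,sn,mail;{0}",
          param = c.Value);
'@

# Wizard page "Choose Issuance Authorization Rules": permit all users.
$authz = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $identifier `
    -SamlEndpoint @($acs, $slo) `
    -IssuanceTransformRules $issuance `
    -IssuanceAuthorizationRules $authz `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# The tech note requires the UPN claim and the Primary SID claim (sourced from mail above)
# to carry the same value. List enabled accounts where they would differ before anyone
# tries to sign in. Assumption: the whole domain is in scope; add -SearchBase to narrow it.
Get-ADUser -Filter 'Enabled -eq $true' -Properties mail |
    Where-Object { $_.UserPrincipalName -ne $_.mail } |
    Select-Object SamAccountName, UserPrincipalName, mail
```

For the EU cloud, swap the three app.elastica.net URLs for their app.eu.elastica.net counterparts; everything else, including the trailing slash on the identifier, stays the same.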


Download metadata from ADFS 

Download the metadata file that your ADFS server publishes at the following URL: 

https://<your-adfs-server-url>/federationmetadata/2007-06/federationmetadata.xml 

where <your-adfs-server-url> is the address where your Active Directory Federation Service is running. If you don't know the address, contact your IT support center for help. The metadata carries the ADFS entityID, endpoints and token-signing certificate that CloudSOC will trust, so fetch it over HTTPS directly from the ADFS server rather than accepting a copy passed along by e-mail. 

 

Configure ADFS as IDP 

1. Login to CloudSOC with your administrator credentials. 

2. Click your user name on the CloudSOC menu bar and select Settings, then click the Single Sign-on tab. 

3. Select ADFS from the menu. 

   


4. Select a Secure Hash Algorithm as shown in the following. Select SHA-256; SHA-1 signatures are deprecated and should be used only if your ADFS version cannot sign with SHA-256. Whichever you choose, the same algorithm must be set on the relying party trust in ADFS (step 10), or ADFS and CloudSOC will reject each other's signatures. 

 

5. If your ADFS implementation requires CloudSOC to sign authentication requests, mark the Signed request checkbox as shown in the following. 

To determine whether your ADFS implementation requires signed authentication requests, open PowerShell with administrator rights on the ADFS server and run: 

(Get-AdfsProperties).SignedSamlRequestsRequired 

If it returns True, mark the checkbox; if it returns False, leave it clear. 

6. Upload the Metadata that you downloaded from the ADFS server. 

 

7. Click Configure to complete the setup of ADFS as the IDP at CloudSOC. 

8. Download either the SHA-1 or SHA-256 certificate, depending which one you chose in step 4. 


 

9. On the ADFS server, open Server Manager, select Tools, and then select ADFS Management.  

10. Under Relying Party Trusts, double-click CloudSOC, click the Advanced tab, and select the same secure hash algorithm that you chose in step 4. 

   


11. Add the CloudSOC certificate on the Encryption and Signature tabs. The certificate on the Signature tab is what ADFS uses to verify authentication requests signed by CloudSOC (step 5); the certificate on the Encryption tab is what ADFS uses to encrypt the assertions it sends to CloudSOC. 
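Steps 6 through 11 hand a metadata file to CloudSOC and a certificate back to ADFS; the tech note does not say how to check either before trusting it. The following script is an added example, not part of the tech note. Before the metadata is uploaded it verifies the enveloped XML signature against the certificate embedded in the file, prints the entityID, endpoints and token-signing certificate expiry so they can be compared with what CloudSOC displays, and then performs steps 10 and 11 (SHA-256 plus the CloudSOC certificate on the Signature and Encryption tabs) with Set-AdfsRelyingPartyTrust. The ADFS host name, the file paths and the trust name "CloudSOC" are assumptions.

```powershell
# Added example (not from the Symantec tech note). Checks the AD FS federation metadata
# before it is uploaded to CloudSOC, then binds the CloudSOC certificate to the trust.
# Assumptions: AD FS host name, file paths, trust name "CloudSOC". Windows PowerShell.
Add-Type -AssemblyName System.Security      # System.Security.Cryptography.Xml

$adfsHost     = 'adfs.example.com'                        # assumption
$metadataUrl  = "https://$adfsHost/federationmetadata/2007-06/federationmetadata.xml"
$metadataFile = 'C:\ADFS\federationmetadata.xml'          # assumption
$cloudSocCert = 'C:\ADFS\cloudsoc-sha256.cer'             # assumption: certificate downloaded in step 8

Invoke-WebRequest -Uri $metadataUrl -OutFile $metadataFile -UseBasicParsing

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true             # canonicalisation must see the original whitespace
$xml.Load($metadataFile)

$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# 1. The EntityDescriptor carries an enveloped XML signature; verify it with the
#    certificate in its own KeyInfo. An unsigned or tampered file must not be uploaded.
$sigNode = $xml.SelectSingleNode('/md:EntityDescriptor/ds:Signature', $ns)
if (-not $sigNode) { throw 'Metadata is not signed; do not upload it.' }
$signed = New-Object System.Security.Cryptography.Xml.SignedXml($xml)
$signed.LoadXml($sigNode)
if (-not $signed.CheckSignature()) { throw 'Metadata signature does not verify; do not upload it.' }

# 2. What CloudSOC will trust once the file is uploaded: entityID, SAML endpoints,
#    token-signing certificate(s). Compare these with the values CloudSOC shows.
$entity = $xml.SelectSingleNode('/md:EntityDescriptor', $ns)
"entityID : $($entity.GetAttribute('entityID'))"
$xml.SelectNodes('//md:IDPSSODescriptor/md:SingleSignOnService | //md:IDPSSODescriptor/md:SingleLogoutService', $ns) |
    ForEach-Object {
        '{0,-20} {1,-14} {2}' -f $_.LocalName, $_.GetAttribute('Binding').Split(':')[-1], $_.GetAttribute('Location')
    }
$xml.SelectNodes('//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns) |
    ForEach-Object {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                 [Convert]::FromBase64String($_.InnerText.Trim()))
        "signing cert : $($c.Subject)  thumbprint=$($c.Thumbprint)  expires=$($c.NotAfter)"
        if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning 'Token-signing certificate expires within 30 days; plan the rollover and re-upload the metadata.'
        }
    }

# 3. Steps 10 and 11: SHA-256 on the trust, CloudSOC certificate on the Signature tab
#    (verifies signed AuthnRequests) and on the Encryption tab (encrypts assertions).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cloudSocCert)
Set-AdfsRelyingPartyTrust -TargetName 'CloudSOC' `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -RequestSigningCertificate $cert `
    -EncryptionCertificate $cert
```

Run the first two parts on any Windows machine that can reach the ADFS server; the final Set-AdfsRelyingPartyTrust call needs the ADFS module and must run on the ADFS server itself.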

 

Importing users and groups 

To import users and groups, perform the procedures in the following sections in sequence. 

Download the export utility 

After configuring ADFS, download the export utility: 

1. In CloudSOC, open the Settings page and click the Single Sign-on tab. 

2. Click Download Export Utility as shown in the following. 

 

3. Save the downloaded file on your machine. 


Export users and groups from Active Directory 

The export utility exports users and groups from Active Directory and writes them in CSV files in a format compatible with CloudSOC.  

1. Start Windows Powershell using the Run as Administrator option. 

2. Navigate to the directory containing the export utility and execute it with the following command: 

.\export_utility.ps1 -Export_Path <directory> {-OU <name>}

Where: 

● <directory> is the path to the directory where the utility writes the output files 

● <name> is the name of the OU to export. If omitted, the utility exports the groups and users of all OUs. 

For example: 

.\export_utility.ps1 -Export_Path C:/ADFS -OU "Finance"  

The utility writes users and groups to the files users.csv and groups.csv in the specified directory. Users and groups that cannot be imported into CloudSOC are written to users-fail.csv and groups-fail.csv; review those files before importing. 

 

 


Import users into CloudSOC 

To import users: 

1. From the CloudSOC menu bar, select Users, and then select Users to open the Users tab as shown in the following. 

 

2. On the Users tab, click Import. The Import Users panel opens from the right. 

 

3. Navigate to the users.csv file created in Export users and groups from Active Directory. By default, the file is created in the C:\ directory (or in the directory you passed as -Export_Path).   


4. Click Upload File to upload the csv file. 

 

CloudSOC sends you an email to confirm the successful import of users. 

5. Refresh the users page to see the new users in the users list. 

Import groups into CloudSOC 

To import groups: 

1. From the CloudSOC menu bar, select Users, and then select Groups to open the Groups tab as shown in the following figure. 

   


2. On the Groups tab, click Import. 

 

3. Navigate to the groups.csv that was created by export_utility.ps1. 

By default, the groups.csv file is created in the C:\ directory (or in the directory you passed as -Export_Path).  

4. Click Upload File to import the groups into CloudSOC.  

CloudSOC sends you an email to confirm the successful import of groups. 

5. Refresh the groups page to see the newly imported groups. 

Configuring CloudSOC to force single-sign-on 

You can configure CloudSOC so that cloud service users no longer have the option of authenticating directly with CloudSOC; they can only authenticate with your single sign-on service. 

Important: We recommend that you enable this feature only after you confirm that single sign-on is correctly configured and that both IDP-initiated and SP-initiated logins work properly. Otherwise you might be locked out of your CloudSOC administrator accounts. 

1. In CloudSOC, go to the gear icon on the top right corner, then click the Single Sign-On tab.   


2. Mark the checkbox for Force all users to login through SSO as shown in the following. 

 

Using ADFS single sign-on 

SP-initiated single sign-on 

1. Go to the CloudSOC login page, select Single Sign On, enter your email address, and sign in. 

 

CloudSOC redirects you to the ADFS sign in page.  

2. Enter your AD credentials and click Sign in. 

 

After a successful login, ADFS redirects you to the CloudSOC Dashboard. 


IDP Initiated SSO  

CloudSOC supports IDP-initiated login from ADFS: users sign in to the ADFS server, and after successful authentication they can open CloudSOC from there. Perform the following steps for IDP-initiated login from ADFS. 

1. Open the ADFS sign-in page at the following URL, then select CloudSOC from the menu: 

https://<your-adfs-server-url>/adfs/ls/idpinitiatedsignon/ 

where <your-adfs-server-url> is the address of the server on which Active Directory Federation Service is running. If you don't know the address, contact your IT support department. Note that on AD FS 2016 and later this page is disabled by default; an ADFS administrator must enable it with Set-AdfsProperties -EnableIdpInitiatedSignonPage $true before this flow works. 

 

2. Enter your AD credentials and sign in. 

 

On successful authentication from ADFS, you are redirected to CloudSOC. 


Removing ADFS as an IDP 

Removing ADFS as an IDP prevents your users from using Single Sign On (both Service Provider and IDP initiated) and Single Logout on CloudSOC. If Force all users to login through SSO is enabled, clear it first so that administrators can still sign in directly. To remove ADFS as an IDP: 

1. Login to CloudSOC as SysAdmin and open the Settings page. 

2. Open the Single Sign-on tab and click Remove. 

CloudSOC removes ADFS as an IDP. 

 

Revision history 

Date  Version  Description 

25 Sept 2015  1.0  Initial Release 

19 April 2016  1.1  Add EU cloud URLs 

14 June 2016  1.2  Update for enhancements in 2.67 

7 November 2016  1.3  Remove extraneous spaces from CloudSOC URLs, add note about UPN claim matching the primary SID claim 

23 January 2017  1.4  Update for SHA-256 enhancements in 2.78 

11 August 2017  2.0  Address force single sign-on feature 

5 October 2017  2.1  Address signed request feature 

22 February 2018  2.2  Recommend SHA-256 secure hash algorithm 

28 September 2020  2.3  Changed "Elastica" to "CloudSOC" 

 
