William Beckett

Prism Central - Configure SAML Authentication using ADFS

The latest version of Prism Central (v5.8) brought a bunch of new features. One of these features is the support for using an external Identity Provider (IDP) instead of or along side LDAP (Active Directory or OpenLDAP).

For this post I'll be configuring ADFS for SSO to Prism Central.

Preliminary work

To make this whole process easier, grab the Federation XML from your ADFS site.
Head on over to https://federationURLHere/federationmetadata/2007-06/federationmetadata.xml and download the XML. You will need to substitute in your Federation URL (eg. sts.corp.com). This will download an XML document which contains the settings Prism Central needs to setup the connection.

Crete an A record for your Prism Central VM (eg. prism.domain.local).

Prism Central Configuration

  1. Once you have the XML, in Prism Central, head to the gear icon and select Authentication.

    acli prompt

Before you go any further, click on the link at the bottom of the Authentication window that says "Download Metadata". This will download another XML for use later when we need to configure ADFS so keep this safe for the time being.

  1. Now go ahead and click the New IDP button so we can configure the Prism Central side of things.

    acli prompt

  2. Now we can give our configuration a name (this name will be shown on the Prism Central login page) - I went with something super original, ADFS, and then click on the radio button for "Upload Metadata". Once you click the radio button you'll see an Import Metadata button. You do have the option to configure this manually if you can't get the metadata for whatever reason.

    acli prompt

  3. Click the Import Metadata button and select the FederationMatadata.xml you downloaded earlier from your federation URL.

    acli prompt

acli prompt
  1. Once the XMl has been uploaded, click Save.
    you'll be taken back to the Authentication Configuration page where you can see your configured IDP Authentication, in this case ADFS.

    acli prompt

  2. you can now go ahead and setup your Role Mappings for this new Authentication type. Note: When using IDP as opposed to LDAP, you cannot map roles to groups. Role mapping is done to an individual user not a group. For ADFS, this needs to be the users UPN.

    role mapping

Now that the Prism Central config is done, we can switch over to our ADFS server and configure the connector to Prism Central.

ADFS Configuration

Adding a Relaying Party Trust

The connection between ADFS and Prism Central is defined using a Relying Party Trust (RPT).

  1. Select the Relying Party Trusts folder from AD FS Management, and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust.

    New Party Trust

  2. In the Select Data Source screen, select Import data from the relaying party from a file.

    Import Metadata

  3. Choose the metadata file that was downloaded from Prism Central.

    Choose Metadata

  4. On the next screen, specify a display name.

    Name

  5. You may configure multi-factor authentication on this next screen, but this is beyond the scope of this guide.

    MFA

  6. On the next screen, select the Permit all users to access this relying party radio button.

    Auth

  7. On the next two screens, the wizard will display an overview of your settings. On the final screen use the Close button to exit and open the Claim Rules editor.

    Finished

Creating Claim Rules

Once the relying party trust has been created, you can create the claim rules and update the RPT with minor changes that aren't set by the wizard. By default the claim rule editor opens once you created the trust.

  1. To create a new rule, click on Add Rule. Create a Send LDAP Attributes as Claims rule.

    Claim
  2. On the next screen, using Active Directory as your attribute store, do the following:
    1. From the LDAP Attribute column, select User-Principal-Name.
    2. From the Outgoing Claim Type, select Name ID.

      Claim
    3. Click on OK to save the new rule.

Fort the most part, the ADFS config is now complete and should work when you go to Prism Central and select Login with ADFS. However I did notice that when logging in, it was sending the IP address of Prism Central to login to (which is fine on the same network). However, I wanted to adjust the trust so that the correct URL was sent and so I wouldn't get SSL cert errors.

Adjusting the Trust Settings

  1. With the ADFS Management screen still open, highlight your Prism Central trust and click properties in the action pane.

    Edit Rule

  2. Switch to the Identifiers tab and add a new relying party identifier (this will be your DNS record for Prism Central).

    Ientifiers

  3. Now switch to the Endpoints tab. You'll notice that the SAML Assertion Consumer Endpoint is set to the IP address of the Prism Central VM. Highlight the SAML Assertion Consumer Endpoint and click edit.

    Edit Endpoint

  4. Now, under the Trusted URL, enter your Prism Central DNS address instead of the IP address.

    Edit Endpoint

  5. Click Ok to close the trust editor and give it a few minutes for Federation Sync to occur.

  6. Head on over to Prism Central in your web browser and you should now see a Login with ADFS (or whatever you called it in Prism Central) button above the username/password fields.

    Prism UI

And there you have it. You can now login to Prism Central with ADFS.