The latest version of Prism Central (v5.8) brought a bunch of new features. One of these features is support for using an external Identity Provider (IDP) instead of, or alongside, LDAP (Active Directory or OpenLDAP).
For this post I'll be configuring ADFS for SSO to Prism Central.
To make this whole process easier, grab the Federation XML from your ADFS site.
Head on over to https://federationURLHere/federationmetadata/2007-06/federationmetadata.xml and download the XML, substituting in your own Federation URL (e.g. sts.corp.com). This downloads an XML document containing the settings Prism Central needs to set up the connection.
Create an A record for your Prism Central VM (e.g. prism.domain.local).
Prism Central Configuration
Before you go any further, click on the link at the bottom of the Authentication window that says "Download Metadata". This will download another XML for use later when we need to configure ADFS so keep this safe for the time being.
Now we can give our configuration a name (this name is shown on the Prism Central login page) - I went with something super original, ADFS - and then click the "Upload Metadata" radio button. Once you select it, an Import Metadata button appears. You also have the option to configure this manually if you can't get the metadata for whatever reason.
You can now go ahead and set up your Role Mappings for this new authentication type. Note: when using an IDP as opposed to LDAP, you cannot map roles to groups; role mapping is done per individual user, not per group. For ADFS, the user value needs to be the user's UPN.
Now that the Prism Central config is done, we can switch over to our ADFS server and configure the connector to Prism Central.
Adding a Relying Party Trust
The connection between ADFS and Prism Central is defined using a Relying Party Trust (RPT).
Creating Claim Rules
Once the relying party trust has been created, you can create the claim rules and update the RPT with the minor changes that aren't set by the wizard. By default the claim rule editor opens once you have created the trust.
- To create a new rule, click on Add Rule. Create a Send LDAP Attributes as Claims rule.
- On the next screen, using Active Directory as your attribute store, do the following:
For the most part, the ADFS config is now complete and should work when you go to Prism Central and select Login with ADFS. However, I did notice that when logging in, it was sending the IP address of Prism Central to log in to (which is fine on the same network). I wanted to adjust the trust so that the correct URL was sent and so I wouldn't get SSL cert errors.
Adjusting the Trust Settings
Now switch to the Endpoints tab. You'll notice that the SAML Assertion Consumer Endpoint is set to the IP address of the Prism Central VM. Highlight the SAML Assertion Consumer Endpoint and click edit.
Click OK to close the trust editor and give it a few minutes for the federation sync to occur.
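The IP-address endpoint above can be caught before it ever reaches ADFS by inspecting the "Download Metadata" XML from Prism Central. This added check is not part of the original post or of either product; it parses standard SAML 2.0 SP metadata, flags AssertionConsumerService locations that use an IP address, plain http, or a host other than the A record you created, and builds the corrected URL. The XML sample, its paths and the 10.0.0.5 address are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, urlunparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed stand-in for the metadata Prism Central lets you download;
# entityID, path and address are made up for this example.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://10.0.0.5:9440/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://10.0.0.5:9440/saml/callback"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def is_ip_host(url: str) -> bool:
    """True when the URL's host is a literal IPv4/IPv6 address, not a DNS name."""
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def corrected_location(url: str, dns_name: str) -> str:
    """Swap the host for the A record name, keeping scheme, port and path."""
    p = urlparse(url)
    netloc = dns_name + (f":{p.port}" if p.port else "")
    return urlunparse(p._replace(netloc=netloc))


def inspect_sp_metadata(xml_text: str, expected_host: str) -> dict:
    """Return entityID, every ACS endpoint, and the locations ADFS should not be given."""
    root = ET.fromstring(xml_text)
    acs = []
    for el in root.findall(".//md:SPSSODescriptor/md:AssertionConsumerService", NS):
        loc = el.get("Location", "")
        host = (urlparse(loc).hostname or "").lower()
        acs.append({
            "index": int(el.get("index", "0")),
            "binding": el.get("Binding", "").rsplit(":", 1)[-1],  # e.g. HTTP-POST
            "location": loc,
            "https": urlparse(loc).scheme == "https",
            "ip_host": is_ip_host(loc),
            "matches_dns": host == expected_host.lower(),
        })
    problems = [a["location"] for a in acs
                if a["ip_host"] or not a["https"] or not a["matches_dns"]]
    return {"entity_id": root.get("entityID", ""), "acs": acs, "problems": problems}
```

Run it against the real downloaded file and your A record name; anything listed under "problems" is an endpoint you will otherwise have to edit by hand in the RPT's Endpoints tab, as described above.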
And there you have it. You can now log in to Prism Central with ADFS.