SSO integration is configured on both the ADFS and OpsRamp sides. The configuration sets up login redirects to your custom-branded URL.
Prerequisite
- Partners must register with OpsRamp to get OpsRamp login credentials.
- Provide your custom branding URL (such as <yourwebsitename>.opsramp.com).
ADFS configuration
ADFS configuration involves the following:
- Adding the relying party trust identifier.
- Editing the claim rules for the relying party trust.
- Adding rules.
- Editing the claims rules for the claims provider.
- Exporting the certificate.
Step 1: Add relying party trust identifiers
To add the relying party trust identifier:
- From ADFS, go to Tools > AD FS Management.
- From AD FS > Trust Relationships > Relying Party Trusts, select Add Relying Party Trust Wizard and click Start to start the wizard.
- On Specify Display Name, provide a unique display name and click Next.
- On Choose Profile, select the AD FS profile and click Next.
- On Configure Certificate, clear the Token encryption certificate field and click Next.
- On Configure URL, check Enable support for the SAML 2.0 WebSSO protocol, enter the following URL with the subdomain replaced by your custom branding, and click Next:
https://yoursubdomain.opsramp.com/samlResponse.do
- On Configure Identifiers, select Relying party trust identifier and click Next.
- Review the settings and click Next.
- Click Close to complete the wizard configuration.
- From the left pane, expand Trust Relationships menu, right-click Relying Party Trusts and select Properties.
- On the Advanced tab, select SHA-1 from the Secure hash algorithm drop-down and click OK.
Step 2: Edit claim rules for relying party trusts
To edit the claim rules for the relying party trusts:
- From ADFS, go to Trust Relationships > Relying Party Trusts and select Edit Claim Rules.
- Select the Issuance Transform Rules tab, select your Account Name, and click Add Rule.
- In the Edit Transform Claim Rule wizard, enter the following:
- On Select Rule Template > Choose Rule Type, set Claim rule template to Send LDAP Attributes as Claims, and click Next.
- On Configure Rule > Configure Claim Rule, enter the following information, and click Finish.
- Claim rule name: Get Attributes
- Attribute store: Active Directory
- Map the following LDAP attributes to outgoing claim types (LDAP attribute: Outgoing claim type). These claims carry the user information into OpsRamp:
- Email Addresses: email address
- Display Name: first and last name
- On Choose Rule Type, set Claim rule template to Transform an Incoming Claim, and click Next.
- On Configure Rule, enter the following details:
- Claim rule name: Name ID Transform
- Incoming claim type: E-mail
- Outgoing claim type: Name ID
- Outgoing name ID format: E-mail
- Click Finish, then OK.
Step 3: Add rules
Rules are added to map the user's login name to the EmailID field in OpsRamp.
To add a rule:
- Go to Trust Relationships > Relying Party Trusts and click Edit Claim Rules.
- Select the Issuance Transform Rules tab, select your Account Name, and click Add Rule.
- In the wizard, enter the following settings:
- Claim rule template: Send LDAP Attributes as Claims
- Claim rule name: AccountName to NameID
- LDAP Attribute: SAM-Account-Name
- Outgoing Claim Type: NameID
- Click Finish.
Step 4: Edit the claims rules for claims provider
To edit the claim rules for the claims provider:
- Go to AD FS > Trust Relationships > Claims Provider Trusts.
- Select Active Directory > Edit Claim Rules and click Add Rule.
- From the Claim rule template drop-down menu, select Pass Through or Filter an Incoming Claim and click Next.
- On the Configure Rule screen, enter the following details.
- Claim rule name: Name ID Rule
- Incoming claim type: Name ID
- Incoming name ID format: E-mail
- Click Finish.
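Steps 1 through 4 build the relying party trust and its claim rules through the AD FS management console. The following is an added example, not OpsRamp's or Microsoft's code, that creates the same objects with the AD FS PowerShell module, which is easier to review and to reproduce across farms. Assumptions not on this page: the trust is named "OpsRamp", its identifier is the branded subdomain URL, the LDAP attributes givenName and sn are used to feed the First Name and Last Name properties that OpsRamp's Inbound page requires, the issuance authorization rule permits all users, and the group-to-role rule (with a placeholder group SID) exists only to give the Inbound page's Role mapping a claim to map from.

```powershell
# Added example (not OpsRamp's or Microsoft's code): the relying party trust and
# claim rules from Steps 1-4, created with the AD FS PowerShell module.
Import-Module ADFS

$Subdomain = 'yoursubdomain'   # replace with your custom branding subdomain
$Acs = "https://$Subdomain.opsramp.com/samlResponse.do"

# Step 2, rule 1: "Get Attributes" - Send LDAP Attributes as Claims.
# Assumption: givenName/sn instead of displayName, so OpsRamp's required
# First Name / Last Name properties each get their own claim.
$getAttributes = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Get Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Step 2, rule 2: "Name ID Transform" - E-mail claim -> Name ID with E-mail format.
$nameIdTransform = @'
@RuleTemplate = "MapClaims"
@RuleName = "Name ID Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 3: "AccountName to NameID" - sAMAccountName -> Name ID. This rule and the
# one above both issue a Name ID; keep only the one that matches how OpsRamp
# should identify users, otherwise the assertion carries two Name IDs.
$accountNameToNameId = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AccountName to NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Assumption: a group claim for the Inbound page's Role mapping (ADFS Property
# "Group", value "OpsRamp-Admin"). The SID is a placeholder; use your group's SID.
$groupToRole = @'
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Group to Role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-GROUP-SID", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "OpsRamp-Admin", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# E-mail based Name ID (Step 2); swap in $accountNameToNameId for the Step 3 variant.
$issuanceRules = $getAttributes + "`n" + $nameIdTransform + "`n" + $groupToRole

# Step 1: relying party trust with the SAML 2.0 assertion consumer endpoint.
# The wizard on this page sets the Secure hash algorithm to SHA-1; the SHA-256
# URI is http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 if the service provider accepts it.
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $Acs -Index 0
Add-AdfsRelyingPartyTrust -Name 'OpsRamp' `
    -Identifier "https://$Subdomain.opsramp.com" `
    -SamlEndpoint $acsEndpoint `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 4: pass the e-mail-format Name ID through the Active Directory claims
# provider trust, appended to its existing acceptance rules rather than replacing them.
$passThrough = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Name ID Rule"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
 => issue(claim = c);
'@
$adCpt = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules ($adCpt.AcceptanceTransformRules + "`n" + $passThrough)

# Review what was stored before testing a login
(Get-AdfsRelyingPartyTrust -Name 'OpsRamp').IssuanceTransformRules
```

Run this in an elevated PowerShell session on an AD FS server. The rule text is the same claim rule language the wizard generates, so the rules created here can be inspected afterwards in the Edit Claim Rules dialog, and the appended pass-through keeps the default Active Directory acceptance rules that other relying parties depend on.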
Step 5: Export the certificate
To export the certificate:
- Go to ADFS > Service > Certificates.
- Select Token-signing > View Certificate... and click the Details tab.
- Click Copy to File... and click OK.
- On Certificate Export Wizard > Export File Format, select DER encoded binary X.509 (.CER) and click Next.
- Choose a location to save your certificate and click Next.
- Click Finish, then OK.
To convert the certificate from DER to PEM format with SSL Shopper:
- Log into sslshopper.com.
- Click SSL Converter - Convert SSL Certificates to different formats.
- Select the following options and click Convert Certificate:
- Type of Current Certificate: DER/BINARY
- Type To Convert To: Standard PEM
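Step 5 exports the token-signing certificate as DER and then sends it through a web converter to obtain PEM. The following is an added example, not OpsRamp's or Microsoft's code, that does the same on the AD FS server itself with the AD FS PowerShell module: it exports the primary token-signing certificate, wraps it as PEM, and prints the Issuer URL, Redirection URL, and Logout URL that the OpsRamp Configuration page asks for. Assumed: the AD FS default SAML endpoint path (/adfs/ls/) and the temp-folder output paths; verify the printed values against your farm's FederationMetadata.xml before entering them.

```powershell
# Added example (not OpsRamp's or Microsoft's code): export the primary AD FS
# token-signing certificate to DER and PEM locally and collect the values the
# OpsRamp Configuration page needs.
Import-Module ADFS

function Convert-DerToPem {
    param([byte[]]$DerBytes)
    # PEM is the DER body base64-encoded in 64-character lines between markers
    $b64 = [Convert]::ToBase64String($DerBytes)
    $body = ($b64 -replace '(.{64})', "`$1`n").TrimEnd("`n")
    return "-----BEGIN CERTIFICATE-----`n$body`n-----END CERTIFICATE-----`n"
}

# The primary token-signing certificate is the one that signs SAML assertions
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert = $signing.Certificate   # X509Certificate2

# -Type CERT writes DER, the same as the wizard's "DER encoded binary X.509"
$derPath = Join-Path $env:TEMP 'adfs-token-signing.cer'
Export-Certificate -Cert $cert -FilePath $derPath -Type CERT | Out-Null

$pemPath = Join-Path $env:TEMP 'adfs-token-signing.pem'
$pem = Convert-DerToPem -DerBytes ([System.IO.File]::ReadAllBytes($derPath))
Set-Content -Path $pemPath -Value $pem -Encoding ascii -NoNewline

# Values for the OpsRamp Configuration page. Assumption: default AD FS endpoint
# paths; confirm against https://<adfs host>/FederationMetadata/2007-06/FederationMetadata.xml
$props = Get-AdfsProperties
[pscustomobject]@{
    IssuerURL      = $props.Identifier.AbsoluteUri
    RedirectionURL = "https://$($props.HostName)/adfs/ls/"
    LogoutURL      = "https://$($props.HostName)/adfs/ls/"
    CertificatePEM = $pemPath
    Thumbprint     = $cert.Thumbprint
    NotAfter       = $cert.NotAfter                 # upload a new PEM to OpsRamp before this date
    AutoRollover   = $props.AutoCertificateRollover # if true, AD FS replaces this certificate on its own
}
```

The last two fields are the operational caveat: when AutoCertificateRollover is enabled, AD FS generates a new token-signing certificate before the current one expires, and the certificate stored in OpsRamp must be updated at that point or logins will fail signature validation.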
OpsRamp configuration
To configure SSO integration:
- From All Clients, select a client.
- Navigate to Setup > Account.
- Select the Integrations and Apps tab. The Installed Integrations page displays all installed applications. Note: If no applications are installed, you are taken to the Available Integrations and Apps page instead.
- Click + ADD on the Installed Integrations page. The Available Integrations and Apps page displays all available applications, including the newly created application with its version.
- Search for Active Directory Federation Service using the search option, or browse with the All Categories option.
- Click +Add on the Active Directory Federation Service tile.
- Enter the following information on the Configuration page:
- Metadata XML: Upload the XML file. It contains the Issuer URL, Redirection URL, Logout URL, and Certificate; after you upload it, those fields are populated automatically. Alternatively, enter them manually:
- Issuer URL: Identity provider Issuer URL
- Redirection URL: SAML endpoint for HTTP
- Logout URL: URL for logging out
- Certificate: X.509 certificate
Provision Username as: There are two ways to provision a user. Select the appropriate option:
- Identity Provider's Name Identifier: selected by default. The user created in the SSO portal is reflected in OpsRamp.
- Identity Provider's Name Identifier with OpsRamp tenant-unique prefix: This option lets you:
- Create usernames with a unique three-character alphanumeric prefix that the system generates automatically.
- Install the same identity provider across multiple OpsRamp tenants.
Note: Once you enable this option and install the integration, you cannot revert the change.
Example: Three partners, P1, P2, and P3, each have usernames created with a unique prefix: g0z.username1 for partner P1, p0w.username1 for partner P2, and t9q.username1 for partner P3.
Click Next.
On the Inbound page:
User Provision: Select the following details and click Update User Provision:
- Provision Type: If you select JIT, the user is created just in time, at login.
- Default Role: The required user role.
Define the following Map Attributes:
Note: The OpsRamp properties Primary Email, First Name, Last Name, and Role are required.
- Click +Add in the Map Attributes section.
- In the Add Map Attributes window, enter the following information:
User:
- Select OpsRamp Entity as User and OpsRamp Property as Role. Role mapping is required for both User and User Group.
- ADFS Entity: Enter the value.
- ADFS Property: Enter the value.
Similarly, map Primary Email, First Name, and Last Name.
Under Property Values:
- ADFS Property Value: Enter the value sent from the Azure side (in the payload).
- OpsRamp Property Value: Select the role that corresponds to the ADFS Property Value.
- Click Save. The mapping is saved and displayed.
To add more property values, click +Property Value.
Use the Filter option to filter the map attributes.
Similarly, map attributes for other entities.
Note: If no Time Zone mapping is provided, the organization time zone is used by default.
User Group:
- Select OpsRamp Entity as User Group and OpsRamp Property as Role.
- ADFS Entity: Enter the value.
- ADFS Property: Enter the value.
Similarly, map Primary Email, First Name, and Last Name.
Under Property Values:
- ADFS Property Value: Enter the value sent from the Azure side (in the payload).
- OpsRamp Property Value: Select the role that corresponds to the ADFS Property Value.
- Click Save. The mapping is saved and displayed.
To add more property values, click +Property Value.
- Click Add Map Attributes.
- Click the three dots (menu icon) at the end of each row to edit or delete a map attribute.
If Role is not configured in the Map Attributes section, the Default Role from the User Provision section is used for SSO.
- Click Finish. The integration is installed.