An NSX Advanced Load Balancer virtual service’s ability to act as a service provider is key to support of Security Assertion Markup Language (SAML). To fulfill this role, the NSX Advanced Load Balancer virtual service sends authentication requests to an identity provider (IDP), responses from which govern user access to back-end applications running in NSX Advanced Load Balancer pools. Multiple third-party integrations have been implemented by NSX Advanced Load Balancer to give customers a choice of IDP. This section outlines the steps necessary to enable ADFS as IDP.

NSX Advanced Load Balancer as SP and ADFS as IDP



Prerequisite Steps

  1. Set up the ADFS server and the service account for it.

  2. Ensure the SSL certificate has been installed and that the server is accessible over HTTPS, with an FQDN name the same as the CN in the certificate.

  3. Test your ADFS server by following this URI: https://<adfs_fqdn>/adfs/fs/federationserverservice.asmx It will render the output as shown in the image below.



Configuring ADFS As IDP

  1. Open the ADFS management console.

  2. Under Trust Relationships, right click Relying party trusts and select Add Relying Party Trust.

  3. The Add Relying Party Trust Wizard will open; click Start.

  4. Select the Enter data about the relying party manually option and click Next.

  5. On the next screen, provide Display Name and click Next.

  6. Select the AD FS profile option and click Next.

  7. Click Next on Configure Certificate tab.

  8. On the Configure URL screen, select Enable support for the SAML 2.0 WebSSO protocol and enter the SP URL as shown below. This must match the SSO URL on SP.



  9. Enter the Relying party trust identifier. It must be same as the entity ID on your SP.

  10. Choose the first option as shown below and click Next.



  11. Select the Permit all users to access this relying party option and click Next.

  12. Click Next on Ready to Trust tab.

  13. Click Close.

  14. The Edit Claim Rules wizard will appear. Click Add Rule.

  15. Make a selection from the Claim rule template drop-down menu and click Next.

  16. On the Configure Claim Rule screen, add the name, choose the Attribute store and add the mapping of required attributes as shown in the screenshot below.



  17. Click OK. Click Apply and click OK again.

  18. Right click the App name and select Properties from the drop-down menu.

  19. Select the Endpoints tab and add the SSO URL as shown in the screenshot below. This must match the SSO URL on SP.



Check the Identifier to make sure it is correct and match the Entity ID. Now your IDP is ready.

Metadata can be downloaded from this link:https://<adfs_fqdn>/FederationMetadata/2007-06/FederationMetadata.xml

Once configuration is complete on ADFS, configure an NSX Advanced Load Balancer virtual service to act as service provider by following the instructions given in the SAML Configuration on NSX Advanced Load Balancer in this guide.