Enable Active Directory Federation Services (ADFS) SSO with Tanzu CloudHealth
To start authenticating through Active Directory Federation Services (AD FS), provide Tanzu CloudHealth with your AD FS token-signing certificate in Base-64 (PEM) format and your AD FS SSO sign-in endpoint.
Tanzu CloudHealth will generate an SSO endpoint and contact you to activate and test the connection.
Note
Tanzu CloudHealth does not support mixed-mode authentication. Once you configure SAML SSO through an IdP in the Tanzu CloudHealth Platform, you can only invite users through that IdP. You will no longer be able to send user invitations through the Tanzu CloudHealth Platform.
Step 1: Get Token Signing Certificate
- In AD FS Management, from the left menu, select Service > Certificates.
- Right-click the Token-signing certificate and select View Certificate.
- In the Certificate dialog box, select the Details tab and click Copy to File. Then click OK.
- Complete the Certificate Export Wizard as follows:
  a. On the Export File Format page, select Base-64 encoded X.509 (.CER). This is the PEM format Tanzu CloudHealth expects.
  b. On the File to Export page, specify a filename.
  c. Confirm the export options and click Finish.
The token-signing certificate contains only a public key, so it is safe to send in a ticket. Note that AD FS replaces it when the certificate rolls over (by default AD FS generates a new one automatically before the current one expires); after a rollover, SSO fails until Tanzu CloudHealth has the new certificate, so plan to repeat this step at that time.
Step 2: Get SSO Sign-In Endpoint for AD FS
- In AD FS Management, from the left menu, select Service > Endpoints.
- Locate the /adfs/ls/ endpoint of type SAML 2.0/WS-Federation and verify that its full URL has the structure https://<yourdomainname>.com/adfs/ls (where the host name is your federation service name).
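Steps 1 and 2 can also be done from an elevated PowerShell session on an AD FS server. The script below is an added example, not part of the original page: it exports the primary token-signing certificate as Base-64 PEM (exactly what the Certificate Export Wizard writes), prints the details worth quoting in the support ticket, shows the /adfs/ls/ sign-in endpoint, and reports whether automatic certificate rollover is on. The output path in $OutFile is an assumption.

```powershell
# Added example: scripted version of Steps 1 and 2. Run on an AD FS server as an
# AD FS administrator. $OutFile is an assumed path, change it as needed.
#Requires -Modules ADFS
$OutFile = "$env:USERPROFILE\Desktop\adfs-token-signing.cer"

# Step 1: the primary token-signing certificate. AD FS may also hold a secondary
# certificate staged for rollover; only the primary signs tokens right now.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$cert    = $signing.Certificate

# "Base-64 encoded X.509 (.CER)" is PEM: the DER bytes, base64-encoded in
# 64-column lines, between BEGIN/END CERTIFICATE markers. Build it explicitly
# so the file matches what the export wizard produces.
$der   = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64   = [Convert]::ToBase64String($der)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----"
Set-Content -Path $OutFile -Value $pem -Encoding Ascii
"PEM written to $OutFile"

# Quote these in the ticket next to the PEM so both sides can confirm they are
# looking at the same certificate, and so you know when rollover is due.
"Subject:    $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"Not after:  $($cert.NotAfter.ToString('u'))"

# Step 2: the SAML 2.0/WS-Federation sign-in endpoint, i.e. /adfs/ls/.
$ls = Get-AdfsEndpoint | Where-Object { $_.AddressPath -eq '/adfs/ls/' }
"Sign-in endpoint: $($ls.FullUrl)  (enabled: $($ls.Enabled))"

# Rollover check: with AutoCertificateRollover on, AD FS will mint a new signing
# certificate before this one expires and switch to it, and SSO to Tanzu
# CloudHealth breaks until the new certificate has been sent to them.
$props = Get-AdfsProperties
"AutoCertificateRollover: $($props.AutoCertificateRollover)"
```

If the endpoint line prints nothing, the passive endpoint is disabled or the address path differs on your farm; check Service > Endpoints in AD FS Management before sending the URL.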
Step 3: Send Information to Tanzu CloudHealth
Reach out to the Tanzu CloudHealth Support team to create a ticket and provide the following information:
- Your customer tenant name.
- Contact for AD FS setup within your organization.
- The token-signing certificate in PEM format. Open the exported .cer file in a text editor and paste its entire contents, including the BEGIN CERTIFICATE and END CERTIFICATE lines, into the body of the ticket email.
- Your SSO sign-in endpoint.
Step 4: Complete Setup and Test Connection
After receiving your ticket, Tanzu CloudHealth Support will provide you an activated metadata URL that contains information for completing the setup.
For example, for a customer called smidgetswidgets.com, the endpoint data is formatted as follows:
- Connection Name: smidgetswidgets-com
- Callback URL: https://cloudhealthtech.com/auth0.com/login/callback?connection=smidgetswidgets-com
- Audience URI: urn:auth0:cloudhealthtech:smidgetswidgets-com
- Metadata: https://cloudhealthtech.auth0.com/samlp/metadata?connection=smidgetswidgets-com
Add Relying Party Trust
Complete the Add Relying Party Trust wizard as follows:
- In the AD FS Management console, click Add Relying Party Trust.
- On the Select Data Source page, select Import data about the relying party published online or on a local network. Then paste the Metadata URL that you received from Tanzu CloudHealth.
- Specify your display name.
- Retain the default option to not configure multi-factor authentication.
- On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party.
- On the Ready to Add Trust page, navigate to the Identifiers tab. Confirm that the Audience URI that you received from Tanzu CloudHealth appears in the Relying party identifiers field. Then, navigate to the Endpoints tab and confirm that the endpoints you received from Tanzu CloudHealth appear there.
- Select the option to edit claim rules and click Close. The wizard closes and the Edit Claim Rules dialog box appears.
Edit Claim Rules
Claim rules pass information from AD to Tanzu CloudHealth. Complete the Edit Claim Rules wizard as follows:
- Click Add Rule.
- From the Claim rule template dropdown, select Send LDAP Attributes as Claims. This rule allows fields from AD to be sent to Tanzu CloudHealth. Configure this rule to send user email and display name for login.
- On the rule configuration page, name the rule and map the LDAP attributes to outgoing claim types as follows:
  - E-Mail-Addresses -> email
  - Display-Name -> name
  Type email and name into the Outgoing Claim Type column exactly as shown; the values are case sensitive. Do not pick the prepopulated E-Mail Address entry from the dropdown: that entry is the full schema URI claim type, not the plain email claim name that Tanzu CloudHealth expects.
- In the Edit Claim Rules dialog box, click Add Rule to create the roles claim rules. These rules pass the Tanzu CloudHealth role for each user. Ensure that three AD security groups exist, one per Tanzu CloudHealth user type: Admin, Power, and Standard.
- From the Claim rule template dropdown, select Send Group Membership as Claim.
- On the rule configuration page, name the rule, then browse to and select the cht-admin group. Ensure that the outgoing claim type is roles (typed, all lowercase).
- Repeat the preceding three steps (Add Rule, Send Group Membership as Claim, configure the group) for the two other groups: cloudhealth-power and cloudhealth-standard.
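The Add Relying Party Trust wizard and the claim rules above can be reproduced, and checked, from PowerShell. The script below is an added example and is not code from the original page or from Tanzu CloudHealth: it first fetches the metadata URL and confirms that the SP entityID is the Audience URI and reads the callback (ACS) endpoint, then builds the same two kinds of claim rules in AD FS claim rule language (one Send LDAP Attributes rule emitting email and name, one Send Group Membership rule per role group), creates the trust, and reads it back. The connection name, metadata URL and Audience URI are the page's sample values; the NetBIOS domain name in $AdDomain and the values emitted in the roles claim (Admin, Power, Standard) are assumptions and must be confirmed with Tanzu CloudHealth Support.

```powershell
# Added example: scripted equivalent of "Add Relying Party Trust" and
# "Edit Claim Rules". Sample values are from the page; $AdDomain and the role
# claim values are assumptions to confirm with Tanzu CloudHealth Support.
#Requires -Modules ADFS
$ConnectionName = 'smidgetswidgets-com'
$MetadataUrl    = "https://cloudhealthtech.auth0.com/samlp/metadata?connection=$ConnectionName"
$AudienceUri    = "urn:auth0:cloudhealthtech:$ConnectionName"
$TrustName      = 'Tanzu CloudHealth'
$AdDomain       = 'CONTOSO'          # assumption: your NetBIOS domain name

# Group name (from the page) -> value of the "roles" claim (assumed placeholders).
$RoleGroups = [ordered]@{
    'cht-admin'            = 'Admin'
    'cloudhealth-power'    = 'Power'
    'cloudhealth-standard' = 'Standard'
}

# 1. Verify the metadata before trusting it: the SP entityID must equal the
#    Audience URI from the ticket, and the ACS location should be the Callback URL.
$md = [xml](Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
$entityId = $md.EntityDescriptor.entityID
if ($entityId -ne $AudienceUri) {
    throw "Metadata entityID '$entityId' does not match expected Audience URI '$AudienceUri'"
}
$acs = @($md.EntityDescriptor.SPSSODescriptor.AssertionConsumerService) | ForEach-Object { $_.Location }
"Assertion consumer (callback) endpoint(s): $($acs -join ', ')"

# 2. Resolve each group to its SID once; group rules match on SID, not name.
$GroupSids = @{}
foreach ($group in $RoleGroups.Keys) {
    $GroupSids[$group] = ([System.Security.Principal.NTAccount]"$AdDomain\$group").
        Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# 3. Issuance transform rules. First the "Send LDAP Attributes as Claims" rule
#    with the custom outgoing claim types email and name (plain names, not the
#    schema URIs), then one "Send Group Membership as Claim" rule per role group.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Tanzu CloudHealth email and name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email", "name"), query = ";mail,displayName;{0}", param = c.Value);

"@
foreach ($group in $RoleGroups.Keys) {
    $transformRules += @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Tanzu CloudHealth role: $group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$($GroupSids[$group])", Issuer == "AD AUTHORITY"]
 => issue(Type = "roles", Value = "$($RoleGroups[$group])", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

"@
}

# 4. Issuance authorization. The wizard step on this page is "Permit all users":
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
# Tighter alternative (beyond the page's step): only members of the three role
# groups get a token at all, so an AD user with no Tanzu CloudHealth role never
# reaches the relying party. Pass $permitGroups instead of $permitAll to use it.
$permitGroups = ($RoleGroups.Keys | ForEach-Object {
    "c:[Type == `"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid`", Value == `"$($GroupSids[$_])`"]" +
    " => issue(Type = `"http://schemas.microsoft.com/authorization/claims/permit`", Value = `"true`");"
}) -join "`n"

# 5. Create the trust from the metadata URL (same as "Import data ... published
#    online") and keep it in sync with that metadata, then read it back.
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataUrl $MetadataUrl `
    -IssuanceAuthorizationRules $permitAll -IssuanceTransformRules $transformRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
if ($rp.Identifier -notcontains $AudienceUri) {
    throw "Audience URI '$AudienceUri' is missing from the relying party identifiers"
}
"Identifiers:    $($rp.Identifier -join ', ')"
"SAML endpoints: $(($rp.SamlEndpoints | ForEach-Object { $_.Location }) -join ', ')"
```

The two throw checks are the scripted form of the Identifiers and Endpoints tabs on the Ready to Add Trust page; the SID resolution is what the Browse button does for you in the Send Group Membership as Claim rule.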
Result: SSO is active in your account. Users are controlled completely outside of Tanzu CloudHealth via AD security groups.