This topic describes how to configure Active Directory Federation Services (AD FS) as your SAML identity provider (IDP) for VMware Tanzu Operations Manager (Ops Manager) and VMware Tanzu Application Service for VMs (TAS for VMs).
To use AD FS as your SAML IDP for Ops Manager, follow these procedures:
To use AD FS as your SAML IDP for TAS for VMs, follow these procedures:
To configure Ops Manager to use AD FS as your SAML IDP:
Download your IDP metadata from https://AD-FS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml, where AD-FS-HOSTNAME is the hostname of your AD FS deployment.
Follow the procedure in Use an Identity Provider in the BOSH Director configuration topic for your IaaS:
Note: You can set up SAML access for Ops Manager during the initial Ops Manager installation or later by navigating to Settings in the user menu in the Ops Manager Installation Dashboard, configuring the Authentication Method pane, and then clicking Review Pending Changes and Apply Changes.
To configure TAS for VMs to use AD FS as your SAML IDP:
Download your IDP metadata from https://AD-FS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml, where AD-FS-HOSTNAME is the hostname of your AD FS deployment.
Follow the procedure in Configure Ops Manager as a Service Provider for SAML in Configuring Authentication and Enterprise SSO for TAS for VMs.
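Both procedures above start by downloading the AD FS federation metadata. The following added example (not part of the VMware documentation) shows how an operator can do that download from Windows PowerShell and, before handing the file to Ops Manager or TAS for VMs, verify the XML signature AD FS places on the document and pin the token-signing certificate to a thumbprint obtained out of band. The hostname placeholder is the page's AD-FS-HOSTNAME; the thumbprint value and the output file name are assumptions you replace with your own.

```powershell
# Added example: download, signature-check and pin the AD FS federation metadata.
# Placeholders (assumptions, not values from the documentation):
$AdfsHostname       = "AD-FS-HOSTNAME"                            # hostname of your AD FS deployment
$ExpectedThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567" # token-signing cert thumbprint, obtained out of band
$MetadataUrl        = "https://$AdfsHostname/federationmetadata/2007-06/federationmetadata.xml"
$OutFile            = Join-Path $PWD "adfs-federationmetadata.xml"

# Download over HTTPS. Do not add -SkipCertificateCheck: until the signature below is
# verified, the TLS chain is the only thing authenticating the host you are talking to.
Invoke-WebRequest -Uri $MetadataUrl -OutFile $OutFile -UseBasicParsing

Add-Type -AssemblyName System.Security
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true   # canonicalisation of a signed document must see the original whitespace
$xml.Load($OutFile)

# 1. Verify the enveloped XML-DSig with the certificate embedded in <ds:KeyInfo>.
$sig = $xml.GetElementsByTagName("Signature", "http://www.w3.org/2000/09/xmldsig#")
if ($sig.Count -ne 1) { throw "Expected exactly one ds:Signature element, found $($sig.Count)" }
$signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($xml)
$signedXml.LoadXml([System.Xml.XmlElement]$sig[0])
if (-not $signedXml.CheckSignature()) { throw "Federation metadata signature is invalid" }

# 2. Pin the signer. CheckSignature() only proves the document matches the key it carries;
#    the thumbprint comparison proves that key is the one you expected.
$signerCert = $null
foreach ($clause in $signedXml.KeyInfo) {
    if ($clause -is [System.Security.Cryptography.Xml.KeyInfoX509Data]) {
        $signerCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($clause.Certificates[0])
    }
}
if ($null -eq $signerCert) { throw "Signature carries no X.509 certificate in KeyInfo" }
if ($signerCert.Thumbprint -ne $ExpectedThumbprint) {
    throw "Metadata signed by $($signerCert.Thumbprint), expected $ExpectedThumbprint"
}

# 3. Report the values the SP side will consume: entityID, SSO endpoints, signing certs.
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
$entityId = $xml.SelectSingleNode("/md:EntityDescriptor/@entityID", $ns).Value
$sso = $xml.SelectNodes("//md:IDPSSODescriptor/md:SingleSignOnService", $ns) |
    ForEach-Object { "$($_.GetAttribute('Binding')) -> $($_.GetAttribute('Location'))" }
$signingCerts = $xml.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns) |
    ForEach-Object {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2([Convert]::FromBase64String($_.InnerText.Trim()))
        "$($c.Thumbprint) (expires $($c.NotAfter.ToString('u')))"
    }

"entityID      : $entityId"
"SSO endpoints : $($sso -join '; ')"
"signing certs : $($signingCerts -join '; ')"
"saved to      : $OutFile"
```

The expiry dates in the last step are worth recording: when the AD FS token-signing certificate rolls over, the metadata you uploaded to Ops Manager or UAA goes stale and SAML logins fail with a signature error, so re-run this download before the listed NotAfter date.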
To designate Ops Manager as your SAML service provider (SP) in AD FS:
Download your SP metadata from https://login.SYSTEM-DOMAIN/saml/metadata, where SYSTEM-DOMAIN is the system domain of your Ops Manager deployment.
Open your AD FS Management console.
To add a relying party trust:
To modify your relying party trust:
(Optional) If you are using a self-signed certificate and want to deactivate CRL checks:
Run:
Set-AdfsRelyingPartyTrust -TargetName "RELYING-PARTY-TRUST" -SigningCertificateRevocationCheck None
Where RELYING-PARTY-TRUST is the name of the relying party trust for which you want to deactivate CRL checks. With revocation checking off, AD FS accepts the SP's signing certificate even if it has been revoked, so use this only for a self-signed certificate in a non-production environment; for production, issue the SP certificate from a CA that publishes a reachable CRL and leave the default setting in place.
To add claim rules for your relying party trust, select your relying party trust and click Edit Claim Rules….
In the Issuance Transform Rules tab, create two claim rules:
To permit access to users based on a security group:
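The relying party trust, the CRL setting, the two issuance transform rules and the group-based authorization rule described above can all be applied from the AD FS PowerShell module instead of the management console. The following added example (not part of the VMware documentation) does that end to end. The SP metadata URL is the page's login.SYSTEM-DOMAIN address; the trust name "Ops Manager", the group name "OpsManagerAdmins", and the choice to send the AD mail attribute as the SAML Name ID are assumptions for illustration, since the page does not list the exact two rules, so substitute the mapping your UAA configuration expects.

```powershell
# Added example: register the Ops Manager SP as an AD FS relying party trust and set its
# claim rules. Run in an elevated Windows PowerShell session on an AD FS server.
# Assumed placeholders (not values from the documentation):
$TrustName  = "Ops Manager"                                # display name for the trust
$SpMetadata = "https://login.SYSTEM-DOMAIN/saml/metadata"  # SP metadata URL from this page
$AdminGroup = "OpsManagerAdmins"                           # AD security group allowed to log in

Import-Module ADFS
Import-Module ActiveDirectory   # only needed for Get-ADGroup below

# Create the trust from the SP metadata. Monitoring plus auto-update lets AD FS re-read the
# metadata, so the SP can rotate its signing certificate without a manual change here.
if (-not (Get-AdfsRelyingPartyTrust -Name $TrustName)) {
    Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataUrl $SpMetadata `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# Issuance transform rules in the AD FS claim rule language.
# Rule 1: look up the mail attribute in AD for the authenticated Windows account.
# Rule 2: transform that email claim into the SAML Name ID with the emailAddress format.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send email address as a claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule: permit only members of the admin group. Matching on the
# group SID rather than its display name means a renamed or re-created group cannot be
# mistaken for the original one.
$groupSid = (Get-ADGroup -Identity $AdminGroup).SID.Value
$authorizationRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit members of $AdminGroup only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$($groupSid)`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Lab only: if the SP presents a self-signed certificate, skip CRL checks on its signing
# and encryption certificates. In production keep the default so a revoked SP certificate
# is rejected.
# Set-AdfsRelyingPartyTrust -TargetName $TrustName `
#     -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None

# Show the resulting trust so the rules and revocation setting can be reviewed.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, MetadataUrl, SigningCertificateRevocationCheck,
        IssuanceTransformRules, IssuanceAuthorizationRules | Format-List
```

Setting -IssuanceAuthorizationRules replaces the default "Permit Access to All Users" rule that the console's wizard creates, which is the intent here: without an authorization rule that names the group, every AD user who can authenticate to AD FS would be issued a token for Ops Manager.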