You can configure Active Directory Federation Services (AD FS) as your identity provider (IDP) in VMware Tanzu Operations Manager and AD FS.
You can use AD FS as your SAML IDP for Tanzu Operations Manager and VMware Tanzu Application Service for VMs (TAS for VMs).
To use AD FS as your SAML IDP for Tanzu Operations Manager, follow these procedures:
To use AD FS as your SAML IDP for TAS for VMs, follow these procedures:
To configure Tanzu Operations Manager to use AD FS as your SAML IDP:
Download your IDP metadata from https://AD-FS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml
, where AD-FS-HOSTNAME
is the hostname of your AD FS deployment.
Follow the procedure in Use an Identity Provider in the BOSH Director configuration topic for your IaaS:
You can set up SAML access for Tanzu Operations Manager during the initial Tanzu Operations Manager installation or later by navigating to Settings in the user menu in the Tanzu Operations Manager Installation Dashboard, configuring the Authentication Method pane, and then clicking Review Pending Changes and Apply Changes.
To configure TAS for VMs to use AD FS as your SAML IDP:
Download your IDP metadata from https://AD-FS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml
, where AD-FS-HOSTNAME
is the hostname of your AD FS deployment.
Follow the procedure in Configure TAS for VMs as a Service Provider for SAML in Configuring authentication and enterprise SSO for TAS for VMs.
To designate Tanzu Operations Manager as your SAML service provider (SP) in AD FS:
Download your SP metadata from https://login.SYSTEM-DOMAIN/saml/metadata
, where SYSTEM-DOMAIN
is the system domain of your Tanzu Operations Manager deployment.
Open your ADFS Management console.
To add a relying party trust:
To modify your relying party trust:
(Optional) If you are using a self-signed certificate and want to deactivate CRL checks:
Run:
set-ADFSRelyingPartyTrust -TargetName "RELYING-PARTY-TRUST" -SigningCertificateRevocationCheck None
Where RELYING-PARTY-TRUST
is the relying party trust for which you want to deactivate CRL checks.
To add claim rules for your relying party trust, select your relying party trust and click Edit Claim Rules….
In the Issuance Transform Rules tab, create two claim rules: