This topic describes configuring Active Directory Federation Services (AD FS) as your identity provider (IDP) in VMware Tanzu Operations Manager (Ops Manager) and AD FS.

Configure SAML Integration in Ops Manager

You can use AD FS as your SAML IDP for Ops Manager and VMware Tanzu Application Service for VMs (TAS for VMs).

• To use AD FS as your SAML IDP for Ops Manager, follow these procedures:

  • Configure SAML Integration in Ops Manager
  • Configure SAML Integration in AD FS

• To use AD FS as your SAML IDP for TAS for VMs, follow these procedures:

  • Configure SAML Integration in TAS for VMs
  • Configure SAML Integration in AD FS

Configure SAML Integration in Ops Manager

To configure Ops Manager to use AD FS as your SAML IDP:

1. Download your IDP metadata from https://AD-FS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml, where AD-FS-HOSTNAME is the hostname of your AD FS deployment.

2. Follow the procedure in Use an Identity Provider in the BOSH Director configuration topic for your IaaS:

   • Configuring BOSH Director on AWS
   • Configuring BOSH Director on Azure
   • Configuring BOSH Director on GCP
   • Configuring BOSH Director on OpenStack
   • Configuring BOSH Director on vSphere

Note: You can set up SAML access for Ops Manager during the initial Ops Manager installation or later by navigating to Settings in the user menu in the Ops Manager Installation Dashboard, configuring the Authentication Method pane, and then clicking Review Pending Changes and Apply Changes.

Configure SAML Integration in TAS for VMs

To configure TAS for VMs to use AD FS as your SAML IDP:

1. Download your IDP metadata from https://AD-FS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml, where AD-FS-HOSTNAME is the hostname of your AD FS deployment.

2. Follow the procedure in Configure Ops Manager as a Service Provider for SAML in Configuring Authentication and Enterprise SSO for TAS for VMs.

Configure SAML Integration in AD FS

To designate Ops Manager as your SAML service provider (SP) in AD FS:

1. Download your SP metadata from https://login.SYSTEM-DOMAIN/saml/metadata, where SYSTEM-DOMAIN is the system domain of your Ops Manager deployment.

2. Open your ADFS Management console.

3. To add a relying party trust:

   1. Select Actions.
   2. Click Add Relying Party Trust….
   3. On the Welcome step, click Start.
   4. Select Import data about the relying party from a file.
   5. Choose the downloaded SP metadata file.
   6. Click Next.
   7. Enter a Display name for the new relying party trust.
   8. Click Next.
   9. Leave the default multi-factor authentication selection.
   10. Click Next.
   11. Select Permit all users to access this relying party.
   12. Click Next.
   13. Review your settings.
   14. Click Next.
   15. Click Close to finish the wizard.

4. To modify your relying party trust:

   1. Double-click the new relying party trust.
   2. Select the Encryption tab.
   3. Click Remove to remove the encryption certificate you imported.
   4. Select the Advanced tab.
   5. For the Secure hash algorithm, select SHA256.

5. (Optional) If you are using a self-signed certificate and want to deactivate CRL checks:

   1. Open Windows Powershell as an Administrator.

   2. Run:

      set-ADFSRelyingPartyTrust -TargetName "RELYING-PARTY-TRUST" -SigningCertificateRevocationCheck None
      

      Where RELYING-PARTY-TRUST is the relying party trust for which you want to deactivate CRL checks.

6. To add claim rules for your relying party trust, select your relying party trust and click Edit Claim Rules….

7. In the Issuance Transform Rules tab, create two claim rules:

   1. Click Add Rule.
   2. For Claim rule template, select Send LDAP Attributes as Claims.
   3. Click Next.
   4. Enter a Claim rule name.
   5. For Attribute store, select Active Directory.
   6. For LDAP Attribute, select E-Mail-Addresses. If you do not have the email attribute configured for users, you can select User-Principle-Name.
   7. For Outgoing Claim Type, select E-Mail Address.
   8. Click Finish.
      
      
   9. Click Add Rule.
   10. For Claim rule template, select Transform an Incoming Claim.
   11. Click Next.
   12. Enter a Claim rule name.
   13. For Incoming claim type, select E-Mail Address.
   14. For Outgoing claim type, select Name ID.
   15. For Outgoing name ID format, select Email.
   16. Click Finish.

8. To permit access to users based on a security group:

   1. Select the Issuance Authorization Rules tab.
   2. Click Add Rule.
   3. For Claim rule template, select Permit or Deny Users Based on an Incoming Claim.
   4. Click Next.
   5. Enter a Claim rule name.
   6. For Incoming claim type, select Group SID.
   7. Click Browse.
   8. Locate the security group in your domain of which Ops Manager developers are a part.
   9. Click OK.
   10. Ensure Permit access to users with this incoming claim is selected.
   11. Click Finish.