You can configure Active Directory Federation Services (AD FS) as your SAML identity provider (IDP) for VMware Tanzu Operations Manager and VMware Tanzu Application Service for VMs (TAS for VMs).

Both products act as SAML service providers (SPs): each one consumes the AD FS federation metadata, and AD FS needs a relying party trust built from that product's own SP metadata.

Configure SAML integration in Tanzu Operations Manager

To configure Tanzu Operations Manager to use AD FS as your SAML IDP:

  1. Download your IDP metadata from https://AD-FS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml, where AD-FS-HOSTNAME is the hostname of your AD FS deployment.

  2. Follow the procedure in Use an Identity Provider in the BOSH Director configuration topic for your IaaS, supplying the metadata you downloaded in the previous step.

You can set up SAML access for Tanzu Operations Manager during the initial Tanzu Operations Manager installation or later by navigating to Settings in the user menu in the Tanzu Operations Manager Installation Dashboard, configuring the Authentication Method pane, and then clicking Review Pending Changes and Apply Changes.

Configure SAML integration in TAS for VMs

To configure TAS for VMs to use AD FS as your SAML IDP:

  1. Download your IDP metadata from https://AD-FS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml, where AD-FS-HOSTNAME is the hostname of your AD FS deployment.

  2. Follow the procedure in Configure TAS for VMs as a Service Provider for SAML in Configuring authentication and enterprise SSO for TAS for VMs.
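Before you upload the federation metadata to Tanzu Operations Manager or TAS for VMs, it is worth confirming that you fetched the right document and that the token-signing certificate it publishes is not about to expire. The script below is an added example written for this page, not VMware or Microsoft code: it downloads the metadata from the URL given above, then prints the entityID, the single sign-on endpoints and the validity period of each signing certificate. AD-FS-HOSTNAME is the same placeholder as in the steps above; the output file name is an assumption.

```powershell
# Added example (not from the VMware page): fetch AD FS federation metadata and
# sanity-check it before giving it to Tanzu Operations Manager or TAS for VMs.
param(
    [string]$AdfsHost = "AD-FS-HOSTNAME",          # placeholder, as in the text above
    [string]$OutFile  = ".\federationmetadata.xml" # assumed local file name
)

$uri = "https://$AdfsHost/federationmetadata/2007-06/federationmetadata.xml"

# Leave TLS certificate validation on. The metadata carries the IDP signing
# certificate, so fetching it over an unvalidated channel would let an attacker
# hand the SP a signing key of their choosing.
Invoke-WebRequest -Uri $uri -OutFile $OutFile -UseBasicParsing

[xml]$md = Get-Content -Path $OutFile -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# The entityID is what the SP will record as the IDP issuer; it must match the
# Issuer value in the SAML responses AD FS sends.
Write-Host ("entityID: {0}" -f $md.DocumentElement.GetAttribute("entityID"))

# Single sign-on endpoints the SP will redirect or POST users to.
$md.SelectNodes("//md:IDPSSODescriptor/md:SingleSignOnService", $ns) | ForEach-Object {
    Write-Host ("SSO binding {0}`n    {1}" -f $_.GetAttribute("Binding"), $_.GetAttribute("Location"))
}

# Token-signing certificates published for SAML responses. When AD FS rolls this
# certificate, the SP's copy of the metadata must be refreshed or signature
# validation on the SP side starts failing, so warn well ahead of expiry.
$xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
$md.SelectNodes($xpath, $ns) | ForEach-Object {
    $raw  = [Convert]::FromBase64String($_.InnerText.Trim())
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    Write-Host ("Signing cert: {0}`n    thumbprint {1}`n    valid {2:u} to {3:u}" -f `
        $cert.Subject, $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Token-signing certificate expires within 30 days; plan a metadata refresh on the SP."
    }
}
```

The same metadata document is used for both the Tanzu Operations Manager and the TAS for VMs integrations, so one run of this check covers both.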

Configure SAML integration in AD FS

To designate Tanzu Operations Manager as your SAML service provider (SP) in AD FS:

  1. Download your SP metadata from https://login.SYSTEM-DOMAIN/saml/metadata, where SYSTEM-DOMAIN is the system domain of your Tanzu Operations Manager deployment.

  2. Open the AD FS Management console.

  3. To add a relying party trust:

    1. Select Actions, and click Add Relying Party Trust.
    2. On the Welcome step, click Start.
    3. Select Import data about the relying party from a file.
    4. Choose the downloaded SP metadata file, and click Next.
    5. Enter a Display name for the new relying party trust, and click Next.
    6. Leave the default multi-factor authentication selection, and click Next.
    7. Select Permit all users to access this relying party, and click Next.
    8. Review your settings.
    9. Click Next.
    10. Click Close to finish the wizard.
  4. To modify your relying party trust:

    1. Double-click the new relying party trust.
    2. Select the Encryption tab.
    3. Click Remove to remove the encryption certificate that was imported from the SP metadata. AD FS then sends this relying party signed but unencrypted assertions.
    4. Select the Advanced tab.
    5. For the Secure hash algorithm, select SHA256, so that AD FS signs SAML responses with SHA-256 rather than SHA-1.
  5. (Optional) If the SP signing certificate is self-signed, AD FS cannot validate it against a certificate revocation list (CRL). To deactivate revocation checking for this relying party trust only:

    1. Open Windows PowerShell as an Administrator.
    2. Run:

      Set-AdfsRelyingPartyTrust -TargetName "RELYING-PARTY-TRUST" -SigningCertificateRevocationCheck None

      Where RELYING-PARTY-TRUST is the display name of the relying party trust for which you want to deactivate CRL checks.

    This setting only affects how AD FS validates the certificate the SP uses to sign its requests; it does not change how the SP validates AD FS signatures. Leave revocation checking on for a CA-issued SP certificate.

  6. To add claim rules for your relying party trust, select your relying party trust and click Edit Claim Rules.

  7. In the Issuance Transform Rules tab, create two claim rules:

    1. Click Add Rule.
    2. For Claim rule template, select Send LDAP Attributes as Claims.
    3. Click Next.
    4. Enter a Claim rule name.
    5. For Attribute store, select Active Directory.
    6. For LDAP Attribute, select E-Mail-Addresses. If you do not have the email attribute configured for users, you can select User-Principal-Name instead.
    7. For Outgoing Claim Type, select E-Mail Address.
    8. Click Finish.

    9. Click Add Rule.
    10. For Claim rule template, select Transform an Incoming Claim.
    11. Click Next.
    12. Enter a Claim rule name.
    13. For Incoming claim type, select E-Mail Address.
    14. For Outgoing claim type, select Name ID.
    15. For Outgoing name ID format, select Email.
    16. Click Finish.
  8. To permit access only to users in a security group, add an issuance authorization rule. Also remove the Permit Access to All Users rule that the wizard created in step 3; while it remains, it permits every authenticated user and the group rule has no effect.
    1. Select the Issuance Authorization Rules tab.
    2. Click Add Rule.
    3. For Claim rule template, select Permit or Deny Users Based on an Incoming Claim.
    4. Click Next.
    5. Enter a Claim rule name.
    6. For Incoming claim type, select Group SID.
    7. Click Browse.
    8. Locate the security group in your domain that contains the users who need access to Tanzu Operations Manager.
    9. Click OK.
    10. Ensure Permit access to users with this incoming claim is selected.
    11. Click Finish.
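The whole AD FS side of this procedure, steps 3 through 8, can be performed with the AD FS PowerShell module instead of the wizard, which makes the configuration reviewable and repeatable across environments. The script below is an added example written for this page, not VMware or Microsoft code. The claim rules are written in the AD FS claim rule language and mirror what the Send LDAP Attributes as Claims, Transform an Incoming Claim and Permit or Deny Users Based on an Incoming Claim templates generate. The display name, the SP metadata file path and the domain security group name are assumptions; replace them with your own. Run it on an AD FS server as an administrator.

```powershell
# Added example (not from the VMware page): create and configure the relying
# party trust for Tanzu Operations Manager with the ADFS module.
Import-Module ADFS

$rptName    = "Tanzu Operations Manager"             # display name (assumption)
$spMetadata = "C:\temp\ops-manager-sp-metadata.xml"  # SP metadata downloaded in step 1 (assumption)
$devGroup   = "CORP\tanzu-developers"                # AD security group (assumption)

# Resolve the group to its SID so the authorization rule matches that group and
# nothing else; no ActiveDirectory module needed.
$groupSid = ([System.Security.Principal.NTAccount]$devGroup).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

$claim = @{
    WindowsAccount = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
    Email          = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    NameId         = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
    GroupSid       = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
    Permit         = "http://schemas.microsoft.com/authorization/claims/permit"
}

# Issuance transform rules (step 7).
# Rule 1: Send LDAP Attributes as Claims, mail -> E-Mail Address.
#         Use ";userPrincipalName;{0}" instead if users have no mail attribute.
# Rule 2: Transform an Incoming Claim, E-Mail Address -> Name ID, format Email.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Email address from AD"
c:[Type == "$($claim.WindowsAccount)", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$($claim.Email)"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email address to Name ID"
c:[Type == "$($claim.Email)"]
 => issue(Type = "$($claim.NameId)", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# Issuance authorization rule (step 8). This replaces the wizard's
# "Permit all users" rule entirely: only members of the group get a permit claim.
$authzRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit $devGroup"
c:[Type == "$($claim.GroupSid)", Value =~ "^(?i)$($groupSid)$"]
 => issue(Type = "$($claim.Permit)", Value = "PermitUsersWithClaim");
"@

# Step 3: import the SP metadata (identifier, endpoints and certificates come from the file).
Add-AdfsRelyingPartyTrust -Name $rptName -MetadataFile $spMetadata

# Step 4: sign with SHA-256 and send unencrypted assertions, the same effect as
# removing the imported encryption certificate in the Encryption tab.
# Step 5 (only for a self-signed SP certificate) would add:
#   -SigningCertificateRevocationCheck None
Set-AdfsRelyingPartyTrust -TargetName $rptName `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -EncryptClaims $false `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify the settings the page has you change by hand.
Get-AdfsRelyingPartyTrust -Name $rptName |
    Select-Object Name, Identifier, SignatureAlgorithm, EncryptClaims,
                  SigningCertificateRevocationCheck, IssuanceAuthorizationRules
```

Because the authorization rule set here contains only the group rule, there is no leftover Permit Access to All Users rule to remove. To integrate TAS for VMs as well, run the script again with that product's display name and SP metadata file.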