
Configure Active Directory Federation Services for single sign-on login to the Orion Web Console

This topic applies to all Orion Platform products.

When configuring Active Directory Federation Services (AD FS) to communicate with your Orion Web Console, you will be working with both AD FS and Orion Web Console at the same time. You need to copy information from one system into the other.

  1. Orion Web Console: Prepare the identity provider URL and URI
  2. AD FS: Configure AD FS to communicate with the Orion Web Console
  3. Orion Web Console: Complete the identity provider configuration
  4. Orion Web Console: Define SAML users or SAML user groups

Task 1: Prepare the identity provider in the Orion Web Console

  1. Log in to the Orion Web Console hosted on your main Orion Platform server using an administrator account.

  2. Click Settings > All Settings.

  3. In the User Accounts section, click SAML Configuration.

  4. Click Add Identity Provider.

  5. In the Enter Orion URL step, check that the external URLs are correct and adjust them if necessary.

    Orion Web Console External URL

    This is the URL of your Orion server or its DNS alias.

    Additional Web Console external URLs

    If you have additional polling engines deployed, check the URL(s) for the servers hosting the additional web console. The field should contain one of the following:

    • The address of the server hosting your Additional Web Console

      Example: https://WIN-1234567890A

    • The DNS alias of the server hosting the Additional Web Console

      Example: https://orion

    • No input

      Clear the suggested URL. When you try to log in to the Additional Web Console using SAML authentication, you are redirected to the primary Orion Web Console.

    These URLs are used to generate the URL and URI you copy into your identity provider settings.

  6. The Prepare IdP step provides the Audience URI and SSO Service URLs to be copied and pasted into the AD FS configuration.

    Keep the browser open, and continue in AD FS.

    If you have deployed additional web servers, the SSO Service URLs section includes more URLs - one for the primary Orion Web Console and one for each additional web server.

Task 2: Configure AD FS to communicate with the Orion Platform

Mapping AD FS to the Orion Platform requires that:

  • AD FS is configured on the server.
  • A token encryption certificate is available.
  • Service endpoint URL for the relying party trust is configured.

Step 1: Configure the Relying Party Trust

  1. In the Windows Server Manager, click Tools, and then select AD FS Management.

  2. Under Actions, click Add Relying Party Trust.

  3. On the Welcome page, choose Claims aware and click Start.

  4. On the Select Data Source page, click Enter data about the relying party manually, and click Next.

  5. On the Specify Display Name page, type a name in Display name. Under Notes, type a description for this party trust, and click Next.

  6. Ensure that the encryption certificate for the relying party trust is empty, and then click Next.

    Orion Platform 2018.4 does not support this certificate. Providing the certificate might cause issues.


  7. On the Configure URL page, do the following:

    1. Select the Enable support for the SAML 2.0 Web SSO protocol box.

    2. Under Relying party SAML 2.0 SSO service URL, paste the SSO Service URL from the Orion Web Console into Security Assertion Markup Language (SAML) service endpoint URL, such as https://hostname.domain/Orion/SamlLogin.aspx, and then click Next.

      The Orion Web Console must be configured to support https.

  8. Under Relying party trust identifier on the Configure Identifiers page, paste the Audience URI from the Orion Web Console.

    Example Audience URI: http://hostname

    You can add one or more identifiers for this relying party. When you add all required identifiers, click Next.

  9. On the Choose Access Control Policy page, select a policy and click Next. For more information, see Access Control Policies in Windows Server 2016 AD FS (© 2018 Microsoft, available at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-in-ad-fs, obtained on August 2, 2018).

  10. Complete the wizard.

Step 2: Configure Claim Rules for the Relying Party Trust

When you have created the Relying Party Trust, configure Claim Rules:

  1. Right-click the created Relying Party Trust and select Edit Claim Issuance Policy.

  2. Click Add Rule.

  3. From the drop-down, select Send LDAP Attributes as Claims, and click Next.

  4. Fill in the Claim rule name and pick Active Directory as an Attribute store.

  5. Next, fill in the mapping of LDAP attributes to outgoing claim types as follows:

    LDAP Attribute                                 Outgoing Claim Type
    User-Principal-Name                            Name ID
    Given-Name                                     FirstName
    Surname                                        LastName
    E-Mail-Addresses                               Email
    Token-Groups - Qualified by Long Domain Name   OrionGroups

  6. You have configured your AD FS to match the Orion Platform requirements. If you have an additional website deployed, configure the additional website. Otherwise, continue by exporting the certificate.

Step 3: Configure Additional Website

This step applies only if you have deployed additional web servers.

  1. In AD FS Management, right-click Relying Party Trusts, and select Properties.

  2. Select the Endpoints tab and click the Add SAML button.

  3. Set the following values and click OK.

    Field           Value
    Endpoint type   SAML Assertion Consumer
    Binding         POST
    Index           A value higher than the existing indexes.
    Trusted URL     Your SAML login URL, such as https://hostname.domain/Orion/SAMLLogin.aspx
                    This is the URL for your additional web server. Copy it from SSO Service URLs in the Orion Web Console.

  4. Click Apply and then click OK.

    The additional website is configured for SAML configuration in the Orion Platform.

Step 4: Export the token-signing certificate from the AD FS server

You need this certificate to complete the identity provider configuration in the Orion Web Console.

  1. Open AD FS and navigate to Service > Certificates.

  2. Click the Token-signing certificate.

  3. In the Actions section, click View Certificate.

  4. Click the Details tab, click Copy to File, and then click Next.

  5. Select Base-64 encoded X.509 (.CER), and click Next.

  6. Click Browse, select a location, enter a file name, and then click Save.

  7. Click Next, and then click Finish.
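The four steps of Task 2 can also be done from the AD FS PowerShell module on the AD FS server. The script below is an added example and is not SolarWinds or Microsoft code; it assumes Windows Server 2016 or later AD FS (for -AccessControlPolicyName), and the host names, display name, access control policy name and output path are placeholders to replace with the values from your own Prepare IdP step. The custom outgoing claim types (FirstName, LastName, Email, OrionGroups) are taken from the table in Step 2 and are assumed to be exactly what Orion expects.

```powershell
# Added example (not SolarWinds' or Microsoft's code): Task 2 scripted on the
# AD FS server. Host names, names and paths below are assumed placeholders.
#Requires -RunAsAdministrator
Import-Module ADFS

# Values copied from the Orion "Prepare IdP" step (placeholders).
$OrionAudienceUri    = 'http://orion'                                              # Audience URI
$OrionPrimarySsoUrl  = 'https://orion.example.local/Orion/SamlLogin.aspx'          # primary SSO Service URL
$OrionAdditionalUrls = @('https://orion-web2.example.local/Orion/SamlLogin.aspx')  # one per additional web server, or @()
$TrustName           = 'Orion Web Console'
$CertOutPath         = Join-Path $PWD 'adfs-token-signing.cer'

# Step 1 and Step 3: one SAML Assertion Consumer endpoint per Orion web server.
# Index 0 is the primary console; each additional server gets a higher, unique index.
$endpoints = @(New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
                   -Uri $OrionPrimarySsoUrl -Index 0 -IsDefault $true)
$i = 1
foreach ($url in $OrionAdditionalUrls) {
    $endpoints += New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
                      -Uri $url -Index $i -IsDefault $false
    $i++
}

# Step 2: the "Send LDAP Attributes as Claims" rule from the page's table, written in
# claim rule language. tokenGroups(longDomainQualifiedName) is the LDAP form of
# "Token-Groups - Qualified by Long Domain Name"; the custom outgoing type names are
# assumed to match what Orion expects.
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Orion Platform claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "FirstName", "LastName", "Email", "OrionGroups"),
          query = ";userPrincipalName,givenName,sn,mail,tokenGroups(longDomainQualifiedName);{0}",
          param = c.Value);
'@

# Create the relying party trust. No encryption certificate is supplied and
# EncryptClaims is off, matching the page's note that Orion does not support it.
# 'Permit everyone' is the built-in policy; pick a group-scoped policy if you have one.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -Identifier $OrionAudienceUri `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $claimRules `
    -AccessControlPolicyName 'Permit everyone' `
    -EncryptClaims $false `
    -Notes 'SAML single sign-on for the Orion Web Console'

# Step 4: export the primary token-signing certificate as Base64 (PEM), which is the
# form the Orion "Public Certificate" field takes (BEGIN/END CERTIFICATE lines).
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$body    = [Convert]::ToBase64String($signing.Certificate.RawData,
                                     [Base64FormattingOptions]::InsertLineBreaks)
@('-----BEGIN CERTIFICATE-----', $body, '-----END CERTIFICATE-----') |
    Set-Content -Path $CertOutPath -Encoding ascii

# Everything Task 3 asks for on the Orion side, in one place.
$props = Get-AdfsProperties
[pscustomobject]@{
    'Issuer (Entity ID)'      = $props.Identifier                  # e.g. http://hostname.local/adfs/services/trust
    'SSO Target URL'          = "https://$($props.HostName)/adfs/ls"
    'Public Certificate file' = $CertOutPath
    'Signing thumbprint'      = $signing.Thumbprint                # compare with the certificate pasted into Orion
}
```

The thumbprint is worth recording: Orion validates the SAML response signature against the certificate you paste in Task 3, and AD FS by default rolls its self-signed token-signing certificate automatically (see AutoCertificateRollover in Get-AdfsProperties). After a rollover the pasted certificate no longer matches the one signing assertions and SSO logins fail until you re-export it and update the identity provider in Orion.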

Task 3: Complete the identity provider configuration in the Orion Web Console

  1. Switch back to the Orion Web Console. You have the Add Identity Provider wizard open on the Prepare IdP step. Click Next.

  2. In the Configure step, enter your Identity Provider details:

    • Identity Provider Name: specify how the identity provider will be displayed on the login page.

      Example provider name: AD FS

    • SSO Target URL: enter the URL manually, using the example format.

      Example format: https://hostname.domain/adfs/ls

    • Issuer (Entity ID): paste the Issuer URI.

      1. Open AD FS, navigate to Service and right-click it.
      2. Select Edit Federation Service Properties, copy Federation Service Identifier, and paste it into Issuer (Entity ID).

      Example format: http://hostname.local/adfs/services/trust

    • Public Certificate: paste the certificate in Base64 form.

      Open the exported certificate in a text editor and copy its contents, starting with the BEGIN CERTIFICATE line and ending with the END CERTIFICATE line.

  3. Save the configuration.

    When logging in to the Orion Web Console, users now see an additional button, Log In with <Identity Provider Name>. To enable users to log in using single sign-on, create SAML users or SAML user groups for them.

Task 4: Define users for SAML login in the Orion Web Console

  1. Log in to the Orion Web Console using an account with Administrator privileges.

  2. Click Settings > All Settings, and then click Manage Accounts in the User Accounts section.

  3. Click Add New Account.

  4. Define the SAML individual user or group.

    Create SAML individual user account

    1. Select SAML individual account.
    2. Provide Name ID. Use the Active Directory user name, such as example.user@domain.
    3. Specify what the user can access and do, and then complete the wizard.

    Create SAML group account

    1. Select SAML group account.
    2. Provide Group ID. Use domain\Group Name
    3. Specify what users in the group can access and do, and complete the wizard.

    Your users can now log in. You can also test the login in Orion SAML Configuration.

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment. You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.