Authenticate Orion Platform users with SAML v2

This topic applies to all Orion Platform products.

Starting with Orion Platform 2018.4, you can log in to the Orion Web Console using the Security Assertion Markup Language (SAML) v2 single sign-on protocol. SAML v2 is the protocol used for exchanging authentication and authorization data between the security domain (Identity Provider) and the service provider.

Orion Platform 2018.4 introduces the support for the following identity providers:

  • Active Directory Federation Services (AD FS)
  • Okta

How to configure SAML v2 authentication in the Orion Platform

  1. Configure the single sign-on login provider (AD FS or Okta) to be able to communicate with the Orion Platform.
  2. Configure the Identity Provider in the Orion Web Console.
  3. Create SAML single users or SAML group user accounts for users who log in to the Orion Web Console using SAML v2 authentication.

Configure Active Directory Federation Services for single sign-on login to the Orion Web Console

Mapping AD FS to the Orion Platform requires that:

  • AD FS is configured on the server.
  • A token encryption certificate is available.
  • Service endpoint URL for the relying party trust is configured.

Step 1: Configure the Relying Party Trust

  1. In the Windows Server Manager, click Tools, and then select AD FS Management.
  2. Under Actions, click Add Relying Party Trust.
  3. On the Welcome page, choose Claims aware and click Start.
  4. On the Select Data Source page, click Enter data about the relying party manually, and click Next.
  5. On the Specify Display Name page, type a name in Display name. Under Notes, type a description for this party trust, and click Next.
  6. Ensure that the encryption certificate for the relying party trust is empty, and then click Next.

    Orion Platform 2018.4 does not support this certificate. Providing the certificate might cause issues.


  7. On the Configure URL page, do the following:

    1. Select the Enable support for the SAML 2.0 WebSSO protocol box.

    2. Under Relying party SAML 2.0 SSO service URL, type the Security Assertion Markup Language (SAML) service endpoint URL for this relying party trust, such as https://hostname.domain/Orion/SamlLogin.aspx, and then click Next.

      The Orion Web Console must be configured to support HTTPS.

  8. On the Configure Identifiers page, specify one or more identifiers for this relying party, such as http://hostname, click Add to add them to the list, and then click Next.
  9. On the Choose Access Control Policy page, select a policy and click Next. For more information, see Access Control Policies in Windows Server 2016 AD FS (© 2018 Microsoft, available at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-in-ad-fs, obtained on August 2, 2018).
  10. Complete the wizard.

Step 2: Configure Claim Rules for the Relying Party Trust

When you have created the Relying Party Trust, configure Claim Rules:

  1. Right-click the created Relying Party Trust and select Edit Claim Issuance Policy.
  2. Click Add Rule.
  3. From the drop-down, select Send LDAP Attributes as Claims, and click Next.
  4. Fill in the Claim rule name and pick Active Directory as an Attribute store.
  5. Fill in the Mapping of LDAP attributes as follows:

    LDAP Attribute                               | Outgoing Claim Type
    User-Principal-Name                          | Name ID
    Given-Name                                   | FirstName
    Surname                                      | LastName
    E-Mail-Addresses                             | Email
    Token-Groups - Qualified by Long Domain Name | OrionGroups
  6. You have configured your AD FS to match the Orion Platform requirements. Specify the Identity Provider in the Orion Web Console.

Step 3: Configure Additional Website

This step applies only if you have deployed additional web servers.

  1. In AD FS Management, right-click Relying Party Trusts, and select Properties.
  2. Select the Endpoints tab and click the Add SAML button.
  3. Set the following values and click OK.

    Field         | Value
    Endpoint type | SAML Assertion Consumer
    Binding       | POST
    Index         | A value higher than the existing indexes
    Trusted URL   | Your SAML login URL, such as https://hostname.domain/Orion/SAMLLogin.aspx
  4. Click Apply and then click OK.

    The additional website is configured for SAML configuration in the Orion Platform.

Step 4: Export the token-signing certificate from the AD FS server

  1. Open AD FS and navigate to Service > Certificates.
  2. Click the Token-signing certificate.
  3. In the Actions section, click View Certificate.
  4. Click the Details tab, click Copy to File, and then click Next.
  5. Select Base-64 encoded X.509 (.CER), and click Next.
  6. Click Browse, select a location, enter a file name, and then click Save.
  7. Click Next, and then click Finish.
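The same result as Steps 1 to 4 above, expressed as PowerShell run on the AD FS server. This is an added example, not SolarWinds documentation or code; the hostnames and the access control policy name are placeholders, and the claim rule reproduces the LDAP-attribute mapping table from Step 2 in the AD FS claim rule language.

```powershell
# Added example (not SolarWinds code): AD FS Steps 1-4 as PowerShell. Hostnames are placeholders.
Import-Module ADFS

$orionAcs   = 'https://orion.example.local/Orion/SAMLLogin.aspx'   # placeholder: main web server
$orionAcs2  = 'https://orion2.example.local/Orion/SAMLLogin.aspx'  # placeholder: additional web server
$identifier = 'http://orion.example.local'                         # placeholder: relying party identifier

# Step 2: claim rule equivalent of the "Send LDAP Attributes as Claims" mapping table.
# Name ID is the standard nameidentifier claim type; the other outgoing claim types are
# the short names (FirstName, LastName, Email, OrionGroups) the Orion Platform expects.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Orion Platform attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "FirstName", "LastName", "Email", "OrionGroups"),
          query = ";userPrincipalName,givenName,sn,mail,tokenGroups(longDomainQualifiedName);{0}",
          param = c.Value);
'@

# Steps 1 and 3: SAML assertion consumer endpoints, POST binding. Index 0 is the main
# website; the additional website gets a higher index.
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $orionAcs  -Index 0
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $orionAcs2 -Index 1
)

# Step 1: claims-aware relying party trust. No encryption certificate is set, because
# Orion Platform 2018.4 does not support one. 'Permit everyone' is a built-in policy;
# replace it with the access control policy your organization requires.
Add-AdfsRelyingPartyTrust -Name 'Orion Web Console' `
    -Identifier $identifier `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName 'Permit everyone'

# Step 4: export the primary token-signing certificate in Base-64 (PEM) form. This is
# the value pasted into "Public Certificate" when configuring the Identity Provider in
# the Orion Web Console. Only the public certificate is exported, never the private key.
$signing = (Get-AdfsCertificate -CertificateType Token-Signing |
            Where-Object IsPrimary).Certificate
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($signing.Export('Cert'), 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path "$env:USERPROFILE\adfs-token-signing.cer" -Value $pem
```

Run it in an elevated PowerShell session on the AD FS server; the resulting trust, claim rules and endpoints appear in AD FS Management exactly as if created through the wizard.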

Configure Okta for single sign-on login to the Orion Web Console

If prompted to switch to the Classic UI, switch to the Classic UI.

  1. Log in to your Okta organization with administrative privileges.

  2. Click on the blue Admin button.

  3. Click Add Applications > Create New App.

  4. Select the SAML 2.0 option and click Create.

  5. In General Settings, type the SAML Application Name in the App name field, and click Next.

  6. In the Configure SAML Setting section, make the following changes:

    1. In the General section, paste the SAMLLogin URL of your Orion Web Console into the Single sign on URL field.

      Example: https://hostname.domain/Orion/SAMLLogin.aspx

    2. Enter the address of your Orion Web Console into Audience URI (SP Entity ID).

      Example: http://hostname

    3. In the Attribute Statements section, add the following attribute statements:

      Name      | Name format | Value
      Email     | Unspecified | user.email
      FirstName | Unspecified | user.firstName
      LastName  | Unspecified | user.lastName

    4. Add the following to the Group Attribute Statements:

      Name        | Name format | Filter | Value
      OrionGroups | Unspecified | Regex  | .*

  7. If you have deployed an additional web server, configure the additional website:

    1. Select the Allow this app to request other SSO URLs box.
    2. In the Requestable SSO URLs, click Add Another, and enter the additional web server URL in the URL field. For example: https://hostname.domain/Orion/SAMLLogin.aspx
    3. In the Index box, provide an appropriate index value.
  8. Click Next, and then click Finish.
  9. Specify users to access the Orion Web Console through SAML login:
    1. In Okta, click Assignments > Assign, and select Assign to People.
    2. Select users and click Assign.
    3. When you have selected all users, click Done.

Now configure the identity provider in the Orion Web Console.

    Click the View Setup Instruction button in the Sign on methods section and leave the tab open. You will need this information to configure the Identity Provider in the Orion Web Console.

Configure your Identity Provider in the Orion Web Console

  1. Log in to the Orion Web Console using an administrator account.
  2. Click Settings > All Settings.
  3. In the User Accounts section, click SAML Configuration.
  4. Click Add Identity Provider.
  5. In the Enter Orion URL step, make sure that the hostname of the Orion Web Console server is correct, and click Next.

    To verify the hostname of the server hosting your main website and/or additional website:

    1. Log in to the Orion Web Console hosted on your main Orion Platform server using an administrator account.
    2. Click Settings > All Settings, and then click Web Console Settings.
    3. Make sure that the Orion Web Server Address field is empty or that the hostname is the same as you can see on the Prepare Identity Provider page.
    4. If you have deployed additional web servers, review the additional web server hostname. Repeat steps 2 and 3 for the Orion Web Console hosted on the additional web server.
  6. In the Prepare IdP step, copy the Single Sign-on URL to the clipboard. You need this URL when configuring Okta or AD FS.
  7. In the Configure step, fill in the information according to the Identity Provider:
    • Identity Provider Name: specify how the identity provider will be displayed on the login page.

    • SSO Target URL (Endpoint)

      Okta format: https://dev-140035.oktapreview.com/app/solarwindsdev140035_appName_1/xyz/sso/saml

      AD FS format: https://hostname.domain/adfs/ls

    • Issuer (Entity ID)

      Okta format: http://www.okta.com/exkfpjshx3ZUPjCfB0h7

      AD FS format: http://hostname.local/adfs/services/trust

    • Public Certificate - Certificate in Base64 form

      For AD FS, this is the token-signing certificate exported in Base-64 form in Step 4 of the AD FS configuration.

  8. Click Next and save the configuration.

When logging in to the Orion Web Console, users now see an additional button, Log In with Okta or Log In with AD FS, based on the Identity Provider you have defined. To enable users to log in using single sign-on, create SAML users or SAML user groups for the users.

Create a SAML user in the Orion Platform

  1. Log in to the Orion Web Console using an account with Administrator privileges.

  2. Click Settings > All Settings > Manage Accounts.

  3. Click Add New Account, and select SAML individual account or SAML group account.

  4. For Name ID, provide the same user name you specified in the Identity Provider (AD FS or Okta). The Name ID and Identity Provider Name must match.

  5. Specify what the user can access and do, select the default menu bars, and complete the wizard.

Users now can log in to the Orion Web Console by clicking the Login with Okta/AD FS button on the login page and providing their Okta or AD FS credentials.

Create SAML user groups in the Orion Platform

  1. Log in to the Orion Web Console using an account with Administrator privileges.

  2. Click Settings > All Settings > Manage Accounts.

  3. Click the SAML Groups tab and click Add New Group Account.

  4. Provide the name for the group. Use the following format for the name: hostname.domain\Group Name.

    The SAML Group and the Identity Provider Group Name must match.

  5. Specify what the group members can access and do, select the default menu bars, and complete the wizard.

Members of the SAML group can now log in to the Orion Web Console by clicking the Login with Okta/AD FS button on the login page and providing their Okta or AD FS credentials.

Troubleshoot SAML Login

If users cannot log in using SAML login, review the SAML log to find out more details. By default, the log is located at

C:\ProgramData\SolarWinds\Logs\Orion\SAML.log.

Test your SAML configuration

  1. Click Settings > All Settings > SAML Configuration, and then click Test Configuration.
  2. To test the SAML configuration on the computer on which you have the Orion Web Console open, click Test Configuration.
  3. To test whether SAML login works correctly for other users on other computers, click Copy and send the link to the user who is attempting to log in using the SAML protocol from another computer. If the output is unsuccessful, instruct the user to copy it and send it to the administrator.
  4. The Test SAML configuration page opens with the results of the test. You can see the test sent to your Identity Provider and its response. Use the response to troubleshoot the issue or send it to your administrator.

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment. You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.