Configure Active Directory Federation Services for single sign-on login to the SolarWinds Platform Web Console
This topic applies to all SolarWinds Platform products.
When configuring Active Directory Federation Services (AD FS) to communicate with your SolarWinds Platform Web Console, you will be working with both AD FS and SolarWinds Platform Web Console at the same time. You need to copy information from one system into the other.
Task 1: Prepare the identity provider in the SolarWinds Platform Web Console
-
Log in to the SolarWinds Platform Web Console hosted on your main SolarWinds Platform server using an administrator account.
-
Click Settings > All Settings.
-
In the User Accounts section, click SAML Configuration.
-
In the Enter Orion URL step, check that the external URLs are correct and adjust them if necessary.
SolarWinds Platform Web Console External URL
This is the URL of your SolarWinds Platform server or its DNS alias.
Additional Web Console external URLs
If you have additional polling engines deployed, check the URL(s) for the servers hosting the additional web console. The field should contain one of the following:
-
The address of the server hosting your Additional Web Console
Example:
https://WIN-1234567890A
-
The DNS alias of the server hosting the Additional Web Console
Example:
https://orion
-
No input
Clear the suggested URL. When you try to log in to the Additional Web Console using SAML authentication, you'll be redirected to the primary SolarWinds Platform Web Console
These URLs are used to generate the URL and URI you copy into your identity provider settings.
-
-
The Prepare IdP step provides the Audience URI and SSO Service URLs to be copied and pasted into the AD FS configuration.
Keep the browser open, and continue in AD FS.
If you have deployed additional web servers, the SSO Service URLs section includes more URLs - one for the primary SolarWinds Platform Web Console and one for each additional web server.
Task 2: Configure AD FS to communicate with the SolarWinds Platform
Mapping AD FS to the SolarWinds Platform requires that:
- AD FS is configured on the server.
- A token encryption certificate is available.
- Service endpoint URL for the relying party trust is configured.
Step 1: Configure the Relying Party Trust
-
In the Windows Server Manager, click Tools, and then select AD FS Management.
-
Under Actions, click Add Relying Party Trust.
-
On the Welcome page, choose Claims aware and click Start.
-
On the Select Data Source page, click Enter data about the relying party manually, and click Next.
-
On the Specify Display Name page, type a name in Display name. Under Notes, type a description for this party trust, and click Next.
-
Ensure that the encryption certificate for the relying party trust is empty, and then click Next.
Orion Platform 2018.4 does not support this certificate. Providing the certificate might cause issues.
Screenshots property of © 2019 Microsoft.
-
On the Configure URL page, do the following:
-
Select the Enable support for the SAML 2.0 Web SSO protocol box.
-
Under Relying party SAML 2.0 SSO service URL, paste the SSO Service URL from the SolarWinds Platform Web Console into Security Assertion Markup Language (SAML) service endpoint URL, such as
https://hostname.domain/Orion/SamlLogin.aspx
, and then click Next.The SolarWinds Platform Web Console must be configured to support https.
-
-
Under Relying party trust identifier on the Configure Identifiers page, paste the Audience URI from the SolarWinds Platform Web Console.
Example Audience URI:
http://hostname
You can add one or more identifiers for this relying party. When you add all required identifiers, click Next.
-
On the Choose Access Control Policy select a policy and click Next. For more information, see Access Control Policies in Windows Server 2016 AD FS (© 2018 Microsoft, available at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-in-ad-fs, obtained on August 2, 2018).
-
Complete the wizard.
Step 2: Configure Claim Rules for the Relying Party Trust
When you have created the Relying Party Trust, configure Claim Rules:
-
Right-click the created Relying Party Trust and select Edit Claim Issuance Policy.
-
Click Add Rule.
-
From the drop-down, select Send LDAP Attributes as Claims, and click Next.
-
Fill in the Claim rule name and pick Active Directory as an Attribute store.
-
Next fill the Mapping of LDAP attributes as follows:
LDAP Attribute Outgoing Claim Type User-Principal-Name Name ID Given-Name FirstName Surname LastName E-Mail-Addresses Email Token-Groups - Qualified by Long Domain Name OrionGroups
You have configured your AD FS to match the SolarWinds Platform requirements. If you have an additional website deployed, configure the additional website. Otherwise, continue by exporting the certificate.
Step 3: Configure Additional Website
This step applies only if you have deployed additional web servers.
-
In AD FS Management, right-click Relying Party Trusts, and select Properties.
-
Select the Endpoints tab and click the Add SAML button.
-
Set the following values and click OK.
Field Value Endpoint type SAML Assertion Consumer Binding POST Index Select a value higher than existing indexes.
Trusted URL Your SAML login URL, such as
https://hostname.domain/Orion/SAMLLogin.aspx
This is the URL for your additional web server. Copy it from SSO Service URLs in the SolarWinds Platform Web Console.
-
Click Apply and then click OK.
The additional website is configured for SAML configuration in the SolarWinds Platform.
Step 4: Export the token-signing certificate from the AD FS server
You need this certificate to complete the identity provider configuration in the SolarWinds Platform Web Console.
-
Open AD FS and navigate to Service > Certificates.
-
Click the Token-signing certificate.
-
In the Actions section, click View Certificate.
-
Click the Details tab, click Copy to File, and then click Next.
-
Select Base-64 encoded X.509 (.CER), and click Next.
-
Click Browse, select a location, enter a file name, and then click Save.
-
Click Next, and then click Finish.
Task 3: Complete the identity provider configuration in the SolarWinds Platform Web Console
-
Switch back to the SolarWinds Platform Web Console. You have the Add Identity Provider wizard open on the Prepare IdP step. Click Next.
-
In the Configure step, enter your Identity Provider details:
-
Identity Provider Name: specify how the identity provider will be displayed on the login page.
Example provider name: AD FS
-
SSO Target URL: enter the URL manually, using the example format.
Example format:
https://hostname.domain/adfs/ls
-
Issuer (Entity ID): paste the Issuer URI.
- Open AD FS, navigate to Service and right-click it.
- Select Edit Federation Service Properties, copy Federation Service Identifier, and paste is into Issuer (Entity ID).
Example format:
http://hostname.local/adfs/services/trust
-
Public Certificate - Certificate in Base64 form
Where do I get the certificate for AD FS?Open the exported certificate in a text editor and copy it, starting with BEGIN CERTIFICATE and ending with the END CERTIFICATE line.
-
-
Save the configuration.
When logging to the SolarWinds Platform Web Console, users now see an additional button Log In with <Identity Provider Name>. To enable users to log in using single sign-on, create SAML users or SAML user groups for the users.
Task 4: Define users for SAML login in the SolarWinds Platform Web Console
-
Log in to the SolarWinds Platform Web Console using an account with Administrator privileges.
-
Click Settings > All Settings, and then click Manage Accounts in the User Accounts section.
-
Click Add New Account.
-
Define the SAML individual user or group.
Create SAML individual user account
- Select SAML individual account.
- Provide Name ID. Use the Active Directory user name, such as
example.user@domain
. - Specify what the user can access and do, and then complete the wizard.
Create SAML group account
- Select SAML group account.
- Provide Group ID. Use
domain\Group Name
- Specify what users in the group can access and do, and complete the wizard.
Your users can now log in. You can also test the login in Orion SAML Configuration.
Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment. You elect to use third-party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.