Active Directory Single Sign-on

This section describes how to configure Microsoft Active Directory Federation Services (AD FS) 3.0 as the SAML 2.0 Single Sign-on (SSO) identity provider for the PCE.

Overview of AD FS SSO Configuration

To enable AD FS for the PCE, the PCE needs three fields returned as claims from AD FS:

  • NameID
  • Surname
  • Given Name

There are two ways for AD FS to produce the NameID claim for an SSO user. The first uses the email field in an Active Directory user account for the NameID.

The second way to return a NameID of an Active Directory user is to use the User Principal Name (UPN). Each user created in Active Directory has an extension to their username of the form ADUserName@yourADDomainName. For example, a user named “test” in an Active Directory domain called “testing.com” would have a UPN of test@testing.com.

Configure AD Users to Use Different UPN Suffixes

To configure a different UPN suffix as the source for NameID:

  1. Add a UPN suffix. On your system under Server Manager Tools, click Active Directory Domains and Trusts.

  2. From the left side of the window, right-click Active Directory Domains and Trusts, and select Properties. In this dialog, you can create new suffixes for Active Directory usernames.

  3. Create a suffix that matches the external namespace you'll be using and click Add.

    You can now assign an Active Directory user your custom UPN for the SAML response.

  4. You can add multiple UPNs if needed. In the user's account properties, you can then select the UPN suffix created in the previous steps.

    Your UPN configuration is set up and you can begin configuring AD FS for SSO with the PCE.
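The scripted equivalent of the UPN suffix steps above, added here as an example that is not part of the Illumio documentation. It uses the ActiveDirectory PowerShell module and assumes a user named “test” and the external suffix “testing.com”; change both to match your environment.

```powershell
# Added example (not from the Illumio documentation). Assumptions: the user is
# "test" and the external suffix to register is "testing.com".
Import-Module ActiveDirectory

$suffix = "testing.com"
$user   = "test"

# Steps 1-3: register the suffix on the forest, which is what the
# Active Directory Domains and Trusts > Properties dialog does.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $suffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $suffix}
}

# Step 4: assign the suffix to the user. This value is what AD FS reads from
# User-Principal-Name and, after the claim rules, sends to the PCE as NameID.
Set-ADUser -Identity $user -UserPrincipalName "$user@$suffix"

# Verification: the GUI only offers registered suffixes, but Set-ADUser does
# not enforce that, so confirm the suffix actually belongs to the forest.
$upn        = (Get-ADUser -Identity $user -Properties UserPrincipalName).UserPrincipalName
$registered = @((Get-ADForest).UPNSuffixes) + (Get-ADForest).RootDomain
if (($upn -split '@')[1] -notin $registered) {
    throw "UPN suffix of $upn is not registered in the forest"
}
"UPN that will be used as NameID: $upn"
```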

Initial AD FS SSO Configuration

This task explains how to perform the initial configuration of AD FS to be your SSO IdP for Illumio Core.

To configure AD FS: 

  1. Open Microsoft Server Manager and click the notification icon.

  2. Click the “Configure the federation service on this server” link.

  3. Select the “Create the first federation server in a federation server farm” option and click Next.

  4. Specify a domain admin account for AD FS configuration.

  5. Select or import a certificate. This certificate can be a self-signed certificate.

  6. Specify your Federated Service Name, enter a display name for this instance of AD FS, and click Next.

  7. Specify your service account and click Next.

  8. Select “Create a database on this server using Windows Internal Database” or choose the SQL server option, and click Next.

  9. Review your selected options and click Next.

  10. Click Configure to finish the basic configuration of AD FS.

  11. In the results screen, click Close.

    AD FS is now installed with the basic configuration on this host.

Create a Relying Party Trust

To start configuring AD FS for SSO with the PCE, you need to create a Relying Party Trust for your Illumio PCE.

  1. From Server Manager/Tools, open the AD FS Manager.
  2. From the left panel, choose Relying Party Trusts > Add Relying Party Trust.

    The Add Relying Party Trust Wizard appears.

  3. Click Start.
  4. Select the “Enter data about the relying party manually” option and click Next.

  5. Name your Relying Party Trust and click Next.

  6. Select “ADFS profile” and click Next.

  7. When you have a separate certificate for token encryption, browse to it, select it, and click Next.

    NOTE:

    To use the standard AD FS certificate (created during AD FS installation) for token signing, don’t select anything in this step and click Next.

  8. Select “Enable support for the SAML 2.0 WebSSO protocol.” In the Relying party SAML 2.0 SSO service URL field, add your “Assertion Consumer URL” (obtained from the PCE web console).

    To locate the “Assertion Consumer URL,” go to Settings > Authentication > Information for Identity Provider in the PCE web console.

  9. On the Configure Identifiers page, use the same URL for the Relying party trust identifier, without the /acs/<randomNumbers>. For example: https://pce-mnc.illumioeval.com:8443/login. Click Next.

  10. Select the “I do not want to configure multi-factor authentication...” option and click Next.

  11. Select “Permit all users to access this relying party” and click Next.

  12. On the Ready to Add Trust page, click Next.
  13. Leave the Open the Edit Claim Rules checkbox selected and click Close.

Create Claim Rules

You need to create claim rules to enable proper communication between AD FS and the PCE.

  1. In the Edit Claim Rules dialog, click Add Rule.

  2. Under Select Rule Template, select “Send LDAP Attributes as Claims” and click Next.

  3. Name the Claim rule “Illumio Attributes” and select Active Directory as the Attribute store. For the first attribute, select “User-Principal-Name” as the LDAP attribute and “E-Mail Address” as the outgoing claim type. Select “Surname” and type the custom field name “User.LastName” in the outgoing field. Repeat with “Given-Name” and “User.FirstName”, then click Finish.

  4. In the Edit Claim Rules dialog with your new rule added, click Add Rule to add the final rule.

  5. Under the Claim Rule Template, select “Transform an Incoming Claim” and click Next.

  6. Name the rule “Email to NameID Transform” and change the incoming claim type to “E-Mail Address.” Set the Outgoing claim type to “Name ID” and the Outgoing name ID format to “Email” and click Finish.

    The Edit Claim Rules window opens.

  7. Select the Issuance Authorization Rules tab.
  8. To allow all your Active Directory users to access the PCE, leave the “Permit Access to All Users” rule as is. Otherwise, restrict access to a single group or groups of users.

  9. Select “Permit or Deny Users Based on an Incoming Claim” and click Next.

  10. Name the rule “AD FS Users” and change the Incoming claim type to “Group SID” (you might have to scroll to find it). In Incoming claim value, browse to the group of users you want to give access. Make sure “Permit access” is selected and click Finish.

  11. If you are using RBAC with groups, you need to create a Group Claim Rule.

    To add groups to the AD FS claim rule configuration, click Edit Rule. Add a row for the LDAP Attribute “memberOf” and set its Outgoing Claim Type to “User.MemberOf.” Click OK.
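The rules produced by the wizard steps above, written in AD FS claim rule language and applied with the AD FS PowerShell module; this is an added example, not code from the Illumio documentation. It assumes the relying party trust is named “Illumio PCE” and that the permitted users are members of an AD group named “PCE-Users”; both names are placeholders.

```powershell
# Added example (not from the Illumio documentation). Assumed names: relying
# party trust "Illumio PCE", permitted AD group "PCE-Users".
Import-Module ADFS, ActiveDirectory

$rpName   = "Illumio PCE"
$groupSid = (Get-ADGroup "PCE-Users").SID.Value

# Rule 1 ("Send LDAP Attributes as Claims") and rule 2 ("Transform an Incoming
# Claim"). userPrincipalName is the LDAP name of User-Principal-Name; memberOf
# is the optional RBAC group claim from step 11.
$issuance = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Illumio Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "User.LastName", "User.FirstName", "User.MemberOf"), query = ";userPrincipalName,sn,givenName,memberOf;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to NameID Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule from step 10: permit only members of the group.
# The SID is anchored so a longer SID with the same prefix does not match.
$authorization = @"
@RuleTemplate = "Authorization"
@RuleName = "AD FS Users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$groupSid`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

# Note: these parameters replace the whole rule set of the trust, including
# the default "Permit Access to All Users" authorization rule.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $issuance `
    -IssuanceAuthorizationRules $authorization

# Read back the rules so the four claim types the PCE expects are visible.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```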

Obtain ADFS SSO Information for the PCE

Before you can configure the PCE to use AD FS for SSO, obtain the following information from your AD FS configuration:

  • X.509 certificate supplied by AD FS
  • Remote Login URL
  • Logout Landing URL

To obtain the AD FS SSO information for the PCE:

  1. To find the certificate in your AD FS configuration, log into the AD FS server and open the AD FS management console.
  2. Browse to Certificates and locate the Token-Signing certificate.
  3. Right-click the certificate and select View Certificate.
  4. Select the Details tab.
  5. Click Copy to File.
  6. When the Certificate Export Wizard launches, click Next.
  7. Verify that the “No - do not export the private key” option is selected and click Next.
  8. Select Base 64 encoded binary X.509 (.cer) and click Next.
  9. Select where you want to save the file, name the file, and click Next.
  10. Click Finish.
  11. After exporting the certificate to a file, open the file with a text editor. Copy and paste the contents of the exported X.509 certificate, including the BEGIN CERTIFICATE and END CERTIFICATE delimiters, into the SAML Identity Provider Certificate field.
  12. To find the Remote Login URL (which AD FS calls “Sign-On URL”), download and open the following metadata file from your AD FS server by navigating to https://server.mydomain/FederationMetadata/2007-06/FederationMetadata.xml and search for SingleSignOnService.
  13. To find the Logout Landing URL for the PCE, you can use the login URL of the PCE (preferred):

    https://<myPCENameAndPort>/login

    Or, a generic logout URL of AD FS:

    https://<URLToMyADFSServer>/adfs/ls/?wa=wsignout1.0

    You are now ready to configure the PCE to use AD FS for SSO.
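The three values above can also be read straight out of the AD FS federation metadata, which avoids hand-copying a certificate; this is an added example, not code from the Illumio documentation. It assumes the AD FS host name “adfs.example.com” (a placeholder) and, for the final cross-check, that it runs on the AD FS server where the AD FS module is available.

```powershell
# Added example (not from the Illumio documentation). Placeholder host name;
# the Get-AdfsCertificate check at the end only works on the AD FS server.
$adfsHost = "adfs.example.com"
$uri = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $uri -UseBasicParsing).Content

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Remote Login URL: the SingleSignOnService element the text tells you to search for.
$sso = $md.SelectSingleNode("//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']", $ns)
# Generic AD FS logout endpoint, the alternative given for the Logout Landing URL.
$slo = $md.SelectSingleNode("//md:IDPSSODescriptor/md:SingleLogoutService", $ns)

# Token-signing certificate: take the KeyDescriptor with use="signing", not the
# encryption one. During a certificate rollover the metadata can list two signing
# certificates; SelectSingleNode returns the first, so the cross-check below matters.
$certB64 = $md.SelectSingleNode("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns).InnerText
$body = $certB64 -replace '\s', ''

# Re-wrap at 64 columns with the BEGIN/END delimiters the PCE field expects.
$lines = for ($i = 0; $i -lt $body.Length; $i += 64) {
    $body.Substring($i, [Math]::Min(64, $body.Length - $i))
}
$pem = "-----BEGIN CERTIFICATE-----`n$($lines -join "`n")`n-----END CERTIFICATE-----"

# Cross-check: the metadata certificate must be the primary Token-Signing certificate.
$cert    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($body))
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
if ($cert.Thumbprint -ne $primary.Thumbprint) {
    Write-Warning "Metadata signing certificate does not match the primary Token-Signing certificate"
}

"Remote Login URL      : $($sso.Location)"
"Logout URL (AD FS)    : $($slo.Location)"
"Signing cert expires  : $($cert.NotAfter)"
$pem
```

The expiry line is a reminder that the certificate pasted into the PCE must be replaced when AD FS rolls its token-signing certificate, or SSO logins will start failing signature validation.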

Configure the PCE for AD FS SSO

Before you configure the PCE to use Microsoft AD FS for SSO, make sure you have the following information provided by your AD FS, which you configure in the PCE web console: 

  • X.509 certificate supplied by AD FS
  • Remote Login URL
  • Logout Landing URL

For more information, see Obtain ADFS SSO Information for the PCE.

NOTE:

When SSO is configured in Illumio Core and for the IdP, the preferences in Illumio Core are used. When SSO is not configured in Illumio Core, the default IdP settings are used.

To configure the PCE for AD FS: 

  1. From the PCE web console menu, choose Settings > SSO Config.
  2. Click Edit.
  3. Select the Enabled checkbox next to SAML Status.
  4. In the Information From Identity Provider section, enter the following information: 
    • SAML Identity Provider Certificate
    • Remote Login URL
    • Logout Landing URL
  5. Select the authentication method from the drop-down list:
    • Unspecified: Uses the IdP default authentication mechanism.
    • Password Protected Transport: Requires the user to log in with a password using a protected session; select this option and check the Force Re-authentication checkbox to force user re-authentication.

  6. To require users to re-enter their login information to access Illumio (even if the session is still valid), check the Force Re-authentication checkbox. This allows users to log into the PCE using a different login than their default computer login and is disabled by default.

    NOTE:

    You must select "Password Protected Transport" as the authentication method and check the Force Re-authentication checkbox to force users to re-authenticate.

  7. Click Save.

    Your PCE is now configured to use AD FS for SSO authentication.