Configure Microsoft Active Directory Federation Service (ADFS)

Observe supports using Microsoft Active Directory Federation Service (ADFS) using Security Authentication Markup Language (SAML 2.0). Use the following steps to configure SSO for ADFS.

Configuring Microsoft Active Directory Federation Service

  1. From the ADFS Management Console, navigate to the Relying Party Trusts page and select Add Relying Party Trust… to start the Add Relying Party Trust Wizard.

  2. Use the default option of Claims aware and click Start.

  3. For the Select Data Source step, choose Enter data bout the relying party manually and click Next.

  4. For Specify Display Name, enter a relevant value such as Observe Inc and click Next.

  5. For Configure Certificate you can skip this step and just click Next.

  6. For Configure URL select the option for Enable support for the SAML 2.0 WebSSO protocol and in the input box for Relying party... add the below URL, substituting your customer ID appropriate region URL. See Observe deployment regions.

https://${CUSTOMER_ID}.${REGION_URL}/auth/saml2/callback

  1. For Configure Identifiers in the Relying part trust identifier input box, paste the same URL from step 6.

  2. For the remaining steps, you can use whatever settings are appropriate for your organization.

Configure Claim Issuance Policy

In order for Observe to provision and authenticate the AD FS user to Observe, you need to send specific attributes via ADFS claims. To set these up, follow these steps - you will be adding 2 rules.

  1. From the ADFS Management Console, navigate to the Relying Party Trusts page and select Edit Claim Issuance Policy....

  2. Click the Add Rule... button, and for the Choose Rule Type step, select Transform an Incoming Claim.

    • For the Claim rule name input field, fill in NameId.

    • For the Incoming claim type select UPN.

    • For the Outgoing claim type select Name ID

    • For the Outgoing name ID format select Email

    • Select Pass through all claim values

    click Finish.

  3. Click the Add Rule... button, and for the Choose Rule Type step, select Send LDAP Attributes as Claims. Provide a name for your claim rule in the Claim rule name input box. Ensure Active Directory is selected as the Attribute store. You will create three attribute mappings, and then click Finish.

LDAP Attribute

Outgoing Claim Type

Given-Name

Given Name

Surname

Surname

E-Mail-Addresses

E-Mail Address

Group Membership Attributes

  1. To send group attributes to Observe, Observe expects the claim to contain an identifier named groups. To add this claim description, navigate to the Claim Descriptions area of the ADFS Console and select Add Claim Description. Set the values for Display name, Short name and Claim identifier are all set to the value groups. Additionally, ensure both checkboxes for Publish this claim are also selected. Click OK to save this.

Observe ADFS group claim settings

You now need to add an additional Claim Issuance Policy to send the group membership values to Observe:

  1. From the ADFS Management Console, navigate to the Relying Party Trusts page and select Edit Claim Issuance Policy....

  2. Click the Add Rule... button, and for the Choose Rule Type step, select Send LDAP Attributes as Claims. Provide a name for your claim rule in the Claim rule name input box. Ensure Active Directory is selected as the Attribute store. You will create the following attribute mapping, and then click Finish.

LDAP Attribute

Outgoing Claim Type

Token-Groups - Unqualified Names

groups

Configuring Observe

Note

Self-service management of SAML certificate is in private preview. Please work with your Observe account team to enable and configure your SAML integration via the steps below.

1. Navigate to https://${CUSTOMER_ID}.${REGION_URL}/settings/customer, substituting your customer ID and {}the appropriate URL for your deployment region. See Observe deployment regions.

Observe SAML settings

Figure 4 - Observe Settings

2.Scroll down to Add SAML, and enter the URL for type SAML 2.0/WS-Federation of your ADFS server into the ENTRY POINT field of Observe’s SAML configuration. Typically the URL has the suffix /adfs/ls/. For example if your ADFS server is https://adfs.mycompany.com then the ENTRY POINT value would be https://adfs.mycompany.com/adfs/ls.

3. Open X.509 certificate from Step 7 in a text editor and paste the Base64 certificate into the CERT field.

Note

You must export your ADFS certificate in Base-64 encoded X.509 format. Observe currently supports ADFS where the Token-signing and Token-decrypting certificate are the same.

4. Click Add SAML Provider.