Configuring Microsoft Active Directory Federation Service (ADFS)¶
Observe supports single sign-on (SSO) with Microsoft Active Directory Federation Service (ADFS) using Security Assertion Markup Language (SAML 2.0). Use the following steps to configure SSO for ADFS.
Configuring Microsoft Active Directory Federation Service¶
1. From the ADFS Management Console, navigate to the Relying Party Trusts page and select Add Relying Party Trust… to start the Add Relying Party Trust Wizard.
2. Use the default option of Claims aware and click Start.
3. For the Select Data Source step, choose Enter data about the relying party manually and click Next.
4. For Specify Display Name, enter a relevant value such as Observe Inc and click Next.
5. For Configure Certificate, you can skip this step and just click Next.
6. For Configure URL, select the option Enable support for the SAML 2.0 WebSSO protocol and, in the Relying party... input box, add the URL below, substituting your customer ID (and, if needed, the regional subdomain: eu-1, ap-1, etc.):
   https://${CUSTOMER_ID}.observeinc.com/auth/saml2/callback
7. For Configure Identifiers, in the Relying party trust identifier input box, paste the same URL from step 6 (for example, https://${CUSTOMER_ID}.observeinc.com/auth/saml2/callback).
8. For the remaining steps, you can use whatever settings are appropriate for your organization.
Configure Claim Issuance Policy¶
In order for Observe to provision and authenticate the ADFS user, you need to send specific attributes via ADFS claims. To set these up, follow these steps; you will add two rules.
1. From the ADFS Management Console, navigate to the Relying Party Trusts page and select Edit Claim Issuance Policy...
2. Click the Add Rule... button, and for the Choose Rule Type step, select Transform an Incoming Claim.
3. For the Claim rule name input field, fill in NameId.
4. For the Incoming claim type, select UPN.
5. For the Outgoing claim type, select Name ID.
6. For the Outgoing name ID format, select Email.
7. Select Pass through all claim values and click Finish.
8. Click the Add Rule... button, and for the Choose Rule Type step, select Send LDAP Attributes as Claims.
9. Provide a name for your claim rule in the Claim rule name input box. Ensure Active Directory is selected as the Attribute store.
10. Create the following three attribute mappings, and then click Finish.

LDAP Attribute | Outgoing Claim Type
---|---
Given-Name | Given Name
Surname | Surname
E-Mail-Addresses | E-Mail Address
Group Membership Attributes¶
To send group attributes to Observe, Observe expects the claim to contain an identifier named groups. To add this claim description, navigate to the Claim Descriptions area of the ADFS Console and select Add Claim Description. Set Display name, Short name, and Claim identifier all to the value groups. Additionally, ensure both Publish this claim checkboxes are selected. Click OK to save the claim description.
You now need to add an additional Claim Issuance Policy to send the group membership values to Observe:
1. From the ADFS Management Console, navigate to the Relying Party Trusts page and select Edit Claim Issuance Policy...
2. Click the Add Rule... button, and for the Choose Rule Type step, select Send LDAP Attributes as Claims.
3. Provide a name for your claim rule in the Claim rule name input box. Ensure Active Directory is selected as the Attribute store.
4. Create the following attribute mapping, and then click Finish.

LDAP Attribute | Outgoing Claim Type
---|---
Token-Groups - Unqualified Names | groups
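The relying party trust, the two claim issuance rules, and the groups claim description above can also be created from PowerShell on the ADFS server. The script below is an added example, not part of the Observe documentation or Observe's own tooling; it reproduces the same wizard choices (claims-aware trust, SAML 2.0 WebSSO endpoint and identifier set to the callback URL, UPN transformed to an Email-format Name ID, the three LDAP attribute mappings, and Token-Groups - Unqualified Names issued as groups). The customer ID placeholder, the "Observe Inc" display name, and the "Permit everyone" access control policy (the wizard's default on ADFS 2016 and later) are assumptions; choose the access control policy your organization requires.

```powershell
# Added example (not from the Observe docs): scripted equivalent of the ADFS wizard
# steps above. Run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

$customerId  = "CUSTOMER_ID"                                             # placeholder: your Observe customer ID (add regional subdomain if needed)
$acsUrl      = "https://$customerId.observeinc.com/auth/saml2/callback"  # SAML 2.0 SSO service URL and relying party identifier
$displayName = "Observe Inc"                                             # assumed display name

# Claim type URIs behind the GUI labels used in the steps above.
$upn       = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$nameId    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$givenName = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
$surname   = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
$email     = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$winAcct   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$emailFmt  = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Rule 1: Transform an Incoming Claim (UPN -> Name ID, outgoing format Email, pass through all values).
# Rule 2: Send LDAP Attributes as Claims (Given-Name, Surname, E-Mail-Addresses).
# Rule 3: Send LDAP Attributes as Claims (Token-Groups - Unqualified Names -> groups).
$rules = @"
@RuleTemplate = "MapClaims"
@RuleName = "NameId"
c:[Type == "$upn"]
 => issue(Type = "$nameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "$emailFmt");

@RuleTemplate = "LdapClaims"
@RuleName = "Observe user attributes"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$givenName", "$surname", "$email"), query = ";givenName,sn,mail;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Observe groups"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("groups"), query = ";tokenGroups;{0}", param = c.Value);
"@

# Claim description for the custom "groups" claim; IsAccepted/IsOffered are the two
# "Publish this claim" checkboxes. Skip if it already exists.
if (-not (Get-AdfsClaimDescription | Where-Object { $_.ClaimType -eq "groups" })) {
    Add-AdfsClaimDescription -Name "groups" -ShortName "groups" -ClaimType "groups" -IsAccepted $true -IsOffered $true
}

# Relying party trust: manual data entry, SAML 2.0 WebSSO endpoint, identifier = same callback URL.
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0
Add-AdfsRelyingPartyTrust -Name $displayName -Identifier $acsUrl -SamlEndpoint $endpoint `
    -AccessControlPolicyName "Permit everyone" -IssuanceTransformRules $rules   # policy is an assumption

# Verify the trust and its three rules before testing a login.
Get-AdfsRelyingPartyTrust -Name $displayName | Select-Object Name, Identifier, IssuanceTransformRules
```

The claim rule text is exactly what the wizard templates (MapClaims and LdapClaims) generate for these choices, so the script and the console steps produce the same issuance policy; keeping it in source control makes the trust reproducible on a rebuilt ADFS farm and lets you diff the rules if a login later stops provisioning users or groups.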
Configuring Observe¶
1. Navigate to https://${CUSTOMER_ID}.observeinc.com/settings/customer, substituting your customer ID (and, if needed, the regional subdomain: eu-1, ap-1, etc.).
Figure 4 - Observe Settings
2. Scroll down to Add SAML, and enter the URL for type SAML 2.0/WS-Federation of your ADFS server into the ENTRY POINT field of Observe's SAML configuration. Typically the URL has the suffix /adfs/ls/. For example, if your ADFS server is https://adfs.mycompany.com then the ENTRY POINT value would be https://adfs.mycompany.com/adfs/ls.
3. Open the X.509 certificate from Step 7 in a text editor and paste the Base64 certificate into the CERT field.
Note
You must export your ADFS certificate in Base-64 encoded X.509 format. Observe currently supports ADFS where the Token-signing and Token-decrypting certificate are the same.
4. Click Add SAML Provider.
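The CERT field and the note above require a Base-64 encoded X.509 export of the ADFS token-signing certificate, and they assume the token-signing and token-decrypting certificates are the same. The script below is an added example, not part of the Observe documentation, that exports the primary token-signing certificate in that format from the ADFS server and warns when the two primary certificates differ, so the mismatch is caught before a failed login. The output path is an assumption.

```powershell
# Added example (not from the Observe docs): export the primary token-signing certificate
# as Base-64 X.509 for Observe's CERT field and check the signing/decrypting precondition.
Import-Module ADFS

$signing    = Get-AdfsCertificate -CertificateType Token-Signing    | Where-Object { $_.IsPrimary }
$decrypting = Get-AdfsCertificate -CertificateType Token-Decrypting | Where-Object { $_.IsPrimary }

# Observe currently expects both roles to use the same certificate.
if ($signing.Thumbprint -ne $decrypting.Thumbprint) {
    Write-Warning ("Primary token-signing ($($signing.Thumbprint)) and token-decrypting " +
                   "($($decrypting.Thumbprint)) certificates differ; Observe expects them to be the same.")
}

# Public certificate only (DER, no private key), wrapped as PEM / Base-64 encoded X.509.
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [System.Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"

$outFile = "$env:USERPROFILE\adfs-token-signing.cer"   # assumed output path
Set-Content -Path $outFile -Value $pem -Encoding ascii

# The certificate's expiry matters: after ADFS rolls over to a new token-signing
# certificate, the CERT value in Observe must be updated or signature checks will fail.
Write-Host "Wrote $outFile (thumbprint $($signing.Thumbprint), expires $($signing.Certificate.NotAfter))."
Write-Host "Paste the file contents into the CERT field in Observe."
```

Only the public certificate is exported (X509ContentType Cert), which is all the relying party needs to verify signatures; note the NotAfter date printed at the end and plan to repeat the export before automatic certificate rollover, since Observe has no way to learn the new certificate on its own.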