Creating a relying party trust manually

If you choose not to import the data for the relying party trusts, you can enter the values manually.

About this task

These instructions apply to AD FS 4.0, which is included with Windows Server 2016. If you are using AD FS 3.0, which is included with Windows 2012 R2, you will notice slight differences in the procedure. See the Microsoft AD FS documentation if you have questions.

Procedure

  1. In Windows Server Manager, click Tools, and then select AD FS Management.
  2. Under Actions, click Add Relying Party Trust.
  3. On the Welcome page, choose Claims aware, and click Start.
  4. Select Enter data about the relying party manually, and click Next.
  5. Complete the Relying Party Trust wizard:
    1. Enter a display name for this Admin Node.
      For consistency, use the Relying Party Identifier for the Admin Node, exactly as it appears on the Single Sign-on page in the Grid Manager. For example, SG-DC1-ADM1.
    2. Skip the step to configure an optional token encryption certificate.
    3. On the Configure URL page, select the Enable support for the SAML 2.0 WebSSO protocol check box.
    4. Type the SAML service endpoint URL for the Admin Node: https://Admin_Node_FQDN/api/saml-response
      For Admin_Node_FQDN, enter the fully qualified domain name for the Admin Node. (If necessary, you can use the node’s IP address instead. However, if you enter an IP address here, be aware that you must update or recreate this relying party trust if that IP address ever changes.)
    5. On the Configure Identifiers page, specify the Relying Party Identifier for the same Admin Node: Admin_Node_Identifier
      For Admin_Node_Identifier, enter the Relying Party Identifier for the Admin Node, exactly as it appears on the Single Sign-on page. For example, SG-DC1-ADM1.
    6. Review the settings, save the relying party trust, and close the wizard.
      The Edit Claim Issuance Policy dialog box appears.
      Note: If the dialog box does not appear, right-click the trust, and select Edit claim issuance policy.
  6. To start the Claim Rule wizard, click Add rule:
    1. On the Select Rule Template page, select Send LDAP Attributes as Claims from the list, and click Next.
    2. On the Configure Rule page, enter a display name for this rule.
      For example, ObjectGUID to Name ID.
    3. For the Attribute Store, select Active Directory.
    4. In the LDAP Attribute column of the Mapping table, type objectGUID.
    5. In the Outgoing Claim Type column of the Mapping table, select Name ID from the drop-down list.
    6. Click Finish, and click OK.
  7. Right-click the relying party trust to open its properties.
  8. On the Endpoints tab, configure the endpoint for single logout (SLO):
    1. Click Add SAML.
    2. Select Endpoint Type > SAML Logout.
    3. Select Binding > Redirect.
    4. In the Trusted URL field, enter the URL used for single logout (SLO) from this Admin Node: https://Admin_Node_FQDN/api/saml-logout
      For Admin_Node_FQDN, enter the Admin Node's fully qualified domain name. (If necessary, you can use the node’s IP address instead. However, if you enter an IP address here, be aware that you must update or recreate this relying party trust if that IP address ever changes.)
    5. Click OK.
  9. On the Signature tab, specify the signature certificate for this relying party trust:
    1. Add the custom certificate:
      • If you have the custom management certificate you uploaded to StorageGRID, select that certificate.
      • If you do not have the custom certificate, log in to the Admin Node, go to the /var/local/mgmt-api directory of the Admin Node, and add the custom-server.crt certificate file.
      Note: Using the Admin Node's default certificate (server.crt) is not recommended. If the Admin Node fails, the default certificate will be regenerated when you recover the node, and you will need to update the relying party trust.
    2. Click Apply, and click OK.
      The Relying Party properties are saved and closed.
  10. Repeat these steps to configure a relying party trust for all of the Admin Nodes in your StorageGRID system.
  11. When you are done, return to StorageGRID and test all relying party trusts to confirm they are configured correctly.
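The same relying party trust built from PowerShell instead of the wizard, for every Admin Node at once, as an added example that is not part of the StorageGRID documentation. It assumes the ADFS module on the AD FS 4.0 server, constructed Admin Node identifiers and FQDNs, and a local copy of custom-server.crt at an assumed path.

```powershell
# Added example (not from the StorageGRID documentation): scripts the wizard steps above
# with the ADFS module on the AD FS 4.0 server. Node names, FQDNs and the certificate
# path are constructed sample values; use your own Admin Nodes and custom-server.crt.
Import-Module ADFS

# One entry per Admin Node (step 10 repeats the procedure for every node).
$adminNodes = @(
    @{ Identifier = 'SG-DC1-ADM1'; Fqdn = 'sg-dc1-adm1.example.com' },  # sample values
    @{ Identifier = 'SG-DC2-ADM1'; Fqdn = 'sg-dc2-adm1.example.com' }   # sample values
)

# Signature tab: the custom management certificate (custom-server.crt from
# /var/local/mgmt-api on the Admin Node), copied to an assumed local path.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    'C:\certs\custom-server.crt'

# Claim rule from step 6: the user's objectGUID from Active Directory is issued as Name ID.
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ObjectGUID to Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";objectGUID;{0}", param = c.Value);
'@

foreach ($node in $adminNodes) {
    # Configure URL page: SAML 2.0 WebSSO assertion consumer endpoint (the wizard uses POST).
    $acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri "https://$($node.Fqdn)/api/saml-response" -Index 0 -IsDefault $true
    # Endpoints tab: single logout (SLO) endpoint with the Redirect binding.
    $slo = New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout `
        -Uri "https://$($node.Fqdn)/api/saml-logout"

    # Display name and identifier are both the Relying Party Identifier, as in step 5.
    Add-AdfsRelyingPartyTrust -Name $node.Identifier `
        -Identifier $node.Identifier `
        -SamlEndpoint @($acs, $slo) `
        -RequestSigningCertificate $signingCert `
        -IssuanceTransformRules $claimRules `
        -AccessControlPolicyName 'Permit everyone'
}

# Check: each trust should carry both SAML endpoints and the signing certificate.
foreach ($node in $adminNodes) {
    Get-AdfsRelyingPartyTrust -Name $node.Identifier |
        Select-Object Name, Identifier,
            @{ n = 'Endpoints'; e = { $_.SamlEndpoints.Count } },
            @{ n = 'SigningCert'; e = { $_.RequestSigningCertificate.Thumbprint } }
}
```

The 'Permit everyone' access control policy matches what the wizard assigns by default on Windows Server 2016; narrow it afterwards if only specific groups should sign in to the Grid Manager.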