Creating a relying party trust by importing federation metadata

You can import the values for each relying party trust by accessing the SAML metadata for each Admin Node.

About this task

These instructions apply to AD FS 4.0, which is included with Windows Server 2016. If you are using AD FS 3.0, which is included with Windows 2012 R2, you will notice slight differences in the procedure. See the Microsoft AD FS documentation if you have questions.

Procedure

  1. In Windows Server Manager, click Tools, and then select AD FS Management.
  2. Under Actions, click Add Relying Party Trust.
  3. On the Welcome page, choose Claims aware, and click Start.
  4. Select Import data about the relying party published online or on a local network.
  5. In Federation metadata address (host name or URL), type the location of the SAML metadata for this Admin Node: https://Admin_Node_FQDN/api/saml-metadata
    For Admin_Node_FQDN, enter the fully qualified domain name for the same Admin Node. (If necessary, you can use the node’s IP address instead. However, if you enter an IP address here, be aware that you must update or recreate this relying party trust if that IP address ever changes.)
  6. Complete the Relying Party Trust wizard, save the relying party trust, and close the wizard.
    Note: When entering the display name, use the Relying Party Identifier for the Admin Node, exactly as it appears on the Single Sign-on page in the Grid Manager. For example, SG-DC1-ADM1.
  7. Add a claim rule:
    1. Right-click the trust, and select Edit claim issuance policy.
    2. Click Add rule.
    3. On the Select Rule Template page, select Send LDAP Attributes as Claims from the list, and click Next.
    4. On the Configure Rule page, enter a display name for this rule.
      For example, ObjectGUID to Name ID.
    5. For the Attribute Store, select Active Directory.
    6. In the LDAP Attribute column of the Mapping table, type objectGUID.
    7. In the Outgoing Claim Type column of the Mapping table, select Name ID from the drop-down list.
    8. Click Finish, and click OK.
  8. Confirm that the metadata was imported successfully.
    1. Right-click the relying party trust to open its properties.
    2. Confirm that the fields on the Endpoints, Identifiers, and Signature tabs are populated.
      If the metadata is missing, confirm that the Federation metadata address is correct, or simply enter the values manually.
  9. Repeat these steps to configure a relying party trust for all of the Admin Nodes in your StorageGRID system.
  10. When you are done, return to StorageGRID and test all relying party trusts to confirm they are configured correctly.
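The same procedure can be scripted with the AD FS PowerShell module on Windows Server 2016 (AD FS 4.0), which is useful when you have several Admin Nodes and want the verification in step 8 to be repeatable. The following is an added example, not code from the StorageGRID documentation; the Admin Node names and FQDNs are hypothetical placeholders, and the 'Permit everyone' access control policy is assumed to be the one the wizard would otherwise apply.

```powershell
# Added example (not from the StorageGRID documentation): create one relying
# party trust per Admin Node by importing its SAML metadata, add the
# objectGUID -> Name ID claim rule, and confirm the import populated the
# identifier, endpoints and signing certificate. Assumes AD FS 4.0.
Import-Module ADFS

# One entry per Admin Node. Name is the Relying Party Identifier exactly as
# shown on the Grid Manager Single Sign-on page; Fqdn is the node's fully
# qualified domain name (an IP address would force a trust update if it changes).
# Both values below are hypothetical placeholders.
$adminNodes = @(
    @{ Name = 'SG-DC1-ADM1'; Fqdn = 'sg-dc1-adm1.example.com' },
    @{ Name = 'SG-DC2-ADM1'; Fqdn = 'sg-dc2-adm1.example.com' }
)

# Claim rule equivalent to the "Send LDAP Attributes as Claims" template:
# look up objectGUID in Active Directory and issue it as the Name ID claim.
$nameIdRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ObjectGUID to Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";objectGUID;{0}", param = c.Value);
'@

function Add-StorageGridRelyingPartyTrust {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Fqdn
    )
    # Steps 4-7: import endpoints, identifiers and the request signing
    # certificate from the node's metadata, then attach the claim rule.
    $metadataUrl = "https://$Fqdn/api/saml-metadata"
    Add-AdfsRelyingPartyTrust -Name $Name `
        -MetadataUrl $metadataUrl `
        -IssuanceTransformRules $nameIdRule `
        -AccessControlPolicyName 'Permit everyone'
}

function Test-StorageGridRelyingPartyTrust {
    # Step 8: the Identifiers, Endpoints and Signature tabs must be populated.
    param([Parameter(Mandatory)][string]$Name)
    $rpt = Get-AdfsRelyingPartyTrust -Name $Name
    if (-not $rpt) { Write-Warning "${Name}: trust not found"; return $false }
    $ok = $true
    if (-not $rpt.Identifier) {
        Write-Warning "${Name}: no identifier imported"; $ok = $false
    }
    if (-not $rpt.SamlEndpoints) {
        Write-Warning "${Name}: no SAML endpoints imported"; $ok = $false
    }
    if (-not $rpt.RequestSigningCertificate) {
        Write-Warning "${Name}: no request signing certificate imported"; $ok = $false
    }
    return $ok
}

# Step 9: repeat for every Admin Node, reporting which trusts need attention.
foreach ($node in $adminNodes) {
    Add-StorageGridRelyingPartyTrust -Name $node.Name -Fqdn $node.Fqdn
    if (Test-StorageGridRelyingPartyTrust -Name $node.Name) {
        Write-Host "$($node.Name): metadata imported; test it from the Grid Manager"
    } else {
        Write-Host "$($node.Name): check the federation metadata address or enter the values manually"
    }
}
```

The AD FS server fetches the metadata URL itself over TLS, so the Admin Node's server certificate must chain to a CA the AD FS server trusts or the import fails with an empty trust, which is what the verification function is there to catch. On AD FS 3.0 the -AccessControlPolicyName parameter does not exist; replace it with an -IssuanceAuthorizationRules rule that permits the users you want.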