
Creating relying party trusts in AD FS

Contributors netapp-lhalbert

You must use Active Directory Federation Services (AD FS) to create a relying party trust for each Admin Node in your system. You can create relying party trusts using PowerShell commands, by importing SAML metadata from StorageGRID, or by entering the data manually.

Creating a relying party trust using Windows PowerShell

You can use Windows PowerShell to quickly create one or more relying party trusts.

What you'll need
  • You have configured SSO in StorageGRID, and you know the fully qualified domain name (or the IP address) and the relying party identifier for each Admin Node in your system.

    Note You must create a relying party trust for each Admin Node in your StorageGRID system. Having a relying party trust for each Admin Node ensures that users can securely sign in to and out of any Admin Node.
  • You have experience creating relying party trusts in AD FS, or you have access to the Microsoft AD FS documentation.

  • You are using the AD FS Management snap-in, and you belong to the Administrators group.

About this task

These instructions apply to AD FS 4.0, which is included with Windows Server 2016. If you are using AD FS 3.0, which is included with Windows 2012 R2, you will notice slight differences in the procedure. See the Microsoft AD FS documentation if you have questions.

Steps
  1. From the Windows start menu, right-click the PowerShell icon, and select Run as Administrator.

  2. At the PowerShell command prompt, enter the following command:

    Add-AdfsRelyingPartyTrust -Name "Admin_Node_Identifier" -MetadataUrl "https://Admin_Node_FQDN/api/saml-metadata"

    • For Admin_Node_Identifier, enter the Relying Party Identifier for the Admin Node, exactly as it appears on the Single Sign-on page. For example, SG-DC1-ADM1.

    • For Admin_Node_FQDN, enter the fully qualified domain name for the same Admin Node. (If necessary, you can use the node's IP address instead. However, if you enter an IP address here, be aware that you must update or recreate this relying party trust if that IP address ever changes.)

  3. From Windows Server Manager, select Tools > AD FS Management.

    The AD FS management tool appears.

  4. Select AD FS > Relying Party Trusts.

    The list of relying party trusts appears.

  5. Add an Access Control Policy to the newly created relying party trust:

    1. Locate the relying party trust you just created.

    2. Right-click the trust, and select Edit Access Control Policy.

    3. Select an Access Control Policy.

    4. Click Apply, and click OK.

  6. Add a Claim Issuance Policy to the newly created Relying Party Trust:

    1. Locate the relying party trust you just created.

    2. Right-click the trust, and select Edit claim issuance policy.

    3. Click Add rule.

    4. On the Select Rule Template page, select Send LDAP Attributes as Claims from the list, and click Next.

    5. On the Configure Rule page, enter a display name for this rule.

      For example, ObjectGUID to Name ID.

    6. For the Attribute Store, select Active Directory.

    7. In the LDAP Attribute column of the Mapping table, type objectGUID.

    8. In the Outgoing Claim Type column of the Mapping table, select Name ID from the drop-down list.

    9. Click Finish, and click OK.

  7. Confirm that the metadata was imported successfully.

    1. Right-click the relying party trust to open its properties.

    2. Confirm that the fields on the Endpoints, Identifiers, and Signature tabs are populated.

      If the metadata is missing, confirm that the Federation metadata address is correct, or simply enter the values manually.

  8. Repeat these steps to configure a relying party trust for all of the Admin Nodes in your StorageGRID system.

  9. When you are done, return to StorageGRID and test all relying party trusts to confirm they are configured correctly.
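The PowerShell procedure above, as an added example that is not part of the NetApp page: a script that loops over several Admin Nodes, creates each trust from its SAML metadata (step 2), applies the access control policy and the objectGUID-to-Name ID claim rule (steps 5 and 6), and checks that the metadata populated the identifiers, endpoints and signing certificate (step 7). The node identifiers and FQDNs are constructed placeholders, and the "Permit everyone" policy name is an assumption; list the policies available on your server with Get-AdfsAccessControlPolicy.

```powershell
# Added example (not NetApp's code): create, configure and verify one relying party
# trust per StorageGRID Admin Node from PowerShell (steps 2, 5, 6 and 7 above).
# Run in an elevated PowerShell session on the AD FS server.
# The identifiers and FQDNs are constructed placeholders; the access control policy
# name is an assumption (see Get-AdfsAccessControlPolicy for the real names).
Import-Module ADFS

$adminNodes = @(
    @{ Identifier = 'SG-DC1-ADM1'; Fqdn = 'sg-dc1-adm1.example.com' },
    @{ Identifier = 'SG-DC2-ADM1'; Fqdn = 'sg-dc2-adm1.example.com' }
)
$accessControlPolicy = 'Permit everyone'   # assumption: substitute the policy your site requires

# The rule the "Send LDAP Attributes as Claims" template produces for
# LDAP attribute objectGUID -> outgoing claim type Name ID.
$nameIdRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ObjectGUID to Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";objectGUID;{0}", param = c.Value);
'@

foreach ($node in $adminNodes) {
    $metadataUrl = "https://$($node.Fqdn)/api/saml-metadata"

    # Do not silently overwrite a trust that already exists for this node.
    if (Get-AdfsRelyingPartyTrust -Name $node.Identifier) {
        Write-Warning "Relying party trust '$($node.Identifier)' already exists; skipping."
        continue
    }

    # Step 2: create the trust from the Admin Node's SAML metadata.
    Add-AdfsRelyingPartyTrust -Name $node.Identifier -MetadataUrl $metadataUrl

    # Steps 5 and 6: access control policy and claim issuance rule.
    Set-AdfsRelyingPartyTrust -TargetName $node.Identifier `
        -AccessControlPolicyName $accessControlPolicy `
        -IssuanceTransformRules $nameIdRule

    # Step 7: the metadata must have populated identifiers, endpoints and the
    # request signing certificate (the Identifiers, Endpoints and Signature tabs).
    $trust = Get-AdfsRelyingPartyTrust -Name $node.Identifier
    $problems = @()
    if (-not $trust.Identifier)                { $problems += 'no identifier' }
    if (-not $trust.SamlEndpoints)             { $problems += 'no SAML endpoints' }
    if (-not $trust.RequestSigningCertificate) { $problems += 'no request signing certificate' }

    if ($problems) {
        Write-Warning "$($node.Identifier): metadata import incomplete ($($problems -join ', ')); check $metadataUrl or enter the values manually."
    } else {
        $cert = $trust.RequestSigningCertificate[0]
        Write-Host "$($node.Identifier): OK, $($trust.SamlEndpoints.Count) SAML endpoint(s), signing certificate $($cert.Thumbprint) valid until $($cert.NotAfter)"
    }
}
```

The final check is the scripted form of step 7: a trust whose metadata fetch failed (wrong FQDN, untrusted TLS certificate on the Admin Node) is created with empty identifiers and endpoints and will fail at sign-in, so the script reports it rather than moving on to the next node.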

Creating a relying party trust by importing federation metadata

You can import the values for each relying party trust by accessing the SAML metadata for each Admin Node.

What you'll need
  • You have configured SSO in StorageGRID, and you know the fully qualified domain name (or the IP address) and the relying party identifier for each Admin Node in your system.

    Note You must create a relying party trust for each Admin Node in your StorageGRID system. Having a relying party trust for each Admin Node ensures that users can securely sign in to and out of any Admin Node.
  • You have experience creating relying party trusts in AD FS, or you have access to the Microsoft AD FS documentation.

  • You are using the AD FS Management snap-in, and you belong to the Administrators group.

About this task

These instructions apply to AD FS 4.0, which is included with Windows Server 2016. If you are using AD FS 3.0, which is included with Windows 2012 R2, you will notice slight differences in the procedure. See the Microsoft AD FS documentation if you have questions.

Steps
  1. In Windows Server Manager, click Tools, and then select AD FS Management.

  2. Under Actions, click Add Relying Party Trust.

  3. On the Welcome page, choose Claims aware, and click Start.

  4. Select Import data about the relying party published online or on a local network.

  5. In Federation metadata address (host name or URL), type the location of the SAML metadata for this Admin Node:

    https://Admin_Node_FQDN/api/saml-metadata

    For Admin_Node_FQDN, enter the fully qualified domain name for the same Admin Node. (If necessary, you can use the node's IP address instead. However, if you enter an IP address here, be aware that you must update or recreate this relying party trust if that IP address ever changes.)

  6. Complete the Relying Party Trust wizard, save the relying party trust, and close the wizard.

    Note When entering the display name, use the Relying Party Identifier for the Admin Node, exactly as it appears on the Single Sign-on page in the Grid Manager. For example, SG-DC1-ADM1.
  7. Add a claim rule:

    1. Right-click the trust, and select Edit claim issuance policy.

    2. Click Add rule.

    3. On the Select Rule Template page, select Send LDAP Attributes as Claims from the list, and click Next.

    4. On the Configure Rule page, enter a display name for this rule.

      For example, ObjectGUID to Name ID.

    5. For the Attribute Store, select Active Directory.

    6. In the LDAP Attribute column of the Mapping table, type objectGUID.

    7. In the Outgoing Claim Type column of the Mapping table, select Name ID from the drop-down list.

    8. Click Finish, and click OK.

  8. Confirm that the metadata was imported successfully.

    1. Right-click the relying party trust to open its properties.

    2. Confirm that the fields on the Endpoints, Identifiers, and Signature tabs are populated.

      If the metadata is missing, confirm that the Federation metadata address is correct, or simply enter the values manually.

  9. Repeat these steps to configure a relying party trust for all of the Admin Nodes in your StorageGRID system.

  10. When you are done, return to StorageGRID and test all relying party trusts to confirm they are configured correctly.

Creating a relying party trust manually

If you choose not to import the data for the relying party trusts, you can enter the values manually.

What you'll need
  • You have configured SSO in StorageGRID, and you know the fully qualified domain name (or the IP address) and the relying party identifier for each Admin Node in your system.

    Note You must create a relying party trust for each Admin Node in your StorageGRID system. Having a relying party trust for each Admin Node ensures that users can securely sign in to and out of any Admin Node.
  • You have the custom certificate that was uploaded for the StorageGRID management interface, or you know how to log in to an Admin Node from the command shell.

  • You have experience creating relying party trusts in AD FS, or you have access to the Microsoft AD FS documentation.

  • You are using the AD FS Management snap-in, and you belong to the Administrators group.

About this task

These instructions apply to AD FS 4.0, which is included with Windows Server 2016. If you are using AD FS 3.0, which is included with Windows 2012 R2, you will notice slight differences in the procedure. See the Microsoft AD FS documentation if you have questions.

Steps
  1. In Windows Server Manager, click Tools, and then select AD FS Management.

  2. Under Actions, click Add Relying Party Trust.

  3. On the Welcome page, choose Claims aware, and click Start.

  4. Select Enter data about the relying party manually, and click Next.

  5. Complete the Relying Party Trust wizard:

    1. Enter a display name for this Admin Node.

      For consistency, use the Relying Party Identifier for the Admin Node, exactly as it appears on the Single Sign-on page in the Grid Manager. For example, SG-DC1-ADM1.

    2. Skip the step to configure an optional token encryption certificate.

    3. On the Configure URL page, select the Enable support for the SAML 2.0 WebSSO protocol check box.

    4. Type the SAML service endpoint URL for the Admin Node:

      https://Admin_Node_FQDN/api/saml-response

      For Admin_Node_FQDN, enter the fully qualified domain name for the Admin Node. (If necessary, you can use the node's IP address instead. However, if you enter an IP address here, be aware that you must update or recreate this relying party trust if that IP address ever changes.)

    5. On the Configure Identifiers page, specify the Relying Party Identifier for the same Admin Node:

      Admin_Node_Identifier

      For Admin_Node_Identifier, enter the Relying Party Identifier for the Admin Node, exactly as it appears on the Single Sign-on page. For example, SG-DC1-ADM1.

    6. Review the settings, save the relying party trust, and close the wizard.

      The Edit Claim Issuance Policy dialog box appears.

      Note If the dialog box does not appear, right-click the trust, and select Edit claim issuance policy.
  6. To start the Claim Rule wizard, click Add rule:

    1. On the Select Rule Template page, select Send LDAP Attributes as Claims from the list, and click Next.

    2. On the Configure Rule page, enter a display name for this rule.

      For example, ObjectGUID to Name ID.

    3. For the Attribute Store, select Active Directory.

    4. In the LDAP Attribute column of the Mapping table, type objectGUID.

    5. In the Outgoing Claim Type column of the Mapping table, select Name ID from the drop-down list.

    6. Click Finish, and click OK.

  7. Right-click the relying party trust to open its properties.

  8. On the Endpoints tab, configure the endpoint for single logout (SLO):

    1. Click Add SAML.

    2. Select Endpoint Type > SAML Logout.

    3. Select Binding > Redirect.

    4. In the Trusted URL field, enter the URL used for single logout (SLO) from this Admin Node:

      https://Admin_Node_FQDN/api/saml-logout

      For Admin_Node_FQDN, enter the Admin Node's fully qualified domain name. (If necessary, you can use the node's IP address instead. However, if you enter an IP address here, be aware that you must update or recreate this relying party trust if that IP address ever changes.)

    5. Click OK.

  9. On the Signature tab, specify the signature certificate for this relying party trust:

    1. Add the custom certificate:

      • If you have the custom management certificate you uploaded to StorageGRID, select that certificate.

      • If you do not have the custom certificate, log in to the Admin Node, go to the /var/local/mgmt-api directory of the Admin Node, and add the custom-server.crt certificate file.

        Note: Using the Admin Node's default certificate (server.crt) is not recommended. If the Admin Node fails, the default certificate will be regenerated when you recover the node, and you will need to update the relying party trust.

    2. Click Apply, and click OK.

      The Relying Party properties are saved and closed.

  10. Repeat these steps to configure a relying party trust for all of the Admin Nodes in your StorageGRID system.

  11. When you are done, return to StorageGRID and test all relying party trusts to confirm they are configured correctly.
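The manual procedure above expressed as PowerShell, an added example that is not NetApp's code: it supplies the Relying Party Identifier, the SAML 2.0 WebSSO and single logout endpoints (steps 5 and 8) and the custom-server.crt signature certificate (step 9) directly instead of fetching metadata, adds the objectGUID-to-Name ID claim rule (step 6), and then reads the trust back so the values on the Endpoints, Identifiers and Signature tabs can be checked. The identifier, FQDN, certificate path and the "Permit everyone" policy name are assumptions.

```powershell
# Added example (not NetApp's code): build one relying party trust entirely from
# values you supply (manual wizard steps 5 to 9 above), then read it back to verify.
# Run in an elevated PowerShell session on the AD FS server.
# The identifier, FQDN and certificate path are constructed placeholders; the access
# control policy name is an assumption.
Import-Module ADFS

$identifier = 'SG-DC1-ADM1'                 # Relying Party Identifier from the Single Sign-on page
$fqdn       = 'sg-dc1-adm1.example.com'     # FQDN rather than IP, so the trust survives re-addressing
$certPath   = 'C:\certs\custom-server.crt'  # custom management certificate copied from /var/local/mgmt-api

# Steps 5.4 and 8: SAML 2.0 WebSSO assertion consumer endpoint (POST binding, as the
# wizard creates it) and the single logout endpoint (Redirect binding).
$endpoints = @(
    (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri "https://$fqdn/api/saml-response" -Index 0),
    (New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout -Uri "https://$fqdn/api/saml-logout")
)

# Step 9: the certificate AD FS uses to verify requests signed by this Admin Node.
# Refuse an expired file up front; a trust pinned to a stale certificate fails at sign-in.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($signingCert.NotAfter -lt (Get-Date)) {
    throw "Certificate $certPath expired on $($signingCert.NotAfter); upload a current management certificate first."
}

# Step 6: the rule the "Send LDAP Attributes as Claims" template produces for
# LDAP attribute objectGUID -> outgoing claim type Name ID.
$nameIdRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ObjectGUID to Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";objectGUID;{0}", param = c.Value);
'@

# Steps 5.1, 5.5 and 5.6: display name, identifier, endpoints, signing certificate and rule in one call.
Add-AdfsRelyingPartyTrust -Name $identifier `
    -Identifier $identifier `
    -SamlEndpoint $endpoints `
    -RequestSigningCertificate $signingCert `
    -IssuanceTransformRules $nameIdRule `
    -AccessControlPolicyName 'Permit everyone'   # assumption: substitute your site's policy

# Read the trust back: the equivalent of opening the Identifiers, Endpoints and Signature tabs.
$trust = Get-AdfsRelyingPartyTrust -Name $identifier
$trust | Select-Object Name, Identifier,
    @{ n = 'Endpoints';   e = { ($_.SamlEndpoints | ForEach-Object { "$($_.Protocol)/$($_.Binding) $($_.Location)" }) -join '; ' } },
    @{ n = 'SigningCert'; e = { ($_.RequestSigningCertificate | ForEach-Object { "$($_.Subject) thumbprint $($_.Thumbprint) until $($_.NotAfter)" }) -join '; ' } } |
    Format-List
```

Because the trust pins a specific certificate, the thumbprint printed at the end is what you compare against the custom management certificate uploaded to StorageGRID; if the Admin Node's certificate is ever replaced, update the trust's RequestSigningCertificate with Set-AdfsRelyingPartyTrust rather than recreating the whole trust.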