SSO integration is configured on both sides, in ADFS and in OpsRamp. The configuration sets up redirects to your custom-branded OpsRamp URL.

Prerequisite

  • Partners must register with OpsRamp to get OpsRamp login credentials.
  • Provide your custom branding URL (such as <yourwebsitename>.opsramp.com).

ADFS configuration

ADFS configuration involves the following:

  1. Adding the relying party trust identifier.
  2. Editing the claim rules for the relying party trust.
  3. Adding rules.
  4. Editing the claims rules for the claims provider.
  5. Exporting the certificate.

Step 1: Add relying party trust identifiers

To add the relying party trust identifier:

  1. From ADFS, go to Tools > AD FS Management.
  2. From AD FS > Trust Relationships > Relying Party Trusts, select Add Relying Party Trust... and click Start to begin the wizard.
    1. On Specify Display Name, provide a unique display name and click Next.
    2. On Choose Profile, select the AD FS profile and click Next.
    3. On Configure Certificate, clear the Token encryption certificate field and click Next.
    4. On Configure URL, check Enable support for the SAML 2.0 WebSSO protocol, enter the service URL https://yoursubdomain.opsramp.com/samlResponse.do (replace yoursubdomain with your custom branding subdomain), and click Next.
    5. On Configure Identifiers, select the relying party trust identifier and click Next.
    6. Review the settings and click Next.
  3. Click Close to complete the wizard configuration.
  4. From the left pane, expand Trust Relationships menu, right-click Relying Party Trusts and select Properties.
  5. On the Advanced tab, select SHA-1 from the Secure hash algorithm drop-down options, and click OK.
Relying Party Properties

Step 2: Edit claim rules for relying party trusts

To edit the claim rules for the relying party trusts:

  1. From ADFS, go to Trust Relationships > Relying Party Trusts, and select Edit Claim Rules...

    Edit Claim Rules

  2. Select the Issuance Transform Rules tab, select your Account Name, and click Add Rule.

  3. In the Edit Transform Claim Rule Wizard, enter:

    1. On Select Rule Template > Choose Rule Type, set Claim rule template to Send LDAP Attributes as Claims, and click Next.
    2. On Configure Rule > Configure Claim Rule, enter the following information, and click Finish.
      • Claim rule name: Get Attributes
      • Attribute store: Active Directory
      • Mapping of LDAP attributes to outgoing claim types (this step creates the user information in OpsRamp). Each pair is LDAP attribute: Outgoing claim type:
        • Email Addresses: email address
        • Display Name: first and last name
  4. On Claim rule template, select Transform an Incoming Claim, and click Next.

  5. On Configure Rule, enter the following details:

    • Claim rule name: Name ID Transform
    • Incoming claim type: E-mail
    • Outgoing claim type: Name ID
    • Outgoing name ID format: E-mail
  6. Click Finish and OK.

    Edit Edit Rules
    ADFS get attributes
    ADFS transform rules
    ADFS Incoming claim
    ADFS transform claim

Step 3: Add rules

Rules are added to map the login name of the user to the EmailID field in OpsRamp.

To add a rule:

  1. Go to Trust Relationships > Relying Party Trusts and click Edit Claim Rules.
  2. Select the Issuance Transform Rules tab, select your Account Name, and click Add Rule.
  3. In the wizard, enter the following settings:
    • Claim rule template: Send LDAP Attributes as Claims
    • Claim rule name: AccountName to NameID
    • LDAP Attribute: SAM-Account-Name
    • Outgoing Claim Type: Name ID
  4. Click Finish.
AccountName to NameID

Step 4: Edit the claims rules for claims provider

To edit the claim rules for the claims provider:

  1. Go to AD FS > Trust Relationships > Claims Provider Trusts.
  2. Select Active Directory > Edit Claim Rules and click Add Rule.
  3. From the Claim rule template drop-down menu, select Pass Through or Filter an Incoming Claim and click Next.
  4. On the Configure Rule screen, enter the following details.
    • Claim rule name: Name ID Rule
    • Incoming claim type: Name ID
    • Incoming name ID format: E-mail
  5. Click Finish.
NameID Rule
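The four ADFS steps above can also be done, and more importantly reviewed as text, with the ADFS PowerShell module. The following is an added example written for this page, not OpsRamp's or Microsoft's own code: it applies the Step 1 hash algorithm and endpoint, the Step 2 and Step 3 issuance rules, and the Step 4 pass-through rule, then reads the trust back. Assumptions: the relying party trust created in Step 1 has the display name OpsRamp, the Display Name attribute is sent as the standard name claim, and the endpoint subdomain is a placeholder.

```powershell
# Added example (not from the OpsRamp page): Steps 1 to 4 via the ADFS module,
# run on the federation server after the relying party trust exists.
$RpName   = 'OpsRamp'                                            # assumed display name
$Endpoint = 'https://yoursubdomain.opsramp.com/samlResponse.do'   # placeholder subdomain (Step 1)

# Step 1: SAML assertion consumer endpoint and secure hash algorithm.
# The page selects SHA-1; the SHA-256 value is
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' (confirm with OpsRamp before using it).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $Endpoint
Set-AdfsRelyingPartyTrust -TargetName $RpName -SamlEndpoint $acs `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Steps 2 and 3: issuance transform rules in the claim rule language the wizard
# generates. -IssuanceTransformRules replaces the whole set, so all rules go in one string.
$issuance = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Get Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,displayName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Name ID Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleTemplate = "LdapClaims"
@RuleName = "AccountName to NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@
Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $issuance

# Step 4: pass-through rule on the Active Directory claims provider. Append to the
# existing acceptance rules; replacing them would drop the default rules that let
# windowsaccountname and the other AD claims into the pipeline at all.
$passThrough = @'

@RuleTemplate = "PassThroughClaims"
@RuleName = "Name ID Rule"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
 => issue(claim = c);
'@
$ad = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' `
    -AcceptanceTransformRules ($ad.AcceptanceTransformRules + $passThrough)

# Read back for review. The SAML Subject/NameID comes from the nameidentifier
# claim; Step 2 and Step 3 each issue one (e-mail and sAMAccountName), so confirm
# with a test login that the value reaching OpsRamp is the one it matches on.
(Get-AdfsRelyingPartyTrust -Name $RpName).SignatureAlgorithm
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
```

Keeping the rule set as text like this makes it diffable, which is the easiest way to spot an unexpected extra rule on the trust later.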

Step 5: Export the certificate

To export the certificate:

  1. Go to ADFS > Service > Certificates.

  2. Select Token-signing > View Certificate... and click the Details tab.

  3. On the Details tab, click Copy to File... and click OK.

  4. On Certificate Export Wizard > Export File Format, select DER encoded binary X.509 (.CER) and click Next.

  5. Choose a location to save your certificate and click Next.

  6. Click Finish and OK.

    View Certificate
    Certificate Export Wizard

To use SSL Shopper to convert the certificate from DER to PEM format:

  1. Log into sslshopper.com.
  2. Click SSL Converter - Convert SSL Certificates to different formats.
  3. Select the following options and click Convert Certificate:
    • Type of Current Certificate: DER/BINARY
    • Type To Convert To: Standard PEM
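Step 5 and the SSL Shopper conversion can be done in one go on the federation server, without handing the certificate to a third-party website. The following is an added example for this page, not OpsRamp's or SSL Shopper's code: it exports the primary token-signing certificate to PEM with PowerShell and then checks the file against the thumbprint ADFS displays. The output path is an assumption.

```powershell
# Added example (not from the OpsRamp page): export the AD FS token-signing
# certificate to PEM locally. Requires the ADFS module on the federation server.
$OutFile = 'C:\temp\adfs-token-signing.pem'   # assumed output path

# Get-AdfsCertificate lists the token-signing certificates; IsPrimary marks the
# one currently signing assertions (a second one appears before auto-rollover).
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate   # X509Certificate2

# DER is the raw encoding the MMC wizard writes as .CER; PEM is the same bytes
# base64-encoded, wrapped at 64 columns, between BEGIN/END CERTIFICATE lines.
$der   = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64   = [Convert]::ToBase64String($der)
$lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
$pem   = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"
Set-Content -Path $OutFile -Value $pem -Encoding ascii -NoNewline

# Checks before pasting the certificate into OpsRamp: the file re-parses as a
# certificate, its thumbprint matches AD FS > Service > Certificates, and it is
# not close to expiry (an expired signing certificate breaks every SSO login).
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile)
"Thumbprint : $($check.Thumbprint)  (AD FS shows $($signing.Thumbprint))"
"Valid until: $($check.NotAfter)"
if ($check.Thumbprint -ne $signing.Thumbprint) {
    throw 'Exported PEM does not match the primary token-signing certificate'
}
```

If you prefer the exported .CER from the wizard, the same conversion is `openssl x509 -inform DER -in token-signing.cer -out token-signing.pem`; either way, compare the thumbprint with what the ADFS console shows rather than trusting the file by its name.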

OpsRamp configuration

To configure SSO integration:

  1. From All Clients, select a client.

  2. Navigate to Setup > Account.

  3. Select the Integrations and Apps tab.

  4. The Installed Integrations page opens, listing all installed applications. Note: If there are no installed applications, you are taken to the Available Integrations and Apps page instead.

  5. Click + ADD on the Installed Integrations page. The Available Integrations and Apps page lists all available applications, including the newly created application and its version.

  6. Search for the Active Directory Federation Service using the search option available. Alternatively, use the All Categories option to search.

  7. Click +Add on the Active Directory Federation Service tile.

    SSO - ADFS configuration page
  8. Enter the following information on the Configuration page:

    • Metadata XML: Upload the identity provider's metadata XML file. It carries the Issuer URL, Redirection URL, Logout URL, and Certificate, and those fields are populated automatically after the upload.
      Alternatively, enter the information in the fields manually.
    • Issuer URL: Identity provider issuer URL
    • Redirection URL: The identity provider's SAML endpoint for HTTP
    • Logout URL: URL for logging out
    • Certificate: X.509 certificate
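The Metadata XML upload fills the four fields from the ADFS federation metadata, and when you enter them manually they come from the same document. The following added example, written for this page rather than taken from OpsRamp, shows which metadata elements map to which OpsRamp field by parsing a constructed metadata document with the same shape ADFS publishes; the host name and certificate body are placeholders, and the commented line shows where live metadata would come from.

```powershell
# Added example (not from the OpsRamp page): map AD FS federation metadata
# elements to the OpsRamp Configuration fields. Host and certificate are constructed.
$AdfsHost = 'adfs.example.test'   # placeholder federation service host

# Live metadata lives at this well-known AD FS path. Only ever fetch it over HTTPS
# from the federation server itself: these values are what OpsRamp will trust.
# $md = [xml](Invoke-WebRequest -Uri "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing).Content

# Constructed sample with the same structure, so the script runs offline.
[xml]$md = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://$AdfsHost/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://$AdfsHost/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://$AdfsHost/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"@

$idp  = $md.EntityDescriptor.IDPSSODescriptor
$post = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

# PowerShell's XML adapter walks elements by name regardless of namespace.
# Real metadata can list several KeyDescriptor elements; only use="signing" is
# the assertion-signing certificate OpsRamp needs (never use="encryption").
$signingCert = ($idp.KeyDescriptor | Where-Object { $_.use -eq 'signing' } |
                Select-Object -First 1).KeyInfo.X509Data.X509Certificate

# The metadata certificate is bare base64; wrap at 64 columns and add PEM headers.
$pemBody = (($signingCert -replace '\s', '') -replace '(.{64})', "`$1`n").TrimEnd()

$fields = [pscustomobject]@{
    'Issuer URL'      = $md.EntityDescriptor.entityID
    'Redirection URL' = ($idp.SingleSignOnService | Where-Object { $_.Binding -eq $post }).Location
    'Logout URL'      = ($idp.SingleLogoutService | Where-Object { $_.Binding -eq $post }).Location
    'Certificate'     = "-----BEGIN CERTIFICATE-----`n$pemBody`n-----END CERTIFICATE-----"
}
$fields | Format-List
```

On a real deployment the Issuer URL is the entityID (http://<host>/adfs/services/trust, which is an identifier, not a web address) and both service locations are https://<host>/adfs/ls/; the certificate should have the same thumbprint as the token-signing certificate exported in Step 5.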

  9. Provision Username as: There are two ways to provision a user. Select the appropriate option:

    • Identity Provider’s Name Identifier: selected by default. Users created in the SSO portal appear in OpsRamp under the same username.

    • Identity Provider’s Name Identifier with OpsRamp tenant-unique prefix: This option allows you to:

      • Create usernames with a unique 3-character alphanumeric prefix that the system generates automatically.
      • Install the same identity provider across multiple OpsRamp tenants.
        Note: Once you enable this option and install the integration, you cannot revert the change.
        Example: There are three partners, P1, P2, and P3. Each partner's usernames carry a unique 3-character alphanumeric prefix, such as g0z.username1 for partner P1, p0w.username1 for partner P2, and t9q.username1 for partner P3.

  10. Click Next.

  11. On the Inbound page, under User Provision, select the following details and click Update User Provision:

    • Provision Type: If you select JIT, the user is created just-in-time during login.
    • Default Role: The role assigned to provisioned users.

  12. Define the following Map Attributes:

    Note: The OpsRamp properties Primary Email, First Name, Last Name, and Role are required.

    1. Click +Add in the Map Attributes section.
    2. From the Add Map Attributes window, enter the following information:

    User:

    1. Select OpsRamp Entity as User and OpsRamp Property as Role. Role mapping is required for both User and User Group.
    2. ADFS Entity: Enter the value.
    3. ADFS Property: Enter the value.
       Repeat the mapping for Primary Email, First Name, and Last Name.
    4. Under Property Values, ADFS Property Value: Enter the value that is coming from the Azure side (from the payload).
    5. OpsRamp Property Value: Select the role corresponding to the ADFS Property Value.
    6. Click Save. The mapping is saved and displayed.
       To add more property values, click +Property Value.
       Use the Filter option to filter the map attributes.

    Map attributes for the other entities in the same way.

    Note: If no mapping for Time Zone is provided, the organization time zone is used by default.

    User Group:

    1. Select OpsRamp Entity as User Group and OpsRamp Property as Role.
    2. ADFS Entity: Enter the value.
    3. ADFS Property: Enter the value.
       Repeat the mapping for Primary Email, First Name, and Last Name.
    4. Under Property Values, ADFS Property Value: Enter the value that is coming from the Azure side (from the payload).
    5. OpsRamp Property Value: Select the role corresponding to the ADFS Property Value.
    6. Click Save. The mapping is saved and displayed.
       To add more property values, click +Property Value.
    7. Click Add Map Attributes.

    • Click the three dots (menu icon) at the end of a row to edit or delete a map attribute.

    If Role is not configured in the Map Attributes section, the Default Role set in the User Provision section is used for SSO.

  13. Click Finish. The integration is installed.