ADFS is a popular identity management product that can be integrated with Wavefront to enable single sign-on.
Step 1. Run the Wizard
To add the ADFS integration to Wavefront, follow these steps:
Note: For the next two steps, replace
https://customer.wavefront.com with your Wavefront instance URL:
Step 2. Set up Claim Rules
This task produces a SAML claim in the following format:
Here is an example of the resulting rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties /format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified");
The rule contains an identifier pull from Active Directory. Wavefront sends an email to this identifier value, so it should be a valid email address.
The screenshots below show to form this identifier from the 1st email address for the user stored in Active Directory.
The rule sends an email address claim in the SAML response. The new rule transforms that email address claim into the NameID claim that Wavefront needs.
Step 3. Download Identity Provider Metadata and Send to Wavefront
https://<FQDN of ADFS>/FederationMetadata/2007-06/FederationMetadata.xmlto retrieve the identify provider metadata file.
- Send the metadata file to firstname.lastname@example.org with a request to set up ADFS SSO integration for Wavefront and we’ll activate the integration on our end. We’ll notify you as soon as we’ve done this. At that point the users would authenticate to Wavefront through ADFS instead of using a password. Any new user that comes along that did not yet exist in Wavefront is auto-created on the Wavefront side on first authentication.