Learn about the Wavefront ADFS Integration.

ADFS Integration

ADFS is a popular identity management product that can be integrated with Wavefront to enable single sign-on.

ADFS Setup

After setting up the ADFS integration, users can authenticate to Wavefront through ADFS instead of using a password. New users who did not exist in Wavefront are auto-created on the Wavefront side when they authenticate for the first time.

Step 1. Run the Wizard

To add the ADFS integration to Wavefront, follow these steps:

images/sso_adfs_1.png

images/sso_adfs_2.png

images/sso_adfs_3.png

images/sso_adfs_4.png

images/sso_adfs_5.png

Note: For the next two steps, replace https://customer.wavefront.com with your Wavefront instance URL: https://YOUR_CLUSTER.wavefront.com.

images/sso_adfs_6.png

images/sso_adfs_7.png

images/sso_adfs_8.png

images/sso_adfs_9.png

Step 2. Set up Claim Rules

This task produces a SAML claim in the following format:

urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified

Here is an example of the resulting rule:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties /format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified");

The rule contains an identifier pull from Active Directory. Wavefront sends an email to this identifier value, so it should be a valid email address.

The screenshots below show to form this identifier from the 1st email address for the user stored in Active Directory.

images/sso_adfs_10.png

The rule sends an email address claim in the SAML response. The new rule transforms that email address claim into the NameID claim that Wavefront needs.

images/sso_adfs_11.png

Step 3. Send the Identity Provider Metadata to Wavefront and Complete the Setup

  1. Download https://<FQDN of ADFS>/FederationMetadata/2007-06/FederationMetadata.xml identity provider metadata file.
  2. Log in to your Wavefront instance as a user with SAML IdP Admin permissions.
  3. From the gear icon in the top right corner, select Self Service SAML.
  4. From the Identity Provider drop-down menu, select ADFS.
  5. Paste the downloaded metadata into the Configure Connection text box.
  6. To validate the metadata, click Test. The ADFS login page opens in a new browser window.
  7. Log in to ADFS.
  8. After the login is successful, click the Save button.

    Note: The Save button is disabled until you’ve completed a test successfully.