ADFS is a popular identity management product that can be integrated with Wavefront to enable single sign-on.
After setting up the ADFS integration, users can authenticate to Wavefront through ADFS instead of using a password. New users who did not exist in Wavefront are auto-created on the Wavefront side when they authenticate for the first time.
Step 1. Run the Wizard
To add the ADFS integration to Wavefront, follow these steps:
Note: For the next two steps, replace
https://customer.wavefront.com with your Wavefront instance URL:
Step 2. Set up Claim Rules
This task produces a SAML claim in the following format:
Here is an example of the resulting rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties /format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified");
The rule contains an identifier pull from Active Directory. Wavefront sends an email to this identifier value, so it should be a valid email address.
The screenshots below show to form this identifier from the 1st email address for the user stored in Active Directory.
The rule sends an email address claim in the SAML response. The new rule transforms that email address claim into the NameID claim that Wavefront needs.
Step 3. Send the Identity Provider Metadata to Wavefront and Complete the Setup
https://<FQDN of ADFS>/FederationMetadata/2007-06/FederationMetadata.xmlidentity provider metadata file.
- Log in to your Wavefront instance as a user with
SAML IdP Adminpermissions.
- From the gear icon in the top right corner, select Self Service SAML.
- From the Identity Provider drop-down menu, select ADFS.
- Paste the downloaded metadata into the Configure Connection text box.
- To validate the metadata, click Test. The ADFS login page opens in a new browser window.
- Log in to ADFS.
After the login is successful, click the Save button.
Note: The Save button is disabled until you’ve completed a test successfully.