SSO integration is configured on both sides: in Active Directory Federation Service (ADFS) and in OpsRamp. The configuration sets up the redirects to your custom branded URL.

Prerequisite

  • Partners must register with OpsRamp to get OpsRamp login credentials.
  • Provide your custom branding URL (such as <yourwebsitename>.opsramp.com).

ADFS configuration

ADFS configuration involves the following:

  1. Adding the relying party trust identifier.
  2. Editing the claim rules for the relying party trust.
  3. Adding rules.
  4. Editing the claims rules for the claims provider.
  5. Exporting the certificate.

Step 1: Add relying party trust identifiers

To add the relying party trust identifier:

  1. From ADFS, go to Tools > AD FS Management.
  2. From AD FS > Trust Relationships > Relying Party Trusts, select Add Relying Party Trust and click Start to begin the wizard.
    1. On Specify Display Name, provide a unique display name and click Next.
    2. On Choose Profile, select the AD FS profile and click Next.
    3. On Configure Certificate, clear the Token encryption certificate field and click Next.
    4. On Configure URL, check Enable support for the SAML 2.0 WebSSO protocol, enter the relying party SAML 2.0 SSO service URL https://yoursubdomain.opsramp.com/samlResponse.do (replacing yoursubdomain with your custom branding subdomain), and click Next.
    5. On the Configure Identifiers screen, enter the Relying party trust identifier and click Next.
    6. Review the settings and click Next.
  3. Click Close to complete the wizard configuration.
  4. From the left pane, expand the Trust Relationships menu, right-click Relying Party Trusts and select Properties.
  5. On the Advanced tab, select SHA-1 from the Secure hash algorithm drop-down options, and click OK.
Relying Party Properties

Step 2: Edit claim rules for relying party trusts

To edit the claim rules for the relying party trusts:

  1. From ADFS, go to Trust Relationships > Relying Party Trusts, and select Edit Claim Rules...

    Edit Claim Rules

  2. Select the Issuance Transform Rules tab, select your Account Name, and click Add Rule.

  3. In the Edit Transform Claim Rule Wizard, enter:

    1. On Select Rule Template > Choose Rule Type, set Claim rule template to Send LDAP Attributes as Claims, and click Next.
    2. On Configure Rule > Configure Claim Rule, enter the following information, and click Finish.
      • Claim rule name: Get Attributes
      • Attribute store: Active Directory
      • Mapping of LDAP attributes to outgoing claim types (this step creates the user information in OpsRamp), listed as LDAP attribute: Outgoing claim type:
        • Email Addresses: email address
        • Display Name: first and last name
  4. On Choose Rule Type, set Claim rule template to Transform an Incoming Claim, and click Next.

  5. On Configure Rule, enter the following details:

    • Claim rule name: Name ID Transform
    • Incoming claim type: E-mail
    • Outgoing claim type: Name ID
    • Outgoing name ID format: E-mail
  6. Click Finish and OK.

    Edit Claim Rules
    ADFS get attributes
    ADFS transform rules
    ADFS Incoming claim
    ADFS transform claim

Step 3: Add rules

Rules are added to map the login name of the user to the EmailID field in OpsRamp.

To add a rule:

  1. Go to Trust Relationships > Relying Party Trusts and click Edit Claim Rules.
  2. Select the Issuance Transform Rules tab, select your Account Name, and click Add Rule.
  3. In the wizard, enter the following settings:
    • Claim rule template: Send LDAP Attributes as Claims
    • Claim rule name: AccountName to NameID
    • LDAP Attribute: SAM-Account-Name
    • Outgoing Claim Type: Name ID
  4. Click Finish.
AccountName to NameID

Step 4: Edit the claims rules for claims provider

To edit the claim rules for the claims provider:

  1. Go to AD FS > Trust Relationships > Claims Provider Trusts.
  2. Select Active Directory > Edit Claim Rules and click Add Rule.
  3. From the Claim rule template drop-down menu, select Pass Through or Filter an Incoming Claim and click Next.
  4. On the Configure Rule screen, enter the following details.
    • Claim rule name: Name ID Rule
    • Incoming claim type: Name ID
    • Incoming name ID format: E-mail
  5. Click Finish.
NameID Rule

Step 5: Export the certificate

To export the certificate:

  1. Go to ADFS > Service > Certificates.

  2. Select Token-signing > View Certificate... and click the Details tab.

  3. Click Copy to File... and click OK.

  4. On Certificate Export Wizard > Export File Format, select DER encoded binary X.509 (.CER) and click Next.

  5. Choose a location to save your certificate and click Next.

  6. Click Finish and OK.

    View Certificate
    Certificate Export Wizard

To use SSL Shopper to convert the certificate from DER to PEM format:

  1. Log into sslshopper.com.
  2. Click SSL Converter - Convert SSL Certificates to different formats.
  3. Select the following options and click Convert Certificate:
    • Type of Current Certificate: DER/BINARY
    • Type To Convert To: Standard PEM

OpsRamp configuration

To configure SSO integration:

  1. From All Clients, select a client.

  2. Navigate to Setup > Account.

  3. Select the Integrations and Apps tab.

  4. The Installed Integrations page opens, listing all installed applications. Note: If no applications are installed, you are taken to the Available Integrations and Apps page instead.

  5. Click + ADD on the Installed Integrations page. The Available Integrations and Apps page displays all the available applications along with the newly created application with the version.

  6. Search for the Active Directory Federation Service using the search option available. Alternatively, use the All Categories option to search.

  7. Click +Add on the Active Directory Federation Service tile.

    SSO - ADFS configuration page
  8. Enter the following information in the Configuration page:

    • Metadata XML: Upload the XML file. This file will have all the information related to Issuer URL, Redirection URL, Logout URL, and Certificate. After you upload the Metadata XML file, these fields are automatically populated.
      Alternatively, you can enter the information in the fields manually.
    • Issuer URL: Identity provider Issuer URL
    • Redirection URL: SAML endpoint for HTTP
    • Logout URL: URL for logging out
    • Certificate: x.509 Certificate

  9. Provision Username as: There are two ways to provision a user. Select the appropriate option:

    • Identity Provider's Name Identifier: selected by default. The user created in the SSO portal is reflected in OpsRamp.

    • Identity Provider's Name Identifier with OpsRamp tenant-unique prefix: This option allows you to:

      • Create usernames with a unique 3-character alphanumeric prefix that the system generates automatically.
      • Install the same identity provider across multiple OpsRamp tenants.
        Note: Once you enable this option and install the integration, you cannot revert the change.
        Example: There are three partners, P1, P2, and P3. Each partner's usernames carry a unique 3-character alphanumeric prefix, such as g0z.username1 for partner P1, p0w.username1 for partner P2, and t9q.username1 for partner P3.

  10. Click Next. The INBOUND screen is displayed.

    The Inbound page has two sections: USER PROVISION and MAP ATTRIBUTES.

    USER PROVISION

    • JIT: Just-in-time provisioning, described in the following section.
    • NONE: Only existing users can log in.

    JIT

    The following section describes JIT provisioning in detail.

    In the Inbound page:

    1. Click the edit icon, enter the following information, and click UPDATE USER PROVISION:

    Field Name      Field Type   Description
    Provision Type  Dropdown     Select JIT. The Provision Type must be JIT for users to be synchronized when provisioning occurs.
    Default Role    Dropdown     The user role assigned by default.
    Select JIT as user provision

    The details are updated and the USER PROVISION section displays the unique Tenant Prefix. These details are used when configuring Active Directory Federation Service Provisioning settings.

    User Provision screen

    MAP ATTRIBUTES

  11. Define the following Map Attributes:

    Note: For JIT, the OpsRamp properties Primary Email, First Name, Last Name, and Role are required.

    1. Click +Add in the Map Attributes section.
    2. In the Add Map Attributes window, enter the following information.

    User:

    1. Select OpsRamp Entity as User and OpsRamp Property as Role.
    2. Active Directory Federation Service Entity: Enter the value.
    3. Active Directory Federation Service Property: Enter the value.
    4. In the PROPERTY VALUES section, Active Directory Federation Service Property Value: Enter the ADFS property value.
    5. OpsRamp Property Value: Select the role corresponding to the Active Directory Federation Service Property Value.
    6. Click Save. The mapping is saved and displayed.
       To add more property values, click +Property Value.
       Use the Filter option to filter the map attributes.

    ADFS mapping attributes screen - User

    Similarly, map attributes for the other entities.

    Note: If no mapping is provided for Time Zone, the organization time zone is used by default.

    3. Click ADD MAP ATTRIBUTES.

    • Click the three dots (menu icon) at the end of a row to edit or delete a map attribute.
    • Use Filter to filter the map attributes.

    Note: If Role is not configured in Map Attributes section, the Default Role provided in USER PROVISION section is considered for SSO.

  12. Click FINISH. The ADFS integration is installed and displayed under Installed Integrations.
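As an added example (not OpsRamp's or Microsoft's code), the following Python script does two of the above steps without a third-party website: it wraps the DER (.CER) token-signing certificate exported in Step 5 in PEM armor, and it reads the Issuer URL, Redirection URL, Logout URL and signing certificate out of ADFS federation metadata XML, the fields the configuration page fills in from Metadata XML. It assumes the Redirection URL is the HTTP-POST SingleSignOnService endpoint; the hostnames and the 5-byte placeholder "certificate" in the sample metadata are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"   # assumed binding for the Redirection URL

def der_outer_length(der: bytes) -> int:
    """Byte length declared by the outer DER SEQUENCE header (an X.509 cert is one SEQUENCE); -1 if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    if der[1] < 0x80:                               # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                               # long-form: the next n bytes carry the length
    if n == 0 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def der_to_pem(der: bytes) -> str:
    """Wrap an exported DER (.CER) certificate in PEM armor, 64 characters per line."""
    if der_outer_length(der) != len(der):
        raise ValueError("input is not a single well-formed DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def parse_adfs_metadata(xml_text: str) -> dict:
    """Extract the Issuer URL, Redirection URL, Logout URL and signing certificate(s) the OpsRamp form asks for."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    def location(tag):                              # endpoint advertised for the HTTP-POST binding, or None
        return next((e.get("Location") for e in idp.findall(f"md:{tag}", NS) if e.get("Binding") == HTTP_POST), None)
    certs = [der_to_pem(base64.b64decode("".join(c.text.split())))
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # skip encryption keys; unmarked keys count as signing
             for c in kd.findall(".//ds:X509Certificate", NS)]
    return {"issuer_url": root.get("entityID"), "redirection_url": location("SingleSignOnService"),
            "logout_url": location("SingleLogoutService"), "certificates": certs}

# Constructed sample: trimmed federation metadata with a placeholder hostname and a 5-byte DER SEQUENCE standing in for the certificate (NOT a real X.509 certificate).
FAKE_DER = bytes.fromhex("3003020105")
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="http://adfs.example.test/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
   <X509Certificate>{base64.b64encode(FAKE_DER).decode()}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="{HTTP_POST}" Location="https://adfs.example.test/adfs/ls/"/>
  <SingleSignOnService Binding="{HTTP_POST}" Location="https://adfs.example.test/adfs/ls/"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""
```

For a real export, read the .CER file in binary mode and pass its bytes to der_to_pem; the check on the outer SEQUENCE length catches a file that was saved in Base-64 rather than DER format.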

Actions on Integration

You can perform actions like View Logs, Export, Edit, and Uninstall on the integration.

Audit Logs

View Inbound logs from the View Logs option for the integration. Each log entry shows whether the event was successful.

See Audit Logs for more information.