Configure Active Directory Federation Services as an Identity Provider

Pivotal Web Services End of Availability Announced
For more information, see Frequently Asked Questions.

This topic describes how to set up Active Directory Federation Services (AD FS) as your identity provider by configuring SAML integration in both Pivotal Web Services (PWS) and AD FS.

Set up SAML in PWS

  1. Log in to the Single Sign-On (SSO) dashboard at as a Plan Administrator.
  2. Select your plan and click Manage Identity Providers on the drop-down menu.

    Adfs manage id providers

  3. Click Configure SAML Service Provider.

    Adfs config saml service provider

  4. (Optional) Select Perform signed authentication requests to enforce SSO private key signature and identity provider validation.

    Saml auth checkbox

  5. (Optional) Select Require signed assertions to validate the origin of signed responses.

  6. Click Download Metadata to download the service provider metadata.

  7. Click Save.

Set up SAML in Active Directory Federation Services

  1. Open the AD FS Management console.

  2. Click Add Relying Party Trust… in the Actions pane.

  3. On the Welcome step, click Start.

    Adfs add relying party

  4. Select Import data about the relying party from a file, enter the path to the downloaded service provider metadata, and click Next.

    Adfs import metadata

  5. Enter a name for Display name and click Next.

    Adfs display name

  6. Leave the default multi-factor authentication selection and click Next.

    Adfs mfa

  7. Select Permit all users to access this relying party and click Next.

    Adfs permit users

  8. Review your settings and click Next.

  9. Click Close to finish the wizard.

  10. The claim rule editor should open by default. If it does not, select your Relying Party Trust and click Edit Claim Rules… in the Actions pane.

  11. Create two claim rules by following these steps:

    1. Click Add Rule.
    2. Select Send LDAP Attributes as Claims for Claim rule template and click Next.

      Adfs ldap claims

    3. Enter a Claim rule name.

    4. Select Active Directory for Attribute store.

    5. Select E-Mail-Addresses for LDAP Attribute and select E-mail Address for Outgoing Claim Type.

    6. Click Finish.

      Adfs ldap claim mappings

    7. Click Add Rule.

    8. Select Transform an Incoming Claim for Claim rule template and click Next.

      Adfs transform claims

    9. Enter a Claim rule name.

    10. Select E-Mail Address for Incoming claim type.

    11. Select Name ID for Outgoing claim type

    12. Select Email for Outgoing name ID format.

    13. Click Finish.

      Adfs transform claim mappings

  12. Double-click on the new Relying Party Trust to open the properties.

  13. Select the Encryption tab and click Remove to remove the encryption certificate.

    Adfs remove cert

  14. Select the Advanced tab and select SHA algorithm for the Secure hash algorithm that matches the SHA Algorithm configured for PCF Elastic Runtime.

    Adfs sha1

  15. (Optional) If you are using a self-signed certificate, disable CRL checks by following these steps:

    1. Open Windows Powershell as an Administrator.
    2. Execute the following command:
      > set-ADFSRelyingPartyTrust -TargetName "< Relying Party Trust >" -SigningCertificateRevocationCheck None
  16. (Optional) If you are using a self-signed certificate, add it to the ADFS trust store. Obtain the OpsManager certificate from https://OPS_MANAGER_IP/api/v0/security/root_ca_certificate and add this CA certificate to the ADFS trust store, so ADFS can trust the “Service Provider Key Certificate” certificate signed by OpsManager ROOT CA.

  17. (Optional) To specify any application or group attributes that you want to map to users in the ID token, click Edit Claim Rules… and configure Send LDAP Attributes as Claims.