SSO integration is configured on both sides, in ADFS and in OpsRamp. The configuration sets up the SAML redirects to your custom-branded OpsRamp URL.

Prerequisites

  • Partners must register with OpsRamp to get OpsRamp login credentials.
  • Provide your custom branding URL (such as <yourwebsitename>.opsramp.com).

ADFS configuration

ADFS configuration involves the following:

  1. Adding the relying party trust and its identifier.
  2. Editing the claim rules for the relying party trust.
  3. Adding the account-name rule.
  4. Editing the claim rules for the claims provider.
  5. Exporting the token-signing certificate.

Step 1: Add the relying party trust identifier

To add the relying party trust identifier:

  1. On the ADFS server, open Server Manager and go to Tools > AD FS Management.
  2. Under AD FS > Trust Relationships > Relying Party Trusts, select Add Relying Party Trust... and click Start to begin the wizard.
    1. On Specify Display Name, provide a unique display name and click Next.
    2. On Choose Profile, select the AD FS profile and click Next.
    3. On Configure Certificate, leave the token encryption certificate empty and click Next.
    4. On Configure URL, check Enable support for the SAML 2.0 WebSSO protocol, enter https://yoursubdomain.opsramp.com/samlResponse.do with yoursubdomain replaced by your custom branding subdomain, and click Next.
    5. On Configure Identifiers, enter the relying party trust identifier, click Add, and click Next.
    6. Review the settings and click Next.
  3. Click Close to complete the wizard.
  4. In the left pane, expand Trust Relationships > Relying Party Trusts, right-click the trust you just created, and select Properties.
  5. On the Advanced tab, select SHA-1 from the Secure hash algorithm drop-down and click OK. Note: ADFS defaults to SHA-256 here, and SHA-1 signatures are deprecated; confirm with OpsRamp whether SHA-256 is accepted before downgrading, and keep SHA-1 only if it is required.
Relying Party Properties

Step 2: Edit claim rules for the relying party trust

To edit the claim rules for the relying party trust:

  1. Under Trust Relationships > Relying Party Trusts, select the OpsRamp trust and click Edit Claim Rules...
    Edit Claim Rules
  2. On the Issuance Transform Rules tab, click Add Rule.
  3. In the Add Transform Claim Rule Wizard:
    1. On Choose Rule Type, set Claim rule template to Send LDAP Attributes as Claims and click Next.
    2. On Configure Claim Rule, enter the following and click Finish.
      • Claim rule name: Get Attributes
      • Attribute store: Active Directory
      • Mapping of LDAP attributes to outgoing claim types (these claims populate the user record in OpsRamp):
        • LDAP attribute E-Mail-Addresses: outgoing claim type E-Mail Address
        • LDAP attribute Display-Name: first and last name
  4. Click Add Rule again. On Choose Rule Type, set Claim rule template to Transform an Incoming Claim and click Next.
  5. On Configure Claim Rule, enter the following details:
    • Claim rule name: Name ID Transform
    • Incoming claim type: E-Mail Address
    • Outgoing claim type: Name ID
    • Outgoing name ID format: Email
  6. Click Finish, then OK.
Add Transform Claim Rule Wizard

Step 3: Add the account-name rule

This rule maps the user's Windows login name (sAMAccountName) to the Name ID that OpsRamp stores as the user's Email ID. Both this rule and the Name ID Transform rule from Step 2 issue a Name ID; a SAML Subject carries a single NameID, so if token issuance fails, keep only the rule whose value matches the username format OpsRamp expects.

To add the rule:

  1. Under Trust Relationships > Relying Party Trusts, select the OpsRamp trust and click Edit Claim Rules...
  2. On the Issuance Transform Rules tab, click Add Rule.
  3. In the wizard, enter the following settings:
    • Claim rule template: Send LDAP Attributes as Claims
    • Claim rule name: AccountName to NameID
    • Attribute store: Active Directory
    • LDAP attribute: SAM-Account-Name
    • Outgoing claim type: Name ID
  4. Click Finish.
AccountName to NameID

Step 4: Edit the claim rules for the claims provider

To edit the claim rules for the claims provider:

  1. Go to AD FS > Trust Relationships > Claims Provider Trusts.
  2. Select Active Directory, click Edit Claim Rules..., and click Add Rule.
  3. From the Claim rule template drop-down, select Pass Through or Filter an Incoming Claim and click Next.
  4. On Configure Claim Rule, enter the following details:
    • Claim rule name: Name ID Rule
    • Incoming claim type: Name ID
    • Incoming name ID format: Email
    • Leave Pass through all claim values selected (the default).
  5. Click Finish.
NameID Rule
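Steps 1 to 4 can be scripted with the ADFS PowerShell module instead of the wizards, which also makes the resulting claim rules reviewable as text. The following is an added example, not a script from OpsRamp or Microsoft: the subdomain, trust name and relying party identifier are placeholders (the page does not state the identifier value), and the rules are the claim-rule-language equivalents of the wizard selections above.

```powershell
# Added example: scripts ADFS Steps 1-4 for the OpsRamp relying party trust.
# Run in an elevated PowerShell session on the ADFS server as an ADFS administrator.
Import-Module ADFS

$Subdomain  = 'yoursubdomain'                          # assumption: your custom branding subdomain
$AcsUrl     = "https://$Subdomain.opsramp.com/samlResponse.do"
$TrustName  = 'OpsRamp'                                # display name chosen in Step 1
$Identifier = "https://$Subdomain.opsramp.com"         # assumption: the relying party trust identifier

# Step 1: relying party trust with the SAML 2.0 WebSSO assertion consumer endpoint.
# No -EncryptionCertificate is given, matching the empty token encryption certificate in the wizard.
# The authorization rule permits all authenticated users (ADFS 2016+ can use -AccessControlPolicyName instead).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0
Add-AdfsRelyingPartyTrust -Name $TrustName -Identifier $Identifier -SamlEndpoint $acs `
    -IssuanceAuthorizationRules '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 1, Properties > Advanced: the page specifies SHA-1. ADFS defaults to SHA-256
# (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256); downgrade only if OpsRamp rejects SHA-256.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

$claimsUri = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
$fmtProp   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$emailFmt  = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'

# Step 2: "Get Attributes" (LDAP mail/givenName/sn as claims) and "Name ID Transform" (E-Mail Address -> Name ID).
$issuanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Get Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$claimsUri/emailaddress", "$claimsUri/givenname", "$claimsUri/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Name ID Transform"
c:[Type == "$claimsUri/emailaddress"]
 => issue(Type = "$claimsUri/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$fmtProp"] = "$emailFmt");
"@

# Step 3: "AccountName to NameID" issues Name ID from sAMAccountName. A SAML Subject carries one NameID,
# so append this INSTEAD OF the "Name ID Transform" rule above if OpsRamp usernames are login names, not e-mail.
$accountNameRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "AccountName to NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$claimsUri/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
"@
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $issuanceRules

# Step 4: pass the e-mail-format Name ID through the Active Directory claims provider trust.
# -AcceptanceTransformRules REPLACES the whole rule set, so append to the existing default rules
# (windowsaccountname, primary SID, group SIDs, ...) rather than overwrite them.
$passThrough = @"

@RuleTemplate = "PassThroughClaims"
@RuleName = "Name ID Rule"
c:[Type == "$claimsUri/nameidentifier", Properties["$fmtProp"] == "$emailFmt"]
 => issue(claim = c);
"@
$adTrust = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules ($adTrust.AcceptanceTransformRules + $passThrough)

# Verify what was configured before testing a login.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, SignatureAlgorithm, @{ n = 'AssertionConsumer'; e = { $_.SamlEndpoints.Location } }
```

Keeping the rule text in version control lets you diff the trust after every change; `(Get-AdfsRelyingPartyTrust -Name 'OpsRamp').IssuanceTransformRules` returns the live rules for comparison.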

Step 5: Export the token-signing certificate

To export the certificate:

  1. Go to AD FS > Service > Certificates.
  2. Under Token-signing, select the certificate marked Primary, click View Certificate..., and open the Details tab.
  3. Click Copy to File... to start the Certificate Export Wizard, and click Next.
  4. On Export File Format, select DER encoded binary X.509 (.CER) and click Next.
  5. Choose a location for the certificate file and click Next.
  6. Click Finish, then OK.

The OpsRamp form takes the certificate in PEM (Base64) format, so the DER file must be converted. The exported file contains only the public certificate, so an online converter discloses no secret, but you can also convert it locally on the ADFS server with certutil -encode token-signing.cer token-signing.pem, or with openssl x509 -inform der -in token-signing.cer -out token-signing.pem.

To use SSL Shopper to convert the certificate from DER to PEM format:

  1. Open sslshopper.com.
  2. Click SSL Converter - Convert SSL Certificates to different formats.
  3. Select the following options, upload the .cer file, and click Convert Certificate:
    • Type of Current Certificate: DER/BINARY
    • Type To Convert To: Standard PEM
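Step 5 can also be done entirely on the ADFS server, with no certificate export wizard and no third-party converter, and the same session can print the Issuer URL and Redirection URL that the OpsRamp form asks for. This is an added example, not OpsRamp's or Microsoft's code; the output path is a placeholder, and it assumes the default /adfs/ls/ SAML endpoint is enabled.

```powershell
# Added example: write the primary ADFS token-signing certificate as PEM and print the
# identity provider values needed by the OpsRamp SSO form.
Import-Module ADFS

$OutFile = 'C:\Temp\adfs-token-signing.pem'   # assumption: any writable path

# The primary token-signing certificate is the one that currently signs SAML responses.
# With AutoCertificateRollover enabled, a secondary certificate becomes primary later and
# OpsRamp must then be updated, so record the expiry.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2

# Export the public certificate only (ContentType Cert = DER, no private key), then wrap it as PEM
# with 64-character lines, which is what "Standard PEM" means.
$der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64  = [Convert]::ToBase64String($der)
$body = [regex]::Replace($b64, '.{64}', "`$0`n").TrimEnd("`n")
$pem  = "-----BEGIN CERTIFICATE-----`n$body`n-----END CERTIFICATE-----`n"
[System.IO.File]::WriteAllText($OutFile, $pem)

"Certificate written : $OutFile"
"Thumbprint          : $($cert.Thumbprint)"   # compare with the thumbprint OpsRamp shows after upload
"Signature algorithm : $($cert.SignatureAlgorithm.FriendlyName)"
"Expires             : $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'Token-signing certificate expires within 30 days; plan the OpsRamp certificate update.'
}

# Values for the OpsRamp form. The ADFS identifier is the SAML Issuer, and /adfs/ls/ is the SAML 2.0
# endpoint that receives sign-in and logout requests. The federation metadata at
# https://<adfs-fqdn>/FederationMetadata/2007-06/FederationMetadata.xml publishes the same values
# together with the signing certificate, and is a good cross-check of the file written above.
$props = Get-AdfsProperties
$saml  = Get-AdfsEndpoint -AddressPath '/adfs/ls/'
"Issuer URL          : $($props.Identifier)"
"Redirection URL     : $($saml.FullUrl)  (enabled: $($saml.Enabled))"
```

Run it again after a certificate rollover: the thumbprint changes, and the old PEM in OpsRamp will no longer validate ADFS signatures.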

OpsRamp configuration

To configure the SSO integration from the OpsRamp console:

  1. From All Clients, select a client.

  2. Go to Setup > Account.

  3. Select the Integrations and Apps tab.

  4. The Installed Integrations page lists all installed applications. Note: if no applications are installed, the console opens the Available Integrations and Apps page instead.

  5. Click + ADD on the Installed Integrations page. The Available Integrations and Apps page lists all available applications, including newly created applications with their version.
    Note: You can also find an application with the search box, or filter with the All Categories option.

  6. From Available Integrations and Apps, locate Active Directory Federation Service, click +ADD, and click Install.

    SSO - Tenant unique prefix
  7. Enter:

    • Issuer URL: the identity provider's issuer URL (the ADFS entity ID)
    • Redirection URL: the identity provider's SAML endpoint for HTTP, to which OpsRamp redirects users for sign-in
    • Logout URL: the identity provider's logout URL
    • Certificate: the X.509 token-signing certificate exported in Step 5, in PEM format

  8. Provision Username as: there are two ways to provision a username:

    • Identity Provider's Name Identifier (selected by default): the OpsRamp username is the Name ID issued by the identity provider, so a user created in the SSO portal appears in OpsRamp under the same name.

    • Identity Provider's Name Identifier with OpsRamp tenant-unique prefix: this option lets you:

      • Create usernames with a unique three-character alphanumeric prefix that the system generates automatically.
      • Install the same identity provider across multiple OpsRamp tenants.
        Note: Once you enable this option and install the integration, you cannot revert the change.
        Example: There are three partners, P1, P2, and P3. Each partner's usernames carry a distinct prefix, such as g0z.username1 for partner P1, p0w.username1 for partner P2, and t9q.username1 for partner P3.

      After installing the integration, clicking the integration name on the Configuration tab shows the unique tenant prefix in the User Provision section.

      User Provision - Tenant prefix
  9. Click Install.

    User Provision:

    Select the following and click Save:
    • Provision Type: select SCIM to synchronize users and groups from the identity provider when provisioning runs. With JIT, the user is instead created in OpsRamp at first SSO login.
    • Default Role: the role assigned to provisioned users.

  10. Copy the URL and Token. They are entered in the identity provider's provisioning settings (the page refers to Azure AD Provisioning). The token is a bearer credential that authorizes creating and modifying OpsRamp users and groups, so store it like a password.

  11. Define the following Map Attributes:

    Role mapping is required for users and user groups.

    User:

    1. Select OpsRamp Entity as User and OpsRamp Property as Role.
    2. Click +. The Create User Mapping on Role popup is displayed.

    a. Third-party Entity: enter the value.
    b. Third-party Property: enter the value.
    OpsRamp Entity and OpsRamp Property are populated automatically.
    Under Add Property Values:
    c. Third-party Property Value: enter the value as it arrives in the identity provider's payload (the Azure side).
    d. OpsRamp Property Value: select the role corresponding to the Third-party Property Value. To add more property values, click +.
    e. Click Save. The mapping is saved and displayed.

    Map other attributes such as First Name, Last Name, Mobile Number, Phone, and Email in the same way.

    User Group:

    1. Select OpsRamp Entity as User Group and OpsRamp Property as Role.
    2. Click +. The Create User Group Mapping on Role popup is displayed.

    a. Third-party Entity: enter the value.
    b. Third-party Property: enter the value.
    OpsRamp Entity and OpsRamp Property are populated automatically.
    Under Add Property Values:
    c. Third-party Property Value: enter the value as it arrives in the identity provider's payload (the Azure side).
    d. OpsRamp Property Value: select the role corresponding to the Third-party Property Value. To add more property values, click +.
    e. Click Save. The mapping is saved and displayed.

If no Role mapping is configured in the Map Attributes section, the Default Role set under User Provision is applied to SSO users.