- Log in to the Hitachi Ops Center Portal as the sysadmin user or as a user who belongs to the opscenter-administrators group.
- From the navigation bar, click Manage users.
- In the Users window, from the Asset type, click Identity providers.
- In the Identity Providers window, click +.
- In the wizard, enter and register the required items.
| Item | Value |
|---|---|
| Provider type | Active Directory Federation Services |
| Federation protocol | OpenID Connect 1.0 |
| Display name | Name of the identity provider (up to 64 characters). |
| Alias | Alias name that was decided on in Registering Common Services in AD FS as an application group. |
| OpenID Connect discovery endpoint | The endpoint that was verified in Checking the OpenID Connect Discovery endpoint of AD FS. |
| Enabled | If you specify Enable, the identity provider is enabled and the Log in using external identity provider link appears in the login window. |
| Client ID | The AD FS client identifier that was displayed in Registering Common Services in AD FS as an application group. |
| Client secret | The AD FS secret name that was displayed in Registering Common Services in AD FS as an application group. |
| Web API identifier | URI of the Web API identifier used in Registering Common Services in AD FS as an application group. |
| Allowed clock skew | Acceptable time difference between the management server where Common Services is installed and the AD FS server. If the time difference between the servers exceeds this value, you cannot use AD FS to log in. Valid values are 0 to 300 (seconds). Default: 300. |
| Default group mappers | (Optional) Local user group used as the default. When AD FS user authentication succeeds, the user is imported into Common Services as a local user, and the local user group specified for this item is assigned. Maximum of 10 groups. |
| Custom group mappers | (Optional) Pairs consisting of an AD FS user group and a local user group. When AD FS user authentication succeeds, the user is imported into Common Services as a local user; if the user belongs to an AD FS user group specified in the Custom group mappers, the corresponding local user group is assigned. Maximum of 10 pairs. Specify the AD FS user group name in Windows Domain Qualified Name format. |
Tip: When the default group mapper is defined, all users that belong to the external identity provider are assigned to that group when they log in. By contrast, the custom group mapper requires that each external identity provider user be assigned to the AD FS group before they can log in.
External identity provider users receive whatever privileges belong to the local group to which they are mapped. For this reason, do not use opscenter-administrators as the default group mapper.
An Ops Center administrator can assign group membership individually to identity provider users instead of depending on the group mappers.
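As an added example that is not Hitachi's code, the following Python models how the settings in the table above are applied once an AD FS ID token's signature has been verified: the allowed clock-skew window, default versus custom group mapping, and the tip about not using opscenter-administrators as the default mapper. The `group` claim name (which depends on the issuance transform rules configured in the AD FS application group) and all domain and group names are assumptions.

```python
"""Added example, not Hitachi's code: applies the identity-provider settings
to an already signature-verified AD FS ID token. Assumes AD FS groups arrive
in a 'group' claim; all domain and group names below are constructed samples."""
import time
from dataclasses import dataclass, field

MAX_MAPPERS = 10      # page limit: up to 10 default groups and 10 custom pairs
MAX_CLOCK_SKEW = 300  # upper bound of "Allowed clock skew" in seconds
ADMIN_GROUP = "opscenter-administrators"

@dataclass
class IdpConfig:
    allowed_clock_skew: int = 300                      # page default
    default_group_mappers: list = field(default_factory=list)
    # "DOMAIN\\Group" (Windows Domain Qualified Name) -> local user group
    custom_group_mappers: dict = field(default_factory=dict)

    def validate(self) -> bool:
        """Enforce the documented value ranges and the default-mapper tip."""
        if not 0 <= self.allowed_clock_skew <= MAX_CLOCK_SKEW:
            raise ValueError("Allowed clock skew must be 0..300 seconds")
        if max(len(self.default_group_mappers), len(self.custom_group_mappers)) > MAX_MAPPERS:
            raise ValueError("at most 10 default groups and 10 custom pairs")
        if ADMIN_GROUP in self.default_group_mappers:
            # every federated user would otherwise become an administrator
            raise ValueError(f"do not use {ADMIN_GROUP} as a default group mapper")
        for adfs_group in self.custom_group_mappers:
            if "\\" not in adfs_group:
                raise ValueError(f"{adfs_group!r} is not in DOMAIN\\Group format")
        return True

def token_time_ok(claims: dict, cfg: IdpConfig, now=None) -> bool:
    """Accept iat/exp only within the allowed skew between Common Services and AD FS."""
    now = time.time() if now is None else now
    skew = cfg.allowed_clock_skew
    return claims["iat"] - skew <= now < claims["exp"] + skew

def local_groups_for(claims: dict, cfg: IdpConfig) -> list:
    """Default mappers apply to every federated user; custom pairs only on a match."""
    groups = set(cfg.default_group_mappers)
    for adfs_group in claims.get("group", []):
        if adfs_group in cfg.custom_group_mappers:
            groups.add(cfg.custom_group_mappers[adfs_group])
    return sorted(groups)

if __name__ == "__main__":
    cfg = IdpConfig(default_group_mappers=["sample-default-group"],
                    custom_group_mappers={"EXAMPLE\\StorageAdmins": "sample-storage-group"})
    cfg.validate()
    claims = {"iat": 1000, "exp": 1600, "group": ["EXAMPLE\\StorageAdmins", "EXAMPLE\\Everyone"]}
    print(token_time_ok(claims, cfg, now=1850), local_groups_for(claims, cfg))
```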
You can register AD FS with Common Services as an identity provider.