Registering AD FS with Common Services

Ops Center Installation and Configuration Guide

Version: 11.0.x
Audience: anonymous
Part Number: MK-99OPS001-23
You can register AD FS with Common Services as an identity provider.
  1. Log in to the Hitachi Ops Center Portal as the sysadmin user or as a user who belongs to the opscenter-administrators group.
  2. From the navigation bar, click Manage users.
  3. In the Users window, from the Asset type, click Identity providers.
  4. In the Identity Providers window, click .
  5. In the wizard, enter and register the required items.

    Item: Value

    Provider type: Active Directory Federation Services

    Federation protocol: OpenID connect 1.0

    Display name: Name of the identity provider (up to 64 characters).

    Alias: Alias name that was decided on in Registering Common Services in AD FS as an application group.

    OpenID connect discovery endpoint: The endpoint that was verified in Checking the OpenID Connect Discovery endpoint of AD FS.

    Enabled: If you specify Enable, the identity provider is enabled and the Log in using external identity provider link appears in the login window.

    Client ID: The AD FS client identifier that was displayed in Registering Common Services in AD FS as an application group.

    Client secret: The AD FS secret name that was displayed in Registering Common Services in AD FS as an application group.

    Web API identifier: URI of the Web API identifier used in Registering Common Services in AD FS as an application group.

    Allowed clock skew: Acceptable time difference between the management server where Common Services is installed and the AD FS server. If the time difference between the servers exceeds this value, you cannot use AD FS to log in.
        Valid values are 0 to 300 (seconds).
        Default: 300

    Default group mappers: Local user group used as the default. (Optional)
        When AD FS user authentication succeeds, the user is imported into Common Services as a local user, and the local user group specified for this item is assigned.
        Maximum number of groups is 10.

    Custom group mappers: A pair consists of an AD FS user group and a local user group. (Optional)
        When AD FS user authentication succeeds, the user is imported into Common Services as a local user. If the user belongs to an AD FS user group specified in the Custom group mappers, the corresponding local user group is assigned.
        Maximum number of pairs is 10.
        Specify the AD FS user group name in Windows Domain Qualified Name format.
        Example: domain\cs_admin_group

    Tip: When the default group mapper is defined, all users that belong to the external identity provider are assigned to that group when they log in.

    By contrast, the custom group mapper requires that each external identity provider user be assigned to the group before they can log in.

    External identity provider users receive whatever privileges belong to the local group to which they are mapped. For this reason, you should not use the opscenter-administrators group as the default group mapper.

    An Ops Center administrator can assign group membership individually to identity provider users instead of depending on the group mappers.
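    The following is an added illustration of the group-mapper and clock-skew rules described in the table above; it is not Common Services code, and the function names, the constructed group names (opscenter-users, CORP\cs_admin_group) and the case-insensitive matching of AD FS group names are assumptions. It shows why a default group mapper hands its privileges to every authenticated AD FS user, while a custom pair only applies to members of the named AD FS group.

```python
# Added example: models the mapper limits and semantics stated in the guide.
# Not Common Services code; matching AD FS group names case-insensitively
# (as Windows group names are) is an assumption.
from typing import Dict, List, Sequence

MAX_MAPPERS = 10       # at most 10 default groups and 10 custom pairs
MAX_CLOCK_SKEW = 300   # allowed clock skew: valid values are 0 to 300 seconds


def validate_mappers(default_groups: Sequence[str],
                     custom_mappers: Dict[str, str]) -> None:
    """Enforce the count limits and the 'domain\\group' name format."""
    if len(default_groups) > MAX_MAPPERS:
        raise ValueError("at most 10 default group mappers")
    if len(custom_mappers) > MAX_MAPPERS:
        raise ValueError("at most 10 custom group mapper pairs")
    for ad_group in custom_mappers:
        domain, sep, name = ad_group.partition("\\")
        if not (domain and sep and name):
            raise ValueError(f"AD FS group must be 'domain\\group': {ad_group!r}")


def resolve_local_groups(ad_fs_groups: Sequence[str],
                         default_groups: Sequence[str],
                         custom_mappers: Dict[str, str]) -> List[str]:
    """Local groups assigned to an imported AD FS user.

    Every authenticated user receives all default groups (so a default of
    opscenter-administrators makes every AD FS user an administrator); a
    custom pair adds its local group only when the user is a member of the
    paired AD FS group.
    """
    validate_mappers(default_groups, custom_mappers)
    assigned = list(default_groups)
    member_of = {g.lower() for g in ad_fs_groups}
    for ad_group, local_group in custom_mappers.items():
        if ad_group.lower() in member_of and local_group not in assigned:
            assigned.append(local_group)
    return assigned


def token_time_ok(iat: int, exp: int, now: int,
                  allowed_skew: int = MAX_CLOCK_SKEW) -> bool:
    """Accept a token's issued-at/expiry only within the allowed clock skew."""
    if not 0 <= allowed_skew <= MAX_CLOCK_SKEW:
        raise ValueError("allowed clock skew must be 0 to 300 seconds")
    return iat - allowed_skew <= now <= exp + allowed_skew
```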