- Log in to the Hitachi Ops Center Portal as the sysadmin user or as a user who is a member of the opscenter-administrators group.
- From the navigation bar, click Manage users.
- In the Users window, from the Asset type, click Identity providers.
- In the Identity Providers window, click +.
- In the wizard, enter and register the required items.
Item and value to specify:

- Provider type: Active Directory Federation Services
- Federation protocol: SAML 2.0
- Display name: Name of the identity provider (up to 64 characters).
- Alias: Alias name used to uniquely identify the identity provider (up to 64 characters). Valid character types are half-width alphabetical characters (lowercase only), numbers, hyphens, and underscores. You cannot change the registered value later.
- AD FS endpoint metadata URI: Endpoint defined in Checking the AD FS metadata endpoint.
- Enabled: If you specify Enable, the identity provider is enabled and the Log in using external identity provider link appears in the login window.
- NameID Policy Format: Format used for the username when the AD FS user is imported as a Common Services local user. One of:
  - Windows Domain Qualified Name
  - Unspecified
- Allowed clock skew: Acceptable time difference (in seconds) between the management server where Common Services is installed and the AD FS server. If the time difference between the servers exceeds this value, you cannot use AD FS to log in. Valid values are 0 to 300. Default: 300.
- Default group mappers (optional): Local user group used as the default. When AD FS user authentication succeeds, the user is imported into Common Services as a local user, and the local user group specified for this item is assigned. Maximum number of groups is 10.
- Custom group mappers (optional): Pairs consisting of an AD FS user group and a local user group. When AD FS user authentication succeeds, the user is imported into Common Services as a local user. If the user belongs to an AD FS user group specified in one of the pairs, the corresponding local user group is assigned. Maximum number of pairs is 10. Specify the AD FS user group name in Windows Domain Qualified Name format.
Tip: When a default group mapper is defined, every user who authenticates through the external identity provider is assigned to that local group at login. By contrast, a custom group mapper assigns the local group only to users who are already members of the mapped AD FS group when they log in.
External identity provider users receive whatever privileges belong to the local group to which they are mapped. For this reason, do not use the opscenter-administrators group as the default group mapper, because every federated user would then become an Ops Center administrator.
An Ops Center administrator can assign group membership individually to identity provider users instead of depending on the group mappers.
After you complete the wizard, AD FS is registered with Common Services as an identity provider.
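The following Python model, added here as an illustration and not taken from Hitachi's Common Services code, shows how the settings above combine when an AD FS user logs in: the alias and clock-skew limits from the wizard, the default group mapper applied to everyone, the custom group mapper applied only to members of the mapped AD FS group, and why a default mapping to opscenter-administrators is flagged. The AD FS group names, the local group opscenter-viewers, the sample users, and the assertion timestamps are constructed for the example; case-insensitive matching of Windows group names is an assumption of the model.

```python
# Illustrative model of AD FS -> Common Services login handling (not Hitachi's code).
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# NameID formats offered by the wizard, as standard SAML 2.0 URNs.
NAMEID_WINDOWS_DOMAIN_QUALIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Alias rules from the wizard: lowercase letters, digits, hyphen, underscore.
ALIAS_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz0123456789-_")


@dataclass
class IdentityProvider:
    alias: str
    enabled: bool = True
    allowed_clock_skew: int = 300                 # seconds, 0..300 (default 300)
    default_group_mappers: tuple = ()             # local groups every federated user receives
    custom_group_mappers: dict = field(default_factory=dict)  # "DOMAIN\\group" -> local group


@dataclass
class Assertion:
    """The parts of a SAML assertion that matter for this model."""
    name_id: str             # becomes the Common Services local username
    name_id_format: str
    groups: tuple            # AD FS group claims in Windows Domain Qualified Name format
    not_before: datetime
    not_on_or_after: datetime


def validate(idp):
    """Return a list of problems with the configuration; empty means acceptable."""
    problems = []
    if not 1 <= len(idp.alias) <= 64 or not set(idp.alias) <= ALIAS_CHARS:
        problems.append("alias must be 1-64 lowercase letters, digits, '-' or '_'")
    if not 0 <= idp.allowed_clock_skew <= 300:
        problems.append("allowed clock skew must be 0-300 seconds")
    if len(idp.default_group_mappers) > 10:
        problems.append("at most 10 default group mappers")
    if len(idp.custom_group_mappers) > 10:
        problems.append("at most 10 custom group mappers")
    if "opscenter-administrators" in idp.default_group_mappers:
        problems.append("default mapper to opscenter-administrators makes every federated user an administrator")
    return problems


def _norm(name):
    return name.casefold()   # assumption: Windows group names compare case-insensitively


def within_skew(a, now, skew):
    """Accept the assertion if 'now' lies in its validity window widened by the allowed skew."""
    delta = timedelta(seconds=skew)
    return a.not_before - delta <= now < a.not_on_or_after + delta


def local_groups(idp, a):
    """Default mappers apply to everyone; custom mappers only to members of the AD FS group."""
    groups = list(idp.default_group_mappers)
    member_of = {_norm(g) for g in a.groups}
    for adfs_group, local in idp.custom_group_mappers.items():
        if _norm(adfs_group) in member_of and local not in groups:
            groups.append(local)
    return groups


def login(idp, a, now):
    """Return the imported local user, or raise PermissionError."""
    if not idp.enabled:
        raise PermissionError("identity provider is disabled")
    if a.name_id_format not in (NAMEID_WINDOWS_DOMAIN_QUALIFIED, NAMEID_UNSPECIFIED):
        raise PermissionError("unsupported NameID format: " + a.name_id_format)
    if not within_skew(a, now, idp.allowed_clock_skew):
        raise PermissionError("assertion outside the allowed clock skew")
    return {"username": a.name_id, "groups": local_groups(idp, a)}


def accepted(idp, a, now):
    try:
        login(idp, a, now)
        return True
    except PermissionError:
        return False


# Constructed sample data (hypothetical domain, groups, and users).
IDP = IdentityProvider(alias="corp-adfs",
                       default_group_mappers=("opscenter-viewers",),
                       custom_group_mappers={"CORP\\StorageAdmins": "opscenter-administrators"})
ISSUED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ALICE = Assertion("CORP\\alice", NAMEID_WINDOWS_DOMAIN_QUALIFIED,
                  ("CORP\\storageadmins", "CORP\\Everyone"), ISSUED, ISSUED + timedelta(minutes=5))
BOB = Assertion("CORP\\bob", NAMEID_WINDOWS_DOMAIN_QUALIFIED,
                ("CORP\\Everyone",), ISSUED, ISSUED + timedelta(minutes=5))


def at(seconds_after_issue):
    """Server clock reading, expressed relative to the assertion's issue time."""
    return ISSUED + timedelta(seconds=seconds_after_issue)


if __name__ == "__main__":
    print(validate(IDP))
    print(login(IDP, ALICE, at(60)))
    print(login(IDP, BOB, at(60)))
    print(accepted(IDP, ALICE, at(300 + 200)), accepted(IDP, ALICE, at(300 + 400)))
```

The last line of the usage shows the skew boundary: with the default of 300 seconds, an assertion that expired 200 seconds ago is still accepted, one that expired 400 seconds ago is not. Setting allowed_clock_skew to 0 makes the window exact, which is why NTP on both the management server and the AD FS server matters more than the setting itself.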