Registering AD FS with Common Services

Ops Center Installation and Configuration Guide
Version: 11.0.x
Part Number: MK-99OPS001-23
You can register AD FS with Common Services as an identity provider.
  1. Log in to the Hitachi Ops Center Portal as the sysadmin user or as a user who is a member of the opscenter-administrators group.
  2. From the navigation bar, click Manage users.
  3. In the Users window, from the Asset type, click Identity providers.
  4. In the Identity Providers window, click .
  5. In the wizard, enter and register the required items.

    Item | Value
    ---- | -----
    Provider type | Active Directory Federation Services
    Federation protocol | SAML 2.0
    Display name | Name of the identity provider (up to 64 characters).
    Alias | Alias name used to uniquely identify the identity provider (up to 64 characters). Valid characters are half-width alphabetical characters (lowercase only), numbers, hyphens, and underscores. You cannot change the registered value later.
    AD FS endpoint metadata URI | Endpoint defined in Checking the AD FS metadata endpoint.
    Enabled | If you specify Enable, the identity provider is enabled and the Log in using external identity provider link appears in the login window.
    NameID Policy Format | Format used for the username when the AD FS user is imported as a Common Services local user: Windows Domain Qualified Name, Email, or Unspecified.
    Allowed clock skew | Acceptable time difference between the management server where Common Services is installed and the AD FS server. If the time difference between the servers exceeds this value, you cannot use AD FS to log in. Valid values are 0 to 300 (seconds). Default: 300.
    Default group mappers | Local user groups assigned by default (optional). When AD FS user authentication succeeds, the user is imported into Common Services as a local user and is assigned the local user groups specified here. Maximum number of groups is 10.
    Custom group mappers | Pairs of an AD FS user group and a local user group (optional). When AD FS user authentication succeeds, the user is imported into Common Services as a local user. If the user belongs to an AD FS user group specified in the Custom group mappers, the corresponding local user group is assigned. Maximum number of pairs is 10. Specify the AD FS user group name in Windows Domain Qualified Name format, for example domain\cs_admin_group.
    Tip: When a default group mapper is defined, every user who logs in through the external identity provider is assigned to that group at login.

    By contrast, a custom group mapper assigns a local group only to those external identity provider users who already belong to the mapped AD FS group when they log in.

    External identity provider users receive whatever privileges belong to the local group to which they are mapped. For this reason, do not use the opscenter-administrators group as the default group mapper.

    An Ops Center administrator can also assign group membership to identity provider users individually instead of relying on the group mappers.
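The following Python model is an added example, not code from the Ops Center product or this guide. It encodes the field constraints from the table above (alias character set and length, clock skew range, the limit of 10 mappers, Windows Domain Qualified Name format for AD FS groups) and the group-mapper semantics from the tip: default mappers apply to every federated user, custom mappers only on a matching AD FS group, and opscenter-administrators is rejected as a default mapper. The class name, the local group name opscenter-viewers, the domain `example` and the AD FS host name are constructed for illustration; the product's own comparison rule for group names is not stated on this page, so the example uses an exact match.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constraints taken from the registration table on this page.
ALIAS_RE = re.compile(r"^[a-z0-9_-]{1,64}$")             # lowercase letters, digits, hyphen, underscore
DOMAIN_QUALIFIED_RE = re.compile(r"^[^\\\s]+\\[^\\]+$")  # domain\group (Windows Domain Qualified Name)
NAMEID_FORMATS = {"Windows Domain Qualified Name", "Email", "Unspecified"}
MAX_NAME_LEN = 64
MAX_CLOCK_SKEW = 300
MAX_MAPPERS = 10
# The tip on this page: never hand this group to every federated user by default.
ADMIN_GROUP = "opscenter-administrators"


@dataclass
class IdpRegistration:
    """Hypothetical in-memory model of the wizard's fields (not a product API)."""
    display_name: str
    alias: str
    metadata_uri: str
    enabled: bool = True
    nameid_format: str = "Windows Domain Qualified Name"
    allowed_clock_skew: int = 300
    default_groups: List[str] = field(default_factory=list)
    # AD FS group (domain\name) -> Common Services local group
    custom_mappers: Dict[str, str] = field(default_factory=dict)

    def validate(self) -> List[str]:
        """Return the list of problems; an empty list means the form would be accepted."""
        issues: List[str] = []
        if not 1 <= len(self.display_name) <= MAX_NAME_LEN:
            issues.append("display_name must be 1 to 64 characters")
        if not ALIAS_RE.match(self.alias):
            issues.append("alias must be 1 to 64 lowercase letters, digits, hyphens or underscores")
        if self.nameid_format not in NAMEID_FORMATS:
            issues.append(f"unknown NameID policy format: {self.nameid_format!r}")
        if not 0 <= self.allowed_clock_skew <= MAX_CLOCK_SKEW:
            issues.append("allowed_clock_skew must be between 0 and 300 seconds")
        if len(self.default_groups) > MAX_MAPPERS:
            issues.append("at most 10 default group mappers are allowed")
        if len(self.custom_mappers) > MAX_MAPPERS:
            issues.append("at most 10 custom group mapper pairs are allowed")
        for adfs_group in self.custom_mappers:
            if not DOMAIN_QUALIFIED_RE.match(adfs_group):
                issues.append(f"AD FS group {adfs_group!r} is not in domain\\group format")
        if ADMIN_GROUP in self.default_groups:
            issues.append(f"{ADMIN_GROUP} must not be a default group mapper: "
                          "every federated user would become an administrator")
        return issues

    def resolve_groups(self, adfs_groups: List[str]) -> Set[str]:
        """Local groups a freshly imported user receives, following the mapper rules on this page."""
        assigned: Set[str] = set(self.default_groups)  # default mappers apply to every IdP user
        for adfs_group, local_group in self.custom_mappers.items():
            # Exact match; the page does not state whether the product compares case-insensitively.
            if adfs_group in adfs_groups:
                assigned.add(local_group)
        return assigned


if __name__ == "__main__":
    # Constructed sample: host name, domain and the viewers group are not from the guide.
    reg = IdpRegistration(
        display_name="Corporate AD FS",
        alias="corp-adfs",
        metadata_uri="https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml",
        default_groups=["opscenter-viewers"],
        custom_mappers={r"example\cs_admin_group": ADMIN_GROUP},
    )
    print("issues:", reg.validate() or "none")
    print("admin user gets:", sorted(reg.resolve_groups([r"example\cs_admin_group", r"example\Domain Users"])))
    print("ordinary user gets:", sorted(reg.resolve_groups([r"example\Domain Users"])))
```

Running the script shows the difference the tip describes: the ordinary user receives only the default group, while the member of `example\cs_admin_group` additionally receives opscenter-administrators through the custom mapper. Swapping the two groups so that opscenter-administrators becomes the default mapper makes `validate()` report the mistake before anything is registered.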