Microsoft Active Directory Federation Services (AD FS) SSO Integration
Active Directory Federation Services is a standards-based service that allows the secure sharing of identity information between trusted business partners. OpsGenie supports single sign on with AD FS which means your organization can easily incorporate OpsGenie into your application base in AD FS, control which users have access to your OpsGenie account and let your users securely access OpsGenie.
For general information about OpsGenie's Single Sign-On feature, refer to the Single Sign-On with OpsGenie document. This document describes the specific instructions you can use to integrate your AD FS with OpsGenie SSO.
To configure Single Sign-On integration between your Active Directory Federation Services and OpsGenie accounts, go to OpsGenie SSO page, select "Microsoft ADFS" as provider and follow the instructions below:
Setting up Microsoft Active Directory Federation Services Integration
This guide was prepared using Windows Server 2012 R2 standard; however, other recent versions should also work.
Part 1: Adding a Relying Party Trust
- Open AD FS Management Tool. Expand Trust Relationships from left pane, select Relying Party Trusts and click Add Relying Party Trust from right pane. Add Relying Party Trust Wizard will be opened.
- Click Start button on Welcome step.
- On Select Data Source step, select Enter data about the relying party manually and click Next button.
- Specify a display name and click Next.
- Choose AD FS Profile on Choose Profile step and click Next.
- Leave Configure Certificate step as default, because we are encrypting none of the tokens. Click Next.
- Select Enable support for the SAML 2.0 WebSSO protocol. Switch to your SSO Settings page on OpsGenie UI, copy the SAML 2.0 Service URL value. Paste this URL into Relying party SAML 2.0 field on AD FS wizard. Click Next.
- Switch to your SSO Settings page on OpsGenie UI and copy the Trust Identifier value. Paste this value into Relying party trust identifier field on AD FS wizard, click Add and then click Next.
- Select I do not want to configure multi-factor authentication settings for this relying party trust at this time. and click Next.
- Check Permit all users to access this relying party and click Next.
- Review your settings on Ready to Add Trust step and click Next.
- Click Close to complete the wizard.
Part 2: Updating Secure Hash Algorithm
- Right click on the relying party trust that you have recently added and click Properties.
- Switch to Advanced tab. Expand the drop down list from Secure hash algorithm and select SHA-1. Click Apply and then click OK.
Part 3: Editing Claim Rules for the Relying Party Trust
- Right click on the relying party trust that you have recently added and click Edit Claim Rules...
- Click Add Rule.
- Select Send LDAP Attributes as Claims as Claim rule template and click Next.
- Give a name for Claim rule name and select Active Directory as Attribute store. Under the LDAP mapping section; select E-Mail-Addresses as the LDAP Attribute and select E-Mail Address as the Outgoing Claim Type from the drop-down lists. Click Finish.
- Click Add Rule again.
- Select Transform an Incoming Claim and click Next.
- Give a name for Claim rule name. Select E-Mail Address as Incoming claim type, Name ID as Outgoing claim type and Email as Outgoing name ID format from the drop-down lists. Make sure that Pass through all claim values is selected. Click Finish.
- Click Apply and then OK.
Part 4: Exporting the Certificate
- Select AD FS > Services > Certificates on AD FS Management Tool from left pane. Right click the certificate under the Token-signing section and click View Certificate.
- Switch to Details tab and click Copy to File...
- Certificate Export Wizard will be opened. Click Next.
- Select DER encoded binary X.509(.CER) as the format and click Next.
- Select a destination to export and click Next.
- Click Finish and then click OK if the export was successful.
- The exported certificate is in DER format, however we need the certificate in PEM format. To perform this conversion, you can use SSL Shopper or Open SSL. SSL Shopper is used in this guide. Open SSL Shopper and click SSL Converter - Convert SSL Certificates to different formats.
- Select the certificate file that you have recently exported. Select DER/Binary as the current type and Standard PEM as the type to convert to. Click Convert Certificate.
- When the converted certificate is downloaded, open the certificate with a text editor (Notepad, TextEdit, etc). Copy the content of the file.
- Switch back to your SSO Settings page on OpsGenie and paste the certificate content into X.509 Certificate field.
- Paste your SAML 2.0 Federation Endpoint (Login URL) to SAML 2.0 Endpoint field. Your Login URL is generally the URL of your ADFS service with /adfs/ls/ suffix. Click Save Changes.
- Now users in your AD FS can login with OpsGenie via SSO using their directory credentials.
If you are using Open SSL to convert the type of the certificate, you can use the following command:
openssl x509 -inform der -in certificate_in_name.cer -out certificate_out_name.pem
- Make sure that email addresses of users are exactly same on both OpsGenie and your Active Directory Federation Services.