Attributes for configuring WS-Federation or SAML

Hello, everyone!

Has anyone had experience setting up authentication in OpenFlow via WS-Federation/SAML?
We have an Active Directory Federation Services (ADFS) that supports this method, including an automatic configuration link:

https://fs.myorg.kz/federationmetadata/2007-06/FederationMetadata.xml

but I don't fully understand what I should specify in the OpenFlow settings and what the configuration sequence should be. In particular, we are interested in the assignment of attributes:

id: this is the id used in the URL of OpenFlow (the IdP needs to know that if it's validating return URLs … ADFS in this case. This will also be inside the dedicated FederationMetadata.xml file for your new provider, see the last part).
issuer: this is the issuer id for your ADFS. It should be located inside your FederationMetadata.xml from ADFS, so try opening that and searching for the issuer.
metadataurl: this is where you put the URL to the FederationMetadata.xml for your ADFS.

After you click save and open the provider again, you will get a metadataurl at the bottom of the page. You need this while adding the relying party to your ADFS server.
Now your ADFS can load OpenFlow's signing certificates and other information directly from OpenFlow, and OpenFlow will load your ADFS config, including your ADFS's signing certificates, during start up. If your ADFS does not support rolling certificates, you will need to restart the api node when the certificate expires; then it will fetch the new one.
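As an added example (not code from this thread, from OpenFlow or from ADFS), the script below pulls the values referred to above out of a FederationMetadata.xml: the issuer (the `entityID` on the `EntityDescriptor`), the signing certificates (which ADFS publishes under both the WS-Federation `RoleDescriptor` and the SAML `IDPSSODescriptor`), and the WS-Fed passive endpoint. The embedded metadata is a constructed, trimmed-down sample; the entityID, endpoint URL and certificate bytes are placeholders and are not the real data published at fs.myorg.kz. `fetch_metadata` uses the standard library to download a real file but is not called in the offline demo.

```python
"""Find the issuer and signing certificates in an ADFS FederationMetadata.xml.

Added example for this thread, not OpenFlow's or ADFS's own code. The metadata
document below is constructed: the entityID, endpoint and certificate bytes are
placeholders, not the real values published by fs.myorg.kz.
"""
import base64
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Constructed stand-ins for DER-encoded certificates (not real certificates).
FAKE_CERT_DER = b"constructed placeholder, not a real DER certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()
FAKE_ENC_B64 = base64.b64encode(b"constructed encryption cert placeholder").decode()

# Constructed, trimmed-down ADFS metadata. A real file also carries an XML
# signature, SAML endpoints and further RoleDescriptors.
SAMPLE_METADATA = """<EntityDescriptor ID="_c0ffee" entityID="http://fs.example.org/adfs/services/trust"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          SIGNING_CERT
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://fs.example.org/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>SIGNING_CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>ENCRYPTION_CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
""".replace("SIGNING_CERT", FAKE_CERT_B64).replace("ENCRYPTION_CERT", FAKE_ENC_B64)


def parse_federation_metadata(xml_text: str) -> dict:
    """Return the issuer (entityID), signing certificates and WS-Fed passive endpoint."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    issuer = root.get("entityID")
    if not issuer:
        raise ValueError("EntityDescriptor has no entityID")

    signing_certs = []
    # Signing keys appear under RoleDescriptor (WS-Fed) and IDPSSODescriptor
    # (SAML); ADFS publishes the same certificate in both, so deduplicate.
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means both
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # drop line breaks and indent
            if b64 and b64 not in signing_certs:
                signing_certs.append(b64)

    addr = root.find(".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    endpoint = addr.text.strip() if addr is not None and addr.text else None
    return {"issuer": issuer, "signing_certs": signing_certs, "passive_endpoint": endpoint}


def cert_fingerprint(b64: str) -> str:
    """SHA-256 fingerprint (hex) of the DER certificate, for comparing against the
    ADFS and OpenFlow UIs. Expiry dates need a real X.509 parser (e.g. the
    'cryptography' package), which this stdlib-only example does not pull in."""
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()


def fetch_metadata(url: str, timeout: float = 10.0) -> str:
    """Download a live FederationMetadata.xml (not called in the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    info = parse_federation_metadata(SAMPLE_METADATA)
    print("issuer:", info["issuer"])
    print("passive endpoint:", info["passive_endpoint"])
    for c in info["signing_certs"]:
        print("signing cert sha256:", cert_fingerprint(c))
```

Run it against the real file with `parse_federation_metadata(fetch_metadata("https://fs.myorg.kz/federationmetadata/2007-06/FederationMetadata.xml"))`; the `issuer` key is the value to paste into OpenFlow's issuer field, and the fingerprints are what to compare after a certificate rollover to confirm the api node picked up the new key.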

Hello, Allan! Thanks for the help!
Another question has appeared: is it possible to extend user properties in OpenFlow, for example email, department, manager, etc.? Is it also possible to receive them from a third-party provider (IdP) like ADFS?

Not right now, no.
But when using ADFS/WS-Federation it will map roles.
So if you send the user's AD roles (or manually map role memberships when setting up the relying party), OpenFlow will check each role against the roles in OpenFlow, and if they match, it will auto-add the user to those roles (but not remove them again, so some management is still required).
