PowerScale OneFS 9.8.0.0 Web Administration Guide

Configure the Identity Provider to communicate with OneFS

The verified Identity Provider (IdP) for OneFS SSO is Active Directory Federation Services (ADFS). Other IdPs may work.

This task describes how to set up communication between ADFS and OneFS. You must have an instance of ADFS configured and running.

All users who intend to log in to OneFS through SSO must have accounts in OneFS and in AD. The following table describes the requirements for those accounts.
Table 1. Account requirements

System   Requirements
OneFS    The OneFS user accounts must have appropriate privileges:
         • ISI_PRIV_LOGIN_PAPI -- This privilege is required to access the WebUI.
         • Component-specific privileges -- Administrators typically require privileges to manage components. For example, an SMB administrator needs the ISI_PRIV_SMB privilege.
ADFS     The corresponding ADFS user account must have an associated email address, which is used with the OneFS default emailAddress --name-id-format.
         NOTE: If you change the --name-id-format to either Kerberos or WindowsDomainQualifiedName, then you do not need to configure an email address on the ADFS user account.

For configuration, ADFS offers a Windows Web UI and a command-line interface. You can use either, with the Web UI being simpler to use. The following instructions use the ADFS command-line interface.

  1. Configure an SSO administrator and maintainer.
    In OneFS, the user account must have at least one of the following privileges:
    • ISI_PRIV_LOGIN_PAPI - required for the admin to use the OneFS WebUI to administer SSO.
    • ISI_PRIV_LOGIN_SSH - required for the admin to use the OneFS CLI in SSH sessions to administer SSO.
    • ISI_PRIV_LOGIN_CONSOLE - required for the admin to use the OneFS CLI on the console to administer SSO.
  2. Add OneFS metadata to ADFS.
    1. RDP to the ADFS server.
    2. Set a variable to a rule that defines who can log in. The following example shows a simple rule that permits all users to log in. You can define more complex rules that fit the needs of your organization.
      $AuthRules = @"
      @RuleTemplate="AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value="true");
      "@
    3. Set a variable holding the claim rules that map the Active Directory user's email address to the SAML NameID.
      NOTE: If you are configuring a different --name-id-format from the default email address, then you can skip adding the email address mapping rules.
      $TransformRules = @"
      @RuleTemplate = "LdapClaims"
      @RuleName = "LDAP mail"
      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
         => issue(store = "Active Directory",
                  types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
                  query = ";mail;{0}", param = c.Value);
      
      @RuleTemplate = "MapClaims"
      @RuleName = "NameID"
      c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
         => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                  Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value,
                  ValueType = c.ValueType,
                  Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] =
                    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
      "@
    4. Configure AD to trust the OneFS WebUI certificate.
    5. Create the relying party trust.
      Add-AdfsRelyingPartyTrust -Name <OneFS-name> `
         -MetadataUrl "https://<onefs-node-ip>:8080/session/1/saml/metadata" `
         -IssuanceAuthorizationRules $AuthRules -IssuanceTransformRules $TransformRules
      Where:
      • <OneFS-name> is the name that you want to represent the cluster in ADFS.
      • <onefs-node-ip> is the IP address or DNS name of your OneFS node.
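The following script reads the relying party trust back and checks the settings this procedure depends on. It is an added example, not part of the OneFS guide or of ADFS; it assumes the trust name and the cluster's --name-id-format are passed as parameters, and the NameID format URIs it expects are the standard SAML identifiers for the three formats the guide names.

```powershell
# Added verification script (not from the OneFS guide). Run on the ADFS server after
# Add-AdfsRelyingPartyTrust. Parameters are assumptions: $Name is the <OneFS-name> you chose,
# $NameIdFormat is the value of the OneFS SSO --name-id-format (emailAddress is the default).
param(
    [Parameter(Mandatory)] [string] $Name,
    [ValidateSet('emailAddress', 'Kerberos', 'WindowsDomainQualifiedName')]
    [string] $NameIdFormat = 'emailAddress'
)

$trust = Get-AdfsRelyingPartyTrust -Name $Name
if (-not $trust) { throw "No relying party trust named '$Name' exists." }

$problems = @()

# Metadata must be fetched from the OneFS SAML endpoint over HTTPS on port 8080, as in the guide.
if ("$($trust.MetadataUrl)" -notmatch '^https://[^/]+:8080/session/1/saml/metadata$') {
    $problems += "Unexpected MetadataUrl: $($trust.MetadataUrl)"
}

# The NameID format issued by the transform rules must match what the cluster is configured for.
# These are the SAML-standard format URIs; the guide's rules use the emailAddress one.
$expectedFormat = switch ($NameIdFormat) {
    'emailAddress'               { 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' }
    'WindowsDomainQualifiedName' { 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName' }
    'Kerberos'                   { 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos' }
}
if ($trust.IssuanceTransformRules -notmatch [regex]::Escape($expectedFormat)) {
    $problems += "Transform rules do not issue a NameID in format $expectedFormat"
}

# The guide's sample authorization rule admits every AD user; report it so that keeping it
# is a deliberate decision rather than an oversight.
if ($trust.IssuanceAuthorizationRules -match 'AllowAllAuthzRule') {
    $problems += 'Authorization rule is the AllowAll template: every AD user may log in to OneFS.'
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Relying party trust '$Name' passed all checks."
```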