ADFS SAML SSO integration set up
Last updated: 06 April 2020
- Define Cloud Conformity in your identity provider as a service by one of the following options:
- Import Cloud Conformity Service Provider metadata under Relying party trusts.
The latest metadata is available at these URLs: - Define Cloud Conformity as a service provider manually:
- Entity ID: https://www.cloudconformity.com
- ACS: https://www.cloudconformity.com/v1/proxy/sso/saml/consume
- ACS Method: HTTP POST
- Set Signing and Encryption certificate using this X.509 certificate
- Import Cloud Conformity Service Provider metadata under Relying party trusts.
- Set Default Relay State:
REGION_OF_SERVICE:YOUR_DOMAIN.com
(This is to enable IdP-initiated sign-on) - In Claim Rules dialog, select Send LDAP Attributes as Claims and make sure email address, given name, and surname claims are enabled.
-
Configure role mapping
Depending on how you manage your groups, send a group membership claim to map to user role in Cloud Conformity. Users coming through ADFS, can take any of the four supported roles in Cloud Conformity:- Admin: This role is the organisation administrator and has full access to everything in Cloud Conformity.
- Power user: This role has full access to all accounts but no organisation-level access, e.g. cannot manage users or add accounts.
- Read-only: Similar to power user but only with read-only access to all accounts.
- Custom: Custom users have no access by default and can be granted fine-grained permissions after their first sign-on, by an organisation administrator.
- Download and provide us with your identity provider metadata file. ADFS SAML 2.0 metadata should be accessible here: https://ADFS_DOMAIN/FederationMetadata/2007-06/FederationMetadata.xml
Once you have provided identity provider metadata, a member of our team will import it to Cloud Conformity as a trusted identity provider and can begin verifying the integration.
Please contact your account manager and SSO@cloudconformity.com for additional help.