Configure an ADFS Identity Provider
This guide explains how to configure Active Directory Federated Services (ADFS) in order to use it as an Identity Provider (IdP) for Terraform Enterprise's SAML authentication feature. The screenshots below were taken on Windows Server 2016, and the UI may not look the same on previous Windows versions.
Requirements
Install and configure ADFS before completing these instructions.
Gather ADFS information
- On the ADFS server, start the Server Manager.
- Click "Tools" -> "AD FS Management" .
- Expand the
Service
object and click "Endpoints". - Make a note of the
URL Path
for TypeSAML 2.0/WS-Federation
. (If you are using the default settings, this will be/adfs/ls/
.) - Switch from "Endpoints" to "Certificates" and choose the one under
Token-signing
. - Right click "View Certificate".
- In the Certificate dialog, select the Details tab and click "Copy to File".
- In the Certificate Export Wizard, click "Next", select "Base-64 encoded X.509 (.CER)" and click "Next" again.
- Pick a location to save the file and click "Next".
- Review the settings and click "Finish".
Configure Terraform Enterprise
- Visit
https://<TFE HOSTNAME>/app/admin/saml
. - Set "Single Sign-on URL" to
https://<ADFS hostname>/<URL Path>
, using the path you noted above in step 4. - Set "Single Log-out URL" to
https://<ADFS hostname>/<URL Path>?wa=wsignout1.0
(note that this is the same path with an additional URL parameter). - Paste the contents of the saved certificate in "IDP Certificate".
- Scroll to the bottom of the screen and click "Save SAML Settings".
Configure ADFS
Configure the Relying Party (RP) Trust
- On the ADFS server, start the Server Manager.
- Click "Tools" -> "AD FS Management".
- Right-click "Relying Party Trusts" and then click "Add Relying Party Trust".
- In the Add Relying Party Trust Wizard, select "Claims aware" and click "Start".
- Next, select "Import data about the relying party published online or on a local network", and in the text box, enter
https://<TFE HOSTNAME>/users/saml/metadata
. - Click "Next", type a display name used to identify the RP trust, and click "Next" again.
- In the "Choose Access Control Policy" screen, choose one that matches your security policy, and click "Next".
- Review the settings and click "Next".
- Finally, make sure "Configure claims issuance policy for this application" is checked and click "Close". This opens the Claim Issuance Policy editor for the RP trust just configured.
Configure Claim Issuance
LDAP Attributes as Claims
Click "Add Rule", and then select "Send LDAP Attributes as Claims" from the
Claim rule template
dropdown. Click "Next".Set a name used to identify the claim rule.
Set the attribute store to "Active Directory".
- From the
LDAP Attribute
column, select "E-Mail Addresses". - From the
Outgoing Claim Type
, select "E-Mail Address".
- From the
Click "Finish".
Transform Incoming Claims
- Click "Add Rule", and then select "Transform an Incoming Claim" from the
Claim rule template
dropdown. Click "Next". - Set a name used to identify the claim rule.
- Select "E-mail Address" as the
Incoming Claim Type
. - Select "Name ID" as the
Outgoing Claim Type
. - Select "Email" for
Outgoing Name ID Format
.
- Click "Finish".
Send Group Membership as a Claim
- Click "Add Rule", and then select "Send Group Membership as a Claim" from the
Claim rule template
dropdown. Click "Next". - Click "Browse" and locate the AD User group that contains all Terraform Enterprise admins.
- Set
Outgoing claim type
toMemberOf
. - Set
Outgoing claim value
tosite-admins
.
- Click "Finish".
Test configured SAML login
At this point SAML is configured. Follow these instructions to log in to Terraform Enterprise.