Configuring zCenter Identity Services with ADFS with SAML2.0

To configure Zentera zCenter Identity Services to authenticate external admins or users against ADFS with SAML2.0, you will need to perform several steps to establish a trust relationship and configure the appropriate settings.  Users and admins require separate configurations, and may be authenticated against completely independent user directories.

Any authentication security considerations, such as MFA, device trust, etc that are configured within the ADFS service are out of scope of this document.

Identity Services Configuration

Zentera CoIP Access Platform supports multiple user authentication mechanisms:

• SAML2.0 Identity Providers

• LDAP-based Directory Services

• zCenter locally configured users

There are independent configuration options available for the different types of users and locations for authentication.

• Admin Portal - Service Admins

• Admin Portal - Customer Admins

• CoIP Launcher Users - End users within the scope of individual Customers

Please note, the external Identity Providers are used by the CoIP Access Platform for authentication only, and not for resource authorization.  Roles and permissions are managed on the zCenter portal.

This article discusses the SAML2.0 Identity Services configuration, specifically with the ADFS service.  First described is the CoIP Launcher Users’s Identity Service configuration, then for Admin Portal admins.  These are very similar, differing mostly in where in zCenter they are configured.

ADFS Configuration

The configuration of the ADFS server is out of the scope of this article.  For reference, we used the below resources to configure the ADFS server in our testing:

• https://www.virtuallyboring.com/how-to-setup-microsoft-active-directory-federation-services-adfs/

• http://arnaudpain.com/2019/08/05/windows-server-2019-adfs-step-by-step/#sthash.ilVpaIQb.DVSy2ste.dpbs

• http://vcloud-lab.com/entries/active-directory/install-and-configure-active-directory-federation-service-adfs–

ADFS/SAML2.0 Identity Service Configuration for CoIP Users

1. Login to your zCenter account and select the drop down for the Customer you would like to create the ADFS trust in.

2. Select “Settings / Manage Identity Services”

3. In the “Authentication method for external CoIP User accounts” drop down select “Customized SAML 2.0” and select Yes in the “Change Authentication method” pop-up

4. Click the button for “New Identity Provider” and provide the following information from your ADFS server (the settings displayed are default configurations for a newly created ADFS)

   1. Display Name (Any descriptive name)

   2. Entity ID

   3. SSO Service URL

   4. Logout Service URL (need more information)

   5. For “Signing Option” select “Sign SAML Assertion”

   6. X509 Certificate (in a default install you will create a local certificate)

5. Click “Save”

6. Click the button for “View Service Provider Info” and record the information for your ADFS server configuration.

Configure ADFS server with zCenter information

1. Create new Relying Party Trust

   1. In your ADFS control panel add a new Relying Party Trust

2. Configure Signature

   1. On your ADFS server save the X509 Certificate from zCenter as zcenter.cert

   2. In the “Signature” tab. Click the “Add” button and select the cert from created in step 1

3. Configure the Logout endpoint

   1. In the Endpoints tab click the “Add SAML” button.  

   2. In the Add Endpoint box

   3. Change the “Binding” drop down to “Post”

   4. In the “Trusted URL” field enter the “Assertion Consumer URL” from zCenter

   5. Click “OK”

   6. The below diagram shows the final look of the Endpoints tab

4. Configure “Identifiers”

   1. In the “Identifiers” tab insert the following

   2. Display Name (any descriptive name)

   3. Input the “Issuer (Entity ID)” from zCenter in the “Relying party identifier”

   4. Click the “Add” button

5. Click the “OK” button to save the Relying Party Trust

Create Users for External Login

1. In OBF select “Onboarding and Management / Users”

2. Click the “Onboard User+” button

3. In the Add User screen enter the following information

   1. UserID (this must match an AD username with ADFS access)

   2. In the “Authentication Type” drop down select “External”

   3. Email

   4. Fill any additional information needed

Test ADFS login with zCenter Launcher login

When logging into the CoIP Launcher with the username configured for External Authentication, you will be redirected to your ADFS server/proxy to enter the password information.  After successful authentication on the ADFS page, the user will be redirected to the CoIP Launcher dashboard.

ADFS/SAML2.0 Identity Service Configuration for CoIP Admins

To configure the ADFS for Admins, the same procedure can be applied as above so far in this document, except the starting point within zCenter as per below:

• Global Service Admins

  • Advanced Management menu → Service Management → Identity Services → Admin Account

• Per-Customer Admins

  • Advanced Management menu → Portal Management → Customers → Manage Identity Services for a specific Customer

Please note, the “Service Provider Info” obtained from the zCenter will vary slightly depending on whether it is for Portal Admins or for CoIP Launcher Users.