Illumio Core 22.2 Administration Guide

Active Directory Single Sign-on

This section describes how to configure Microsoft Active Directory Federation Services (AD FS) 3.0 for Single Sign-on (SSO) 2.0 authentication with the PCE.

Overview of AD FS SSO Configuration

To enable AD FS for the PCE, AD FS must return three fields as claims to the PCE:

  • NameID

  • Surname

  • Given Name

There are two ways for AD FS to produce the NameID claim for an SSO user. The first uses the email field in an Active Directory user account for the NameID.

The second way to return a NameID for an Active Directory user is to use the User Principal Name (UPN). Each user created in Active Directory has a suffix appended to their username in the form ADUserName@yourADDomainName. For example, a user named “test” in an Active Directory domain called “testing.com” would have a UPN of test@testing.com.

Configure AD Users to Use Different UPN Suffixes

To configure a different UPN suffix as the source for NameID:

  1. Add a UPN suffix. On your system under Server Manager Tools, click Active Directory Domains and Trusts.

  2. From the left side of the window, right-click Active Directory Domains and Trusts, and select Properties. In this dialog, you can create new suffixes for Active Directory usernames.

  3. Enter a suffix that matches the external namespace you'll be using and click Add. For example, add illumioeval.com as an alternative UPN suffix.

    You can now assign to an Active Directory user your custom UPN for the SAML response.

  4. You can add multiple UPNs if needed. You can select the UPN created in the previous steps.

    Your UPN configuration is set up, and you can begin configuring AD FS for SSO with the PCE.
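The same UPN-suffix procedure, done with the ActiveDirectory PowerShell module instead of the Active Directory Domains and Trusts console. This is an added example, not part of the Illumio guide; illumioeval.com is the suffix the guide uses, and the user name "test" is a placeholder. It checks whether the suffix is already registered before adding it, assigns the UPN, and then reads both values back so you can confirm what AD FS will see.

```powershell
# Added example (not from the Illumio guide): register an alternative UPN suffix
# on the forest and assign it to a user, then verify both.
Import-Module ActiveDirectory

$suffix = "illumioeval.com"   # suffix from the guide
$user   = "test"              # placeholder sAMAccountName

# Steps 1-3: register the suffix on the forest (equivalent of Active Directory
# Domains and Trusts > Properties > Add). Skip if it is already present.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $suffix }
}

# Step 4: assign the custom UPN to the user. With the claim rules described later
# (User-Principal-Name -> E-Mail Address -> NameID), this value becomes the SAML NameID.
Set-ADUser -Identity $user -UserPrincipalName "$user@$suffix"

# Verify: the suffix is registered and the user's UPN uses it.
(Get-ADForest).UPNSuffixes
Get-ADUser -Identity $user -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName
```

Run this from an account with forest-level rights (adding a UPN suffix is a forest change), and confirm the UPN printed at the end matches the value you expect to see as NameID in the SAML response.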

Initial AD FS SSO Configuration

This task explains how to perform the initial configuration of AD FS to be your SSO IdP for Illumio Core.

To configure AD FS:

  1. Open Microsoft Server Manager and click the notification icon.

  2. Click the “Configure the federation service on this server” link.

  3. Select the “Create the first federation server in a federation server farm” option and click Next.

  4. Specify a domain admin account for AD FS configuration and click Next.

  5. Select or import a certificate. This certificate can be a self-signed certificate.

  6. On the same page, also specify your Federation Service Name (for example, *.illumioeval.com, based on what you specified in the previous procedure), enter a Federation Service Display Name for this instance of AD FS, and click Next.

  7. Specify your service account, enter its password, and click Next.

  8. Select Create a database on this server using Windows Internal Database or choose the SQL server option, and click Next.

  9. Review your selected options and click Next.

  10. Click Configure to finish the basic configuration of AD FS.

  11. In the results screen, click Close.

    AD FS is now installed with the basic configuration on this host.

Create a Relying Party Trust

To start configuring AD FS for SSO with the PCE, you need to create a Relying Party Trust for your Illumio PCE.

  1. From Server Manager/Tools, open the AD FS Manager.

  2. From the left panel, choose Relying Party Trusts > Add Relying Party Trust.

    The Add Relying Party Trust Wizard appears.

  3. Click Start.

  4. Select the “Enter data about the relying party manually” option and click Next.

  5. Name your Relying Party Trust (for example, Illumio PCE) and click Next.

  6. Select ADFS profile and click Next.

  7. If you have a separate certificate for token encryption, browse to it, select it, and click Next.

    Note

    To use the standard AD FS certificate (created during AD FS installation) for token signing, don’t select anything in this step and click Next.

  8. Select Enable support for the SAML 2.0 WebSSO protocol. In the Relying party SAML 2.0 SSO service URL field, add your “Assertion Consumer URL” (obtained from the PCE web console). For example, this URL might look like https://pce-mnc.illumioeval.com:8443/login/acs/2402fb18-3d75-4432-ab6d-10475897b476.

    To locate the “Assertion Consumer URL,” go to Settings > Authentication > Information for Identity Provider in the PCE web console.

  9. On the Configure Identifiers page, use the same URL for the Relying Party Trust identifier, without the /acs/<randomNumbers>. For example: https://pce-mnc.illumioeval.com:8443/login. Click Next.

  10. Select the I do not want to configure multi-factor authentication... option and click Next.

  11. Select “Permit all users to access this relying party” and click Next.

  12. On the Ready to Add Trust page, click Next.

  13. Leave the Open the Edit Claim Rules checkbox selected and click Close.

Create Claim Rules

You need to create claim rules to enable proper communication between AD FS and the PCE.

  1. In the Edit Claim Rules dialog, click Add Rule.

  2. At the Select Rule Template page, in the Claim rule template field select Send LDAP Attributes as Claims and click Next.

  3. In Claim rule name enter “Illumio Attributes”, and under Attribute store select Active Directory.

    Under the first row of the mapping table, as the first LDAP Attribute, select User-Principal-Name and E-Mail Address as its Outgoing Claim Type. As the next LDAP Attribute, select Surname and enter the custom field name of User.LastName as its Outgoing Claim Type. As the next LDAP Attribute, select Given-Name and User.FirstName for its Outgoing Claim Type, and click Finish.

  4. In the Edit Claim Rules dialog with your new rule added, click Add Rule to add the final rule.

  5. At Select Rule Template, under the Claim Rule Template, select Transform an Incoming Claim and click Next.

  6. In Claim rule name enter Email to NameID Transform and change the Incoming claim type value to E-Mail Address. Set the Outgoing claim type to Name ID and the Outgoing name ID format to Email.

    Make sure to select the Pass through all claim values option, and click Finish.

    The Edit Claim Rules window opens.

  7. (Windows 2016 and Windows 2019) Skip to step 12 to create a Group Claim Rule for RBAC with groups.

    The Edit Claim Rules window has three tabs. You have already filled out the first tab. The other two tabs are not available in Windows 2016 or Windows 2019. Therefore, skip steps 8 through 11 if using these releases.

  8. Select the Issuance Authorization Rules tab.

  9. To allow all your Active Directory Users to access the PCE, leave the Permit Access to All Users rule as is. Otherwise, you should restrict access to a single group or multiple groups of users.

  10. At Select Rule Template (the Choose Rule Type step), Select Permit or Deny Users Based on an Incoming Claim and click Next.

  11. At Configure Rule (the Configure Rule Type step), enter a name in Claim rule name (for example, AD FS Users) and change the Incoming claim type to Group SID (you might have to scroll to find it). In Incoming claim value, browse to the group of users you want to give access. Make sure Permit access is selected and click Finish.

  12. If you are using RBAC with groups, you need to create a Groups Claim Rule.

    To add groups to an AD FS claim rule configuration, click Edit Rule. Add a row with Token-Groups as the LDAP Attribute and User.MemberOf as its Outgoing Claim Type. Click OK.
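The Relying Party Trust and claim rules from the two procedures above, built with the AD FS PowerShell module rather than the wizards. This is an added example, not code from the Illumio guide: the PCE host name and the random suffix on the Assertion Consumer URL are placeholders (use the URL shown in your PCE web console), and the group SID in the optional authorization rule is a placeholder. The rule text is the claim rule language that the "Send LDAP Attributes as Claims", "Transform an Incoming Claim" and "Permit or Deny Users Based on an Incoming Claim" templates generate, so you can compare it against View Rule Language in AD FS Manager.

```powershell
# Added example (not from the Illumio guide): create the PCE Relying Party Trust
# and its claim rules with the ADFS module. Placeholders are marked below.
Import-Module ADFS

$pceLogin = "https://pce-mnc.illumioeval.com:8443/login"                 # RP identifier, no /acs/...
$pceAcs   = "$pceLogin/acs/00000000-0000-0000-0000-000000000000"          # placeholder ACS URL from the PCE

# Step 8: SAML 2.0 WebSSO endpoint (Assertion Consumer URL, HTTP-POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $pceAcs

# Claim rules 1-6 (plus step 12): UPN -> E-Mail Address, sn -> User.LastName,
# givenName -> User.FirstName, Token-Groups -> User.MemberOf, then E-Mail -> NameID.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Illumio Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "User.LastName", "User.FirstName", "User.MemberOf"), query = ";userPrincipalName,sn,givenName,tokenGroups;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to NameID Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Steps 9-11 (Windows 2012 R2): issuance authorization. Default is "Permit Access
# to All Users"; the second string restricts access to one AD group by Group SID
# (placeholder SID), which is the tighter choice for a management console.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
$permitGroup = @'
@RuleTemplate = "Authorization"
@RuleName = "AD FS Users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-0-0-0-0000$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@
$authzRules = $permitGroup   # or $permitAll to match step 9's default

# Steps 1-13: create the trust. On Windows 2016/2019 replace -IssuanceAuthorizationRules
# with -AccessControlPolicyName "Permit everyone" (or a group-scoped policy).
Add-AdfsRelyingPartyTrust -Name "Illumio PCE" `
    -Identifier $pceLogin `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules

# Verify what AD FS stored, and compare with AD FS Manager > View Rule Language.
Get-AdfsRelyingPartyTrust -Name "Illumio PCE" |
    Select-Object Name, Identifier, Enabled, IssuanceTransformRules, IssuanceAuthorizationRules
```

Run it on the AD FS server as an AD FS administrator. Leaving the token-encryption certificate out (step 7) matches the wizard's default of signing only; if you later add one with Set-AdfsRelyingPartyTrust -EncryptionCertificate, the PCE must be able to decrypt the assertions.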

Obtain AD FS SSO Information for the PCE

Before you can configure the PCE to use AD FS for SSO, obtain the following information from your AD FS configuration:

  • x.509 certificate supplied by AD FS

  • Remote Login URL (which AD FS calls “Sign-On URL”)

  • Logout Landing URL

To obtain the AD FS SSO information for the PCE:

  1. To find the certificate in your AD FS configuration, log into the AD FS server and open the management console.

  2. Browse to Service > Certificates to display the list of certificates, from which you can export the Token-signing certificate.

  3. Right-click the Token-signing certificate and select View Certificate.

  4. Select the Details tab.

  5. Click Copy to File.

  6. When the Certificate Export Wizard launches, click Next.

  7. Verify that the “No - do not export the private key” option is selected and click Next.

  8. Select Base 64 encoded binary X.509 (.cer) and click Next.

  9. Select where you want to save the file, name the file, and click Next.

  10. Click Finish.

  11. After exporting the certificate to a file, open the file with a text editor. Copy and paste the contents of the exported x.509 certificate, including the BEGIN CERTIFICATE and END CERTIFICATE delimiters, into the SAML Identity Provider Certificate field.

  12. To find the Remote Login URL (which AD FS calls “Sign-On URL”), download and open the following metadata file from your AD FS server by navigating to https://server.mydomain/FederationMetadata/2007-06/FederationMetadata.xml and search for SingleSignOnService.

  13. To find the Logout Landing URL for the PCE, you can use the login URL of the PCE (preferred):

    https://<myPCENameAndPort>/login

    Or, use a generic logout URL of AD FS:

    https://<URLToMyADFSServer>/adfs/ls/?wa=wsignout1.0

    You are now ready to configure the PCE to use AD FS for SSO.
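Steps 1 through 12 above can be done from a single read of the federation metadata file, since it carries both the SingleSignOnService endpoint and the token-signing certificate. This is an added example, not part of the Illumio guide; the AD FS host name is a placeholder. It extracts the Remote Login URL, turns the base64 certificate in the metadata into the PEM block (with BEGIN/END CERTIFICATE delimiters) that the PCE field expects, and prints each certificate's thumbprint and expiry so you can check it against Service > Certificates before pasting. It also handles the rollover case, where AD FS publishes a primary and a secondary signing certificate.

```powershell
# Added example (not from the Illumio guide): pull the Remote Login URL and the
# token-signing certificate(s) out of the AD FS federation metadata.
$adfsHost    = "adfs.mydomain.example"   # placeholder: your Federation Service name
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Remote Login URL (AD FS "Sign-On URL"): the IdP's HTTP-Redirect SingleSignOnService.
$sso = $md.SelectSingleNode(
    "//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']", $ns)
"Remote Login URL: " + $sso.GetAttribute("Location")

# Token-signing certificate(s): KeyDescriptor use="signing" under the IdP role only,
# so the metadata's own signing key and the SP role's keys are not picked up.
$signingCerts = $md.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)

foreach ($node in $signingCerts) {
    $b64  = $node.InnerText -replace '\s', ''
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))

    # Base 64 DER wrapped at 64 columns with PEM delimiters, as the PCE field expects.
    $lines = ($b64 -split '(.{64})') -ne ''
    $pem   = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----"

    ""
    "Subject:    " + $x509.Subject
    "Thumbprint: " + $x509.Thumbprint
    "NotAfter:   " + $x509.NotAfter
    $pem
}
```

Compare the printed thumbprint with the Token-signing certificate in AD FS Manager (on the AD FS server, Get-AdfsCertificate -CertificateType Token-Signing shows which one is primary). If two certificates are listed, AD FS is in the middle of an automatic rollover, and the PCE will need the new certificate before AD FS promotes it to primary; the NotAfter date tells you when the one you paste will stop validating assertions.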

Configure the PCE for AD FS SSO

Before you configure the PCE to use Microsoft AD FS for SSO, make sure you have the following information provided by your AD FS, which you configure in the PCE web console:

  • x.509 certificate supplied by ADFS

  • Remote Login URL

  • Logout Landing URL

For more information, see Obtain AD FS SSO Information for the PCE.

Note

When SSO is configured in Illumio Core and for the IdP, the preferences in Illumio Core are used. When SSO is not configured in Illumio Core, the default IdP settings are used.

To configure the PCE for AD FS:

  1. From the PCE web console menu, choose Settings > SSO Config.

  2. Click Edit.

  3. Select the Enabled checkbox next to SAML Status.

  4. In the Information From Identity Provider section, enter the following information:

    • SAML Identity Provider Certificate

    • Remote Login URL

    • Logout Landing URL

  5. Select the authentication method from the drop-down list:

    • Unspecified: Uses the IdP default authentication mechanism.

    • Password Protected Transport: Requires the user to log in with a password using a protected session. Select this option and check the Force Re-authentication checkbox to force users to re-authenticate.

  6. To require users to re-enter their login information to access Illumio (even if the session is still valid), check the Force Re-authentication checkbox. This allows users to log into the PCE using a different login than their default computer login. This option is disabled by default.

    Note

    You must select "Password Protected Transport" as the authentication method and check the Force Re-authentication checkbox to force users to re-authenticate.

  7. Click Save.

    Your PCE is now configured to use AD FS for SSO authentication.