SP side configuration (RAS side)
On the service provider side (the Parallels RAS side), you need to enable Web (SAML) authentication and add the identity provider to the RAS Farm.
Enable Web (SAML) authentication
In the RAS Console, navigate to Connection > Authentication.
In the Allowed authentication types section, select the Web (SAML) option.
Adding an IdP to the RAS Farm
To add an IdP:
In the RAS Console, navigate to Connection > SAML. If the tab page is disabled, make sure you enabled Web (SAML). See above.
Click Tasks > Add.
In the Add Identity Provider wizard, specify a provider name.
In the Use with Theme drop-down list, select a Theme to which the IdP will be assigned. If you don't have a specific Theme yet, you can use the default Theme or you can select "<not used>" and assign a Theme later. Note that there can be multiple IdPs configured in the same RAS Farm. However, at this time, one IdP can be assigned to one Theme.
Select one of the following methods that the wizard will use to obtain the IdP information:
Import published IdP metadata: Import from an XML document published on the Internet. Specify the document URL taken from the IdP side configuration.
Import IdP metadata from file: Import from a local XML file downloaded from the IdP application. Specify the file name and path in the field provided.
Manually enter the IdP information: Select this option and then enter the information manually on the next wizard page.
Click Next.
If the configuration was imported in the previous step, the next page will be populated with data obtained from the XML file. If you've selected to enter the IdP data manually, you'll have to enter the values yourself:
IdP entity ID: Identity provider entity ID.
IdP certificate: Identity provider certificate data. To populate this field, you need to download the certificate from the IdP side, then open the downloaded file, copy its contents and paste it into this field.
Logon URL: Logon URL.
Logout URL: Logout URL.
Select the Allow unencrypted assertion option if needed.
Note: By default, the Allow unencrypted assertion option is disabled. Ensure that the IdP configuration is set to encrypt assertion or change the default setting within the RAS configuration.
At this point, you can configure service provider (SP) settings to be imported on the IdP side (IdP portal). You can do it now or you can do it later. To do it now, follow the steps below. To do it later, click Finish and then, when needed, open the identify provider object properties, select the SP tab and do the same steps as described below.
To configure SP settings, click the Service provider information button.
In the dialog that opens, enter the host address. The IdP will redirect to this address, which should be accessible from the end user browser.
The other fields including SP Entity ID, Reply URL, Logon URL and Logout URL are prepopulated based on the host address. The SP Certificate is autogenerated.
Next step is to complete the IdP configuration based on the values above. These values can be manually copied or exported as a metadata file (XML). Click the Export SP metadata to file link. Save the metadata as an XML file. Import the XML file into your IdP.
Close the dialog and click Finish.
Configuring user account attributes
When user authentication is performed by the IdP, user account attributes in Active Directory are compared with the matching attributes in the IdP user database. You can configure which attributes should be used for comparison as described below.
The following table lists available attributes:
RAS name | SAML name * | AD name | Description |
---|---|---|---|
UserPrincipalName | NameID | userPrincipalName | User Principal Name (UPN) is the name of a system user in an email address format. |
Immutable ID | ImmutableID | objectGUID | A Universally Unique Identifier. |
SID | SID | objectSid | An ObjectSID includes a domain prefix identifier that uniquely identifies the domain and a Relative Identifier (RID) that uniquely identifies the security principal within the domain. |
sAMAccountName | sAMAccountName | sAMAccountName | The sAMAccountName attribute is a logon name used to support clients and servers from previous version of Windows, such as Windows NT 4.0 and others. |
Custom | A custom attribute that can be used to allow any SAML attribute name to match any AD attribute value. By default, it is the email address. |
* The attributes in the SAML name column are editable and can be customized based on the IdP that you are using.
To configure attributes:
In the RAS Console, right-click an IdP that you've added in previous steps.
In the IdP Properties dialog, select the Attributes tab. On this tab, you can select or clear the attributes to be used for comparison or create custom ones:
Attributes that are selected will be compared for a match.
The names of all of the preconfigured SAML attributes (the IdP side) can be modified to match the AD attributes as required.
The custom attribute can be used to allow any SAML attribute name to match any AD attribute value. By default, it is the email address.
Configure and enable the desired attributes as needed based on the attributes configured on the IdP side.
Click OK to close the dialog.
Note 1: Multiple attributes are used in the presented order. If an attribute fails, the next configured attribute is used. Only one attribute is used at a time (in either/or fashion).
Note 2: If multiple AD users are configured with the same AD attribute value, user matching will fail. For example, if the email attribute is chosen and different AD users have the same email address, attribute matching between IdP account and AD User account will not be successful.
Attributes configuration tips
When possible, use automation for user synchronization (such as Microsoft Azure AD Connect for Azure IdP configuration) between your Active Directory and the IdP to minimize user identity management overhead.
Choose a user identification attribute that is unique to your environment, such as the User Principal Name (UPN) or Immutable ID (ObjectGuid) when possible. Alternatively, you can use other unique identifiers such as email address. In this case make sure that the Email address field in the user object in the AD is configured. If you use Microsoft Exchange Server, use the Exchange Addresses tab and Exchange policies.
If using UPN as an attribute, you can also configure alternative UPN suffixes. This can be done from Active Directory Domains and Trusts (select root > right-click to open the Properties dialog). Once a new alternative UPN suffix is created, you can change the UPN on the user object properties from Active Directory Users and Computers.
Adding an account picture
For additional personalization, you can add a custom account picture which will be shown on the Windows logon screen during the user login when using Single Sign-On. This can be done as described in https://kb.parallels.com/en/129028.
Last updated