To register IBM StreamSets as a service provider in AD FS, use the IdP information that you retrieved from Control Hub to create a relying party trust in AD FS.
Then, configure a claims issuance policy for the trust to send email addresses and optionally user names of Active Directory Domain Services (AD DS) users to IBM StreamSets. Any user in AD DS can log in to IBM StreamSets, as long as the user is invited to the Control Hub organization using the AD DS email address.
Note: These steps provide brief instructions to create a relying party trust using the AD FS Management tool installed on Windows Server 2019. For detailed steps, see the Microsoft AD FS documentation.
- Open Server Manager on the server that is running AD FS, and then click .
- Right-click the Relying Party Trusts folder, and then select Add Relying Party Trust.
- In the Welcome page of the wizard, select Claims aware, and then click Start.
- In the Select Data Source page of the wizard, select Import data about the relying party from a file, and then click Browse and select the metadata XML file that you downloaded from Control Hub.
- Click Next.
- In the Specify Display Name page of the wizard, enter a display name. For example, you might enter StreamSets SAML.
- Click Next.
- In the Choose Access Control Policy page of the wizard, choose the policy required by your corporate regulations, and then click Next.
- In the Ready to Add Trust page of the wizard, verify your configurations, and then click Next.
- In the Finish page of the wizard, select Configure claims issuance policy for the application, and then click Close.
  The Edit Claims Issuance Policy for <relying trust name> dialog box appears.

- Click Add Rule.
- In the Choose Rule Type page of the claim rule wizard, select Send LDAP Attributes as Claims for the Claim rule template property.
- Click Next.
- In the Configure Claim Rule page of the wizard, enter a name for the rule. For example, you might enter StreamSets Attribute Mappings.
- For the Attribute store property, select Active Directory.
- In the Mappings table, configure the following attribute mappings so that AD FS passes user information to IBM StreamSets. Configuring the email address is required. Configuring the user names is optional. For more information, see IdP Attribute Mappings.
  LDAP Attribute | Outgoing Claim Type
  E-Mail-Addresses | Select Name ID from the drop-down menu.
  Given-Name (optional) | Type firstName.
  Surname (optional) | Type lastName.
  Display-Name (optional) | Type displayName.

  For example, the following image displays mappings for the required email address and the optional user names:

- Click OK.
- In the Edit Claims Issuance Policy for <relying trust name> dialog box, click OK.
  The AD FS Management tool displays the relying party trust added for IBM StreamSets.
- Use Microsoft PowerShell to run the following command on the server where AD FS is installed:
  Set-AdfsRelyingPartyTrust -TargetName "<relying trust name>" -SamlResponseSignature "MessageAndAssertion"
- To enable IdP-initiated logins from AD FS, use PowerShell to run the following command on the server where AD FS is installed:
  Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
- Retrieve the AD FS metadata file.
  - Append the following endpoint to the DNS address of the server where AD FS is installed:
    /FederationMetadata/2007-06/FederationMetadata.xml
    For example, enter the following URL in the address bar of a browser:
    https://<DNS address>/FederationMetadata/2007-06/FederationMetadata.xml
  - Download the generated metadata file from the browser.
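The same procedure scripted with the AD FS PowerShell module, as an added example that is not part of the IBM StreamSets documentation: it creates the trust from the Control Hub metadata, installs the claim rule with the attribute mappings from the table above, enforces MessageAndAssertion signing, checks the result, and downloads the AD FS federation metadata. The file paths, the trust name, and the access control policy name are assumptions; adjust them for your deployment.

```powershell
# Added example, not the IBM StreamSets docs' own code. Assumed values below.
$MetadataFile = 'C:\temp\streamsets-sp-metadata.xml'   # XML downloaded from Control Hub (assumed path)
$TrustName    = 'StreamSets SAML'                       # display name, as in the wizard example
$Policy       = 'Permit everyone'                       # use the policy your corporate rules require

# Claim rule in AD FS claim rule language, equivalent to the "Send LDAP Attributes as Claims"
# template: mail -> Name ID (required); givenName, sn, displayName -> firstName, lastName,
# displayName (optional), matching the Mappings table above.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "StreamSets Attribute Mappings"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "firstName", "lastName", "displayName"),
          query = ";mail,givenName,sn,displayName;{0}", param = c.Value);
'@

Import-Module ADFS

# Create the trust from the SP metadata file (the "Import data about the relying party from a file" step).
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $MetadataFile `
    -AccessControlPolicyName $Policy -IssuanceTransformRules $IssuanceRules

# Sign both the SAML response and the assertion, as the procedure requires.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -SamlResponseSignature 'MessageAndAssertion'

# Optional: only needed if users will start logins from the AD FS sign-on page.
# Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

# Verify the trust before handing the AD FS metadata to Control Hub.
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if ($trust.SamlResponseSignature -ne 'MessageAndAssertion') { throw "Response signing not set on $TrustName" }
if ($trust.IssuanceTransformRules -notmatch 'nameidentifier')  { throw "Name ID claim rule missing on $TrustName" }
$trust | Select-Object Name, Identifier, SamlResponseSignature, AccessControlPolicyName

# Download the AD FS federation metadata from the same endpoint the browser step uses.
$FsHost = (Get-AdfsProperties).HostName
Invoke-WebRequest -Uri "https://$FsHost/FederationMetadata/2007-06/FederationMetadata.xml" `
    -OutFile 'C:\temp\adfs-FederationMetadata.xml'                   # assumed output path
```

Run it in an elevated PowerShell session on the AD FS server; the two throw checks fail fast if the signing setting or the Name ID rule did not apply.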