• SAML SSO for Solve

    When accessing Solve via a direct URL, you can configure SAML to enable Single Sign-On (SSO) authentication. The settings in Solve enable you to set up a trust relationship between the URL hosting Solve and your company's Identity Provider (IdP) so users can access Solve securely.

    Here is an overview of what you have to do to configure SAML with detailed steps provided below.

    • Enter the required URLs from your IdP into the Solve settings page.
    • Upload a trust certificate from your IdP into the Solve settings page.
    • Download the trust certificate from the Solve page and add it into your IdP.
    • Retrieve the necessary fields from the Solve settings page and enter them into your IdP.

    Below are the specific steps you have to perform regardless of which IdP you use. Following this procedure, we have provided two use cases to demonstrate how to configure SAML/SSO in Solve for two specific Identity Providers: ADFS and Azure Active Directory.

    To configure SAML in the Solve interface:

      1. In your chosen IdP, locate the trust certificate to use for Solve and copy it to a location accessible to the local computer from where you are accessing Solve.
      2. Open the ControlUp Real-Time Console.
      3. Access Solve from the Solve menu on the top ribbon of the console. The Solve interface opens in a browser window.


      4. In the Solve home page, click the settings link at the bottom of the menu on the left side of the window.
      5. In the Solve Settings page, turn the toggle button on for Enable SAML (SSO) Authentication.

        Note: It is recommended not to enable both SAML and LDAP. If both are enabled, Solve uses SAML authentication.

      6. Enter the following URLs from your IdP:

    - IdP Login URL. The URL used for logging into your IdP.
    - IdP Logout URL. This is an optional field to use for signing out of the IdP.
    For example, if ADFS is the IdP, the URLs could look like this with your company's domain:
    SignURLsDomain.jpg

      7. Click IdP Signing Certificate and locate the certificate from your IdP that you copied in Step 1.
      8. Enter the Entity/Issuer ID. The virtual server as configured in the IdP connection certificate.
        For example, the URL could look like this with your company's domain:

    VirtualServerIDsURL.jpg

      9. The Solve settings page provides you with the following values:

    - Relying Party Trust Identifier. The uniform resource name that is a unique, persistent identifier.
    - Endpoint/Assertion Login URL. The endpoint that your IdP will use to redirect during the authentication process.
    - Assertion Logout URL
    Here's an example of what these values could look like:
    SOLVEvalues.jpg
    Copy these values and enter them into the appropriate locations in your IdP.

      10. Under Solve Signing Certificate, click the certificate link to download the trust certificate for Solve and save it in a location that your IdP can access.

    Now you can return to your chosen IdP and create an endpoint for Solve using the values provided and the downloaded certificate. 

    Use Case Example - Active Directory Federated Service (ADFS)

    Read here to get the basic details of how to configure secure SAML authentication if your Identity Provider (IdP) is ADFS. 

    1. Open your ADFS interface.
    2. Under the Service folder, click Certificates. Copy one of the certificates to a location accessible to the user configuring the SAML settings for Solve.

    This is step 1 from the generic steps above, and you upload this certificate in step 7 above.

    3. In the ADFS interface, select Relying Party Trusts. Right-click to open the Properties dialog.

    ADFS Properties Dialog

    4. In the Properties dialog, select the Endpoints tab and click Add SAML... The Edit Endpoint dialog opens.
    5. In the Trusted URL field, enter the Assertion URL you retrieved from the Solve Settings page in step 9 of the procedure above.

    ADFS Edit Endpoint Dialog

    Ensure that:
    Endpoint type is SAML Assertion Consumer
    Binding is POST

    6. Click OK and this Endpoint is added.

    ADFS - Endpoint Added

    7. In the same Properties dialog, select the Signature tab, click Add and upload the Solve certificate you downloaded in step 10 of the procedure above.

    ADFS - Add Signature

    8. In the same Properties dialog, select the Identifiers tab, and under the Relying party identifier: field, enter the Relying Party Trust Identifier value you retrieved from the Solve Settings page in step 9 of the above procedure. Click Add next to the field and you'll see the URN added to the list of Relying party identifiers in the dialog.

    ADFS Identifiers

    Your Solve users should now be able to authenticate through your ADFS identity provider.

    Use Case Example - Azure Active Directory SAML

    Prerequisites:

    • Must have an Azure Enterprise account.
    • Azure Active Directory (AD) must be configured.
    • Must have the necessary permissions to create the application.
    • We assert the UPN, and it must match what Azure presents, so we require the NameID attribute with the UPN value of the user. For example:

    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">The user Marcel created</NameID>
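
    Once the trust is configured on both sides, a response captured from a test login can be compared with the values exchanged in the generic procedure and with the NameID requirement above. The following Python check is an added example, not ControlUp code; it assumes the Entity/Issuer ID is the assertion's Issuer, the Relying Party Trust Identifier is the Audience, and the Endpoint/Assertion Login URL is the response Destination, and every URL, URN and user name in it is constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UPN_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+$")  # loose user@domain test

# Constructed values standing in for what you entered in Solve and the IdP.
EXPECTED = {
    "Entity/Issuer ID": "http://adfs.example.com/adfs/services/trust",
    "Relying Party Trust Identifier": "urn:example:solve",
    "Endpoint/Assertion Login URL": "https://solve.example.com/saml/acs",
}

# Constructed, unsigned sample of a decoded SAML response (not real traffic).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://solve.example.com/saml/acs">
  <saml:Assertion>
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:example:solve</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def find_mismatches(xml_text, expected=EXPECTED):
    """List fields in a decoded response that disagree with the configured
    values. Configuration diagnostic only: it does not verify the signature."""
    # ElementTree is not hardened against hostile XML; use on your own test logins.
    root = ET.fromstring(xml_text)

    def text_of(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else None

    observed = {
        "Entity/Issuer ID": text_of("saml:Assertion/saml:Issuer"),
        "Relying Party Trust Identifier": text_of(".//saml:Audience"),
        "Endpoint/Assertion Login URL": root.get("Destination"),
    }
    problems = [f"{name}: expected {expected[name]!r}, response has {value!r}"
                for name, value in observed.items() if value != expected[name]]
    name_id = text_of(".//saml:NameID")
    if not name_id or not UPN_SHAPE.match(name_id):
        problems.append(f"NameID: {name_id!r} is not a UPN-shaped value")
    return problems
```

    With the POST binding, the XML to check is the base64-decoded SAMLResponse form field from a test login.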

    Preparation on Azure AD

    1. In the Browse Azure AD Gallery, select Create your own application

    Azure AD - App Creation Screenshot

    2. In the Create your own application page, enter a name of your choosing and select Integrate any other application you don't find in the gallery.
    3. Click Create.
    4. Review the app you’ve just created.

    Azure AD - All Applications Menu

     

    Assignment Option

    In the properties Management tab, set User Assignment required? to NO. With this set to NO, users do not need to be assigned to the application in Azure AD before they can sign in.

     

    Side-by-side with comments (Azure console and Solve settings)

    Here is a side-by-side comparison of the values from Azure AD that must be entered into the Solve SAML settings and vice versa. The arrows indicate from where you can obtain the applicable string and to where it goes in the other application.

    Azure AD Console                                                                                                     Solve SAML Settings

    Screen_Shot_2021-06-23_at_12.15.42_PM.png

     

  • Custom Dashboards and Widgets

    You can now create your own dashboards in Solve!

    If you have Solve Admin permissions in the Security Policy Pane, these dashboards can be published so other users in your organization can access them. If you are not an admin, you can create dashboards for your own use.

    Solve already includes the following default dashboard options to which you can add your own:

    • All: Displays metrics for both User Experience and Resources. This is the default display unless you change the default.
    • User Experience: Displays all the metrics relevant to the end-user computing experience. These can include logon duration, user sessions, etc. You can view the metrics that affect how your users are experiencing your IT environment.
    • Resources: Displays all the metrics relevant to the infrastructure of your IT environment. These can include CPU usage, memory, network, machines, disk space, etc.

    Custom Dashboards

    You select from the different available dashboards and create new dashboards from this menu at the top of the Solve Dashboard view:

    Select.png

     

    To create a new dashboard:

    1. Click the caret in the dashboard box to open the list of all dashboards.
    2. Click the plus sign.
    3. Type a name into the field that opens at the bottom of the list. Use a name that reflects the data added to this dashboard. Press Enter and you can start adding widgets.
      Note: If you don't type a name within several seconds, a name such as New Dashboard 1 is automatically assigned to the dashboard you just created.

    To add widgets to a dashboard: 

    In the Start Building Your Dashboard page, click Add Widget. The Add Widget dialog opens.

    1. In Widget Type, click Custom if you want to create a widget with your own visualization and metrics.
      You can click from the other widget options to add a widget with the following out-of-the-box widget visualizations and metrics:
      - Resources Health. A double gauge that displays the health of your Hosts and Machines.
      - Sessions Stress Level. A single gauge displaying stress levels set in the system on sessions currently logging in.
      - Processes Stress Level. A single gauge displaying stress levels set in the system on the processes running in the context selected.
      - Top 5 Processes by CPU. Displays a bar graph of the 5 processes that are using the most CPU.
      - Top 5 Processes by Memory Utilization. Displays a bar graph of the 5 processes that are using the most memory.
      - Top 5 Processes by Disk Usage. Displays a bar graph of the 5 processes with the highest disk usage.
      - Top 5 User Sessions by CPU Consumption. Displays a bar graph of the 5 sessions that are consuming the most CPU.
      - Top 5 Slowest Logons. Displays a bar graph of the 5 connected users who have the slowest logon times.
      If you select one of these out-of-the-box widget options, you can change only the Scope or Widget Name.
      Note: You cannot change the Visualization and Metrics options when you select any of the out-of-the-box widgets. 
    2. If you selected Custom for your widget type, select how your widget looks with these Visualization options:
      - Gauge. Single counter that displays one percentage metric. The gauge displays the metric value relative to 100%.
      - Line Chart. Multi-counter that displays the change of the different values of metrics over time, displayed as a connected line.
      - Area Chart. Multi-counter that displays the change of the different values of metrics over time, displayed as a colored area.
      - Bar Chart. Multi-counter that displays different bars to indicate the value of every metric. The current value of each metric is displayed at the top of the bar.
      - Single Stat. Single counter that displays an aggregated count of metrics as a single number.
    3. If you selected Custom for your widget type, select which Metrics to display in the widget. Only those metrics that match the Visualization you selected in the previous step are available.
    4. For both custom and out-of-the-box widgets, select the default Scope of the data to display in your widget from the dropdown representing your organization tree. This is the default selection for this widget. If you highlight a different folder in your organization tree while viewing the dashboard, the scope of the data for this widget changes to the highlighted folder but defaults back to this selected scope if nothing is selected in the tree.
    5. For both custom and out-of-the-box widgets, enter a useful Widget Name that other users can recognize.

    In the bottom right-hand corner of the Add Widget dialog, you can see a preview of the widget you just created.

    WidgetPreview.png

    In this example, we created a Custom widget using the Area Chart to display the metrics for Datastores Free Space and Total Datastores Capacity. In this case the Scope is the full "controlup demo" organization.