
GETTING STARTED - Active Directory Integration


Jul 2022

Table of Contents
INTRODUCTION
REQUIREMENTS
ADFS AND OPENID CONNECT
    CREATE AN ACTIVE DIRECTORY USER GROUP
    INSTALL AND CONFIGURE AD FS
    CREATE THE AD FS APPLICATION GROUP
    ADDING RULES TO THE APPLICATION GROUP
    CONFIGURING THE CONNECTION TO THE HYPERCORE SYSTEM
FEEDBACK & SUPPORT

©2020 Scale Computing. All rights reserved. Any and all other trademarks used are owned by their respective holders.

INTRODUCTION
Scale Computing understands that Microsoft Active Directory (AD) is vital to storing and managing company
directory data that helps administrators monitor and manage their network’s users and computers. AD is important
for both organization and security. Being able to administer HyperCore with users and groups that are
managed with Active Directory Domain Services can therefore be a huge help to IT departments, allowing them to
extend Single Sign-On to their Scale Computing environments.

This quickstart document is intended to provide an introduction on how Scale Computing HyperCore can be
connected to AD using Active Directory Federation Services (AD FS) and OpenID Connect. AD FS provides users
a way to access applications that are incapable of using Integrated Windows Authentication (IWA). OpenID
Connect, on the other hand, is an identity layer based on OAuth 2.0 that allows Clients to identify users based on
an Authorization Server, which in this case is AD FS.

NOTE

Contact ScaleCare Support if you need assistance with your Scale Computing Platform
environment.


REQUIREMENTS
● Microsoft Active Directory domain controller
● Microsoft Active Directory Federation Services server
● Windows Server 2012 R2 or later
● Administrator access in the domain that will be connected to HyperCore
● Administrator access in HyperCore
● SSL Certificate for AD FS

NOTE

The SSL Certificate used for AD FS must be issued by a trusted certificate authority. Self-signed
certificates will not be accepted as valid.

ADFS AND OPENID CONNECT
CREATE AN ACTIVE DIRECTORY USER GROUP
We will now create the Active Directory (AD) user group that will be granted access to the HyperCore system. If the
group that will be given access already exists within the AD environment, proceed to Install and Configure AD FS.

1. Navigate to the Active Directory domain controller, open Windows Server Manager, then select Tools,
then Active Directory Users and Computers in the upper right corner.

2. We will now create a group of users that will have access to HyperCore. Right click on Users and create a
new user Group.

3. Name the group and make sure Group Scope = Global and Group Type = Security. After this group is
created, it will show up in the right pane of the Active Directory Users and Computers window.

4. Right click on the group and select Properties.

5. Select the Members tab at the top of the new window, then click Add. Enter all users in AD that should
have access to HyperCore.

6. Click OK on the Select Users, Contacts, Computers, Service Accounts, or Groups window.

7. Click OK on the group Properties window.

INSTALL AND CONFIGURE AD FS


NOTE

You can also install the AD FS role from the PowerShell console with this command:

Add-WindowsFeature adfs-federation -IncludeManagementTools

1. Navigate to a separate VM running Windows Server 2012 R2 or later. This is where we will
configure the AD FS role.

2. Log in to the server with a domain administrator account, navigate to Windows Server Manager,
then click Manage > Add Roles and Features.

3. Verify the information on the Before You Begin page, then click Next.

4. Select Role-based or feature-based installation, then click Next.

5. Select the server where the AD FS role should be installed, then click Next.

6. Select the Active Directory Federation Services checkbox, then click Next.

7. On the Features page, click Next.

8. On the AD FS page, click Next.

9. On the Confirmation page, click Install after confirming Active Directory Federation Services is listed.

NOTE

In order to continue configuring AD FS, you must have an SSL Certificate issued by a trusted
authority available to this server. For the purposes of this guide, the Active Directory
Certificate Authority (AD CA) was installed on the domain controller and a certificate was
created for the sole purpose of configuring AD FS. If you need guidance creating an SSL
Certificate, you can follow the steps here.

10. After AD FS is installed and a certificate has been requested for the server, go back to the Server
Manager and select the yellow notice box next to the flag icon at the top of the screen. Select the
Configure the federation service on this server link. This will open a configuration wizard for AD FS.

11. Make sure to select Create the first federation server in a federation server farm and click Next.

12. On the Connect to AD DS screen, make sure that an account with domain administrator permissions is
selected and click Next.

13. Select the previously requested SSL Certificate from the dropdown and name your Federation Service.

14. On the Specify Service Account screen, provide Administrator credentials for the domain containing
the HyperCore user group.

15. On the Specify Configuration Database screen, leave the default selection to Create a database on
this server using Windows Internal Database and click Next.

16. Review the configuration and click Configure on the Pre-requisite Checks screen. If prompted, restart the
computer before continuing.

CREATE THE AD FS APPLICATION GROUP
1. Open the Windows Server Manager, then click Tools, then select AD FS Management in the drop down
menu.

2. Right-click on the Application Groups folder and select Add Application Group…

3. In the Add Application Group Wizard, name the application group and select Server application
accessing a web API. Click Next.

4. Next, add the node IP addresses of your cluster into the Redirect URI box, starting with https://.
Note the Client Identifier that was generated. This will be required for later steps.

NOTE

Make sure to save the Client Identifier that was automatically generated. You will need this later!

5. After clicking Next, check the box next to Windows Integrated Authentication and select an account
with Administrator access in your AD. Check the box for Generate a shared secret to generate the
shared secret used for additional configuration. Note the Shared Secret. Click Next.

WARNING

Make sure to save this shared secret now. You will not be able to view it again. It is REQUIRED for
the remainder of the configuration.

6. Paste the Client Identifier that was generated in the previous steps into the Identifier box and
click Add.

7. Click Next.

8. Select Permit everyone and click Next.

9. You should now be at the Configure Application Permissions section. Select the Server application
you are creating in the Client application section, then check the allatclaims and openid boxes under
Permitted scopes.

10. Click Next.

11. Review your summary and click Next. You now have a new Application Group in AD FS.

ADDING RULES TO THE APPLICATION GROUP

1. Right click the newly created application group and select Properties.

2. Click on the Web API application and select Edit.

3. Navigate to the Issuance Transform Rules and click Add. We are now going to add a pair of rules.

4. In Claim rule template, select Send Group Membership as a Claim.

   a. Under User’s group, enter the AD group that will be given access to HyperCore.

   b. Under Outgoing claim type, input “roles”.

   c. Under Outgoing claim value, enter the name of the AD user group that will be given access to
   HyperCore.

   d. Click OK.

5. Next we need to add another rule. In Claim rule template, select Transform an Incoming Claim.

   a. Under Claim rule name, enter “roles to Roles”.

   b. For Incoming claim type, enter “roles”.

   c. For Outgoing claim type, enter “Roles”. Make sure Pass through all claim values is checked.

   d. Click OK.

6. After creating the Issuance Transform Rules, navigate to the Client Permissions tab of the Application
Group’s Web API properties box.

7. In Client application, select the server application that was just created as a part of the Application
Group (in the example, this was the “Home_Cluster - Server” application). If the application is not listed,
click Add… and add your server application.

Make sure this server application has both the allatclaims and openid permission scopes enabled.

8. Click Apply, then click OK.
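
To confirm that the two issuance transform rules above produce what they are meant to, the claims of an ID token captured from a test login can be inspected. The following Python is an added example, not part of the Scale Computing guide; the client identifier, the group name HyperCore-Admins and the sample tokens are constructed placeholders, and the token signature is not verified.

```python
import base64
import json
import time


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_roles_claim(claims: dict, client_id: str, group: str, now=None) -> list:
    """Return a list of problems; an empty list means the claims look as configured."""
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the Client Identifier")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    roles = claims.get("Roles")  # JSON keys are case-sensitive: "roles" != "Roles"
    if roles is None:
        if "roles" in claims:
            problems.append("only lowercase 'roles' present: transform rule missing")
        else:
            problems.append("no Roles claim: user not in the group or rule 1 missing")
    elif group not in (roles if isinstance(roles, list) else [roles]):
        problems.append("Roles claim does not contain the expected group")
    return problems


def _make_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo (constructed, not from AD FS)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed sample values; the client ID and group name are placeholders.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
GROUP = "HyperCore-Admins"
GOOD = _make_token({"aud": CLIENT_ID, "exp": 4102444800, "Roles": GROUP})
NO_TRANSFORM = _make_token({"aud": CLIENT_ID, "exp": 4102444800, "roles": GROUP})
NOT_MEMBER = _make_token({"aud": CLIENT_ID, "exp": 4102444800})

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("no transform", NO_TRANSFORM), ("not member", NOT_MEMBER)]:
        print(name, check_roles_claim(decode_jwt_claims(tok), CLIENT_ID, GROUP))
```

Because the application group uses the Permit everyone policy, a test login by a domain user outside the group is worth running as well: its token should come back without a Roles claim.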

CONFIGURING THE CONNECTION TO THE HYPERCORE SYSTEM
1. We will now need to retrieve the configuration URL to connect AD FS to the HyperCore system.

In the Start menu, locate the Windows PowerShell folder and run Windows PowerShell. In PowerShell,
type the following command:

Get-AdfsEndpoint | Select FullUrl | Select-String openid-configuration

This will output your configuration URL, indicated by the “FullUrl=” value. Copy and save this
configuration URL for later use.

2. At this point you have configured everything necessary to integrate HyperCore with AD FS.
Navigate to your HyperCore system interface.

3. In the Control Center, navigate to Settings and locate the OpenID Connect settings.

4. Click the OpenID Connect settings to open the configuration dialog. Provide the credentials
generated earlier in this process.

NOTE

The Client ID and Shared Secret are the same ones that were created in Create the AD FS
Application Group. The Config URL was retrieved through PowerShell at the start of the
Configuring the Connection to the HyperCore System section.

5. After updating these settings, when logging into HyperCore there will now be the option to
log in via typical HyperCore credentials or with a Microsoft account that is in the AD group
that has been granted access. Select OpenID Connect Login to connect via the Active
Directory integration.

6. Now you should be able to log in and log out of HyperCore using your Windows user accounts.
By default, AD FS will log you out after one hour. If you return to your Cluster UI after a
period of inactivity and see a message that says “Disconnected” you can log back in by
refreshing the page.
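
Before the configuration URL from step 1 is pasted into HyperCore, the discovery document it returns can be checked against what this guide configured. This is an added Python example, not from the Scale Computing guide; the host adfs.example.test and the sample document are constructed, and the same-host test on the endpoints is an assumption that holds for a single AD FS farm.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_SCOPES = {"openid", "allatclaims"}  # the two scopes the guide enables
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(config_url: str, doc: dict) -> list:
    """Return a list of problems found in an OpenID Connect discovery document."""
    problems = []
    url = urlsplit(config_url)
    if url.scheme != "https":
        problems.append("config URL is not https")
    if not url.path.endswith(WELL_KNOWN):
        problems.append("config URL does not end in " + WELL_KNOWN)
    # OIDC Discovery: issuer + WELL_KNOWN must be the URL the document came from.
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") + WELL_KNOWN != config_url:
        problems.append("issuer does not match the config URL")
    for key in ENDPOINT_KEYS:
        ep = urlsplit(doc.get(key, ""))
        # Assumption: all endpoints are served by the same AD FS host.
        if ep.scheme != "https" or ep.hostname != url.hostname:
            problems.append(f"{key} is missing, not https, or on another host")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems


# Constructed sample: the kind of URL and document step 1 leads to, on a made-up host.
SAMPLE_URL = "https://adfs.example.test/adfs/.well-known/openid-configuration"
SAMPLE_DOC = {
    "issuer": "https://adfs.example.test/adfs",
    "authorization_endpoint": "https://adfs.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.test/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.test/adfs/discovery/keys",
    "scopes_supported": ["openid", "profile", "email", "allatclaims"],
}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE_DOC) or "discovery document looks consistent")
```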

FEEDBACK & SUPPORT
DOCUMENT FEEDBACK
Scale Computing welcomes your suggestions for improving our documentation. Please send your feedback to
[email protected].

TECHNICAL SUPPORT AND RESOURCES
There are many technical support resources available for use. Access this document, and many others, at
http://www.scalecomputing.com/support/login/.

● Partner Portal - Partner and Distributor use only.
● User Community - Customer focused, including our online Forum.
