To configure SAML in Parallels RAS, you need the following:
- Microsoft Active Directory with the following two user accounts present:
- Enrollment agent user: used to enroll certificates through RAS Enrollment Server (ES) on behalf of the authenticated user.
- NLA User: used to initiate the NLA connection with RD Session Hosts and/or VDI guests.
See Active Directory user account configuration for required permissions and delegations. Note that Azure Active Directory Domain Services (AADDS) are not supported to be used with SAML SSO.
- Microsoft Enterprise Certification Authority (CA) including the following templates:
- Enrollment Agent Certificate Template
- Smartcard Logon Certificate Template
- Third-party Identity Provider (IdP) such as Azure, Okta, Ping Identity, Gemalto SafeNet, and others. This is where the user accounts will reside. User accounts in IdP must be synchronized with the Microsoft Active Directory environment. Please consult with the provider on how to properly synchronize users.
- Domain Controllers must have Domain Controller certificates. The certificates on the Domain Controllers must support smart card authentication. Certificates are created using the Microsoft CA certificate template named Domain Controller Authentication. Manually created Domain Controller certificates might not work. If you get an error "Request Not Supported", you may need to recreate Domain Controller certificates. Make sure RD Session Hosts and VDIs have the root certificate issued by the CA in the Trusted Root Certification Authorities store.
- A Parallels RAS Farm with RD Session Host and/or VDI workloads (running on 64-bit OS).
- For security reasons, the RAS Enrollment Server is recommended to be installed on a dedicated host. The host should be a standalone server that does not have any other components and roles installed.
- Both SAML and RAS Enrollment Server configurations are Site-specific settings within the RAS environment. RAS administrators must have "Allow viewing of site information" and "Allow site changes" permissions delegated.