When you make use of ADFS for Single Sign On, and have a previous relying party trust configured please take the following steps to migrate the connection. 

If you require the Token to be encrypted please open a ticket with CloudHealth Support first as we will need to request a change be made to the connection on our side before you can proceed with the migration.

1. Open the ADFS Management Console
2. Open the Relying Party Trust folder, and right click the Relying Party Trust setup for CloudHealth, and select properties.
3. Under the Monitoring tab, if the Monitor Relying Party is checked, uncheck the box to allow the configuration to be modified.
   
   
   
   
   

4.  Switch to the Identifiers tab - 

   Update the Display Name field if required (display name for relying party trust), and remove the existing Relying Party Identifier - 
   
   
   
   
   

5. Once removed add the following Identifier - https://access.broadcom.com/default in the Relying Party identifier field and select Add -
   
   
   
   
6. Navigate to the Endpoints tab – remove the existing endpoints
   
   
   
   
7. Select the Add SAML option, and add the following Endpoints -
   
   - https://access.broadcom.com/default/saml/v1/sp/acs
   
   
    
   
   - https://access.broadcom.com/default/saml/v1/sp/acs?sp=53359bda-9a9c-4264-a114-9a246544c372
   
   
   
   
   
   
   
8. Navigate to the Signature tab -
   
   You will find the Certificate references CN=cloudhealthtech.auth0.com
   
   
   
   
   Remove the Certificate as it will need to be updated to the Certificate for Authhub
   
   AuthHub Cert - 
   
   

   -----BEGIN CERTIFICATE----- MIIDMjCCAhqgAwIBAgIQFlW71gOejlw0kFtQui5TMjANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQK DAhCcm9hZGNvbTEMMAoGA1UECwwDU0VEMRAwDgYDVQQDDAdkZWZhdWx0MB4XDTI0MDIyNzIwMjI0 M1oXDTI2MTEyMzIwMjI0M1owMzERMA8GA1UECgwIQnJvYWRjb20xDDAKBgNVBAsMA1NFRDEQMA4G A1UEAwwHZGVmYXVsdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALmjAZZhGDhum73X kIgPAPxvzedDxXeIJTpgCGEF3UI8SPAJw42w9JB6kN5jLKkIGjwf3Hxaepkuu5j3H2VvpmF0Vy+o AbuOBqouZJkN3e6Po82Rb6ryYL8UwNxxCqCd+2OeZUbXfyTTemqtmQCOAnSnwYtT2BpGmQPM+rwE 0qSeHHLqIz6RbwIP77pXq0/6LrP37vl8kExFxxUgixJhBykl3oL9KCD+fkLyf7mkqe77IFXCbfs3 9z4oH1/oVnZv5yUF6acfwo5bvpZv15brpU5gUypLpIzJ4dygQwEt5ajEGRZxYb8BarBeqc1raSjs H2lxLo40f87gQrTBFOvqHCMCAwEAAaNCMEAwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBaAw IAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAyVu2B TeOu3qVGqzwq5L2w1gWMIosKDRv8OiP5qofevJz/TaUCl4wam30oekuGUREbs/asb4rTD9kJXj9C T2Dm11patLf91HMGKpgpGWRO6HRzVG3yQYRwaynVzirlrxydjB2fqBEi/FK13ROJPjMDkS0m7tDI ozTpSOtLqPH19exu9M8V7kVYfqNTrwdcxG6ZBsyAur0cT9nJp3yF925/d01Gm17IezGR5JZtq1K/ jVThkOgb6iM+azwjaxDrLoWybnDi3Bvc1X6UqgbPZjAIX+uGMZcPrSBSeI0h2hXgl/RuzEBeOJwH 4vWUczZ/kcss6zzSFzscr9kCiLOX9O+z -----END CERTIFICATE-----

   
   
   Add the following Certificate by:
   
   1. Copy the value above into notepad.
   2. Save as AH.CER into a directory
   3. Select Add -> and select the AH.CER file from the directory.
   
   
9. The Signature tab should now appear as -
   
   
   
   
   
10. Navigate to the Encryption tab. This will be filled with a Certificate by default if you imported the connection from the Auth0 Federation Metadata file.
    
    This is optional however, if you do not require the SSO token/assertion to be encrypted remove the certificate and move to the next step.
    
    If you do require the token to be encrypted replace the certificate with the AH.CER certificate from Step 9, there is a further step required by Engineering on the CloudHealth side to enable this however please submit a support ticket and do not publish the changes to the connection.
    
    
    
11. Confirm the changes and hit apply. Right click the Relying Party Trust and select Edit Claim Issuance Policy -
    
    Ensure that the email claim is setup as the following by selecting the rule, and selecting edit rule
    
    
    
    If the outgoing claim type is set to another value, overwrite it by typing email”
    
    If you need to create this claim rule, select Add Rule -> Send LDAP Attributes as Claims, and specify a name and populate the values in the screenshot above.
    
    
12. Edit the Name claim, the following example uses “upn” as the source attribute -
    
    
    
    No matter what attribute you’re using as the source, ensure that the Type under the => issue portion of the rule is set to name, and does not include a namespace -
    
    See following examples of Display Name, and Windows Account Name below also -
    
    Windows Account Name -
    
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(Type = "name", Value = c.Value);
    
    Display name -
    
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("name"), query = ";displayName;{0}", param = c.Value); 
    
    
    UPN -
    
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
     => issue(Type = "name", Value = c.Value);
     
    If you need to add this in manually select Add Rule -> Send LDAP Attributes as Claims and then populate the rule syntax as above.
    
    
13. If you are making use of a claim rule to pass roles - ensure that the "Outgoing claim type" field is overwritten with roles as per the screenshot below - repeat this for all roles claim rules.
    
    
    
    
    
14. If you are making use of a claim rule to pass a value for user group mapping, ensure that similar to step 13 that the =>Issue Type is set to the key name, without a namespace. 
    
15. Under AD FS Management -> select Certificates -> right click Token – Signing Certificate -> View Certificate.
    
    In the window select the Details tab ->
    
    
    
    
    
16. Under the Certificate Export Wizard select Base-64 encoded X.509 (.CER) option -
    
    
    
    Select Next
    
    
17. Set a Path for the Certificate -> and hit Next and then Finish on the next page.
    
    Open the Certificate and capture the value, this will need to be set as the Signing Certificate in CloudHealth AuthHub SAML.
    
    
18. Open the Federation Metadata file for the ADFS server, typically available from https://<server host name>/FederationMetadata/2007-06/FederationMetadata.xml
    
    Within the file locate the Entity ID, found under the EntityDescriptor element under Entity ID =
    
    Typically in format – http://<domain name> /adfs/services/trust
    
    
19. Pull the Login Service URL – this will be located within the Federation Metadata document – typically in format https://<server domain name>/adfs/ls
    
    
20. Populate these values under Setup -> Admin -> Single Sign On -> AuthHub SAML
    
    
21. Validate the connection by attempting to sign in via an incognito browser.