Configure federation on the Active Directory Federation Services side
The AD FS configuration in these instructions is described using Windows Server 2019 as an example; steps may differ for other versions.
You should configure Active Directory Federation Services (AD FS) according to Microsoft's recommendations for deploying AD FS clusters and proxy servers.
Build a relationship of trust
- On the AD FS server, open Server Manager.
- On the Tools menu, select AD FS Management.
- In the Actions pane, select Relying Party Trusts → Add Relying Party Trust.
- In step Welcome select Claims aware.
- Click Start.
- In step Select Data Source select Enter data about the relying party manually.
- Click Next.
- In the field Display name enter a name for the trust relationship.
- Click Next.
- If you checked the box Sign authentication requests when creating the federation, on the step Configure Certificate add the Selectel certificate for signing requests. It can be downloaded from the federation page.
- Click Next.
- In step Configure URL check the box Enable support for the SAML 2.0 WebSSO protocol and specify the URL to which users will be redirected after authentication: https://api.selectel.ru/v1/auth/federations/<federation_id>/saml/acs, where <federation_id> is the ID of the federation on the Selectel side. You can find it in the control panel: go to the section Access control → Federations → federation line → field ID.
- Click Next.
- In step Configure Identifiers specify the URL: https://api.selectel.ru/v1/federations/saml/<federation_id>
- Click Add → Next.
- Optional: in step Choose Access Control Policy specify who will be able to authenticate with this federation. The default policy is Permit for everyone, which allows access for all users.
- In step Ready to Add Trust check the data and press Close.
Customize Claims Mapping
After successful authentication in AD FS, Selectel receives a SAML message. To identify the user correctly, you must map the user data to the elements of the SAML message.
- In the AD FS management console, in the Relying Party Trusts block, right-click the trust relationship with the relying party and select Edit Claim Issuance Policy.
- Click Add Rule.
- In step Choose Rule Type in the field Claim rule template select Send LDAP Attributes as Claims.
- Click Next.
- In step Configure Claim Rule in the field Claim rule name enter the name of the rule.
- In the field Attribute store select Active Directory.
- In the column LDAP Attribute specify what will be passed as the user ID (External ID). You can specify:
  - User-Principal-Name — username;
  - E-Mail-Addresses — email.
- In the column Outgoing Claim Type select Name ID.
- Click Finish → OK.
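The same relying party trust and claim rule, scripted with the AD FS PowerShell module (Windows Server 2016 or later) as an added example that is not part of these instructions. The trust name, the federation ID and the certificate path are placeholders; the claim rule is the claim-rule-language form of the Send LDAP Attributes as Claims template shown above.

```powershell
# Added example, not from the Selectel instructions: creates the relying party trust
# and the Name ID claim rule described above with the AD FS PowerShell module.
Import-Module ADFS

$federationId = "<federation_id>"   # placeholder: Access control -> Federations -> field ID
$acsUrl       = "https://api.selectel.ru/v1/auth/federations/$federationId/saml/acs"
$identifier   = "https://api.selectel.ru/v1/federations/saml/$federationId"

# SAML 2.0 WebSSO assertion consumer endpoint (where users land after authentication).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# "Send LDAP Attributes as Claims" in claim rule language: userPrincipalName from
# Active Directory is issued as the Name ID claim (External ID on the Selectel side).
# Replace userPrincipalName with mail to send the e-mail address instead.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Selectel External ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

$params = @{
    Name                    = "Selectel"          # placeholder display name
    Identifier              = $identifier
    SamlEndpoint            = $acs
    IssuanceTransformRules  = $rules
    AccessControlPolicyName = "Permit everyone"   # built-in policy; restrict to a group where needed
}

# Only if "Sign authentication requests" is enabled on the federation: load the
# certificate downloaded from the federation page (path is a placeholder) and
# require that incoming SAML requests are signed with it.
$signingCertPath = "C:\certs\selectel-request-signing.cer"
if (Test-Path $signingCertPath) {
    $params.RequestSigningCertificate  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingCertPath)
    $params.SignedSamlRequestsRequired = $true
}

Add-AdfsRelyingPartyTrust @params

# Check what was created: identifier, ACS endpoint and the issued claim rule.
Get-AdfsRelyingPartyTrust -Name $params.Name |
    Select-Object Name, Identifier, SamlEndpoints, SignedSamlRequestsRequired, IssuanceTransformRules
```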