Configure federation on the Active Directory Federation Services side
The AD FS configuration in these instructions is described using Windows Server 2019 as an example; the steps may differ for other versions.
You should configure Active Directory Federation Services (AD FS) according to Microsoft's recommendations for deploying AD FS clusters and proxy servers.
- Build a relationship of trust.
- If you checked the Sign authentication requests checkbox when creating the federation, upload a certificate to sign the requests.
- Customize Claims Mapping.
1. Build a relationship of trust
1. On the AD FS server, open Server Manager.
2. From the Tools menu, select AD FS Management.
3. In the Actions block, select Relying Party Trust → Add Relying Party Trust.
4. In the Welcome step:
   4.1 Select Claims aware.
   4.2 Press Start.
5. In the Select Data Source step:
   5.1 Select Enter data about the relying party manually.
   5.2 Press Next.
6. In the Specify Display Name step:
   6.1 In the Display name field, enter a name for the trust relationship.
   6.2 Press Next.
7. In the Configure Certificate step:
   7.1 If you checked the Sign authentication requests checkbox when creating the federation, download the certificate for signing requests and add it here.
   7.2 Press Next.
8. In the Configure URL step:
   8.1 Check the Enable support for the SAML 2.0 WebSSO protocol checkbox.
   8.2 In the URL field, enter the address to which users will be redirected after authentication: https://api.selectel.ru/v1/auth/federations/<federation_id>/saml/acs. Replace <federation_id> with the ID of the federation on the Selectel side. You can view it in the control panel: in the top menu, click Account → federation section → federation row → ID field.
   8.3 Press Next.
9. In the Configure Identifiers step:
   9.1 In the URL field, enter the address: https://api.selectel.ru/v1/federations/saml/<federation_id>.
   9.2 Click Add → Next.
10. In the Choose Access Control Policy step:
   10.1 Optional: specify who will be allowed to authenticate through this federation. By default, the Permit for everyone policy is selected, which allows access for all users.
   10.2 Press Next.
11. In the Ready to Add Trust step:
   11.1 Check the data.
   11.2 Press Close.
2. Upload a certificate to sign requests
A certificate for signing requests must be uploaded to AD FS if you checked the Sign authentication requests checkbox when creating the federation.
1. On the AD FS server, open the Service → Relying Party Trusts folder.
2. Click the Relying Party Trust that you created.
3. On the right side of the Actions section, in the box with the name of the Relying Party Trust you created, click Properties.
4. Open the Signature tab.
5. Click Add.
6. Add the certificate for signing requests that you downloaded when configuring the trust relationship in step 7.1.
3. Customize Claims Mapping
After successful authentication in AD FS, Selectel will receive a SAML message. To identify the user correctly, you must configure which user data is mapped to the elements of the SAML message.
1. On the AD FS server, open the Service → Relying Party Trusts folder.
2. Right-click your Relying Party Trust and select Edit Claim Issuance Policy.
3. Click Add Rule.
4. In the Choose Rule Type step:
   4.1 In the Claim rule template field, select Send LDAP Attributes as Claims.
   4.2 Click Next.
5. In the Configure Claim Rule step:
   5.1 Enter a rule name in the Claim rule name field.
   5.2 In the Attribute store field, select Active Directory.
   5.3 In the LDAP Attribute column, specify what will be passed as the user ID (External ID). You can specify:
      - User-Principal-Name: user name;
      - E-Mail-Addresses: email.
   5.4 In the Outgoing Claim Type column, select Name ID.
6. Click Finish → OK.
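The same three procedures (trust relationship, request-signing certificate, Name ID claim rule) can be scripted with the AD FS PowerShell module that ships with Windows Server, which is handy for repeatable deployments and for checking afterwards what the wizard actually produced. The block below is an added example, not code from the Selectel documentation or from Microsoft. It assumes the placeholder federation ID, the display name "Selectel federation", the certificate file path C:\certs\selectel-request-signing.cer, and the built-in access control policy name "Permit everyone" (the policy the page calls "Permit for everyone"); the claim-rule text is the standard AD FS rule language that the Send LDAP Attributes as Claims template generates for User-Principal-Name → Name ID.

```powershell
# Added example (not from the Selectel docs): builds the Relying Party Trust
# described in the steps above with the AD FS module. Values in <angle brackets>
# and the certificate path are assumptions you must replace.
Import-Module ADFS

$FederationId    = "<federation_id>"                                   # Account -> federation row -> ID
$TrustName       = "Selectel federation"                               # display name, step 6.1
$AcsUrl          = "https://api.selectel.ru/v1/auth/federations/$FederationId/saml/acs"   # step 8.2
$Identifier      = "https://api.selectel.ru/v1/federations/saml/$FederationId"            # step 9.1
$SigningCertPath = "C:\certs\selectel-request-signing.cer"             # assumed path; needed only when request signing is on

# Equivalent of "Send LDAP Attributes as Claims" with User-Principal-Name -> Name ID
# (steps 5.3 and 5.4). Replace userPrincipalName with mail to send E-Mail-Addresses instead.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Selectel Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Assertion Consumer Service endpoint (SAML 2.0 WebSSO, HTTP-POST binding), step 8.
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

$params = @{
    Name                    = $TrustName
    Identifier              = $Identifier
    SamlEndpoint            = $acsEndpoint
    AccessControlPolicyName = "Permit everyone"     # default from step 10.1
    IssuanceTransformRules  = $IssuanceRules
}

# Section 2: register the request-signing certificate and require signed AuthnRequests,
# so AD FS rejects unsigned or differently signed requests that claim to come from Selectel.
if (Test-Path $SigningCertPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $SigningCertPath
    $params.RequestSigningCertificate  = $cert
    $params.SignedSamlRequestsRequired = $true
}

if (Get-AdfsRelyingPartyTrust -Name $TrustName) {
    throw "A Relying Party Trust named '$TrustName' already exists; use Set-AdfsRelyingPartyTrust to change it."
}
Add-AdfsRelyingPartyTrust @params

# Verification: confirm the identifier, the ACS endpoint, the signing requirement and the
# Name ID rule are what the Selectel side expects before testing a login.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, SamlEndpoints, SignedSamlRequestsRequired, IssuanceTransformRules |
    Format-List
```

The verification step is worth keeping even when you use the wizard: a trust whose Identifier or ACS URL carries the wrong federation ID fails silently at login, and a trust created without SignedSamlRequestsRequired will accept unsigned authentication requests even though a signing certificate was attached.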