Configure federation on the Active Directory Federation Services side

For your information

The AD FS configuration in these instructions is described using Windows Server 2019 as an example; the steps may differ in other versions.

You should configure Active Directory Federation Services (AD FS) according to Microsoft's recommendations for deploying AD FS clusters and proxy servers.

  1. Configure trust relationship.
  2. Configure Claims Mapping.

Build a relationship of trust

  1. On the AD FS server, open Server Manager.
  2. From the Tools menu, select AD FS Management.
  3. In the Actions block, select Relying Party Trusts → Add Relying Party Trust.
  4. At the Welcome step, select Claims aware.
  5. Press Start.
  6. At the Select Data Source step, select Enter data about the relying party manually.
  7. Press Next.
  8. In the Display name field, enter a name for the trust relationship.
  9. Press Next.
  10. If you checked the Sign authentication requests checkbox when creating the federation, at the Configure Certificate step add the Selectel certificate used for request signing. You can download it from the federation page.
  11. Press Next.
  12. At the Configure URL step, check the Enable support for the SAML 2.0 WebSSO protocol checkbox and specify the URL to which users will be redirected after authentication: https://api.selectel.ru/v1/auth/federations/<federation_id>/saml/acs. Replace <federation_id> with the federation ID on the Selectel side; you can view it in the control panel: menu in the upper right corner → Profile & Settings → Federations → federation row → ID field.
  13. Press Next.
  14. In the Configure Identifiers step, specify the URL: https://api.selectel.ru/v1/federations/saml/<federation_id>.
  15. Press Add, then Next.
  16. Optional: At the Choose Access Control Policy step, specify who will be able to authenticate using this federation. The default policy is Permit for everyone, which allows access for all users.
  17. At the Ready to Add Trust step, verify the data and click Close.

Customize Claims Mapping

After successful authentication in AD FS, a SAML message is sent to Selectel. For the user to be identified correctly, you must map the user's Active Directory attributes to the elements of the SAML message.

  1. In the AD FS Management console, in the Relying Party Trusts block, right-click the trust relationship with the relying party and select Edit Claim Issuance Policy.

  2. Press Add Rule.

  3. At the Choose Rule Type step, in the Claim rule template field, select Send LDAP Attributes as Claims.

  4. Press Next.

  5. In the Configure Claim Rule step, enter a rule name in the Claim rule name field.

  6. In the Attribute store field, select Active Directory.

  7. In the LDAP Attribute column, select the attribute whose value will be passed as the External ID. You may specify:

    • User-Principal-Name — the user's UPN (the userPrincipalName attribute);
    • E-Mail-Addresses — the user's email (the mail attribute).

    The value must match the External ID stored for the user on the Selectel side, so choose the same attribute that was used when the users were created.
  8. In the Outgoing Claim Type column, select Name ID.

  9. Press Finish, then OK.
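
The two procedures above (the relying party trust and the Name ID claim rule) done from an elevated PowerShell session on the AD FS server with the ADFS module, as an added example; this is not part of the original page and not a Selectel-provided script. The federation ID, the display name, the certificate path and the choice of userPrincipalName are placeholders and assumptions; the claim rule text is what the Send LDAP Attributes as Claims template generates.

```powershell
# Added example: create the Selectel relying party trust and its Name ID claim rule
# with the ADFS PowerShell module. Run as an administrator on the AD FS server.
Import-Module ADFS

$federationId = "<federation_id>"       # assumption: federation ID from the Selectel control panel
$trustName    = "Selectel"              # assumption: any display name for the trust
$acsUrl       = "https://api.selectel.ru/v1/auth/federations/$federationId/saml/acs"
$identifier   = "https://api.selectel.ru/v1/federations/saml/$federationId"
$signingCert  = "C:\certs\selectel-request-signing.cer"   # assumption: certificate downloaded from the federation page
$requireSignedRequests = $true          # set to $false if "Sign authentication requests" was not enabled

# Assertion Consumer Service endpoint: AD FS POSTs the SAML response here after login
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Claim rule in AD FS claim rule language (the text the "Send LDAP Attributes as Claims"
# template writes): look up userPrincipalName for the authenticated account and issue it as Name ID.
# Replace userPrincipalName with mail to send E-Mail-Addresses instead.
$nameIdRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Selectel Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

$params = @{
    Name                    = $trustName
    Identifier              = $identifier
    SamlEndpoint            = $acs
    # Default policy from the wizard; use a built-in policy such as "Permit specific group"
    # (with -AccessControlPolicyParameters) to restrict who may authenticate through this federation.
    AccessControlPolicyName = "Permit everyone"
    IssuanceTransformRules  = $nameIdRule
}

if ($requireSignedRequests) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $signingCert
    $params.RequestSigningCertificate  = $cert
    # Reject AuthnRequests that are not signed with the Selectel certificate
    $params.SignedSamlRequestsRequired = $true
}

Add-AdfsRelyingPartyTrust @params

# Check: identifier, ACS URL, signing requirement and the issued rule should match what Selectel expects
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, SignedSamlRequestsRequired,
        @{ n = 'AcsUrl'; e = { $_.SamlEndpoints | ForEach-Object { $_.Location } } },
        IssuanceTransformRules
```

If the trust already exists, replace Add-AdfsRelyingPartyTrust with Set-AdfsRelyingPartyTrust -TargetName $trustName and the same parameters. After the first test login, confirm on the Selectel side that the Name ID value in the assertion equals the user's External ID; a mismatch between UPN and email here is the usual reason a user authenticates in AD FS but is not recognised by Selectel.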