User group mapping in Microsoft Active Directory Federation Services
You can use Active Directory Federation Services
To configure mapping between user groups in AD FS and user groups in an identity federation:
- Collect AD FS farm data.
- Create a Yandex Cloud Organization federation.
- Add the AD FS certificate to the federation.
- Create and configure a relying party trust on the AD FS side.
- Configure attribute mapping on the AD FS side.
- Configure group mapping on the federation side.
- Test authentication.
Getting started
Make sure to meet the following prerequisites:
- You have access to the Active Directory Users and Computers MMC snap-in to manage domain computers, users, and groups.
- You have configured an AD FS farm with one or more valid Token-signing certificates to sign tokens.
- You have access to the following tools to manage this farm:
  - AD FS Management MMC snap-in.
  - PowerShell module to manage AD FS.
Collect AD FS farm data
- Get and save the certificate that will be used to sign messages from AD FS.
  To get a Token-Signing certificate in Base64 format, run the following commands in PowerShell, providing the path where to save the certificate:
    $ADFS_CERT_PATH = "<certificate_file_path>/adfs_certificate.cer"
    $TEMP_CERT = (Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $true} | Select-Object -First 1).Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    @(
        '-----BEGIN CERTIFICATE-----'
        [System.Convert]::ToBase64String($TEMP_CERT, 'InsertLineBreaks')
        '-----END CERTIFICATE-----'
    ) | Out-File -FilePath $ADFS_CERT_PATH -Encoding ascii
  The certificate will be saved as adfs_certificate.cer.
- Get and save the federation service identifiers you will use to configure your identity federation:
  - Get the FS ID (Federation Service identifier):
      Get-AdfsProperties | Select Identifier
    The ID has the following format:
      http://<federation_service_name>/adfs/services/trust
  - Get the federation service endpoint:
      Get-AdfsEndpoint -AddressPath /adfs/ls/ | Select FullUrl
    The endpoint has the following format:
      https://<federation_service_name>/adfs/ls/
  Note
  The http:// scheme in the ID does not mean that data will be sent in plain text over HTTP. AD FS and Yandex Cloud will interact via an endpoint over HTTPS.
Create a Yandex Cloud Organization federation
- Go to Yandex Cloud Organization.
- In the left-hand panel, select Federations.
- Click Create federation.
- Enter a name for the federation, e.g., demo-federation. It must be unique within the folder.
- You can also add a description, if required.
- In the Cookie lifetime field, specify the time before the browser asks the user to re-authenticate.
- In the IdP Issuer field, paste the federation service ID you got when collecting AD FS farm data.
- Select POST from the Single Sign-On method drop-down list.
- In the Link to the IdP login page field, paste the federation service endpoint you got when collecting AD FS farm data.
- Enable Automatically create users to automatically add a new user to your organization after authentication. Otherwise, you will need to manually add your federated users.
  A federated user is created automatically only when they log in to a cloud for the first time. If you removed a user from the federation, you can only add them back manually.
- (Optional) To make sure that all authentication requests from Yandex Cloud contain a digital signature, enable Sign authentication requests.
- Enable Mandatory re-authentication (ForceAuthn) in IdP to set true for the ForceAuthn parameter in a SAML authentication request. If enabled, the IdP will request the user to re-authenticate once the Yandex Cloud session expires.
- Click Create federation.
- Use the link in the Sign authentication requests field to download the certificate (if the option was enabled earlier).
  You will need this certificate later when configuring the AD FS relying party trust.
Add the AD FS certificate to the federation
To enable Cloud Organization to verify the AD FS certificate during authentication, add the certificate to the federation:
- Go to Yandex Cloud Organization.
- In the left-hand panel, navigate to Federations and select the federation to add the certificate to: demo-federation.
- At the bottom of the page, click Adding a certificate.
- Enter the certificate name and specify the path to the adfs_certificate.cer file you saved earlier.
- Click Add.
Tip
To ensure the authentication is not interrupted when the certificate expires, add multiple certificates to the federation, i.e., both the current one and those to use afterwards. If one certificate becomes invalid, Yandex Cloud will try another one to verify the signature.
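The export command in the "Collect AD FS farm data" section saves only the primary token-signing certificate, while the tip above asks for the next certificate as well. The following PowerShell script is an added example (not from the Yandex Cloud documentation or the AD FS module) that exports every token-signing certificate in the farm, prints each one's validity window and thumbprint so the secondary certificate can be uploaded before the primary expires, and collects the FS ID and endpoint in the same run. It assumes it runs on an AD FS server with the AD FS PowerShell module loaded; <certificate_dir> is a placeholder for the output directory.

```powershell
# Added example: export all AD FS token-signing certificates (primary and secondary)
# as Base64 .cer files and report their validity windows.
# Assumption: the AD FS PowerShell module is available on this host.
# <certificate_dir> is a placeholder for the directory to write the files to.

$OutDir = "<certificate_dir>"

# Get-AdfsCertificate returns one entry per token-signing certificate; IsPrimary marks the active one.
$certs = Get-AdfsCertificate -CertificateType Token-Signing

$report = foreach ($entry in $certs) {
    $x509 = $entry.Certificate
    $role = if ($entry.IsPrimary) { "primary" } else { "secondary" }
    $path = Join-Path $OutDir ("adfs_token_signing_{0}_{1}.cer" -f $role, $x509.Thumbprint)

    # DER export of the public certificate only (no private key), then PEM-wrap it as the page does.
    $der = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    @(
        '-----BEGIN CERTIFICATE-----'
        [System.Convert]::ToBase64String($der, 'InsertLineBreaks')
        '-----END CERTIFICATE-----'
    ) | Out-File -FilePath $path -Encoding ascii

    # Validity window and thumbprint: upload the secondary before NotAfter of the primary.
    [pscustomobject]@{
        Role       = $role
        Thumbprint = $x509.Thumbprint
        NotBefore  = $x509.NotBefore
        NotAfter   = $x509.NotAfter
        File       = $path
    }
}
$report | Format-Table -AutoSize

# The two values from "Collect AD FS farm data": IdP Issuer and the login page link.
$identifier = (Get-AdfsProperties).Identifier
$endpoint   = (Get-AdfsEndpoint -AddressPath /adfs/ls/).FullUrl
Write-Host "IdP Issuer (FS ID): $identifier"
Write-Host "IdP login page:     $endpoint"

# If automatic rollover is on, these properties show when AD FS will generate and promote the next certificate.
Get-AdfsProperties | Select-Object AutoCertificateRollover, CertificateRolloverInterval, CertificateGenerationThreshold, CertificatePromotionThreshold
```

With automatic certificate rollover enabled, AD FS generates the next token-signing certificate ahead of time and it appears in the report as secondary; upload that file to the federation alongside the primary one so signature verification keeps working across the promotion.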
Create and configure a relying party trust on the AD FS side
AD FS acts as the identity provider (IdP), with a relying party trust configured. To create and configure a relying party trust:
- Open the AD FS Management MMC snap-in.
- In the console tree, under AD FS, right-click Relying Party Trusts and select Add Relying Party Trust.
  This will open the Add Relying Party Trust wizard.
- At the Welcome step, select Claims aware. Click Start.
- At the Select Data Source step, select Enter data about the relying party manually. Click Next.
- At the Specify Display Name step, specify a name for the relying party trust, e.g., Yandex Cloud, and its description, if required. Click Next.
- Skip the Configure Certificate step by clicking Next.
- At the Configure URL step, specify the redirect URL:
  - Check the Enable support for the SAML 2.0 Web SSO protocol box.
  - Specify the redirect URL in the Relying party SAML 2.0 SSO service URL field.
    The redirect URL must be in the following format:
      https://console.cloud.yandex.ru/federations/<federation_ID>
    How to get the federation ID
    - Go to Yandex Cloud Organization.
    - In the left-hand panel, select Federations.
    - Copy the ID of the federation you are configuring access for.
  - Click Next.
- At the Configure Identifiers step, specify the relying party ID:
  - In the Relying party identifier field, specify the redirect URL from the previous step.
  - Click Add.
  - Click Next.
- At the Choose Access Control Policy step, enable I do not want to configure access control policies at this time. No user will be permitted access for this application. Click Next.
  You will configure access control policies later.
- At the Ready to Add Trust step, make sure all the parameters are correct. Click Next.
- At the Finish step, disable Configure claims issuance policy for this application. Click Close.
  You will configure claim issuance policies later.
- Optionally, if you enabled Sign authentication requests when creating a federation in Yandex Cloud Organization, configure the associated relying party trust parameters:
  - Open the context menu of the relying party trust you created and select Properties.
    This will open the window with relying party trust properties.
  - Go to the Encryption tab and add the previously obtained certificate:
    - Click Browse.
    - Select the certificate file, such as YandexCloud.cer.
  - Go to the Signature tab and add the same certificate:
    - Click Add.
    - Select the certificate file.
  - Click OK.
  - Enable required claim encryption and request signing for the created relying party trust:
      Set-AdfsRelyingPartyTrust `
          -TargetName "Yandex Cloud" `
          -EncryptClaims $true `
          -SignedSamlRequestsRequired $true `
          -SamlResponseSignature MessageAndAssertion
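The wizard steps above can be reproduced from PowerShell, which also gives a repeatable way to check the trust afterwards. The script below is an added example, not code from the Yandex Cloud documentation or the AD FS module: it creates the "Yandex Cloud" relying party trust with the redirect URL as both identifier and assertion consumer endpoint, attaches the YandexCloud.cer certificate for request signing and claim encryption (the Signature and Encryption tabs), applies the same Set-AdfsRelyingPartyTrust hardening the page shows, and then reads the trust back to confirm each setting. It assumes the AD FS PowerShell module and that Sign authentication requests was enabled in the federation; <federation_ID> and <path_to_YandexCloud.cer> are placeholders.

```powershell
# Added example: create and verify the "Yandex Cloud" relying party trust from PowerShell.
# Assumptions: AD FS PowerShell module loaded; YandexCloud.cer downloaded from the federation
# (Sign authentication requests enabled). Placeholders: <federation_ID>, <path_to_YandexCloud.cer>.

$FederationId = "<federation_ID>"
$RedirectUrl  = "https://console.cloud.yandex.ru/federations/$FederationId"
$CertPath     = "<path_to_YandexCloud.cer>"

# Certificate Yandex Cloud signs AuthnRequests with; the page uses the same file on the Encryption tab.
$ycCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Assertion consumer service with HTTP-POST binding: the "Relying party SAML 2.0 SSO service URL".
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $RedirectUrl -Index 0

$trustParams = @{
    Name                       = "Yandex Cloud"
    Identifier                 = $RedirectUrl          # "Relying party identifier" = redirect URL
    SamlEndpoint               = $acs
    RequestSigningCertificate  = $ycCert               # Signature tab
    EncryptionCertificate      = $ycCert               # Encryption tab
    EncryptClaims              = $true                 # same flags as the page's Set-AdfsRelyingPartyTrust call
    SignedSamlRequestsRequired = $true
    SamlResponseSignature      = "MessageAndAssertion"
}
Add-AdfsRelyingPartyTrust @trustParams

# Verification: read the stored trust and compare every security-relevant setting with the intended value.
$trust = Get-AdfsRelyingPartyTrust -Name "Yandex Cloud"
$checks = [ordered]@{
    "Identifier is the redirect URL"          = ($trust.Identifier -contains $RedirectUrl)
    "Claims are encrypted"                    = [bool]$trust.EncryptClaims
    "Signed AuthnRequests are required"       = [bool]$trust.SignedSamlRequestsRequired
    "Message and assertion are signed"        = ("$($trust.SamlResponseSignature)" -eq "MessageAndAssertion")
    "Encryption cert matches YandexCloud.cer" = ($trust.EncryptionCertificate.Thumbprint -eq $ycCert.Thumbprint)
}
foreach ($name in $checks.Keys) {
    "{0,-42} {1}" -f $name, $(if ($checks[$name]) { "OK" } else { "MISMATCH" })
}
```

The verification block is the part worth keeping around: rerunning it after any change to the trust confirms that unsigned AuthnRequests are still rejected and that the encryption certificate still belongs to the federation rather than to a stale download.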
Configure attribute mapping on the AD FS side
Create a user
- Open the Active Directory Users and Computers MMC snap-in.
- In the console tree, select the organizational unit (OU) where you need to create a user, right-click it, and select New → User.
  This will open the New Object - User wizard.
- Specify user info:
  - User logon name: Username, such as adfs_demo_user, in combination with the domain, e.g., example.com.
    Note
    In the steps below, we will use the example.com domain name. If your domain has a different name, adjust the following steps accordingly.
  - Full name: Full name of the user, e.g., Ivan Ivanov.
  You may provide other user info, if required.
- Click Next.
- Specify a password and configure the associated policies:
  - Enter and confirm the password.
  - Optionally, disable User must change password at next login.
    Otherwise, the user will be prompted to change the password the first time they authenticate in AD FS.
  - Make sure to uncheck Account is disabled.
    Warning
    Otherwise, the user account will be disabled. The user will be unable to authenticate in AD FS and access Yandex Cloud.
  - If required, select other options based on the relevant password policies.
- Click Next and then Finish.
Create a group
- Open the Active Directory Users and Computers MMC snap-in.
- In the console tree, select the organizational unit where you need to create a group, right-click it, and select New → Group.
  This will open the New Object - Group wizard.
- Specify the group info:
  - Group name: Name of the group, e.g., adfs_group.
  - Group name (pre-Windows 2000): Group name in the legacy format to use with pre-Windows 2000 systems.
    By default, this name is the same as the group name you specify. You can enter a different name, if required.
- Specify the group settings:
  - Group scope: Global
  - Group type: Security
- Click OK.
Add the user to the group
- Open the Active Directory Users and Computers MMC snap-in.
- In the console tree, select the organizational unit containing the adfs_group group.
- In the result pane, select the adfs_group group. Then, right-click the group and select Properties from the context menu.
  This will open the window with group properties.
- Go to the Members tab and click Add.
- Enter the adfs_demo_user username and click OK.
- Click OK.
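The three procedures above (create a user, create a group, add the user to the group) can be done in one PowerShell run with the ActiveDirectory module. The script below is an added example, not code from the Yandex Cloud documentation: it creates adfs_demo_user in the example.com domain with the same options the wizard steps describe (password change at next login not required, account enabled), creates the global security group adfs_group, adds the user to it, and then reads the account and its group membership back, which is the state AD FS will later turn into the Name ID and Group claims. It assumes the ActiveDirectory module (RSAT) is installed; <OU_distinguished_name> is a placeholder for the target OU.

```powershell
# Added example: create the demo user and group with the ActiveDirectory module and verify the result.
# Assumptions: ActiveDirectory module (RSAT) installed; domain example.com as in the steps above.
# Placeholder: <OU_distinguished_name> is the distinguished name of the OU to create the objects in.

Import-Module ActiveDirectory

$Domain = "example.com"
$OuPath = "<OU_distinguished_name>"

# Prompt for the password instead of embedding it in the script.
$password = Read-Host -AsSecureString -Prompt "Password for adfs_demo_user"

$userParams = @{
    Name                  = "Ivan Ivanov"            # Full name
    GivenName             = "Ivan"
    Surname               = "Ivanov"
    SamAccountName        = "adfs_demo_user"         # User logon name (pre-Windows 2000)
    UserPrincipalName     = "adfs_demo_user@$Domain"  # User logon name + domain; becomes the Name ID claim
    Path                  = $OuPath
    AccountPassword       = $password
    ChangePasswordAtLogon = $false                   # "User must change password at next login" unchecked
    Enabled               = $true                    # "Account is disabled" unchecked
}
New-ADUser @userParams

$groupParams = @{
    Name           = "adfs_group"
    SamAccountName = "adfs_group"                    # Group name (pre-Windows 2000); same as the name by default
    GroupScope     = "Global"                        # Group scope: Global
    GroupCategory  = "Security"                      # Group type: Security
    Path           = $OuPath
}
New-ADGroup @groupParams

# Members tab -> Add
Add-ADGroupMember -Identity "adfs_group" -Members "adfs_demo_user"

# Verification: the account must be enabled, carry the expected UPN, and be a member of adfs_group.
$user   = Get-ADUser -Identity "adfs_demo_user" -Properties Enabled, UserPrincipalName
$groups = Get-ADPrincipalGroupMembership -Identity "adfs_demo_user" | Select-Object -ExpandProperty Name

[pscustomobject]@{
    Enabled           = $user.Enabled
    UPN               = $user.UserPrincipalName
    MemberOfAdfsGroup = ($groups -contains "adfs_group")
    Groups            = ($groups -join ", ")
}
```

The Groups field in the output is what the Token-Groups - Unqualified Names attribute will send later: short names without a domain, which is why the group name alone is enough on the Yandex Cloud side.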
Configure the access control policy
This policy enables authentication of users belonging to the previously created group.
To configure such a policy:
- Open the AD FS Management MMC snap-in.
- In the console tree, select AD FS → Relying Party Trusts.
- Select the Yandex Cloud relying party trust in the result pane.
- Right-click the trust and select Edit Access Control Policy.
  This will open the window with a list of policies.
- Select the Permit Specific Group policy from the Choose an access control policy list.
- Click the parameter link in the Policy field with the selected policy description.
- Click Add.
- Enter the adfs_group group name and click OK.
- In the Select Groups window, click OK.
- In the Edit Access Control Policy for Yandex Cloud window, click OK.
Configure LDAP attribute mapping
- Open the AD FS Management MMC snap-in.
- In the console tree, select AD FS → Relying Party Trusts.
- Select the Yandex Cloud relying party trust in the result pane.
- Right-click the trust and select Edit Claim Issuance Policy.
  This will open the window with a list of policies.
- Click Add Rule.
  This will open the Add Transform Claim Rule wizard.
- At the Choose rule type step, select Send LDAP Attributes as Claims from the Claim rule template drop-down list. Click Next.
- Configure the rule at the Configure Claim Rule step:
  - Claim rule name: Rule name, e.g., LDAP Mappings.
  - Attribute store: Active Directory.
  - Mapping of LDAP attributes to outgoing claim types: List of mappings in the form of attribute/outgoing claim type pairs.
    Add the following required mappings to the list to enable proper communication with Yandex Cloud:
    - Attribute: User-Principal-Name. Outgoing claim type: Name ID.
      Attribute to use to identify the user. In this case, the user will be identified by their user principal name (UPN). The UPN of the previously created user will look like this: adfs_demo_user@example.com
      You may use a different attribute as long as it is permanent and unique to ensure unambiguous user identification. In this case, adjust the following steps.
    - Attribute: Token-Groups - Unqualified Names. Outgoing claim type: Group.
      List of groups the user belongs to. This list will be used for group mapping when authenticating the user in Yandex Cloud.
      This specific attribute enables sending short group names, such as adfs_group or Domain Users, that do not specify a domain. You may use a different attribute from the Token-Groups family, e.g., Token-Groups as SIDs. In this case, adjust the following steps.
    Tip
    To send other supported user attributes, add more mappings, if required.
- Click Finish.
- Click OK.
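The Send LDAP Attributes as Claims wizard stores the two mappings above as one rule in the AD FS claim rule language. The script below is an added example, not code from the Yandex Cloud documentation: it applies an equivalent "LDAP Mappings" rule to the "Yandex Cloud" trust from PowerShell and reads the stored rule set back, so the mapping can be versioned and audited instead of living only in the MMC dialog. It assumes the AD FS PowerShell module and the trust created earlier. The rule text follows what the template generates for User-Principal-Name → Name ID and Token-Groups - Unqualified Names → Group (the LDAP attribute names userPrincipalName and tokenGroups, and the standard nameidentifier and Group claim-type URIs); if you created the rule in the wizard first, compare its IssuanceTransformRules output with this text before replacing it.

```powershell
# Added example: apply the "LDAP Mappings" issuance rule from PowerShell and read it back.
# Assumptions: AD FS PowerShell module loaded; the "Yandex Cloud" relying party trust exists.
# The rule text mirrors the "Send LDAP Attributes as Claims" template for the two mappings on the page.

$ruleSet = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Mappings"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/claims/Group"), query = ";userPrincipalName,tokenGroups;{0}", param = c.Value);
'@

# -IssuanceTransformRules replaces the trust's entire issuance transform rule set with this text.
Set-AdfsRelyingPartyTrust -TargetName "Yandex Cloud" -IssuanceTransformRules $ruleSet

# Read back what AD FS stored. In the MMC UI the two claim-type URIs show as "Name ID" and "Group".
$trust  = Get-AdfsRelyingPartyTrust -Name "Yandex Cloud"
$stored = $trust.IssuanceTransformRules
$stored

# Sanity checks on the stored rule: both claim types and both LDAP attributes must be present.
[pscustomobject]@{
    IssuesNameId    = ($stored -match "claims/nameidentifier")
    IssuesGroup     = ($stored -match "schemas\.xmlsoap\.org/claims/Group")
    UsesUpn         = ($stored -match "userPrincipalName")
    UsesTokenGroups = ($stored -match "tokenGroups")
}
```

Because the rule queries tokenGroups (unqualified names), the Group claim carries values such as adfs_group; switching to the Token-Groups as SIDs attribute changes both the query and the values Yandex Cloud must match in the next section.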
Configure group mapping on the federation side
- Go to Yandex Cloud Organization.
- Create a user group named yc-demo-group in Yandex Cloud Organization and authorize it to view resources in the cloud or a separate folder (the viewer role).
- In the left-hand panel, select Federations.
- Select the demo-federation you created previously and navigate to the IdP group tab.
- Enable group mapping in the Mapping group in IdP field.
- Click Add.
- In the Group name field, enter the group ID provided in AD FS claims.
  When using Token-Groups - Unqualified Names, specify the short group name, i.e., adfs_group, as the ID.
- In the IAM group field, select the yc-demo-group group you created in Yandex Cloud Organization from the list.
- Click Save.
Test authentication
- Open your browser in guest or private browsing mode.
  For this, you must use a domain-joined computer with access to AD FS.
- Use this URL to log in to the management console:
    https://console.cloud.yandex.com/federations/<federation_ID>
  How to get the federation ID
  - Go to Yandex Cloud Organization.
  - In the left-hand panel, select Federations.
  - Copy the ID of the federation you are configuring access for.
  If you have set up everything correctly, the browser will redirect you to the authentication page in AD FS.
- Enter the credentials of the adfs_demo_user@example.com user you created earlier and click Sign in.
  On successful authentication, the IdP server will redirect you to the URL (https://console.cloud.yandex.ru/federations/<federation_ID>) you specified in the relying party trust settings, and then to the management console home page.
- Make sure the signed-in user belongs to yc-demo-group and has the viewer permissions for resources according to the role assigned to the group.