User group mapping in Microsoft Active Directory Federation Services

Written by

Yandex Cloud

Updated at October 17, 2024

Getting started
Collect AD FS farm data
Create a Yandex Cloud Organization federation
Add the AD FS certificate to the federation
Create and configure a relying party trust on the AD FS side
Configure attribute mapping on the AD FS side
Configure group mapping on the federation side
Test authentication

You can use Active Directory Federation Services (AD FS) to authenticate users in an organization.

To configure mapping between user groups in AD FS and user groups in an identity federation:

Getting started

Make sure to meet the following prerequisites:

You have access to the Active Directory Users and Computers MMC snap-in to manage domain computers, users, and groups.
You have configured a AD FS farm with one or more valid Token-signing certificates to sign tokens.
You have access to the following tools to manage this farm:
- AD FS Management MMC snap-in.
- PowerShell module to manage AD FS.

Collect AD FS farm data

Get and save the certificate that will be used to sign messages from AD FS.

To get a Token-Signing certificate in Base64 format, run the following commands in PowerShell, providing the path where to save the certificate:

$ADFS_CERT_PATH = "<certificate_file_path>/adfs_certificate.cer"

$TEMP_CERT = (Get-AdfsCertificate -CertificateType Token-Signing |
                where {$_.IsPrimary -eq $true} | Select-Object -First 1
             ).Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

@(
    '-----BEGIN CERTIFICATE-----'
    [System.Convert]::ToBase64String($TEMP_CERT, 'InsertLineBreaks')
    '-----END CERTIFICATE-----'
) | Out-File -FilePath $ADFS_CERT_PATH -Encoding ascii

The certificate will be saved as adfs_certificate.cer.

Get and save the credentials you will use to configure your identity federation:
1. Get the FS ID (Federation Service identifier):
```
Get-AdfsProperties | Select Identifier
```
  The ID has the following format:
```
http://<federation_service_name>/adfs/services/trust
```
2. Get the federation service endpoint:
```
Get-AdfsEndpoint -AddressPath /adfs/ls/ | Select FullUrl
```
  The endpoint has the following format:
```
https://<federation_service_name>/adfs/ls/
```
Note

The http:// scheme in the ID is does not mean that data will be sent in plain text over HTTP.

AD FS and Yandex Cloud will interact via an endpoint over HTTPS.

Create a Yandex Cloud Organization federation

Go to Yandex Cloud Organization.
In the left-hand panel, select Federations.
Click Create federation.
Enter a name for the federation, e.g., demo-federation. It must be unique within the folder.
You can also add a description, if required.
In the Cookie lifetime field, specify the time before the browser asks the user to re-authenticate.
In the IdP Issuer field, paste the federation service ID you got when collecting AD FS farm data.
Select POST from the Single Sign-On method drop-down list.
In the Link to the IdP login page field, paste the federation service endpoint you got when collecting AD FS farm data.
Enable Automatically create users to automatically add a new user to your organization after authentication. Otherwise, you will need to manually add your federated users.

A federated user is created automatically only when they log in to a cloud for the first time. If you removed a user from the federation, you can only add them back manually.
(Optional) To make sure that all authentication requests from Yandex Cloud contain a digital signature, enable Sign authentication requests.
Enable Mandatory re-authentication (ForceAuthn) in IdP to set true for the ForceAuthn parameter in a SAML authentication request. If enabled, the IdP will request the user to re-authenticate once the Yandex Cloud session expires.
Click Create federation.
Use the link in the Sign authentication requests field to download the certificate (if the option was enabled earlier).

You will need this certificate later when configuring the AD FS relying party trust.

Add the AD FS certificate to the federation

To enable Cloud Organization to verify the AD FS certificate during authentication, add the certificate to the federation:

Go to Yandex Cloud Organization.
In the left-hand panel, navigate to Federations and select the federation to add the certificate to: demo-federation.
At the bottom of the page, click Adding a certificate.
Enter the certificate name and specify the path to the adfs_certificate.cer file you saved earlier.
Click Add.

Tip

To ensure the authentication is not interrupted when the certificate expires, add multiple certificates to the federation, i.e., both the current one and those to use afterwards. If one certificate goes invalid, Yandex Cloud will try another one to verify the signature.

Create and configure a relying party trust on the AD FS side

AD FS acts as the identity provider (IdP), with a relying party trust configured. To create and configure a relying party trust:

Open the AD FS Management MMC snap-in.
In the console tree, under AD FS, right-click Relying Party Trusts and select Add Relying Party Trust.

This will open the Add Relying Party Trust wizard.
At the Welcome step, select Claims aware. Click Start.
At the Select Data Source step, select Enter data about the relying party manually. Click Next.
At the Specify Display Name step, specify a name for the relying party trust, e.g., Yandex Cloud, and its description, if required. Click Next.
Skip the Configure Certificate step by clicking Next.
At the Configure URL step, specify the redirect URL.
1. Check the Enable support for the SAML 2.0 Web SSO protocol box.
2. Specify the redirect URL in the Relying party SAML 2.0 SSO service URL field.
  
  The redirect URL must be in the following format:
```
https://console.cloud.yandex.ru/federations/<federation_ID>
```
  How to get the federation ID
  1. Go to Yandex Cloud Organization.
  2. In the left-hand panel, select Federations .
  3. Copy the ID of the federation you are configuring access for.
3. Click Next.
At the Configure Identifiers step, specify the relying party ID:
1. In the Relying party identifier field, specify the redirect URL from the previous step.
2. Click Add.
3. Click Next.
Enable I do not want to configure access control policies at this time. No user will be permitted access for this application at the Choose Access Control Policy step. Click Next.

You will configure access control policies later.
At the Ready to Add Trust step, make sure all the parameters are correct. Click Next.
Disable Configure claims issuance policy for this application at the Finish step. Click Close.

You will configure claim issuance policies later.
Optionally, if you enabled Sign authentication requests when creating a federation in Yandex Cloud Organization, configure the associated relying party trust parameters:
1. Open the context menu of the relying party trust you created and select Properties.
  
  This will open the window with relying party trust properties.
2. Go to the Encryption tab and add the previously obtained certificate:
  1. Click Browse.
  2. Select the certificate file, such as YandexCloud.cer.
3. Go to the Signature tab and add the same certificate:
  1. Click Add.
  2. Select the certificate file.
4. Click OK.
5. Enable required claim encryption and request signing for the created relying party trust:
```
Set-AdfsRelyingPartyTrust `
    -TargetName "Yandex Cloud" `
    -EncryptClaims $true `
    -SignedSamlRequestsRequired $true `
    -SamlResponseSignature MessageAndAssertion
```

Configure attribute mapping on the AD FS side

Create a user

Open the Active Directory Users and Computers MMC snap-in.
In the console tree, select the organization unit (OU) where you need to create a user, right-click it, and select New → User.

This will open the New Object - User wizard.
Specify user info:
- User logon name: Username, such as adfs_demo_user, in combination with the domain, e.g., example.com.
  
  Note
  
  In the steps below, we will use the example.com domain name. If your domain has a different name, adjust the following steps accordingly.
- Full name: Full name of the user, e.g., Ivan Ivanov.
You may provide other user info, if required.
Click Next.
Specify a password and configure the associated policies:
1. Enter and confirm the password.
2. Optionally, disable User must change password at next login.
  
  Otherwise, the user will be prompted to change the password the first time they get authenticated in AD FS.
3. Make sure to uncheck Account is disabled.
  
  Warning
  
  Otherwise, the user account will be disabled.
  
  The user will be unable to get authenticated in AD FS and access Yandex Cloud.
4. If required, select other options based on the relevant password policies.
Click Next and then Finish.

Create a group

Open the Active Directory Users and Computers MMC snap-in.
In the console tree, select the organization unit where you need to create a group, right-click it and select New → Group.

This will open the New Object - Group wizard.
Specify the group info:
- Group name: Name of the group, e.g., adfs_group.
- Group name (pre-Windows 2000): Group name in the legacy format to use with pre-Windows 2000 systems.
  
  By default, this name is the same as the group name you specify. You can enter a different name, if required.
Specify the group settings:
- Group scope: Global
- Group type: Security
Click OK.

Add the user to the group

Open the Active Directory Users and Computers MMC snap-in.
In the console tree, select the organization unit containing the adfs_group group.
In the result pane, select the adfs_group group. Then, right-click the group and select Properties from the context menu.

This will open the window with group properties.
Go to the Members tab and click Add.
Enter the adfs_demo_user username and click OK.
Click OK.

Configure the access control policy

This policy enables authentication of users belonging to the previously created group.

To configure such a policy:

Open the AD FS Management MMC snap-in.
In the console tree, select AD FS → Relying Party Trusts.
Select the Yandex Cloud relying party trust in the result pane.
Right-click the trust and select Edit Access Control Policy.

This will open the window with a list of policies.
Select the Permit Specific Group policy from the Choose an access control policy list.
Click the parameter link in the Policy field with the selected policy description.
Click Add.
Enter the adfs_group group name and click OK.
In the Select Groups window, click OK.
In the Edit Access Control Policy for Yandex Cloud window, click OK.

Configure LDAP attribute mapping

Open the AD FS Management MMC snap-in.
In the console tree, select AD FS → Relying Party Trusts.
Select the Yandex Cloud relying party trust in the result pane.
Right-click the trust and select Edit Claim Issuance Policy.

This will open the window with a list of policies.
Click Add Rule.

This will open the Add Transform Claim Rule wizard.
Select Send LDAP Attributes as Claims from the Claim rule template drop-down list at the Choose rule type step. Click Next.

Configure the rule at the Configure Claim Rule step:

Claim rule name: Rule name, e.g., LDAP Mappings.
Attribute store: Active Directory.

Mapping of LDAP attributes to outgoing claim types: List of mappings in the form of attribute/outgoing claim type pairs.

Add the following required mappings to the list to enable proper communication with Yandex Cloud:

Attribute

Outgoing claim type

User-Principal-Name

Attribute to use to identify the user.

In this case, the user will be identified by their user principal name (UPN). The UPN of the previously created user will look like this:

adfs_demo_user@example.com

You may use a different attribute as long as it is permanent and unique to ensure unambiguous user identification. In this case, adjust the following steps.

Name ID

Token-Groups - Unqualified Names

List of groups the user belongs to. This list will be used for group mapping when authenticating the user in Yandex Cloud.

This specific attribute enables sending short group names, such as adfs_group or Domain Users, that do not specify a domain.

You may use a different attribute from the Token-Groups family, e.g., Token-Groups as SIDs. In this case, adjust the following steps.

Group

Tip

To send other supported user attributes, add more mappings, if required.

Click Finish.
Click OK.

Configure group mapping on the federation side

Go to Yandex Cloud Organization.
Create a user group named yc-demo-group in Yandex Cloud Organization and authorize it to view resources in the cloud or a separate folder (the viewer role).
In the left-hand panel, select Federations.
Select demo-federation you created previously and navigate to the IdP group tab.
Enable group mapping in the Mapping group in IdP field.
Click Add.
In the Group name field, enter the group ID provided in AD FS claims.

When using Token-Groups - Unqualified Names, specify the short group name, i.e., adfs_group, as the ID.
In the IAM group field, select the yc-demo-group group you created in Yandex Cloud Organization from the list.
Click Save.

Test authentication

Open your browser in guest or private browsing mode.

For this, you must use a domain-joined computer with access to AD FS.
Use this URL to log in to the management console:
```
https://console.cloud.yandex.com/federations/<federation_ID>
```
How to get the federation ID
1. Go to Yandex Cloud Organization.
2. In the left-hand panel, select Federations .
3. Copy the ID of the federation you are configuring access for.
If you have set up everything correctly, the browser will redirect you to the authentication page in AD FS.
Enter the credentials of the adfs_demo_user@example.com user you created earlier and click Sign in.

On successful authentication, the IdP server will redirect you to the URL (https://console.cloud.yandex.ru/federations/<federation_ID>) you specified in the relying party trust settings, and then to the management console home page.
Make sure the signed in user belongs to yc-demo-group and has the viewer permissions for resources according to the role assigned to the group.

User group mapping in Microsoft Active Directory Federation Services

Getting startedGetting started

Collect AD FS farm dataCollect AD FS farm data

Create a Yandex Cloud Organization federationCreate a Yandex Cloud Organization federation

Add the AD FS certificate to the federationAdd the AD FS certificate to the federation

Create and configure a relying party trust on the AD FS sideCreate and configure a relying party trust on the AD FS side

Configure attribute mapping on the AD FS sideConfigure attribute mapping on the AD FS side

Create a userCreate a user

Create a groupCreate a group

Add the user to the groupAdd the user to the group

Configure the access control policyConfigure the access control policy

Configure LDAP attribute mappingConfigure LDAP attribute mapping

Configure group mapping on the federation sideConfigure group mapping on the federation side

Test authenticationTest authentication

Was the article helpful?