Contact UsGet started
© 2024 Iron Hive LLC Belgrade

User group mapping in Microsoft Active Directory Federation Services

Written by
Updated at November 7, 2024

You can use Active Directory Federation Services (AD FS) to authenticate users in an organization.

To configure mapping between user groups in AD FS and user groups in an identity federation:

  1. Collect AD FS farm data.
  2. Create a Yandex Cloud Organization federation.
  3. Add the AD FS certificate to the federation.
  4. Create and configure a relying party trust on the AD FS side.
  5. Configure attribute mapping on the AD FS side.
  6. Configure group mapping on the federation side.
  7. Test authentication.

Getting started

Make sure to meet the following prerequisites:

  1. You have access to the Active Directory Users and Computers MMC snap-in to manage domain computers, users, and groups.

  2. You have configured a AD FS farm with one or more valid Token-signing certificates to sign tokens.

  3. You have access to the following tools to manage this farm:

Collect AD FS farm data

  1. Get and save the certificate that will be used to sign messages from AD FS.

    To get a Token-Signing certificate in Base64 format, run the following commands in PowerShell, providing the path where to save the certificate:

    $ADFS_CERT_PATH = "<path_to_certificate>/adfs_certificate.cer"

$TEMP_CERT = (Get-AdfsCertificate -CertificateType Token-Signing |
                where {$_.IsPrimary -eq $true} | Select-Object -First 1
             ).Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

@(
    '-----BEGIN CERTIFICATE-----'
    [System.Convert]::ToBase64String($TEMP_CERT, 'InsertLineBreaks')
    '-----END CERTIFICATE-----'
) | Out-File -FilePath $ADFS_CERT_PATH -Encoding ascii

    The certificate will be saved as adfs_certificate.cer.

  2. Get and save the credentials you will use to configure your identity federation:

    1. Get the FS ID (Federation Service identifier):

      Get-AdfsProperties | Select Identifier

      The ID has the following format:

      http://<federation_service_name>/adfs/services/trust

    2. Get the federation service endpoint:

      Get-AdfsEndpoint -AddressPath /adfs/ls/ | Select FullUrl

      The endpoint has the following format:

      https://<federation_service_name>/adfs/ls/

    Note

    The http:// scheme in the ID is does not mean that data will be sent in plain text over HTTP.

    AD FS and Yandex Cloud will interact via an endpoint over HTTPS.

Create a Yandex Cloud Organization federation

  1. Go to Yandex Cloud Organization.

  2. In the left-hand panel, select Federations.

  3. Click Create federation in the top-right corner of the page. In the window that opens:

    1. Enter a name for the federation, e.g., demo-federation. It must be unique within the folder.

    2. You can also add a description, if required.

    3. In the Cookie lifetime field, specify the time before the browser asks the user to re-authenticate.

    4. In the IdP Issuer field, paste the federation service ID you got when collecting AD FS farm data.

    5. Select POST from the Single Sign-On method drop-down list.

    6. In the Link to the IdP login page field, paste the federation service endpoint you got when collecting AD FS farm data.

    7. Enable Automatically create users to automatically add a new user to your organization after authentication. Otherwise, you will need to manually add your federated users.

      A federated user is created automatically only when they log in to a cloud for the first time. If you removed a user from the federation, you can only add them back manually.

    8. (Optional) To make sure that all authentication requests from Yandex Cloud contain a digital signature, enable Sign authentication requests.

    9. Enable Mandatory re-authentication (ForceAuthn) in IdP to set true for the ForceAuthn parameter in a SAML authentication request. If enabled, the IdP will request the user to re-authenticate once the Yandex Cloud session expires.

    10. Click Create federation.

  4. Use the link in the Sign authentication requests field to download the certificate (if the option was enabled earlier).

    You will need this certificate later when configuring the AD FS relying party trust.

Add the AD FS certificate to the federation

To enable Cloud Organization to verify the AD FS certificate during authentication, add the certificate to the federation:

  1. Go to Yandex Cloud Organization.

  2. In the left-hand panel, select Federations.

  3. Click the row with the federation you need to add a certificate for: demo-federation.

  4. At the bottom of the page, under Certificates, click Adding a certificate.

  5. Enter the certificate name and specify the path to the adfs_certificate.cer file you saved earlier.

  6. Click Add.

Tip

To ensure the authentication is not interrupted when the certificate expires, add multiple certificates to the federation, i.e., both the current one and those to use afterwards. If one certificate goes invalid, Yandex Cloud will try another one to verify the signature.

Create and configure a relying party trust on the AD FS side

AD FS acts as the identity provider (IdP), with a relying party trust configured. To create and configure a relying party trust:

  1. Open the AD FS Management MMC snap-in.

  2. In the console tree, under AD FS, right-click Relying Party Trusts and select Add Relying Party Trust.

    This will open the Add Relying Party Trust wizard.

  3. At the Welcome step, select Claims aware. Click Start.

  4. At the Select Data Source step, select Enter data about the relying party manually. Click Next.

  5. At the Specify Display Name step, specify a name for the relying party trust, e.g., Yandex Cloud, and its description, if required. Click Next.

  6. Skip the Configure Certificate step by clicking Next.

  7. At the Configure URL step, specify the redirect URL.

    1. Check the Enable support for the SAML 2.0 Web SSO protocol box.

    2. Specify the redirect URL in the Relying party SAML 2.0 SSO service URL field.

      The redirect URL must be in the following format:

      https://console.cloud.yandex.ru/federations/<federation_ID>
      How to get the federation ID

      1. Log in to Yandex Cloud Organization.

      2. In the left-hand panel, select Federations.

      3. Select the required federation and copy the Identifier field value on the federation info page.

    3. Click Next.

  8. At the Configure Identifiers step, specify the relying party ID:

    1. In the Relying party identifier field, specify the redirect URL from the previous step.

    2. Click Add.

    3. Click Next.

  9. Enable I do not want to configure access control policies at this time. No user will be permitted access for this application at the Choose Access Control Policy step. Click Next.

    You will configure access control policies later.

  10. At the Ready to Add Trust step, make sure all the parameters are correct. Click Next.

  11. Disable Configure claims issuance policy for this application at the Finish step. Click Close.

    You will configure claim issuance policies later.

  12. Optionally, if you enabled Sign authentication requests when creating a federation in Yandex Cloud Organization, configure the associated relying party trust parameters:

    1. Open the context menu of the relying party trust you created and select Properties.

      This will open the window with relying party trust properties.

    2. Go to the Encryption tab and add the previously obtained certificate:

      1. Click Browse.
      2. Select the certificate file, such as YandexCloud.cer.

    3. Go to the Signature tab and add the same certificate:

      1. Click Add.
      2. Select the certificate file.

    4. Click OK.

    5. Enable required claim encryption and request signing for the created relying party trust:

      Set-AdfsRelyingPartyTrust `
    -TargetName "Yandex Cloud" `
    -EncryptClaims $true `
    -SignedSamlRequestsRequired $true `
    -SamlResponseSignature MessageAndAssertion

Configure attribute mapping on the AD FS side

Create a user

  1. Open the Active Directory Users and Computers MMC snap-in.

  2. In the console tree, select the organization unit (OU) where you need to create a user, right-click it, and select NewUser.

    This will open the New Object - User wizard.

  3. Specify user info:

    • User logon name: Username, such as adfs_demo_user, in combination with the domain, e.g., example.com.

      Note

      In the steps below, we will use the example.com domain name. If your domain has a different name, adjust the following steps accordingly.

    • Full name: Full name of the user, e.g., Ivan Ivanov.

    You may provide other user info, if required.

  4. Click Next.

  5. Specify a password and configure the associated policies:

    1. Enter and confirm the password.

    2. Optionally, disable User must change password at next login.

      Otherwise, the user will be prompted to change the password the first time they get authenticated in AD FS.

    3. Make sure to uncheck Account is disabled.

      Warning

      Otherwise, the user account will be disabled.

      The user will be unable to get authenticated in AD FS and access Yandex Cloud.

    4. If required, select other options based on the relevant password policies.

  6. Click Next and then Finish.

Create a group

  1. Open the Active Directory Users and Computers MMC snap-in.

  2. In the console tree, select the organization unit where you need to create a group, right-click it and select NewGroup.

    This will open the New Object - Group wizard.

  3. Specify the group info:

    • Group name: Name of the group, e.g., adfs_group.

    • Group name (pre-Windows 2000): Group name in the legacy format to use with pre-Windows 2000 systems.

      By default, this name is the same as the group name you specify. You can enter a different name, if required.

  4. Specify the group settings:

    • Group scope: Global
    • Group type: Security

  5. Click OK.

Add the user to the group

  1. Open the Active Directory Users and Computers MMC snap-in.

  2. In the console tree, select the organization unit containing the adfs_group group.

  3. In the result pane, select the adfs_group group. Then, right-click the group and select Properties from the context menu.

    This will open the window with group properties.

  4. Go to the Members tab and click Add.

  5. Enter the adfs_demo_user username and click OK.

  6. Click OK.

Configure the access control policy

This policy enables authentication of users belonging to the previously created group.

To configure such a policy:

  1. Open the AD FS Management MMC snap-in.

  2. In the console tree, select AD FSRelying Party Trusts.

  3. Select the Yandex Cloud relying party trust in the result pane.

  4. Right-click the trust and select Edit Access Control Policy.

    This will open the window with a list of policies.

  5. Select the Permit Specific Group policy from the Choose an access control policy list.

  6. Click the parameter link in the Policy field with the selected policy description.

  7. Click Add.

  8. Enter the adfs_group group name and click OK.

  9. In the Select Groups window, click OK.

  10. In the Edit Access Control Policy for Yandex Cloud window, click OK.

Configure LDAP attribute mapping

  1. Open the AD FS Management MMC snap-in.

  2. In the console tree, select AD FSRelying Party Trusts.

  3. Select the Yandex Cloud relying party trust in the result pane.

  4. Right-click the trust and select Edit Claim Issuance Policy.

    This will open the window with a list of policies.

  5. Click Add Rule.

    This will open the Add Transform Claim Rule wizard.

  6. Select Send LDAP Attributes as Claims from the Claim rule template drop-down list at the Choose rule type step. Click Next.

  7. Configure the rule at the Configure Claim Rule step:

    • Claim rule name: Rule name, e.g., LDAP Mappings.

    • Attribute store: Active Directory.

    • Mapping of LDAP attributes to outgoing claim types: List of mappings in the form of attribute/outgoing claim type pairs.

      Add the following required mappings to the list to enable proper communication with Yandex Cloud:

      Attribute

      Outgoing claim type

      User-Principal-Name

      Attribute to use to identify the user.

      In this case, the user will be identified by their user principal name (UPN). The UPN of the previously created user will look like this:

      adfs_demo_user@example.com

      You may use a different attribute as long as it is permanent and unique to ensure unambiguous user identification. In this case, adjust the following steps.

      Name ID

      Token-Groups - Unqualified Names

      List of groups the user belongs to. This list will be used for group mapping when authenticating the user in Yandex Cloud.

      This specific attribute enables sending short group names, such as adfs_group or Domain Users, that do not specify a domain.

      You may use a different attribute from the Token-Groups family, e.g., Token-Groups as SIDs. In this case, adjust the following steps.

      Group

      Tip

      To send other supported user attributes, add more mappings, if required.

  8. Click Finish.

  9. Click OK.

Configure group mapping on the federation side

  1. Go to Yandex Cloud Organization.

  2. Create a user group named yc-demo-group in Cloud Organization and authorize it to view resources in the cloud or a separate folder (the viewer role).

  3. In the left-hand panel, select Federations.

  4. Select demo-federation you created previously and navigate to the IdP group tab.

  5. Enable Mapping group in IdP.

  6. Click Add.

  7. In the Group name field, enter the group ID provided in AD FS claims.

    When using Token-Groups - Unqualified Names, specify the short group name, i.e., adfs_group, as the ID.

  8. In the IAM group field, select the yc-demo-group group you created in Yandex Cloud Organization from the list.

  9. Click Save.

Test authentication

  1. Open your browser in guest or private browsing mode.

    For this, you must use a domain-joined computer with access to AD FS.

  2. Use this URL to log in to the management console:

    https://console.cloud.yandex.com/federations/<federation_ID>
    How to get the federation ID

    1. Log in to Yandex Cloud Organization.

    2. In the left-hand panel, select Federations.

    3. Select the required federation and copy the Identifier field value on the federation info page.

    If you have set up everything correctly, the browser will redirect you to the authentication page in AD FS.

  3. Enter the credentials of the adfs_demo_user@example.com user you created earlier and click Sign in.

    On successful authentication, the IdP server will redirect you to the https://console.cloud.yandex.ru/federations/<federation_ID> URL you specified in the relying party trust settings and then to the management console home page.

  4. Make sure the signed in user belongs to yc-demo-group and has the viewer permissions for resources according to the role assigned to the group.

Previous
Authentication using Keycloak
Next
User group mapping in Microsoft Entra ID