Configuring ADFS integration

Expand all | Collapse all

To allow the users registered in Active Directory (AD) in your organization to sign in to Kaspersky Security Center Cloud Console, you must configure integration with Active Directory Federation Services (ADFS).

Kaspersky Security Center Cloud Console supports ADFS 3 (Windows Server 2016) or a later version. ADFS must be published and available on the internet. As the service communication certificate ADFS uses publicly trusted certificate.

To change ADFS integration settings, you must have the access right to change user permissions.

Before you proceed, make sure that you completed Active Directory polling.

To configure ADFS integration:

1. In the main menu, click the settings icon () next to the name of the Administration Server.

   The Administration Server properties window opens.

2. On the General tab, select the ADFS integration settings section.
3. Copy the callback URL.

   You will need this URL to configure the integration in ADFS Management Console.

4. In ADFS Management Console, add a new application group, and then add a new application by selecting the Server application template (the names of the Microsoft interface elements are provided in English.).

   ADFS Management Console generates client ID for the new application. You will need the client ID to configure the integration in Kaspersky Security Center Cloud Console.

5. As a redirect URI, specify the callback URL that you copied in the Administration Server properties window.
6. Generate a client secret. You will need the client secret to configure the integration in Kaspersky Security Center Cloud Console.
7. Save the properties of the added application.
8. Add a new application to the created application group. This time select the Web API template.
9. On the Identifiers tab, to the Relying party identifiers list, add the client ID of the server application that you added before.
10. On the Client Permissions tab, in the Permitted scopes list, select the allatclaims and openid scopes.
11. On the Issuance Transform Rules tab, add a new rule by selecting the Send LDAP Attributes as Claims template:
    1. Name the rule. For example, you can name it 'Group SID'.
    2. Select Active Directory as an attribute store, and then map Token-Groups as SIDs as a LDAP attribute to 'Group SID' as an outgoing claim type.
12. On the Issuance Transform Rules tab, add a new rule by selecting the Send Claims Using a Custom Rule template:
    1. Name the rule. For example, you can name it 'ActiveDirectoryUserSID'.
    2. In the Custom rule field, type:

       c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

13. In Kaspersky Security Center Cloud Console, open again the ADFS integration settings section.
14. Switch the toggle button to the ADFS integration Enabled position.
15. Click the Settings link, and then specify the file that contains the certificate or several certificates for the federation server.
16. Click the ADFS integration settings link, and then specify the following settings:
    • Issuer URL

      The URL address of the federation server working in your organization.

      In particular, Kaspersky Security Center Cloud Console adds '/.well-known/openid-configuration' to the issuer URL address and tries to open the resulting URL address (issuer_URL/.well-known/openid-configuration) to discover the issuer configuration automatically.

    • Client ID

      Client ID that the federation server generates to identify Kaspersky Security Center Cloud Console. You can find the Client ID in ADFS Management Console in the properties window of the server application that corresponds to Kaspersky Security Center Cloud Console.

    • Client secret

      You generate a client secret in ADFS Management Console when you specify the properties of the server application that corresponds to Kaspersky Security Center Cloud Console.

    • Domain to authenticate users from

      The members of the domain that you select will be able to sign in to Kaspersky Security Center Cloud Console with their domain account credentials. The domain names appear in the list after you complete the network polling.

    • Field name for user SID in ID token

      Name of the field that refers to the user SID in the ID token. The field name is required to identify the user in Kaspersky Security Center Cloud Console. By default, this field in the ID token is called 'primarysid'.

    • Field name for array of SIDs of user's groups in ID token

      Name of the field that refers to the array of SIDs of Active Directory security groups in which the user is included. By default, this field in the ID token is called 'groupsid'.

17. Click the Save button.

The integration with ADFS is complete. To sign in to Kaspersky Security Center Cloud Console with an AD account credentials, use the link provided in the ADFS integration settings section (Login link to Kaspersky Security Center Cloud Console with ADFS).

When you sign in to Kaspersky Security Center Cloud Console through ADFS for the first time, the console might respond with a delay.

Page top