Appendix B. Configuring AD FS for SAML Authentication

    Active Directory Federation Services (AD FS) is an identity provider (IdP) implemented as a server role of the Windows Server OS. It provides single sign-on capabilities for Active Directory (AD) users. If AD FS is used as the IdP in the organization, an IT administrator must register the Veeam Backup Enterprise Manager website and vSphere Self-Service Backup Portal as service providers (SPs) in AD FS before AD users can log in to them with the single sign-on service.

    To add a service provider in AD FS:

    1. Obtain the SP metadata exported from Veeam Backup Enterprise Manager. For more information, see Configuring SAML Authentication Settings.
    2. In AD FS, add a Relying Party Trust using the SP metadata.
    3. Edit the Claim Issuance Policy for the added Relying Party Trust to add an issuance transform rule with the following properties:
    • Claim rule template = Transform an Incoming Claim
    • Incoming claim type = UPN
    • Outgoing claim type = NameID
    • Outgoing name ID format = Persistent Identifier
    4. [Optional] To grant single sign-on access to members of an AD group, add to the Claim Issuance Policy an issuance transform rule with the following properties:
    • Claim rule template = Send Group Membership as a Claim
    • User's group = <Name>

    where <Name> is a name of the AD group that includes users that will access the SP.

    When a user who belongs to the specified group signs in, the IdP includes a group claim in the authentication assertion it issues to the SP, confirming that the user belongs to the group.

    • Outgoing claim type = Group

    If a different value is specified for the Group claim type option in the advanced SAML settings of Enterprise Manager, that same value must be specified as the outgoing claim type in AD FS; otherwise Enterprise Manager will not recognize the group claim.

    • Outgoing claim value = <Name>

    where <Name> is a name of the group that will be returned to the SP in authentication assertions.

    This value can differ from the User's group value, for example, if you do not want the SP to display AD group names. It must match the name of the account of the External Group type added in Enterprise Manager. For more information, see Configuring Accounts and Roles and Adding Tenant Account.

    For example, suppose you want to grant single sign-on access to users who belong to the Backup AD group. In Enterprise Manager, you have an EnterpriseUsers account of the External Group type, and the default group claim type is used in the advanced SAML settings.

    To allow these users to log in to Enterprise Manager with the single sign-on service, you must create an issuance transform rule with the following properties:

    • Claim rule template = Send Group Membership as a Claim
    • User's group = Backup
    • Outgoing claim type = Group
    • Outgoing claim value = EnterpriseUsers
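
The following script is an added example and is not part of the Veeam documentation or product: it performs steps 2 to 4 of the procedure above with the AD FS PowerShell module instead of the AD FS Management console, using the same Backup group and EnterpriseUsers account as the example. The metadata file path and the Relying Party Trust display name are assumptions; the claim type URIs are the ones that the AD FS console labels as UPN, Name ID and Group. Run it on the AD FS server as an AD FS administrator.

```powershell
# Added example (not from the Veeam page): create the Relying Party Trust and
# the two issuance transform rules from PowerShell.
# Assumptions: the SP metadata exported from Enterprise Manager was saved to
# C:\Temp\veeam-sp-metadata.xml, the AD group is "Backup", and the External
# Group account in Enterprise Manager is "EnterpriseUsers".

Import-Module ADFS
Import-Module ActiveDirectory

$metadataFile  = 'C:\Temp\veeam-sp-metadata.xml'    # assumed path
$trustName     = 'Veeam Backup Enterprise Manager'   # assumed display name
$adGroup       = 'Backup'
$outgoingGroup = 'EnterpriseUsers'

# "Send Group Membership as a Claim" matches on the group SID, not the name,
# so resolve the SID of the AD group first.
$groupSid = (Get-ADGroup -Identity $adGroup).SID.Value

# Claim type URIs behind the console labels used in the procedure.
$upnType      = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$nameIdType   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$formatProp   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$groupSidType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
# "Group" in the AD FS outgoing claim type list. Change this if the Group
# claim type in Enterprise Manager's advanced SAML settings was changed.
$groupType    = 'http://schemas.xmlsoap.org/claims/Group'

# Step 3: Transform an Incoming Claim (UPN -> NameID, Persistent Identifier).
# Step 4: Send Group Membership as a Claim (Backup -> Group = EnterpriseUsers).
$rules = @"
@RuleTemplate = "MapClaims"
@RuleName = "UPN to persistent NameID"
c:[Type == "$upnType"]
 => issue(Type = "$nameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$formatProp"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

@RuleTemplate = "EmitGroupClaims"
@RuleName = "$adGroup group membership as $outgoingGroup"
c:[Type == "$groupSidType", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$groupType", Value = "$outgoingGroup", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Step 2: add the Relying Party Trust from the SP metadata together with the
# rules. -AccessControlPolicyName exists on AD FS for Windows Server 2016 and
# later; on AD FS 3.0 (Windows Server 2012 R2) pass -IssuanceAuthorizationRules
# instead.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataFile $metadataFile `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName 'Permit everyone'

# Check: the trust exists, is enabled, carries the SP entity ID from the
# metadata and both rules.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, Enabled, IssuanceTransformRules
```

Because the outgoing claim value is the literal string EnterpriseUsers and not the AD group name, the assertion sent to Enterprise Manager never reveals the Backup group; the only thing that has to line up is the outgoing claim value with the External Group account name, and the outgoing claim type with the Group claim type configured in Enterprise Manager.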