Appendix B. Configuring AD FS for SAML Authentication

Active Directory Federation Service (AD FS) is a hosted identity provider (IdP) implemented as a feature in the Windows Server OS. It provides single sign-on capabilities for Active Directory (AD) users. If AD FS is used as the IdP in the organization, to let AD users log in to Veeam Backup Enterprise Manager using the single sign-on service, an IT administrator must register Enterprise Manager as a service provider (SP) in AD FS.

To add Veeam Backup Enterprise Manager as a SP in AD FS:

  1. Obtain the SP metadata exported from Veeam Backup Enterprise Manager. For more information, see Configuring SAML Authentication Settings.
  2. In AD FS, add a Relying Party Trust using SP metadata exported from Veeam Backup Enterprise Manager.
  3. Edit the Claim Assurance Policy for the added Relying Party Trust to add an issurance transform rule with the following properties:
  • Claim rule template = Transform an Incoming Claim
  • Incoming claim type = UPN
  • Outgoing claim type = NameID
  • Outgoing name ID format = Persistent Identifier
  1. [Optional] If you want to provide single sign-on capabilities to AD groups, you must additionally add to the Claim Issurance Policy an issurance transform rule with the following properties:
  • Claim rule template = Send Group Membership as a Claim
  • User's group = <Name>

where <Name> is a name of the AD group to which a user attempting to access Enterprise Manager belongs.

When a user who belongs to the specified group attempts to access Enterprise Manager, the IdP will issue an authentication assertion confirming that this user belongs to this group.

  • Outgoing claim type = Group

Alternatively, if a different value is specified for the Group claim type option of advanced SAML settings in Enterprise Manager, the same value must be specified as the outgoing claim type in AD FS.

  • Outgoing claim value = <Name>

where <Name> is a name of the group that will be returned to the SP in authentication assertions.

This value can be different from the User's group value, for example, if you do not want to display AD group names in Enterprise Manager. This value must be the same as the name of the account of the External Group type to which a security role will be assigned in Enterprise Manager. For more information, see Managing Accounts and Roles.

For example, you want to provide single sign-on capabilities to users who belong to the Backup AD group. In Veeam Backup Enterprise Manager, a security role for these users will be assigned to the EnterpriseUsers account of the External Group type. The default group claim type is specified in advanced SAML settings in Enterprise Manager.

To allow these users to log in to Enterprise Manager with the single sign-on service, you must create an issurance transform rule with the following properties:

  • Claim rule template = Send Group Membership as a Claim
  • User's group = Backup
  • Outgoing claim type = Group
  • Outgoing claim value = EnterpriseUsers

Related Topics

I want to report a typo

There is a misspelling right here:

 

I want to let the Veeam Documentation Team know about that.