Configuring ADFS integration
To allow the users registered in Active Directory (AD) in your organization to sign in to Kaspersky Security Center Cloud Console, you must configure integration with Active Directory Federation Services (ADFS).
Kaspersky Security Center Cloud Console supports ADFS 3 (Windows Server 2016) or a later version. ADFS must be published and reachable from the internet, and it must use a publicly trusted certificate as its service communication certificate.
To change ADFS integration settings, you must have the access right to change user permissions.
Before you proceed, make sure that you completed Active Directory polling.
To configure ADFS integration:
- In the main menu, click the settings icon next to the name of the Administration Server.
The Administration Server properties window opens.
- On the General tab, select the ADFS integration settings section.
- Copy the callback URL.
You will need this URL to configure the integration in ADFS Management Console.
- In ADFS Management Console, add a new application group, and then add a new application by selecting the Server application template (the names of the Microsoft interface elements are provided in English).
ADFS Management Console generates a client ID for the new application. You will need the client ID to configure the integration in Kaspersky Security Center Cloud Console.
- As a redirect URI, specify the callback URL that you copied in the Administration Server properties window.
- Generate a client secret. You will need the client secret to configure the integration in Kaspersky Security Center Cloud Console.
- Save the properties of the added application.
- Add a new application to the created application group. This time select the Web API template.
- On the Identifiers tab, to the Relying party identifiers list, add the client ID of the server application that you added before.
- On the Client Permissions tab, in the Permitted scopes list, select the allatclaims and openid scopes.
- On the Issuance Transform Rules tab, add a new rule by selecting the Send LDAP Attributes as Claims template:
  - Name the rule. For example, you can name it 'Group SID'.
  - Select Active Directory as the attribute store, and then map the Token-Groups as SIDs LDAP attribute to 'Group SID' as the outgoing claim type.
- On the Issuance Transform Rules tab, add a new rule by selecting the Send Claims Using a Custom Rule template:
  - Name the rule. For example, you can name it 'ActiveDirectoryUserSID'.
  - In the Custom rule field, type:
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);
- In Kaspersky Security Center Cloud Console, open again the ADFS integration settings section.
- Switch the toggle button to the ADFS integration Enabled position.
- Click the Settings link, and then specify the file that contains the certificate (or several certificates) of the federation server.
- Click the ADFS integration settings link, and then specify the following settings:
- Click the Save button.
The integration with ADFS is complete. To sign in to Kaspersky Security Center Cloud Console with AD account credentials, use the link provided in the ADFS integration settings section (Login link to Kaspersky Security Center Cloud Console with ADFS).
When you sign in to Kaspersky Security Center Cloud Console through ADFS for the first time, the console might respond with a delay.
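The ADFS-side part of the procedure above (application group, server application with the callback URL as redirect URI, Web API with the two issuance transform rules, and the openid and allatclaims scopes) can also be done with the ADFS PowerShell module on the federation server. The script below is an added example, not Kaspersky's or Microsoft's own code; the group name, the callback URL placeholder, the client ID generated locally, and the "Permit everyone" access control policy are assumptions.

```powershell
# Added example: ADFS-side configuration for Kaspersky Security Center Cloud Console,
# mirroring the GUI steps of the procedure. Run on the federation server as an ADFS admin.
Import-Module ADFS

$groupId     = 'KSC-Cloud-Console'                          # assumed application group name
$callbackUrl = 'https://<callback-url-copied-from-console>' # placeholder: paste the copied callback URL

# 1. Application group.
New-AdfsApplicationGroup -Name $groupId -ApplicationGroupIdentifier $groupId

# 2. Server application. The GUI generates the client ID; here a GUID is generated locally.
#    -GenerateClientSecret returns the secret once, so record it for the Cloud Console settings.
$clientId = [guid]::NewGuid().ToString()
$server = Add-AdfsServerApplication -ApplicationGroupIdentifier $groupId `
    -Name "$groupId - Server application" -Identifier $clientId `
    -RedirectUri $callbackUrl -GenerateClientSecret
Write-Host "Client ID:     $clientId"
Write-Host "Client secret: $($server.ClientSecret)"

# 3. Issuance transform rules from the procedure, in claim rule language:
#    'Group SID' = Token-Groups as SIDs -> custom claim type 'Group SID'
#    'ActiveDirectoryUserSID' = the custom rule quoted in the procedure (objectSID -> primarysid).
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Group SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Group SID"), query = ";tokenGroups(SID);{0}", param = c.Value);

@RuleName = "ActiveDirectoryUserSID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);
'@

# Web API: its relying party identifier is the server application's client ID, as in the procedure.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupId `
    -Name "$groupId - Web API" -Identifier $clientId `
    -IssuanceTransformRules $rules -AccessControlPolicyName 'Permit everyone'

# 4. Client permissions: permit only the openid and allatclaims scopes.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $clientId -ScopeNames @('openid', 'allatclaims')

# Check: confirm the identifier and the rules that were actually stored.
Get-AdfsWebApiApplication -Name "$groupId - Web API" |
    Select-Object Identifier, AccessControlPolicyName, IssuanceTransformRules
```

The client ID and client secret printed by step 2 are the values to enter in the Cloud Console's ADFS integration settings, and the Web API's issuance rules can be reviewed later in ADFS Management Console on the Issuance Transform Rules tab.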