Active Directory Federation Services (ADFS) SAML Setup

This guide walks through a basic setup for connecting Kasm to ADFS on Windows Server 2016 via SAML. Active Directory user accounts are assumed to have a populated email address attribute.

ADFS Signing Certificate

  1. From the ADFS Management console, expand Service, and select Certificates.

  2. Right-Click the Token-signing certificate and select View Certificate.

../../_images/view_certificate.png
  1. Select the Details tab, then click Copy to File.

../../_images/copy_certificate.png
  1. In the Certificate Export Wizard, click Next.

../../_images/certificate_export_wizard.png
  1. Select Base-64 encoded X.509 (CER) . Click Next.

  2. Select a desired output file and click Next.

  3. Click Finish.

  4. Open the certificate in your preferred text editor. This data will be used in the creation of the Kasm SAML configuration in the next section.

../../_images/cert_data.png

Create a new SAML configuration in Kasm

  1. Log into the Kasm UI as an administrator.

  2. Select Authentication -> SAML -> Create New Configuration.

  3. The SAML 2.0 Configuration page will auto-generate the Entity ID, Single Sign On Service, Single Logout Server, and Relay State values.

  4. Edit the auto-generated Entity ID value to remove the query argument in the URL. (e.g https://kasm.server/api/metadata/?id=123 => https://kasm.server/api/metadata/ )

  5. Update the form with the following entries.

Setting

Value

ADFS

Checked

Debug

Checked

Digest Algorithm

http://www.w3.org/2001/04/xmlenc#sha256

Enabled

Checked

Group Member Attribute

http://schemas.xmlsoap.org/claims/Group

Identity Provider: Entity Id

http://<adfs server>/adfs/services/trust

Identity Provider: Single Logout Service:

https://<adfs server>/adfs/ls/?wa=wsignout1.0

Identity Provider: Single Sign On Service

https://<adfs server>/adfs/ls/

Identity Provider: X509 Certificate

Certificate data from the previous section

Name

ADFS

NameID Attribute

emailAddress

Signature Algorithm

http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

Want Attribute Statement

Checked

Want Assertion Signed

Checked

Want Name ID

Checked

../../_images/kasm_saml_configurations.png

Kasm SAML Configurations

  1. Click Submit to save the changes.

  2. Click the Edit icon to re-open to SAML configuration. Leave this page open and continue to the next steps.

ADFS Party Trust

  1. Log into the ADFS Management Console.

  2. Right-Click Relying Party Trusts and select Add Relying Party Trust. The wizard will open.

  3. Select Claims aware then click Start.

../../_images/claims_aware.png
  1. Select Enter data about the relying party manually and click Next.

../../_images/manual.png
  1. Enter a Display Name and select Next e.g (Kasm ADFS).

../../_images/display_name.png
  1. Click Next to accept the defaults for the Configure Certificate step.

../../_images/encrypt_claims.png
  1. Select Enable support for the SAML 2.0 WebSSO Protocol. Enter the Single Sign On Server URL from the Service Provider section of the KASM SAML configuration page started in the previous section. Click Next.

../../_images/enable_sso.png
  1. In the Relay party trust identifier, enter the Entity ID from the Service Provider section from the Kasm SAML configuration page started in the previous section. Click Add, then Click Next.

../../_images/trust_providers.png
  1. Select Permit Everyone, then click Next.

../../_images/access_control_policy.png
  1. No changes are needed for the Ready to Add Trust section. Click Next.

  2. At the Finish screen, Uncheck Configure claims issuance policy for this application, then click Close.

  3. Right click the new trust (e.g Kasm ADFS) and select Properties.

../../_images/trust_properties.png
  1. Select the Endpoints tab, then click Add SAML.

  2. Select SAML Logout as the Endpoint type and select POST as the Binding.

  3. Enter https://<adfs.server>/adfs/ls/?wa=wsignout1.0 in the Trusted URL. Click OK, then OK again.

../../_images/saml_logout.png

ADFS Edit Claim Issuance Policy

  1. From the ADFS management console, select Relying Party Trusts, right click trust previously configured (.e.g Kasm ADFS) and select Edit Claim Issuance Policy.

../../_images/edit_issuance_policy.png
  1. Click Add Rule.

../../_images/issuance_policy.png
  1. In the Claim rule template field, select Send LDAP Attributes as Claims. Click Next.

../../_images/select_template.png
  1. Enter a name in Claim rule name, then select Active Directory in the Attribute store drop down.

  2. Select E-Mail-Addresses as the LDAP Attribute. Select E-Mail-Address as the Outgoing Claim Type.

  3. In another entry, select Is-Member-Of-DL in LDAP Attribute and select Group in the Outgoing Claim Type. Click Finish.

../../_images/email_claim.png
  1. Create another rule to expose the email address as the NameID. Click Add Rule.

  2. Select Transform an Incoming Claim from the Claim rule template dropdown. Click Next.

../../_images/transform_claim.png
  1. Enter a name in Claim rule name.

  2. Select E-Mail Address for Incoming claim type.

  3. Select Name ID for Outgoing claim type.

  4. Select Email for Outgoing name ID format and click Finish.

../../_images/transform_email_claim.png
  1. Back in the Edit Claim Issuance Policy window, click OK

../../_images/finish_issuance_policy.png

Verifying Access

  1. Navigate to the Kasm UI Login screen. An “ADFS” button is visible representing the SAML config.

  2. Click ADFS

../../_images/kasm_login.png
  1. The user is navigated to the ADFS login portal. Enter the username/password of the desired user.

../../_images/adfs_login.png
  1. The user is redirected and logged into Kasm.

  2. From the Kasm UI select Logout. The user is logged out and redirected to the ADFS logout page.

../../_images/adfs_logout.png

ADFS Group Mapping

In the previous configuration ADFS was configured to pass along the user’s Active Directory group membership in the SAML assertions. Administrators can leverage this to automatically map users to groups defined in Kasm based off their group membership in Active Directory.

  1. Log into the Kasm UI as an administrator.

  2. Select Groups then click Create New Group.

  3. Enter a Name and Priority.

  4. Save the new group by clicking Submit.

../../_images/edit_group.png
  1. On the groups screen, using the three dot menu select View on the group that was just created.

  2. Scroll to the bottom of the screen and select Add SSO Mapping.

  3. Select the SAML IDP that was created above “SAML - ADFS” for the SSO Provider.

  4. Enter the group DN in Group Attributes (e.g CN=MyGroup,OU=MyOrg,DC=kasm,DC=core).

  5. Click Add.

../../_images/saml_group.png
  1. Login via SAML as a user that is a member of the group. Notice the users is automatically placed in the Kasm group.