Active Directory Federation Services (ADFS) SAML Setup
This guide walks through a basic setup for connecting Kasm to ADFS on Windows Server 2016 via SAML. Active Directory user accounts are assumed to have a populated email address attribute.
ADFS Signing Certificate
From the ADFS Management console, expand Service, and select Certificates.
Right-Click the Token-signing certificate and select View Certificate.
Select the Details tab, then click Copy to File.
In the Certificate Export Wizard, click Next.
Select Base-64 encoded X.509 (CER) . Click Next.
Select a desired output file and click Next.
Click Finish.
Open the certificate in your preferred text editor. This data will be used in the creation of the Kasm SAML configuration in the next section.
Create a new SAML configuration in Kasm
Log into the Kasm UI as an administrator.
Select Authentication -> SAML -> Create New Configuration.
The SAML 2.0 Configuration page will auto-generate the Entity ID, Single Sign On Service, Single Logout Server, and Relay State values.
Edit the auto-generated Entity ID value to remove the query argument in the URL. (e.g https://kasm.server/api/metadata/?id=123 => https://kasm.server/api/metadata/ )
Update the form with the following entries.
Setting |
Value |
ADFS |
Checked |
Debug |
Checked |
Digest Algorithm |
|
Enabled |
Checked |
Group Member Attribute |
|
Identity Provider: Entity Id |
http://<adfs server>/adfs/services/trust |
Identity Provider: Single Logout Service: |
https://<adfs server>/adfs/ls/?wa=wsignout1.0 |
Identity Provider: Single Sign On Service |
https://<adfs server>/adfs/ls/ |
Identity Provider: X509 Certificate |
Certificate data from the previous section |
Name |
ADFS |
NameID Attribute |
emailAddress |
Signature Algorithm |
|
Want Attribute Statement |
Checked |
Want Assertion Signed |
Checked |
Want Name ID |
Checked |
Click Submit to save the changes.
Click the Edit icon to re-open to SAML configuration. Leave this page open and continue to the next steps.
ADFS Party Trust
Log into the ADFS Management Console.
Right-Click Relying Party Trusts and select Add Relying Party Trust. The wizard will open.
Select Claims aware then click Start.
Select Enter data about the relying party manually and click Next.
Enter a Display Name and select Next e.g (Kasm ADFS).
Click Next to accept the defaults for the Configure Certificate step.
Select Enable support for the SAML 2.0 WebSSO Protocol. Enter the Single Sign On Server URL from the Service Provider section of the KASM SAML configuration page started in the previous section. Click Next.
In the Relay party trust identifier, enter the Entity ID from the Service Provider section from the Kasm SAML configuration page started in the previous section. Click Add, then Click Next.
Select Permit Everyone, then click Next.
No changes are needed for the Ready to Add Trust section. Click Next.
At the Finish screen, Uncheck Configure claims issuance policy for this application, then click Close.
Right click the new trust (e.g Kasm ADFS) and select Properties.
Select the Endpoints tab, then click Add SAML.
Select SAML Logout as the Endpoint type and select POST as the Binding.
Enter https://<adfs.server>/adfs/ls/?wa=wsignout1.0 in the Trusted URL. Click OK, then OK again.
ADFS Edit Claim Issuance Policy
From the ADFS management console, select Relying Party Trusts, right click trust previously configured (.e.g Kasm ADFS) and select Edit Claim Issuance Policy.
Click Add Rule.
In the Claim rule template field, select Send LDAP Attributes as Claims. Click Next.
Enter a name in Claim rule name, then select Active Directory in the Attribute store drop down.
Select E-Mail-Addresses as the LDAP Attribute. Select E-Mail-Address as the Outgoing Claim Type.
In another entry, select Is-Member-Of-DL in LDAP Attribute and select Group in the Outgoing Claim Type. Click Finish.
Create another rule to expose the email address as the NameID. Click Add Rule.
Select Transform an Incoming Claim from the Claim rule template dropdown. Click Next.
Enter a name in Claim rule name.
Select E-Mail Address for Incoming claim type.
Select Name ID for Outgoing claim type.
Select Email for Outgoing name ID format and click Finish.
Back in the Edit Claim Issuance Policy window, click OK
Verifying Access
Navigate to the Kasm UI Login screen. An “ADFS” button is visible representing the SAML config.
Click ADFS
The user is navigated to the ADFS login portal. Enter the username/password of the desired user.
The user is redirected and logged into Kasm.
From the Kasm UI select Logout. The user is logged out and redirected to the ADFS logout page.
ADFS Group Mapping
In the previous configuration ADFS was configured to pass along the user’s Active Directory group membership in the SAML assertions. Administrators can leverage this to automatically map users to groups defined in Kasm based off their group membership in Active Directory.
Log into the Kasm UI as an administrator.
Select Groups then click Create New Group.
Enter a Name and Priority.
Save the new group by clicking Submit.
On the groups screen, using the three dot menu select View on the group that was just created.
Scroll to the bottom of the screen and select Add SSO Mapping.
Select the SAML IDP that was created above “SAML - ADFS” for the SSO Provider.
Enter the group DN in Group Attributes (e.g CN=MyGroup,OU=MyOrg,DC=kasm,DC=core).
Click Add.
Login via SAML as a user that is a member of the group. Notice the users is automatically placed in the Kasm group.