Vault
Use Active Directory Federation Services for SAML
Enterprise
Appropriate Vault Enterprise license or HCP Vault Dedicated cluster required.
Configure your Vault instance to work with Active Directory Federation Services (AD FS) and use AD FS accounts for SAML authentication.
Before you start
- You must have Vault Enterprise or HCP Vault v1.15.5+.
- You must be running AD FS on Windows Server.
- You must have a SAML plugin enabled.
- You must have a Vault admin token. If you do not have a valid admin
token, you can generate a new token in the Vault GUI or using
vault token createwith the Vault CLI.
Step 1: Enable the SAML authN method for Vault
Set the
VAULT_ADDRenvironment variable to your Vault instance URL. For example:$ export VAULT_ADDR="https://myvault.example.com:8200"Set the
VAULT_TOKENenvironment variable with your admin token:$ export VAULT_TOKEN="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"Enable the SAML plugin. Use the
-namespaceflag to enable the plugin under a specific namespace. For example:$ vault -namespace=ns_admin auth enable saml
Step 2: Create a new relying party trust in AD
Open your Windows Server UI.
Go to the Server Manager screen.
Click Tools and select AD FS Management.
Right-click Relying Party Trusts and select Add Relying Party Trust....
Follow the prompts to create a new party trust with the following settings:
Option Setting Claims aware checked Enter data about relying party manually checked Display name "Vault" Certificates None Enable support for the SAML 2.0 WebSSO protocol checked SAML callback URL Callback endpoint for your SAML plugin Relying party trust identifier Any meaningful, unique string. For example "VaultIdentifier" Access control policy Any valid policy or Permit everyoneConfigure claims issuance policy for this application checked
Tip
The callback endpoint for your SAML plugin is:
https://${VAULT_ADDRESS}/v1/<NAMESPACE>/<MOUNT_PATH>/auth/<PLUGIN_NAME>/callback
For example, if you mounted the plugin under the ns_admin namespace on the
path org/security, the callback endpoint URL would be:
https://${VAULT_ADDRESS}/v1/ns_admin/auth/org/security/saml/callback
Step 3: Configure the claim issuance policy in AD
Open your Windows Server UI.
Go to the Server Manager screen.
Click Tools and select AD FS Management.
Right-click your new Relying Party Trust entry and select Edit Claim Issuance Policy....
Click Add Rule... and follow the prompts to create a new Transform Claim Rule with the following settings:
Option Setting Send LDAP Attributes as Claims selected Rule name Any meaningful string (e.g., "Vault SAML Claims") Attribute store Active Directory.Complete the LDAP attribute array with the following settings:
LDAP attribute Outgoing claim type E-Mail-AddressesName IDE-Mail-AddressesE-Mail AddressToken-Groups - Unqualified NamesgroupsorGroup
Step 4: Update the SAML signature in AD
Open a PowerShell terminal on your Windows server.
Set the SAML signature for your relying party trust identifier to
false:Set-ADFSRelyingPartyTrust ` -TargetName "<RELYING_PARTY_TRUST_IDENTIFIER>" ` -SignedSamlRequestsRequired $falseFor example:
Set-ADFSRelyingPartyTrust ` -TargetName "MyVaultIdentifier" ` -SignedSamlRequestsRequired $false
Step 5: Create a default AD FS role in Vault
Use the Vault CLI to create a default role for users authenticating with AD FS where:
SAML_PLUGIN_PATHis the full path (<NAMESPACE>/MOUNT_PATH/NAME) to your SAML plugin.VAULT_ROLEis the name of your new AD FS role. For example,adfs-default.DOMAIN_LISTis a comma separated list of target domains in Active Directory. For example:*@example.com,*@ext.example.com.GROUP_ATTRIBUTES_REFis:groupsif your LDAP token group isgroupshttp://schemas.xmlsoap.org/claims/Groupif your LDAP token group isGroup
AD_GROUP_LISTis a comma separated list of Active Directory groups that will authenticate with SAML. For example:VaultAdmin,VaultUser.
$ vault write <SAML_PLUGIN_PATH>/role/<VAULT_ROLE> \
bound_subjects="<DOMAIN_LIST>" \
bound_subjects_type="glob" \
groups_attribute=<GROUP_ATTRIBUTES_REF> \
bound_attributes=groups="<AD_GROUP_LIST>" \
token_policies="default" \
ttl="1h"
For example:
$ vault write auth/saml/role/adfs-default \
bound_subjects="*@example.com,*@ext.example.com" \
bound_subjects_type="glob" \
groups_attribute=groups \
bound_attributes=groups="VaultAdmin,VaultUser" \
token_policies="default" \
ttl="1h"
Step 6: Configure the SAML plugin in Vault
Use the Vault CLI to finish configuring the SAML plugin where:
SAML_PLUGIN_PATHis the full path to your SAML plugin:<NAMESPACE>/auth/<MOUNT_PATH>/<PLUGIN_NAME>.VAULT_ROLEis the name of your new AD FS role in Vault.TRUST_IDENTIFIERis the ID of your new relying party trust in AD FS.SAML_CALLBACK_URLis the callback endpoint for your SAML plugin:http://${VAULT_ADDR}/<NAMESPACE>/auth/<MOUNT_PATH>/<PLUGIN_NAME>/callback.ADFS_URLis the discovery URL for your AD FS instance.METADATA_FILE_PATHis the path on your AD FS instance to the federation metadata file.
$ vault write <SAML_PLUGIN_PATH>/config \
default_role="<VAULT_ROLE>" \
entity_id="<TRUST_IDENTIFIER>" \
acs_urls="<SAML_CALLBACK_URL> \
idp_metadata_url="<AD FS_URL>/<METADATA_FILE_PATH>"
For example:
$ vault write ns_admin/auth/org/security/saml/config \
default_role="adfs-default" \
entity_id="MyVaultIdentifier" \
acs_urls="${VAULT_ADDR}/v1/ns_admin/auth/org/security/saml/callback" \
idp_metadata_url="https://adfs.example.com/metadata/2007-06/federationmetadata.xml"