When using Active Directory and ADFS for SAML authentication to Aqua, there are several ways to pass the required information as claim rules. From Aqua v3.2 onward, the assertion can carry both the user's identity and the role to assign, so no local Aqua user needs to be created in advance: everything Aqua needs is taken from the ADFS assertion. The most important parts of the assertion for mapping are the <Attribute> elements. Their names tell Aqua what to look for, and their values show what Aqua is actually receiving, which makes them the first thing to inspect when troubleshooting an ADFS configuration. The assertion is sent in the SAMLResponse field of an HTTP POST and is base64-encoded, so capture it with the browser's network tools and decode it before reading.
To map group membership to an Aqua role, create a claim rule for each AD group and give it an outgoing value equal to the Aqua role name. One rule is needed per group, and each group should correspond to a role available in Aqua. At present there are three roles, and the values are case sensitive: administrator, auditor, and vulnerability_operator.
- Ensure you have a Relying Party Trust configured with Aqua as the endpoint. Relying Party Trusts are listed in the AD FS Management console.
- Right-click the Relying Party Trust and choose 'Edit Claim Issuance Policy'. Each rule added here becomes a claim that ADFS sends in the assertion.
- Add a rule with the 'Send Group Membership as a Claim' template and select the User's group; the claim is then issued for every user who is a member of that group. The Outgoing claim type becomes the Name of the <Attribute> in the assertion and is what gets mapped in Aqua. The Outgoing claim value should be the Aqua role you want to assign to members of that group.
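The same rules can be created from PowerShell with the AD FS module instead of the wizard. The script below is an added example, not from the Aqua documentation or the Aqua product. It assumes the Relying Party Trust is named "Aqua" and that three AD groups named "Aqua-Administrators", "Aqua-Auditors" and "Aqua-VulnOperators" exist; change those names to match your environment. It emits one 'Send LDAP Attributes as Claims' rule for emailAddress and one 'Send Group Membership as a Claim' rule per Aqua role, with the role names spelled exactly as Aqua expects.

```powershell
# Added example (not Aqua's own code): build the ADFS issuance transform rules
# for an Aqua Relying Party Trust from PowerShell.
# Assumptions: trust display name "Aqua"; AD group names in $roleMap.
Import-Module ADFS
Import-Module ActiveDirectory

$rpName = 'Aqua'   # assumed display name of the Relying Party Trust

# AD group -> Aqua role. Aqua role names are case sensitive, so the values
# on the right must be exactly these three strings.
$roleMap = [ordered]@{
    'Aqua-Administrators' = 'administrator'
    'Aqua-Auditors'       = 'auditor'
    'Aqua-VulnOperators'  = 'vulnerability_operator'
}

# Rule 1: pass the user's AD "mail" attribute as a claim named "emailAddress"
# (what the "Send LDAP Attributes as Claims" template generates).
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Aqua - emailAddress"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("emailAddress"), query = ";mail;{0}", param = c.Value);

'@

# Rules 2..n: one "Send Group Membership as a Claim" rule per Aqua role.
# ADFS matches group membership on the group SID, so resolve each name first.
foreach ($group in $roleMap.Keys) {
    $sid  = (Get-ADGroup -Identity $group).SID.Value
    $role = $roleMap[$group]
    $rules += @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Aqua - $role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "$role", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

"@
}

# Replace the trust's issuance transform rules and print what is now in place.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Note that -IssuanceTransformRules replaces the whole rule set for the trust, so any rules created earlier in the wizard must be included in $rules or they are dropped. The issuance authorization rules (the "Permit Access to All Users" rule and similar) live in a separate parameter and are not touched by this script.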
The resulting assertion is shown below. The AttributeValue of the Group attribute is the role we want to pass, and the Attribute Name is the AD group claim schema (http://schemas.xmlsoap.org/claims/Group), which is what needs to be mapped directly in Aqua. Note that the emailAddress attribute was set by a separate claim rule described in the documentation.
<AttributeStatement>
  <Attribute Name="emailAddress">
    <AttributeValue>ADFSadmin@aqua.ad.com</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <AttributeValue>auditor</AttributeValue>
  </Attribute>
</AttributeStatement>
Once configured, attempt a SAML authentication. The assertion should contain both claims: the emailAddress claim identifying the user and the Group claim carrying the user's role, which Aqua consumes to associate the user with that role.
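To check that ADFS is actually sending both claims, decode the SAMLResponse that the browser POSTs to Aqua and look at the Attribute elements. The script below is an added example, not from the Aqua documentation or the Aqua product: it decodes a URL-encoded, base64 SAMLResponse, lists the attributes in the assertion, and warns when the emailAddress claim or the Group claim is missing or when the Group value is not one of the case-sensitive Aqua role names. The sample response embedded at the bottom is constructed for the demonstration (the issuer URL under aqua.ad.com is assumed); replace it with the SAMLResponse value copied from the browser's network tools.

```powershell
# Added example (not Aqua's own code): decode a SAMLResponse and check the
# claims Aqua needs. Assumes the HTTP-POST binding (URL-encoded base64 XML).
function Get-SamlAssertionAttributes {
    param(
        # The SAMLResponse form field as captured in the browser (URL-encoded base64).
        [Parameter(Mandatory)][string]$SamlResponse
    )
    $b64     = [Uri]::UnescapeDataString($SamlResponse)
    $xmlText = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    $xml     = [xml]$xmlText

    $ns = New-Object Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')

    # Map each Attribute's Name to the list of its AttributeValue texts.
    $attrs = @{}
    foreach ($a in $xml.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        $name   = $a.GetAttribute('Name')   # the XML attribute, not the element name
        $values = @($a.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
        $attrs[$name] = $values
    }
    return $attrs
}

function Test-AquaClaims {
    param([Parameter(Mandatory)][hashtable]$Attributes)
    $validRoles = 'administrator', 'auditor', 'vulnerability_operator'
    $groupClaim = 'http://schemas.xmlsoap.org/claims/Group'

    if (-not $Attributes.ContainsKey('emailAddress')) {
        Write-Warning 'emailAddress claim missing: the user cannot be identified'
    }
    if (-not $Attributes.ContainsKey($groupClaim)) {
        Write-Warning "Group claim ($groupClaim) missing: no role will be assigned"
        return
    }
    foreach ($v in $Attributes[$groupClaim]) {
        # -ccontains is the case-sensitive form; "Auditor" would fail here, as in Aqua.
        if ($validRoles -ccontains $v) { "Role '$v' is a valid Aqua role" }
        else { Write-Warning "Role '$v' is not an Aqua role (names are case sensitive)" }
    }
}

# Constructed sample (not a real capture): a minimal Response carrying the two
# claims shown on this page, encoded the way the HTTP-POST binding sends it.
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.aqua.ad.com/adfs/services/trust</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="emailAddress"><saml:AttributeValue>ADFSadmin@aqua.ad.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group"><saml:AttributeValue>auditor</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@
$encoded = [Uri]::EscapeDataString([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml)))

$attrs = Get-SamlAssertionAttributes -SamlResponse $encoded
$attrs | Format-Table -AutoSize
Test-AquaClaims -Attributes $attrs
```

Run it against a real capture by replacing $encoded with the SAMLResponse value from the POST to Aqua. A Group value that prints as a warning here (for example "Auditor" instead of "auditor") is the usual cause of a user logging in without a role, since Aqua compares the value case-sensitively.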