Configuring connection between KUMA and Active Directory Federation Services

To configure domain authentication in KUMA and ensure that users can log in to KUMA using their accounts without specifying a user name and password, first create a connection group and configure the rules in AD FS or make sure that the necessary connection groups and rules already exist.

After configuration, the Sign in via ADFS button appears on the KUMA login page.

The Sign in via ADFS button is hidden on the KUMA login page in the following conditions:

You can connect only to one ADFS domain. To do so, you must configure a connection to the domain controller.

To configure a connection to an AD FS domain controller:

  1. In the application web interface, select Settings → Access → Domain authorization.
  2. In the Authorization type drop-down list, select AD/ADFS.
  3. Under Active Directory Federation Services (ADFS), enable the State toggle switch.
  4. In the Client ID field, enter the KUMA ID from the Client ID field in AD FS.
  5. In the Relying party identifier field, enter the KUMA ID from the Relying party identifiers field in the AD FS.
  6. In the Connect Metadata URI field, enter the Connect Metadata URI from AD FS. The URI consists of the AD FS host (https://adfs.example.com) and the endpoint configuration path (/adfs/.well-known/openid-configuration).

    For example, https://adfs.example.com/adfs/.well-known/openid-configuration.

  7. In the Redirect URL field, enter the Redirect URL from the Redirect URL field in AD FS. The value of the Redirect URL field in AD FS is defined when the Application group is configured. In AD FS, you need to indicate the KUMA FQDN together with the /sso-callback substring. In KUMA, the URL must be indicated without that substring, for example: https://kuma-example:7220/

    In a distributed installation with KUMA Core in a Raft cluster, you must configure the balancer and then specify the FQDN of the balancer. For example, in the AD FS settings, you need to specify https://kuma-load-balancer.com:7220/sso-callback, and in KUMA, in the Redirect URL field, you need to specify https://kuma-load-balancer.com:7220

  8. If you want to configure domain authentication for a user with the KUMA general administrator role, use the General administrators group field to specify the DistinguishedName of the Active Directory Federation Services group containing the user. Additional roles for the General administrator are automatically activated in KUMA, therefore, you do not need to add them separately.

    If multiple groups are specified for a user in the same tenant, the role with the highest-level rights is used, together with the rights of any additional roles that are assigned.

    Filter input example: CN=KUMA team,OU=Groups,OU=Clients,DC=test,DC=domain.

  9. Click the Save button.

A connection with the Active Directory Federation Services domain controller is now configured.
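The Connect Metadata URI from step 6 and the Redirect URL pairing from step 7 can be checked mechanically before you click Save. The following Python is an added example and is not part of the KUMA documentation or product; the function names are ours, and the openid-configuration document at the end is a constructed sample, not output from a real AD FS server.

```python
import json
from urllib.parse import urlparse

# Values from the procedure: discovery path (step 6) and the AD FS-only callback suffix (step 7).
OIDC_DISCOVERY_PATH = "/adfs/.well-known/openid-configuration"
SSO_CALLBACK = "/sso-callback"

def metadata_uri(adfs_host: str) -> str:
    """Build the Connect Metadata URI from the AD FS host (scheme + FQDN)."""
    return adfs_host.rstrip("/") + OIDC_DISCOVERY_PATH

def expected_adfs_redirect(kuma_redirect_url: str) -> str:
    """The redirect URI registered in AD FS is the KUMA URL plus /sso-callback."""
    return kuma_redirect_url.rstrip("/") + SSO_CALLBACK

def check_redirect_pair(kuma_redirect_url: str, adfs_redirect_uri: str) -> list:
    """Return the mismatches between the KUMA and AD FS redirect values."""
    problems = []
    k = urlparse(kuma_redirect_url)
    if k.scheme != "https":
        problems.append("KUMA Redirect URL must use https")
    if k.path.rstrip("/").endswith(SSO_CALLBACK):
        problems.append("KUMA Redirect URL must not contain /sso-callback")
    if adfs_redirect_uri != expected_adfs_redirect(kuma_redirect_url):
        problems.append("AD FS redirect URI should be "
                        + expected_adfs_redirect(kuma_redirect_url))
    return problems

def check_metadata(adfs_host: str, metadata_json: str) -> list:
    """Sanity-check a downloaded openid-configuration document against the host."""
    doc = json.loads(metadata_json)
    host = urlparse(adfs_host).netloc
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append("missing " + key)
            continue
        u = urlparse(value)
        if u.scheme != "https" or u.netloc != host:
            problems.append(key + " does not point to https://" + host)
    return problems

# Constructed sample document; not output captured from a real AD FS server.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://adfs.example.com/adfs",
    "authorization_endpoint": "https://adfs.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.com/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
})
```

Feed `check_metadata` the body you fetch from the metadata URI; an empty list from both checks means the two sides agree on the callback and every endpoint stays on the AD FS host over HTTPS.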

If, when trying to log in to KUMA via ADFS, the user gets an Access denied pop-up message, click the Reset certificate button. A new certificate will be generated automatically.

For domain authentication, add the groups for the KUMA user roles.

You can specify the groups only for the roles that require the configuration of domain authentication. You can leave the rest of the fields empty.

To add groups of user roles:

  1. In the application web interface, select Settings → Access → Domain authorization.
  2. Under Administration groups, click Add group.
  3. In the Tenant drop-down list, select the tenant of the users for whom you want to configure domain authentication.
  4. In the Roles drop-down list, specify the roles for the user. You can select multiple roles. The following values are available:
    • Tenant administrator
    • Tier 2 analyst
    • Tier 1 analyst
    • Junior analyst
    • Access to shared dashboards. The role is only available when the Shared tenant is selected from the Tenant drop-down list. For the Shared tenant, this is the only role that can be added via the domain authentication settings.

    After you select the roles, a group filter field is displayed for each role. In the fields for each role, specify the full path to the domain group. The users of this domain group must have the capability to perform authentication with their domain accounts. Example of group specification: CN=KUMA team, OU=Groups, OU=Clients, DC=test, DC=domain.

    You can define a separate set of role filters for each tenant.

    If no filter is specified for a role, no condition for creating an account through domain authentication is defined for that role, and authentication with that role is impossible.

    After the first authentication under a domain account, domain user cards are created for users in the Settings → Access → Users section. For a domain user, the ability to change the main role (General administrator, Tenant administrator, Tier 2 analyst, Tier 1 analyst, Junior analyst) is blocked in the user card, while additional roles can be added or removed (Access to CII, Interaction with NCIRCC, Read shared resources), including management of additional role assignment to tenants.

    Roles assigned in the Domain authorization section and roles assigned in the user card supplement each other. For the General administrator, additional roles in KUMA are automatically activated, therefore you do not need to add them separately. If the General administrator role was assigned to a domain user and was subsequently revoked, additional roles must be reassigned in the user card in the Settings → Access → Users section.

    You can specify only one domain group for each role. If you want to specify multiple groups, you must repeat steps 2 to 4 for each group while specifying the same tenant.

  5. If necessary, repeat steps 2–4 for each tenant for which you want to configure domain authentication with the following roles: Junior analyst, Tier 1 analyst, Tier 2 analyst, or Tenant administrator.
  6. Click Add.

The groups of user roles will be added. The defined settings will be applied the next time the user logs in to the KUMA web interface.

After the first authentication of the user, information about this user is displayed in the Settings → Access → Users section. The Login and Password fields received from the domain cannot be edited. The user role will also be unavailable for editing. To edit a role, you will have to change the user role groups. Changes to a role are applied after the next authentication of the user. The user continues working under the current role until the current session expires.

If the user name or email address is changed in the domain account properties, these changes must be manually made in the KUMA account.
