Setting up SAML with Microsoft Active Directory Federation Services

After you configure SAML in QRadar, you can configure your Identity Provider by using the XML metadata file that you created during that process. This example includes instructions for configuring Microsoft Active Directory Federation Services (AD FS) to communicate with QRadar using the SAML 2.0 single sign-on framework.

Before you begin

To configure the AD FS server, you must first configure SAML in QRadar. Then copy the QRadar SAML XML metadata file you created during that process to a location accessible to the AD FS server.

Procedure

  1. On the AD FS Management console, select the Relying Party Trusts folder.
  2. On the Actions sidebar, click Standard Relying Party Trust, and click Start.
    This opens the Add Relying Party Trust wizard.
  3. On the Select Data Source window, select Import data about the relying party from a file, browse to the QRadar SAML XML metadata file, and click Open.
  4. Click Next.
  5. Type a Display name and add any relevant Notes, then click Next.
  6. Select an access control policy, and click Next.
  7. Configure any additional options you require, and click Next.
  8. Click Close.
  9. In the Relying Party Trusts folder, select the new trust you created, then click Edit Claim Issuance Policy.
  10. Click Add Rule.
  11. Select Send LDAP Attributes as Claims from the Claim rule template menu, then click Next.
  12. Type a Claim rule name, and select the Attribute store.
  13. Select the attributes to be sent in the assertion, map each one to the appropriate Outgoing Claim Type, and click Finish.
  14. Click Add Rule.
  15. Select Transform an Incoming Claim from the Claim rule template menu, then click Next.
  16. Configure the following options:
    • Claim rule name
    • Incoming claim type: UPN
    • Outgoing claim type: Name ID
    • Outgoing name ID format
  17. Select Pass through all claim values, then click Finish.
  18. If you configured QRadar to use the provided QRadar_SAML certificate for SAML, copy the previously downloaded Root CA, intermediate CA, and CRL files to a directory on the Windows server. Then open a command prompt as administrator on the Windows server and run the following commands:
    certutil -addstore -f ROOT <local_path>root-qradar-ca_ca
    certutil -addstore -f CA <local_path>QRadarSAML_ca.crt
    certutil -addstore -f ROOT <local_path>QRadarSAML_ca.crl
    certutil -addstore -f Root <local_path>root-qradar-ca_ca.crl

    The files are located in /opt/qradar/ca/www.
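The same relying party trust, claim rules, and certificate import as a scripted PowerShell equivalent of the wizard steps above, added here as an example and not part of the IBM page. It assumes the ADFS PowerShell module on the AD FS server, an elevated session, the metadata and certificate paths shown, the display name, userPrincipalName as the attribute chosen in step 13, and the built-in "Permit everyone" access control policy; all of these are assumptions.

```powershell
# Added example, not IBM's code. Paths, names and the chosen LDAP attribute are assumptions.
$MetadataFile = 'C:\qradar\QRadar_SAML_metadata.xml'   # assumed local copy of the QRadar SAML XML metadata file
$TrustName    = 'QRadar'                                # assumed display name for the relying party trust
$CertDir      = 'C:\qradar\ca'                          # assumed directory holding the files copied from /opt/qradar/ca/www

# Claim rules in the AD FS claim rule language.
# Rule 1 is what "Send LDAP Attributes as Claims" generates for userPrincipalName -> UPN (steps 10-13).
# Rule 2 is what "Transform an Incoming Claim" generates for UPN -> Name ID with
# "Pass through all claim values" and the Unspecified name ID format (steps 14-17).
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "QRadar LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UPN to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Steps 1-8: create the relying party trust from the QRadar metadata file,
# with the access control policy from step 6 and the claim rules from steps 9-17.
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $MetadataFile `
    -AccessControlPolicyName 'Permit everyone' -IssuanceTransformRules $IssuanceRules

# Step 18: trust the QRadar_SAML certificate chain and CRLs (only when QRadar
# uses the provided QRadar_SAML certificate). Same certutil calls as the page.
certutil -addstore -f ROOT (Join-Path $CertDir 'root-qradar-ca_ca')
certutil -addstore -f CA   (Join-Path $CertDir 'QRadarSAML_ca.crt')
certutil -addstore -f ROOT (Join-Path $CertDir 'QRadarSAML_ca.crl')
certutil -addstore -f ROOT (Join-Path $CertDir 'root-qradar-ca_ca.crl')

# Check: confirm the trust exists and that both issuance rules were applied.
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$trust | Select-Object Name, Identifier, Enabled
$trust.IssuanceTransformRules
```

If the trust already exists, replace `Add-AdfsRelyingPartyTrust` with `Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $IssuanceRules` to update only the claim rules.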