IBM Support

QRadar: How to configure Microsoft Active Directory Federation Services as Identity Provider (IdP) for User Attribute authentication

How To


The purpose of this article is to help the administrator to configure Microsoft® Active Directory Federation Services (Microsoft® AD FS) as Identity Provider by using SAML 2.0 "User Attributes" authentication in QRadar®. The instructions in this technote apply only when SAML with "User Attributes" is used for authentication.


To configure this integration, the administrator must have:
  1. A Microsoft® AD FS service configured.
    Check the QRadar® documentation for general steps to configure it: Setting up SAML with Microsoft® Active Directory Federation Services.
  2. SAML 2.0 authentication enabled in QRadar®
    Note: SAML authentication is not available in versions prior QRadar® 7.3.2


This configuration requires the fields in the Microsoft® AD FS Management console and QRadar® Authentication must match.
In this technote, the "Last name" matches the Tenant by using the "Surname" attribute. However, these fields might vary on different Microsoft® AD FS implementations.
Microsoft® AD FS 
  1. Create the user.
    Note: The "Last name" is the Tenant in QRadar®.
  2. Right-click in the User, select Properties, and select the Organization Tab.
    1. In the Department section, use the QRadar® User Role.
    2. In the Company section, use the QRadar® Security Profile.

  3. At the left pane, navigate until the Claim rule name section by following:
    1. In the Relying Party Trusts folder, select the new trust you created, then click Edit Claim Issuance Policy.
    2. Click Add Rule (or Edit if there is one already created).
    3. Select Send LDAP Attributes as Claims from the Claim rule template menu, then click Next.
    4. Type a Claim rule name, and select in the Attribute store drop-down menu, Active Directory.
    5. In the “Mapping of LDAP attributes to outgoing claim types” section, modify it to match the 3 fields outlined in the screen capture:
QRadar® Authentication
The parameters required here are, User Role Attribute, Security Profile Attribute. The Tenant Attribute is optional if the QRadar® uses tenants, otherwise, the tenant-related configuration can be omitted. 
This technote covers the steps with Tenants.
  1. Create the User RolesSecurity profiles, and Tenants.
  2. Enable SAML 2.0 authentication.
    1. On the Admin tab, click Authentication.
    2. Click Authentication Module Settings.
    3. From the Authentication Module list, select SAML 2.0.
  3. Metadata File: Import the metadata file provided by the Microsoft® AD FS server.
  4. Select "User Attributes" in the How to authorize section
  5. From the drop-down menu select:
    1. User Role Attribute: Role
    2. Security Profile Attribute: Group 
    3. Tenant Attribute: Surname
  6. Click Save Authentication Module
  7. Save the metadata file in a safe and accessible location. This file is required in the Microsoft® AD FS.
  8. Finally, deploy the changes.
The user SAMLUser1 can authenticate now to QRadar® by using SAML without being configured previously in QRadar® as when local authentication is used. It is expected for QRadar® to automatically create this new user automatically and assign it to the proper Tenant. 

Document Location


[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQNH","label":"IBM Security QRadar Log Manager"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Version(s)"}]

Document Information

Modified date:
11 June 2021