---
layout: docs
page_title: Use Active Directory Federation Services for SAML
description: >-
Use Active Directory Federation Services (AD FS) as a SAML provider for Vault.
---
> [!IMPORTANT]
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
# Use Active Directory Federation Services for SAML
@include 'alerts/enterprise-and-hcp.mdx'
Configure your Vault instance to work with Active Directory Federation Services
(AD FS) and use AD FS accounts for SAML authentication.
## Before you start
- **You must have Vault Enterprise or HCP Vault v1.15.5+**.
- **You must be running AD FS on Windows Server**.
- **You must have a [SAML plugin](/vault/docs/auth/saml) enabled**.
- **You must have a Vault admin token**. If you do not have a valid admin
token, you can generate a new token in the Vault GUI or using
[`vault token create`](/vault/docs/commands/token/create) with the Vault CLI.
## Step 1: Enable the SAML authN method for Vault
1. Set the `VAULT_ADDR` environment variable to your Vault instance URL. For
example:
```shell-session
$ export VAULT_ADDR="https://myvault.example.com:8200"
```
1. Set the `VAULT_TOKEN` environment variable with your admin token:
```shell-session
$ export VAULT_TOKEN="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
```
1. Enable the SAML plugin. Use the `-namespace` flag to enable the plugin under
a specific namespace. For example:
```shell-session
$ vault -namespace=ns_admin auth enable saml
```
@include 'gui-instructions/enable-authn-plugin.mdx'
- Enable the SAML plugin:
1. Select the **SAML** token.
1. Set the mount path.
1. Click **Enable Method**.
## Step 2: Create a new relying party trust in AD
1. Open your Windows Server UI.
1. Go to the **Server Manager** screen.
1. Click **Tools** and select **AD FS Management**.
1. Right-click **Relying Party Trusts** and select **Add Relying Party Trust...**.
1. Follow the prompts to create a new party trust with the following settings:
| Option | Setting
| ----------------------------------------------------- | -------
| Claims aware | checked
| Enter data about relying party manually | checked
| Display name | "Vault"
| Certificates | None
| Enable support for the SAML 2.0 WebSSO protocol | checked
| SAML callback URL | Callback endpoint for your SAML plugin
| Relying party trust identifier | Any meaningful, unique string. For example "VaultIdentifier"
| Access control policy | Any valid policy or `Permit everyone`
| Configure claims issuance policy for this application | checked
The callback endpoint for your SAML plugin is:
`https://${VAULT_ADDRESS}/v1///auth//callback`
For example, if you mounted the plugin under the `ns_admin` namespace on the
path `org/security`, the callback endpoint URL would be:
`https://${VAULT_ADDRESS}/v1/ns_admin/auth/org/security/saml/callback`
## Step 3: Configure the claim issuance policy in AD
1. Open your Windows Server UI.
1. Go to the **Server Manager** screen.
1. Click **Tools** and select **AD FS Management**.
1. Right-click your new **Relying Party Trust** entry and select
**Edit Claim Issuance Policy...**.
1. Click **Add Rule...** and follow the prompts to create a new **Transform
Claim Rule** with the following settings:
| Option | Setting
| ------------------------------- | -------
| Send LDAP Attributes as Claims | selected
| Rule name | Any meaningful string (e.g., "Vault SAML Claims")
| Attribute store | `Active Directory`.
1. Complete the LDAP attribute array with the following settings:
| LDAP attribute | Outgoing claim type |
|------------------------------------|-------------------------------|
| `E-Mail-Addresses` | `Name ID` |
| `E-Mail-Addresses` | `E-Mail Address` |
| `Token-Groups - Unqualified Names` | `groups` or `Group` |
## Step 4: Update the SAML signature in AD
1. Open a PowerShell terminal on your Windows server.
1. Set the SAML signature for your relying party trust identifier to `false`:
```powershell
Set-ADFSRelyingPartyTrust `
-TargetName "" `
-SignedSamlRequestsRequired $false
```
For example:
```powershell
Set-ADFSRelyingPartyTrust `
-TargetName "MyVaultIdentifier" `
-SignedSamlRequestsRequired $false
```
## Step 5: Create a default AD FS role in Vault
Use the Vault CLI to create a default role for users authenticating
with AD FS where:
- `SAML_PLUGIN_PATH` is the full path (`/MOUNT_PATH/NAME`) to your
SAML plugin.
- `VAULT_ROLE` is the name of your new AD FS role. For example, `adfs-default`.
- `DOMAIN_LIST` is a comma separated list of target domains in Active Directory.
For example: `*@example.com,*@ext.example.com`.
- `GROUP_ATTRIBUTES_REF` is:
- `groups` if your LDAP token group is `groups`
- `http://schemas.xmlsoap.org/claims/Group` if your LDAP token group is
`Group`
- `AD_GROUP_LIST` is a comma separated list of Active Directory groups that
will authenticate with SAML. For example: `VaultAdmin,VaultUser`.
```shell-session
$ vault write /role/ \
bound_subjects="" \
bound_subjects_type="glob" \
groups_attribute= \
bound_attributes=groups="" \
token_policies="default" \
ttl="1h"
```
For example:
```shell-session
$ vault write auth/saml/role/adfs-default \
bound_subjects="*@example.com,*@ext.example.com" \
bound_subjects_type="glob" \
groups_attribute=groups \
bound_attributes=groups="VaultAdmin,VaultUser" \
token_policies="default" \
ttl="1h"
```
## Step 6: Configure the SAML plugin in Vault
Use the Vault CLI to finish configuring the SAML plugin where:
- `SAML_PLUGIN_PATH` is the full path to your SAML plugin:
`/auth//`.
- `VAULT_ROLE` is the name of your new AD FS role in Vault.
- `TRUST_IDENTIFIER` is the ID of your new relying party trust in AD FS.
- `SAML_CALLBACK_URL` is the callback endpoint for your SAML plugin:
`http://${VAULT_ADDR}//auth///callback`.
- `ADFS_URL` is the discovery URL for your AD FS instance.
- `METADATA_FILE_PATH` is the path on your AD FS instance to the federation
metadata file.
```shell-session
$ vault write /config \
default_role="" \
entity_id="" \
acs_urls=" \
idp_metadata_url="/"
```
For example:
```shell-session
$ vault write ns_admin/auth/org/security/saml/config \
default_role="adfs-default" \
entity_id="MyVaultIdentifier" \
acs_urls="${VAULT_ADDR}/v1/ns_admin/auth/org/security/saml/callback" \
idp_metadata_url="https://adfs.example.com/metadata/2007-06/federationmetadata.xml"
```
## Next steps
- [Link your Active Directory groups to Vault](/vault/docs/auth/saml/link-vault-group-to-ad)
- [Troubleshoot your SAML + AD FS configuration](/vault/docs/auth/saml/troubleshoot-adfs)