Link Active Directory SAML groups to Vault

Appropriate Vault Enterprise license or HCP Vault Dedicated cluster required.

Configure your Vault instance to link your Active Directory groups to Vault policies with SAML.

Before you start

You must have Vault Enterprise or HCP Vault v1.15.5+.
You must be running AD FS on Windows Server.
You must have a SAML plugin configured for AD FS.
You must have a Vault admin token. If you do not have a valid admin token, you can generate a new token in the Vault GUI or using vault token create with the Vault CLI.

Step 1: Enable a `kv` plugin instance for AD clients

Enable an instance of the KV secret engine for AD FS under a custom path:

$ vault secrets enable -path=<ADFS_KV_PLUGIN_PATH> kv-v2

For example:

$ vault secrets enable -path=adfs-kv kv-v2

Open the Enable a Secrets Engine page:
1. Open the GUI for your Vault instance.
2. Login under the namespace for the plugin or select the namespace from the selector at the bottom of the left-hand menu and re-authenticate.
3. Select Secrets Engines from the left-hand menu.
4. Click Enable new engine + on the Secrets Engines page.

Enable the KV plugin:
1. Select the KV token.
2. Set a mount path that reflects the plugin purpose. For example: dfs-kv.
3. Click Enable engine.

Step 2: Create a read-only policy for the `kv` plugin

Use vault write to create a read-only policy for AD FS clients that use the new KV plugin:

$ vault policy write <RO_ADFS_POLICY_NAME> - << EOF
# Read and list policy for the AD FS KV mount
path "<ADFS_KV_PLUGIN_PATH>/*" {
  capabilities = ["read", "list"]
}
EOF

For example:

$ vault policy write ro-saml-adfs - << EOF
# Read and list policy for the AD FS KV mount
path "adfs-kv/*" {
  capabilities = ["read", "list"]
}
EOF

Open the Create ACL Policy page:
1. Open the GUI for your Vault instance.
2. Login under the namespace for the policy or select the namespace from the selector at the bottom of the left-hand menu and re-authenticate.
3. Select Policies from the left-hand menu.
4. Select ACL Policies from the left-hand menu.
5. Click Create ACL policy + on the ACL Policies page.

Set the policy details and click Create policy:

Name: "ro-saml-adfs"

Policy:

# Read and list policy for the AD FS KV mount
path "<ADFS_KV_PLUGIN_PATH>/*" {
  capabilities = ["read", "list"]
}

Step 3: Create and link a Vault group to AD

Create an external group in Vault and save the group ID to a file named group_id.txt:

$ vault write                            \
  -format=json                           \
  identity/group name="SamlVaultReader"  \
  policies="ro-adfs-test"                \
  type="external" | jq -r ".data.id" > group_id.txt

Retrieve the mount accessor for the AD FS authentication method and save it to a file named accessor_adfs.txt:

$ vault auth list -format=json |               \
  jq -r '.["<SAML_PLUGIN_PATH>/"].accessor' >  \
  accessor_adfs.txt

Create a group alias:

$ vault write identity/group-alias         \
  name="<YOUR_EXISTING_AD_GROUP>"          \
  mount_accessor=$(cat accessor_adfs.txt)  \
  canonical_id="$(cat group_id.txt)"

Open the Create Group page:
1. Open the GUI for your Vault instance.
2. Login under the namespace for the group or select the namespace from the selector at the bottom of the left-hand menu and re-authenticate.
3. Select Access from the left-hand menu.
4. Select Groups from the left-hand menu.
5. Click Create group + on the Groups page.

Follow the prompts to create an external group with the following information:
- Name: your new Vault group name
- Type: external
- Policies: the read-only AD FS policy you created. For example, ro-adfs-test.
Click Add alias and follow the prompts to map the Vault group name to an existing group in Active Directory:
- Name: the name of an existing AD group (must match exactly).
- Auth Backend: <SAML_PLUGIN_PATH>/ (saml)

Step 4: Verify the link to Active Directory

Use the Vault CLI to login as an Active Directory user who is a member of the linked Active Directory group:
```
$ vault login -method saml -path <SAML_PLUGIN_PATH>
```
Read your test value from the KV plugin:
```
$ vault kv get adfs-kv/test
```