Additional configuration for Active Directory Federation Services

If you are using Active Directory Federation Services (ADFS) as your identity provider, you need to complete some additional configuration steps. This ensures that the group membership of your users is sent to Burp Suite Enterprise Edition in a format that it can recognize and consume. You have two options for doing this, each of which has its pros and cons: create a central claim issuance policy, or create claim rules for each group individually.

Note

It is also possible to use a combination of both approaches. In this case, the groups available to Burp Suite Enterprise Edition would be the union of the groups covered by the claim issuance policy and any additional groups for which you created individual claim rules.

Create a central claim issuance policy

To expose all of your users' groups to Burp Suite Enterprise Edition, you can configure a central claim issuance policy. This approach allows you to manage the claim rules for all of your groups in one place. It also removes the need to configure claim rules each time you add a new group.

The downside to this approach is that your groups will be emitted using their existing group names. For example, if your group is called BSEE_View_Scans in Active Directory, you will need to use this exact name for the corresponding user group in Burp Suite Enterprise Edition. For more information, see Configuring user permissions for SSO.

  1. Open the ADFS Management tool and go to the list of relying party trusts.
  2. Right-click on the entry you created for Burp Suite Enterprise Edition and select "Edit claim issuance policy".
  3. Use the wizard to configure the following rules.
Rule 1
Rule 2
Rule 3
Rule 4
Rule 5

All of the groups to which the user belongs will now be sent with every claim to Burp Suite Enterprise Edition. If you add new groups in the future, these rules will automatically be applied to them as well.

Create claim rules for each group individually

Alternatively, you can create claim rules on a group-by-group basis. This gives you more granular control over which groups and related information are exposed to Burp Suite Enterprise Edition in each claim.

This approach also gives you the flexibility to output the group using a different name than the one used in Active Directory. For example, if your group is called BSEE_View_Scans, you could output this with a more user-friendly name, such as "Scan viewers". You can then use this name for the corresponding group in Burp Suite Enterprise Edition. For more information, see Configuring user permissions for SSO.

  1. Open the ADFS Management tool and go to the list of relying party trusts.
  2. Right-click on the entry you created for Burp Suite Enterprise Edition and select "Edit claim issuance policy".
  3. From the "Claim rule template" drop-down list, select "Send Group Membership as Claim", then click "Next".
  4. Enter any name for the claim rule. Under "User's group", select the group for which you want to configure a claim rule.
  5. From the "Outgoing claim type" drop-down list, select "Group".
  6. In the "Outgoing claim value" field, enter a new name that you want to use for this group when sending a claim. You must use this exact name for the corresponding group that you create in Burp Suite Enterprise Edition later.
  7. Repeat this process for each group that you want to expose to Burp Suite Enterprise Edition. If you add new groups in the future, you will need to repeat this process for each of them.
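
Whichever approach you use, the group names in the assertion must match the group names in Burp Suite Enterprise Edition exactly. The following Python sketch is an added example, not part of the original documentation: it reads the group values from a SAML assertion and compares them with the group names you have configured. The sample assertion and the configured names are constructed, and the attribute name assumes the claim type URI that ADFS uses for its built-in "Group" claim.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: the ADFS built-in "Group" claim type URI is the attribute name.
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample: one group emitted under its AD name, one renamed by an
# individual claim rule (with a typo), and one unrelated AD group.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>BSEE_View_Scans</saml:AttributeValue>
      <saml:AttributeValue>scan viewers </saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def emitted_groups(assertion_xml, attr_name=GROUP_ATTR):
    """Return every group value in the assertion (the union over all rules).

    Diagnostic only: this does not verify the assertion's signature.
    """
    root = ET.fromstring(assertion_xml)
    groups = set()
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == attr_name:
            for value in attr.iterfind("saml:AttributeValue", SAML_NS):
                groups.add(value.text or "")
    return groups

def check_mapping(emitted, configured):
    """Classify emitted groups against the names configured in the application."""
    norm = {name.strip().casefold(): name for name in configured}
    report = {"matched": set(), "near_miss": {}, "unmapped": set()}
    for group in emitted:
        if group in configured:
            report["matched"].add(group)
        elif group.strip().casefold() in norm:
            # Differs only by case or surrounding whitespace: not an exact match.
            report["near_miss"][group] = norm[group.strip().casefold()]
        else:
            report["unmapped"].add(group)
    return report

if __name__ == "__main__":
    configured = {"BSEE_View_Scans", "Scan viewers"}  # hypothetical group names
    print(check_mapping(emitted_groups(SAMPLE_ASSERTION), configured))
```

Entries under `near_miss` point to a claim rule whose outgoing value needs correcting. Entries under `unmapped` are groups that the central policy exposes even though no corresponding group exists in the application.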