Active Directory Federation
VaultStream integrates with on-premises Active Directory through Microsoft Entra Connect and ADFS.
Supported Topologies
| Configuration | Description |
|---|---|
| Entra ID Connect (Cloud Sync) | AD → Entra ID → VaultStream (recommended) |
| ADFS 2019+ | Direct federation via SAML |
| Entra Domain Services | Managed domain with LDAP/Kerberos |
Entra ID Connect Setup
- Deploy Entra Connect Cloud Sync agent on a domain-joined server
- Configure attribute flow: mail, displayName, userPrincipalName
- Set up group writeback for team-based access control
- Register VaultStream as an Enterprise Application in Entra ID
- Assign users and groups to the application
ADFS Setup
- Add VaultStream as a Relying Party Trust in ADFS
- Configure claim rules:
  - E-Mail Address → Name ID
  - Display Name → urn:oid:2.5.4.42
  - Token-Groups - Unqualified Names → group claims
- Import the CYFR SP metadata
- Enable the Relying Party Trust
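The ADFS steps above, scripted with the ADFS PowerShell module as an added example (this is not VaultStream's or CYFR's own script). The trust name, the SP metadata URL and the choice to emit Token-Groups under the standard Group claim type are assumptions; the three claim mappings follow the list above.

```powershell
# Added example: register VaultStream as an ADFS Relying Party Trust with the
# claim rules from the guide. Trust name and metadata URL are placeholders.
Import-Module ADFS

$rptName     = "VaultStream"
$metadataUrl = "https://vaultstream.example.com/saml/metadata"   # placeholder SP metadata URL

# Issuance transform rules in ADFS claim rule language.
# Rule 1 reads mail, displayName and tokenGroups (unqualified names) from AD:
#   mail        -> E-Mail Address claim
#   displayName -> urn:oid:2.5.4.42 (the OID named in the guide)
#   tokenGroups -> Group claim, one claim per group the user belongs to
# Rule 2 turns the E-Mail Address claim into the SAML Name ID (email format).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "VaultStream attributes from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "urn:oid:2.5.4.42", "http://schemas.xmlsoap.org/claims/Group"), query = ";mail,displayName,tokenGroups;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule: permit every authenticated user. Narrow this to
# a group claim check if only part of the directory should reach VaultStream.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Import the SP metadata (entity ID, ACS endpoint, signing certificate) and
# attach both rule sets in one call. Monitoring keeps the SP certificate fresh.
Add-AdfsRelyingPartyTrust -Name $rptName `
    -MetadataUrl $metadataUrl `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Enable the trust only once the rules are in place, then review the result.
Enable-AdfsRelyingPartyTrust -TargetName $rptName
Get-AdfsRelyingPartyTrust -Name $rptName |
    Select-Object Name, Enabled, Identifier, IssuanceTransformRules
```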
Conditional Access
When federated through Entra ID, customers can apply Conditional Access policies:
- Require MFA
- Require hybrid-joined or compliant device
- Block by location (geo-fencing)
- Sign-in risk policies
Kerberos Constrained Delegation
For on-premises integrations, VaultStream supports Kerberos constrained delegation to allow the VaultStream agent to impersonate users when accessing internal file shares for content ingestion. See the Content Ingestion Guide for watch-folder configuration.