- Only a Druva Cloud administrator can configure and manage Single Sign-on.
- Single Sign-on configured on the Druva Cloud Platform Console is replicated automatically to the inSync Management Console, and Single Sign-on configured on the inSync Management Console is replicated automatically to the Druva Cloud Platform Console.
Configure Single Sign-on based on the applicable scenarios:
- New inSync customers (on-boarded after July 14th, 2018) must configure Single Sign-on using the Druva Cloud Platform Console. For more information, see Set up Single sign-on.
- Existing inSync customers who have already configured Single Sign-on must continue to use the existing Single Sign-on settings of inSync.
- Existing inSync customers who had not configured Single Sign-on as of July 14th, 2018, must configure Single Sign-on using the Druva Cloud Platform Console. For more information, see Set up Single sign-on.
- Existing Phoenix customers who have Single Sign-on enabled and have purchased an inSync license must replicate the Phoenix Single Sign-on settings to inSync.
Single sign-on (SSO) is a mechanism that allows users to access multiple resources using a single action of authentication and authorization. inSync supports SSO for users, as well as administrators. By enabling SSO, users and administrators can access all inSync resources without the need for a separate login. An SSO login validates usernames and passwords against your corporate user database, typically managed by your Identity Provider (IdP). A successful validation ensures that users and administrators can log on to inSync Web and inSync Master Management Console respectively, without the need for an inSync-generated password.
Why implement SSO
You should implement SSO for your inSync setup for the following reasons:
- Reduced human errors: SSO eliminates the need to remember multiple passwords, greatly reducing the possibility of human error while accessing inSync resources.
- Reduced administration efforts: With single sign-on, inSync users and administrators logging in from their corporate network are rarely prompted for a username or password. With fewer passwords to manage, inSync administrators receive fewer requests to reset forgotten passwords.
- Central management of user database: Many organizations maintain a database of users. By enabling single sign-on for inSync, changes to this database are also reflected in the inSync setup. This means that if you delete credentials from this database, users to whom these credentials were previously assigned can no longer log in to inSync using them.
- Reduced login time: Typically, a user needs 5 to 20 seconds to log in to an online application. SSO eliminates the effort required for a manual login, thus increasing productivity.
- Increased security: The password policies enforced across your organization apply when you use SSO for inSync. The one-time authentication tokens used to validate SSO attempts add security for users who have access to sensitive data.
How SSO works
inSync supports Single Sign-On by implementing federated authentication using Security Assertion Markup Language (SAML) version 2.0. Federated authentication allows inSync to skip validation of passwords.
To enable SSO, you or another administrator must first work with an Identity Provider (IdP) to create a corporate database that includes all inSync users and administrators. If you already have an IdP, you can configure inSync to work with it. The IdP maintains a record of all usernames and their corresponding passwords in an encrypted format.
If you have created a corporate database with an IdP for the first time, users or administrators logging on for the first time are redirected to an IdP login page that prompts them to provide their password once. The IdP maintains a record of the stored usernames and their passwords in an encrypted format. The IdP then redirects to the inSync login page, which users and administrators can now access without passwords.
However, if you use an IdP that you configured previously, or this is a subsequent login, inSync uses SAML assertions in an HTTP POST profile to communicate with your IdP. For every login attempt, inSync sends a SAML request to the IdP Login URL specified under > Settings > Single Sign-On. The IdP validates the SAML query, sets the assertion in the HTTP POST to True, and sends this response to inSync. inSync receives the assertion, which indicates that the user is validated and allowed access to inSync resources, and grants access to inSync Web or the inSync Master Management Console, depending on the type of login (user or administrator).
If the IdP does not find a match within its database, it sets the assertion in the HTTP POST to False, indicating that the user (or administrator) is not authorized to access inSync resources. Upon receiving this response, inSync denies access to inSync Web or the inSync Master Management Console, depending on the type of login (user or administrator).
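The True/False decision described above is made by the service provider on the SAML Response it receives in the HTTP POST. The following is an added example (not Druva's or inSync's code) of the checks a SAML 2.0 service provider performs on that response before granting access: the StatusCode, the presence of a signature, the Audience restriction and the validity window. The SP entity ID, the user name and the sample response are constructed for illustration; a real deployment must also cryptographically verify the XML signature, which this example only checks for presence.

```python
"""Minimal SAML 2.0 Response checks at the SP (added example, not Druva code).
Models the assertion True/False decision in the text: inspect StatusCode, Audience
and validity window before granting access. Entity IDs and names are constructed.
Real deployments must also verify the XML signature (e.g. with xmlsec); this only
checks for its presence."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"  # constructed SP entity ID

def evaluate_saml_response(saml_response_b64, now):
    """Return (allow, reason_or_nameid) for a base64 SAMLResponse POST field."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "idp-status-not-success"   # the IdP's 'False' case
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no-assertion"
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        return False, "unsigned"                 # never trust an unsigned assertion
    cond = assertion.find("saml:Conditions", NS)
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS) if cond is not None else None
    if aud is None or aud.text != SP_ENTITY_ID:
        return False, "audience-mismatch"        # assertion issued for another SP
    nb = dt.datetime.fromisoformat(cond.get("NotBefore").replace("Z", "+00:00"))
    na = dt.datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if not (nb <= now < na):
        return False, "outside-validity-window"  # replayed or stale assertion
    return True, assertion.find("saml:Subject/saml:NameID", NS).text

def sample_response(status=SUCCESS, signed=True):
    """Constructed IdP response (illustrative, not real IdP output)."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
           f'<saml:Assertion>{sig}<saml:Subject><saml:NameID>alice@example.test</saml:NameID>'
           '</saml:Subject><saml:Conditions NotBefore="2024-01-01T12:00:00Z" '
           f'NotOnOrAfter="2024-01-01T12:05:00Z"><saml:AudienceRestriction><saml:Audience>'
           f'{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

Calling `evaluate_saml_response(sample_response(), now)` with a `now` inside the five-minute window returns `(True, "alice@example.test")`; a non-Success status, a missing signature or a stale timestamp each return `False` with the reason.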
Supported Identity Providers (IdPs)
inSync integrates with the majority of the SAML IdPs. This section provides information on the SAML IdPs that inSync certifies and supports.
Support Levels Definition
Druva categorizes its IdP support levels as follows:
- Certified IdPs - A certified IdP is fully tested by the Druva Quality Assurance (QA) team. Druva certifies these IdPs and performs regular testing with every cloud release to ensure the SSO functionality works as expected.
- Supported IdPs - A supported IdP is not tested by the Druva QA team with every cloud release, but the SSO functionality should work as expected. Druva will provide support for such IdPs. Issues that require time and resources beyond commercial viability may not be addressed.
- Active Directory Federation Services (ADFS)
- All IdPs that support SAML 2.0.
Note: Contact Druva Support for assistance to configure an IdP that is not listed under Certified IdPs.