Single Sign-On (SSO) is a mechanism that allows users to access multiple resources using a single action of authentication and authorization. Druva supports SSO for administrators. By enabling SSO, administrators can access all Druva services without the need for a separate login. An SSO login validates usernames and passwords against your corporate user database, typically managed by your Identity Provider (IdP). A successful validation ensures that users and administrators can log on to Druva Cloud Platform Console, without the need for a Druva generated password.
- Only a Druva Cloud administrator can set up Single Sign-On.
- Configure Single Sign-On based on the applicable scenarios:
- New Druva customers, that is, Phoenix customers onboarded after July 02, 2018 and inSync customers onboarded after July 14, 2018, must follow the instructions given in this article.
- Existing Phoenix and inSync customers who already have configured Single Sign-On must continue to use the existing Single Sign-on settings of Phoenix and the Single Sign-on settings of inSync as applicable.
How SSO works
Druva supports SSO by implementing federated authentication using Security Assertion Markup Language (SAML) version 2.0. Federated authentication allows Druva to skip validation of passwords.
To enable SSO, an administrator must first work with an Identity Provider (IdP) to create a corporate database that includes all Druva administrators. If you already have an IdP, you can configure Druva to work with this IdP. The IdP maintains a record of all usernames and their corresponding passwords in an encrypted format.
If you created a corporate database with an IdP for the first time, administrators logging on for the first time are redirected to an IdP login details page that prompts them to set a password once. The IdP then redirects the administrator to the Druva Cloud Platform Console. From then on, administrators can access the Druva Cloud Platform Console without individual Druva passwords.
However, if you use a preconfigured IdP or if this is a subsequent login, Druva uses SAML assertions in an HTTP POST profile to communicate with your IdP. For every login attempt, Druva sends a SAML request to the IdP login URL specified under Druva Cloud Settings > Access Settings > Single Sign-On > Edit. The IdP validates the SAML request, sets the assertion in the HTTP POST to True, and sends this response to Druva. Druva receives the assertion, which indicates that the administrator is validated, and allows access to the Druva Cloud Platform Console.
However, if the IdP does not find a match within its database, it sets the assertion in the HTTP POST to False, indicating that the administrator is not authorized to access the Druva Cloud Platform Console. Upon receiving this response, Druva denies access to the Druva Cloud Platform Console.
Supported Identity Providers (IdPs)
Druva integrates with the majority of the SAML IdPs. This section provides information on the SAML IdPs that Druva certifies and supports.
Support Levels Definition
Druva categorizes its IdP support levels as follows:
- Certified IdPs - A certified IdP is fully tested by Druva Quality Assurance (QA) team. Druva certifies these IdPs and performs regular testing with every cloud release to ensure the SSO functionality works as expected.
- Supported IdPs - A supported IdP is not tested by the Druva QA team with every cloud release, however, the SSO functionality should work as expected. Druva will provide support for such IdPs. Issues that require time and resources beyond commercial viability may not be addressed.
Certified IdPs:
- Active Directory Federation Services (ADFS)
  - Windows Server 2012 R2 (64-bit) is certified to work with ADFS 3.0
  - Windows Server 2008 R2 (64-bit) is certified to work with ADFS 2.0
Supported IdPs:
- All IdPs that support SAML 2.0.
Note: Contact Druva Support for assistance to configure an IdP that is not listed under Certified IdPs.
SSO Configuration Workflow
This table describes the order in which you should complete the tasks to enable SSO for administrator and user access.
| Task | Name | Description |
|---|---|---|
| 1 | Work with your IdP | Before you enable SSO, you must first set up a corporate database with an Identity Provider (IdP). If your organization is already using an IdP, you must work with your IdP to obtain details such as the IdP URL and IdP certificate. Druva supports leading IdPs such as Okta, PingIdentity, OneLogin, and Active Directory Federation Services (ADFS). |
| 2 | Configure Druva for Single Sign-On | To enable SSO access for users and administrators, you must configure Druva to recognize the IdP details that you obtained in Task 1. After you configure Druva for Single Sign-On, the Druva Cloud Platform Console provides an option to generate an SSO token. To allow your IdP to recognize requests that Druva sends, you must first generate an SSO token, and then update your IdP configuration with this token. The SSO token uniquely identifies Druva login requests. For login attempts, Druva sends a request to the IdP (typically using HTTP POST). In its response, the IdP attaches this token, thereby indicating the validity of the authentication request. When Druva receives this response, it uses the SSO token ID to validate the authenticity of the IdP response. |
| 3 | Update IdP details | To provide the authentication token to your IdP, you must update your IdP configuration to include this token. |
For a better understanding, share this handy article describing the SSO workflow with your administrator.
Work With Your IdP
To enable SSO for users and administrators in your organization, you must work with your Identity Provider (IdP) to create a corporate database that contains usernames and passwords of Druva administrators. If your organization is using an IdP, you can configure Druva to recognize this IdP. The IdP maintains a record of credentials and validates a username against its password for each login attempt. Druva supports leading IdPs such as Okta, PingIdentity, OneLogin, and Active Directory Federation Services (ADFS).
Free Okta Sign-up
Before you begin to work with your preferred IdP and configure SSO for your account, you can choose to sign up with Okta for free from the Druva Cloud Platform Console. The Okta sign-up process uses the Embedded Okta Cloud Connect (OCC), provides an accelerated SSO configuration experience from the Druva Cloud Platform Console, and comes with the following benefits:
- Absolutely free, forever, and for unlimited users
- One-stop solution to enable SSO
- Seamless migration experience for first time SSO adopters
Note: OCC free subscription is limited to one application per organization and applicable only to customers who have licensed Druva Phoenix after July 02, 2018 and Druva inSync after July 14, 2018.
To create Okta Tenant, perform the following steps on the Druva Cloud Platform Console:
- Click the Druva logo to access the Global Navigation Panel > Druva Cloud Settings > Access Settings. The Access Settings window appears.
- In the Single Sign-On section, click Okta Sign-up. A prompt is displayed to proceed further.
- Provide the appropriate information for each field:
  - Subdomain: Type the subdomain on which you want to register your organization.
  - Organization Name: Type a unique name for your organization.
  - Organization URL: Type the URL for your organization with https://www. as the prefix.
  - First Name: Type your first name.
  - Last Name: Type your last name.
  - Email: Type a unique email address. This will be the username for your Okta application.
  - Password: Type a password. The password must meet the Okta Tenant password policy and must be a combination of the following:
    - Minimum eight characters
    - At least one uppercase character
    - At least one lowercase character
    - Must not contain parts of your username
  - Confirm Password: Re-type the password.
  - Security Question: Select one security question from the drop-down menu.
  - Security Answer: Type an answer to the selected security question. The correct answer is required for password recovery.
- Select the check-box to accept the end-user agreement, and click Signup.
- Upon verification of the submitted details, Okta Tenant is successfully created for your organization.
- Log in to the Okta Tenant and add user details using Active Directory.
Obtain IdP details
To configure Druva for SSO, you must obtain the following information from your IdP.
- ID Provider Login URL
- ID Provider Certificate
Configure Druva for Single Sign-On
If you are a Druva Cloud administrator, you can configure SSO for your Druva account. At the time of configuration, you must provide IdP details that you obtained at the time of working with your IdP.
To configure Single Sign-On settings
- Click the Druva logo to access the Global Navigation Panel > Druva Cloud Settings > Access Settings. The Access Settings window appears.
- In the Single Sign-On section, click Edit. The Edit Single Sign-On Settings window appears.
- Provide the appropriate information for each field:
  - ID Provider Login URL: Type the identity provider's URL. The URL that you provide in this field points to the identity provider's authentication page. When the email is entered on the Druva Cloud Platform Console login page, the administrator is directed to the identity provider's authentication page.
  - ID Provider Certificate: Copy the content of the public key certificate that your IdP provided. This certificate ensures that the communication between Druva and your IdP is secure.
  - AuthnRequests Signed: Select this checkbox if you want to sign SAML Authentication Requests. By default, SAML Authentication Requests are not signed.
  - Encrypt Assertions: Select this checkbox if you want to enable encryption for the SAML assertions. By default, encryption is disabled.
  - Single Sign-On for Administrators: Enable the Administrators log into Druva Cloud through SSO provider setting to let administrators use the SSO configuration to log in to the Druva Cloud Platform Console and use Druva services.
  - Failsafe for Administrators: Enable the Failsafe for Administrators setting to give Druva Cloud administrators the option to use a password to log in to the Druva Cloud Platform Console even if SSO is enabled for administrators. Only Druva Cloud administrators get the privilege to use a password to log in to the Druva Cloud Platform Console. By default, this setting is enabled, and Druva recommends that you DO NOT disable it.
  - Single Sign-On for inSync End Users: To let inSync end users log in using the SSO configuration, enable the setting in the General section of their profile. For more information, see Enable SSO for inSync users.
- Click Save.
- After the configuration is complete, the Generate SSO Token button appears. Click this button to generate an SSO token for your IdP, and then click the Copy button to copy the token to your clipboard. Save it as plain text using a text editor for later use.
Update IdP Details
To allow your IdP to recognize requests that Druva sends, update your IdP configuration with the token you generated in step 5 of the previous procedure. The SSO token uniquely identifies Druva login requests. For login attempts, Druva sends a request to the IdP (typically using HTTP POST). In its response, the IdP attaches this token, thereby indicating the validity of the authentication request. When Druva receives this response, it uses the SSO token ID to validate the authenticity of the IdP response.
Before updating IdP details, ensure that:
- You have the SAML_Identifier/entity ID parameter handy.
- You have access to the documentation for the Identity Provider that you are using. This article contains instructions that serve as a guide, and not as exact tasks that you must perform.
Unless otherwise noted, use the following procedure as a guide. Use the documentation provided by your IdP for the correct configuration procedure.
To update IdP details
- Log on to the IdP administrator console with elevated rights.
For example, the Global Administrator role supported by PingOne provides full access to manage and control all aspects of the administrator console.
- Create a SAML application.
- Provide the Assertion Consumer Service URL or the SSO URL.
The Assertion Consumer Service is the SAML-compliant URL to which your IdP posts assertions. It acts as the receptor for form submissions and page redirects. The Assertion Consumer Service URL or SSO URL for the Druva Cloud Platform Console is:
- For Public Cloud: https://login.druva.com/api/commonlogin/samlconsume
- For Governance Cloud: https://loginfederal.druva.com/api/commonlogin/samlconsume
- Provide the SAML_Identifier value as the entity ID. In Okta, this is the Audience URI field. In this field, provide:
  - DCP-login for Public Cloud
  - DCP-loginfederal for Governance Cloud
  Note: This value is case sensitive.
- In the Name ID format field, select EmailAddress.
- Leave the Default RelayState field blank.
- If the identity provider requires an application URL
- Provide the Name ID Format, SSO token, and other details that your IdP mandates.
- In the SSO token section, enter the name as druva_auth_token.
- In the value field, paste the SSO token that you generated in step 5 of the previous procedure.
- If you have enabled AuthnRequests Signed as per step 3 of the previous procedure, provide the following certificate in the applicable field on the IdP:
- If you have enabled Encrypt Assertions as per step 3 of the previous procedure, provide the following certificate in the applicable field on the IdP:
- Save your changes.
Single Sign-On setup is complete after all the steps finish successfully, and administrators in your organization can then log in to the Druva Cloud Platform Console by using SSO.
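The checks a service provider applies to the IdP's HTTP POST response, as an added Python example that is not Druva's code: it verifies the Destination against the ACS URL, the Audience against the entity ID (case-sensitive, as the note above states), the NameID format, the assertion's validity window, and the druva_auth_token attribute. The sample response, the email address and the token value are constructed for the demonstration; XML signature verification with the IdP certificate is assumed to be handled by a SAML library before these checks run.

```python
# Added example, not Druva's code: the checks a SAML service provider applies
# to an IdP response, using the values this page specifies.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS_URL = "https://login.druva.com/api/commonlogin/samlconsume"  # Public Cloud

def check_saml_response(xml_text, audience, acs_url, sso_token, now=None):
    """Return (True, email) if every check passes, else (False, reason)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        return False, "Destination does not match the ACS URL"
    st = root.find("samlp:Status/samlp:StatusCode", NS)
    if st is None or st.get("Value") != SUCCESS:
        return False, "IdP did not report Success"
    a = root.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS) if a is not None else None
    if cond is None:
        return False, "assertion or Conditions missing"
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != audience:  # exact, case-sensitive match
        return False, "Audience does not match the entity ID"
    nb = datetime.fromisoformat(cond.get("NotBefore").replace("Z", "+00:00"))
    noa = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if not (nb <= now < noa):
        return False, "assertion outside its validity window"
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FMT:
        return False, "NameID format is not EmailAddress"
    vals = [v.text for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)
            if at.get("Name") == "druva_auth_token" for v in at.findall("saml:AttributeValue", NS)]
    if vals != [sso_token]:  # the token the IdP was configured with in the step above
        return False, "druva_auth_token missing or wrong"
    return True, nid.text

def sample_response(audience="DCP-login", token="TOKEN-PLACEHOLDER", fmt=EMAIL_FMT):
    """Constructed IdP response for demonstration only (not a real capture)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Destination="{ACS_URL}">
<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status><saml:Assertion>
<saml:Subject><saml:NameID Format="{fmt}">admin@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2000-01-01T00:00:00Z" NotOnOrAfter="2100-01-01T00:00:00Z"><saml:AudienceRestriction>
<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="druva_auth_token"><saml:AttributeValue>{token}</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Call `check_saml_response(sample_response(), "DCP-login", ACS_URL, "TOKEN-PLACEHOLDER")` to see the accepting case; changing the audience to `dcp-login` or the token value makes the same response fail.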
Change the Failsafe Administrator
If you are a Druva Cloud administrator, you can replace the current failsafe administrator (the Druva Cloud administrator who enabled SSO) and become the failsafe administrator yourself.
You might need to do this when you are changing the role of the Druva Cloud administrator who enabled SSO, or of the failsafe administrator, to some other role.
Before you begin
Ensure you are able to log on to Druva Cloud Platform Console using SSO.
To change the failsafe administrator
- Click the Druva logo to access the Global Navigation Panel > Druva Cloud Settings. The Settings window appears.
- Disable the Administrators log into Druva Cloud through SSO provider setting.
- Enable the Administrators log into Druva Cloud through SSO provider setting.
After you set up SSO:
- Failsafe admins (Druva Cloud administrators) receive an email with a password when Single Sign-On is enabled.
- The password is reset for all administrators when Single Sign-On is disabled.
- The password policy is enabled for Druva Cloud administrators when Single Sign-On is enabled. After a Druva Cloud administrator logs in using Single Sign-On, the Druva Cloud Platform Console prompts the administrator to reset the password.
- Administrators are not notified if the Failsafe for Administrators setting is disabled.