Druva Documentation

Set Up Single Sign-On (SSO)

Overview

Single Sign-On (SSO) is a mechanism that allows users to access multiple resources using a single action of authentication and authorization. Druva supports SSO for administrators. By enabling SSO, administrators can access all Druva services without the need for a separate login. An SSO login validates usernames and passwords against your corporate user database, typically managed by your Identity Provider (IdP). A successful validation ensures that users and administrators can log on to Druva Cloud Platform Console without the need for a Druva-generated password.

 

 

Only a Druva Cloud administrator can set up Single Sign-On. 

 


How SSO works

Druva supports SSO by implementing federated authentication using Security Assertion Markup Language (SAML) version 2.0. Federated authentication allows Druva to skip the validation of passwords. 

To enable SSO, an administrator must first work with an Identity Provider (IdP) to create a corporate database that includes all Druva administrators. If you already have an IdP, you can configure Druva to work with this IdP. The IdP maintains a record of all usernames and their corresponding passwords in an encrypted format.

If you created a corporate database with an IdP for the first time, administrators logging on for the first time are redirected to an IdP login details page that prompts the user for a one-time provision of passwords.  The IdP redirects the user to the Druva Cloud Platform Console.  The administrators can now access the Druva Cloud Platform Console without individual passwords.

However, if you use a preconfigured IdP or if this is a subsequent login, Druva uses SAML assertions in an HTTP POST profile to communicate with your IdP. For every login attempt, Druva sends SAML requests to the IdP login URL specified under the Druva logo > Druva Cloud Settings > Access Settings > Single Sign-On > Edit. The IdP validates the SAML query, sets assertion in HTTP POST to True, and sends this response to Druva. Druva receives the assertion, which indicates that the administrator is validated, and allows access to Druva Cloud Platform Console.

However, if the IdP does not find a match within its database, it sets assertion in HTTP POST to False, thus indicating that the administrator is not authorized to access Druva Cloud Platform Console. Upon receiving this response, Druva denies access to Druva Cloud Platform Console.

Supported Identity Providers (IdPs) 

Druva integrates with the majority of the SAML IdPs. This section provides information on the SAML IdPs that Druva certifies and supports.

Support Levels Definition

Druva categorizes its IdP support levels as follows:

  • Certified IdPs - A certified IdP is fully tested by Druva Quality Assurance (QA) team. Druva certifies these IdPs and performs regular testing with every cloud release to ensure the SSO functionality works as expected.
  • Supported IdPs - A supported IdP is not tested by the Druva QA team with every cloud release, however, the SSO functionality should work as expected. Druva will provide support for such IdPs. Issues that require time and resources beyond commercial viability may not be addressed.

Certified IdPs

  • Okta
  • PingOne
  • Active Directory Federation Services (ADFS)
    • Windows Server 2012 R2 (64-bit) is certified to work with ADFS 3.0
    • Windows Server 2008 R2 (64-bit) is certified to work with ADFS 2.0

Supported IdPs

  • All IdPs that support SAML 2.0.
Note: Contact Druva Support for assistance to configure an IdP that is not listed under Certified IdPs.

SSO Configuration Workflow

This table describes the sequence of tasks to follow to enable SSO for administrator and user access.

| Task Number | Task | Description |
|---|---|---|
| 1 | Work with your IdP | Before you enable SSO, you must first set up a corporate database with an Identity Provider (IdP). If your organization is using an IdP, you must work with your IdP to get details such as IdP URL and IdP certificate. Druva supports leading IdPs such as Okta, PingIdentity, OneLogin, and Active Directory Federation Services (ADFS). |
| 2 | Configure Druva for Single sign-on | To enable SSO access for users and administrators you must configure Druva to recognize IdP details that you obtained when you performed Task 1. |
| 3 | Generate SSO token | After you configure Druva for Single sign-on, the Druva Cloud Platform Console provides an option to generate SSO Token. To allow your IdP to recognize requests that Druva sends, you must first generate an SSO token, and then update your IdP configuration with this token. The SSO token uniquely identifies Druva login requests. For login attempts, Druva sends a request to the IdP (typically using HTTP POST). In its response, the IdP attaches this token, thereby indicating the validity of authentication requests. When Druva receives this response, it uses the SSO token ID to validate the authenticity of the IdP response. |
| 4 | Update IdP details | To provide the authentication token to your IdP, you must update your IdP configuration to include this token. This establishes a connection between SAML and Druva or vice-versa. |
| 5 | Enable SSO and Failsafe | As the last step, you must configure Druva to enable SSO and Failsafe. |

For greater understanding, share this handy article describing the SSO workflow with your administrator.

Work With Your IdP

To enable SSO for users and administrators in your organization, you must work with your Identity Provider (IdP) to create a corporate database that contains usernames and passwords of Druva administrators. If your organization is using an IdP, you can configure Druva to recognize this IdP. The IdP maintains a record of credentials and validates a username against its password for each login attempt. Druva supports leading IdPs such as Okta, PingIdentity, OneLogin, and Active Directory Federation Services (ADFS).

Obtain IdP details

To configure Druva for SSO, you must obtain the following information from your IdP. 

  • ID Provider Login URL: The page to which Druva sends a SAML request to initiate a login.
  • ID Provider Certificate: The authentication certificate that your IdP provides.

Free Okta Sign-up

Before you begin to work with your preferred IdP and configure SSO for your account, you may choose the option to sign up with Okta for free on the Druva Cloud Platform Console. The Okta sign-up process features the Embedded Okta Cloud Connect (OCC), provides an accelerated experience for the SSO configuration from the Druva Cloud Platform Console, and comes with the following benefits:

  • Absolutely free, forever, and for unlimited users
  • One-stop solution to enable SSO
  • Seamless migration experience for first time SSO adopters

Note: OCC free subscription is limited to one application per organization and applicable only to customers who have licensed Druva Phoenix after July 02, 2018 and Druva inSync after July 14, 2018. 

To create Okta Tenant, perform the following steps on the Druva Cloud Platform Console:

  1. Click the Druva logo to access the Global Navigation Panel > Druva Cloud Settings > Access Settings. The Access Settings window appears.
  2. In the Single Sign-On section, click Okta Sign-up. A prompt is displayed to proceed further.
  3. Provide the appropriate information for each field:
    | Field | Action |
    |---|---|
    | Subdomain | Type the subdomain on which you want to register your organization. Example: druva.okta.com |
    | Organization Name | Type a unique name for your organization. |
    | Organization Website | Type the URL for your organization with https://www. as prefix. |
    | First Name | Type your first name. |
    | Last Name | Type your last name. |
    | Email | Type a unique email address. This will be the username for your Okta application. |
    | Password | Type a password. The password must meet the Okta Tenant password policy and must be a combination of the following: minimum eight characters; at least one uppercase character; at least one lowercase character; must not contain parts from your username. |
    | Confirm Password | Re-type the password. |
    | Security Question | Select one security question from the drop-down menu. |
    | Security Answer | Type an answer to the selected security question. The correct answer is required in case of a password recovery. |
  4. Select the check-box to accept the end-user agreement, and click Signup.
  5. Upon verification of the submitted details, Okta Tenant is successfully created for your organization. 
  6. Log into the Okta Tenant and add user details using active directory. 

Configure Druva for Single Sign-On

If you are a Druva Cloud administrator, you can configure SSO for your Druva account. At the time of configuration, you must provide IdP details that you obtained at the time of working with your IdP.

To configure Single Sign-On settings:

  1. Click the Druva logo to access the Global Navigation Panel > Druva Cloud Settings > Access Settings. The Access Settings window appears.
  2. In the Single Sign-On section, click Edit. The Edit Single Sign-On Settings window appears.
  3. Provide the appropriate information for each field.
    | Field | Action |
    |---|---|
    | ID Provider Login URL | Type the identity provider's URL. The URL that you provide in this field points to the identity provider's authentication page. When the email is entered on the Druva Cloud Platform Console login page, the administrator is directed to the identity provider's authentication page. |
    | ID Provider Certificate | Copy the content of the public key certificate that your IdP provided. This certificate ensures that the communication between Druva and your IdP is secure. |
    | AuthnRequests Signed | Select this checkbox if you want to sign SAML Authentication Requests. By default, SAML Authentication Requests are not signed. |
    | Encrypt Assertions | Select this checkbox if you want to enable encryption for the SAML assertions. By default, encryption is disabled. |
    | Single Sign-On for Administrators | Enable the Administrators log into Druva Cloud through SSO provider setting to let administrators use the SSO configuration to log in to Druva Cloud Platform Console and use Druva services. |
    | Failsafe for Administrators | Enable the Failsafe for Administrators setting to provide Druva Cloud administrators an option to use a password to log in to Druva Cloud Platform Console even if SSO is enabled for administrators. Only Druva Cloud administrators get the privilege to use a password to log in to Druva Cloud Platform Console. By default, this setting is enabled, and Druva recommends that you DO NOT disable this setting. |
    | Single Sign-On for inSync End Users | To let inSync end users log in using SSO configuration, enable the setting through the general section of their profile. For more information, see Enable SSO for inSync users. |
  4. Click Save.

Generate SSO token

To allow your IdP to recognize requests that Druva inSync and Phoenix send, you must first generate an SSO token, and then update your IdP configuration with this token. The SSO token uniquely identifies Druva login requests. For login attempts, Druva sends a request to the IdP (typically using HTTP POST). In its response, the IdP attaches this token, thereby indicating the veracity of authentication requests. When Druva receives this response, it uses the SSO token ID to validate the authenticity of the IdP response.

Note: We recommend that you generate the SSO token only once. If you generate the SSO token again, the old SSO token that you previously registered with your IdP becomes invalid. If you generate the SSO token again, update your IdP details accordingly.

If you have completed the configuration in the previous steps, perform the following steps to generate an SSO token:

  1. Click the Druva logo to access the Global Navigation Panel > Druva Cloud Settings > Access Settings. The Access Settings window appears.
  2. In the Single Sign-On section, click Generate SSO Token. The Single Sign-On Token window appears.
  3. Click Copy. A message appears indicating that the token is copied to clipboard.
  4. Click Close.
  5. Save the copied token as plain text using a text editor for later use.
  6. Update your IdP configuration to reflect the SSO token.

Update IdP Details

To allow your IdP to recognize requests that Druva sends, update your IdP configuration with the token you generated in the Generate SSO token section. The SSO token uniquely identifies Druva login requests. For login attempts, Druva sends a request to the IdP (typically using HTTP POST). In its response, the IdP attaches this token, thereby indicating the veracity of authentication requests. When Druva receives this response, it uses the SSO token ID to validate the authenticity of the IdP response.

Before updating IdP details, ensure that:

  • You have the SAML_Identifier/entity ID parameter handy. The Single Sign-On settings page on the Druva Cloud Platform Console displays the entity ID for your account.
  • You have access to the documentation for the Identity Provider that you are using. This article contains instructions that serve as a guide, and not as exact tasks that you must perform.

Unless otherwise noted, use the following procedure as a guide. Use the documentation provided by your IdP for the correct configuration procedure.

  1. Log on to the IdP administrator console with elevated rights.  
    For example, the Global Administrator role supported by PingOne provides full access to manage and control all aspects of the administrator console. 
  2. Create a SAML application. 
  3. Provide the Assertion Consumer Service URL or the SSO URL.
    The Assertion Consumer Service is a SAML-compliant URL that is hosted on your IdP. It acts as a receptor for form submissions and page redirects. The Assertion service URL or the SSO URL for the Druva Cloud Platform Console
  4. Provide the SAML_Identifier value as the entity ID. In Okta, this is the Audience URI field. In this field, provide: 
    Note: This value is case sensitive.
    • DCP-login for Public Cloud
    • DCP-loginfederal for Gov Cloud

      In case your IdP requires a URL to be entered for SAML_Identifier, you can use https://dcp-login for Public Cloud and https://dcp-loginfederal for Gov Cloud.

    You can also configure the IdP with a custom entity ID. To generate a unique entity ID, click the more button and select Regenerate Entity ID.

    Generating a new entity ID allows configuring each SAML enabled account with a unique entity ID. This enables you to configure multiple SAML enabled accounts for your organization.

  5. In the Name ID format field, select EmailAddress.
  6. Leave the Default RelayState field blank.  
  7. If the identity provider requires an application URL 
  8. Provide the Name ID Format, SSO token, and other details that your IdP mandates.
    1. In the SSO token section, enter the name as druva_auth_token.
    2. In the value field, paste the SSO token that you generated in the Generate SSO token section.
    3. If you have enabled AuthnRequests Signed as per step 3 of the previous procedure, provide the following certificate in the applicable field on the IdP:
    4. If you have enabled Encrypt Assertions as per step 3 of the previous procedure, provide the following certificate in the applicable field on the IdP:
  9. Save your changes.

The Single Sign-on is set up after all the steps are completed successfully, and administrators can log in to the Druva Cloud Platform Console by using SSO in your organization. 
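
To confirm the IdP application matches the values in the procedure above, you can inspect the SAMLResponse form value from a test login. The following is an added example, not Druva code: it assumes the IdP emits the SSO token as a SAML attribute named druva_auth_token, it uses a constructed sample response, and the function names are hypothetical. It checks field values only and does not verify the XML signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TOKEN_ATTRIBUTE = "druva_auth_token"  # attribute name from step 8 of this procedure


def check_saml_response(b64_response, expected_entity_id="DCP-login"):
    """Return a list of configuration problems found in a Base64-encoded
    SAMLResponse value; an empty list means the checked fields look right.
    Only run this on responses captured from your own test login."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.find("saml:EncryptedAssertion", NS) is not None:
        # With Encrypt Assertions enabled the fields below are not readable.
        return ["assertion is encrypted; its fields cannot be inspected"]
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in response"]

    problems = []
    # Entity ID / Audience URI: the page notes this value is case sensitive.
    audiences = [a.text or "" for a in assertion.iterfind(".//saml:Audience", NS)]
    if expected_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not contain {expected_entity_id!r}")

    # Name ID format must be EmailAddress (step 5).
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")

    # The SSO token must be present under the exact attribute name.
    token_values = [
        (value.text or "").strip()
        for attr in assertion.iterfind(".//saml:Attribute", NS)
        if attr.get("Name") == TOKEN_ATTRIBUTE
        for value in attr.iterfind("saml:AttributeValue", NS)
    ]
    if not any(token_values):
        problems.append(f"attribute {TOKEN_ATTRIBUTE!r} is missing or empty")
    return problems


def build_sample(audience, token_attr_name):
    """Build a constructed, unsigned sample response (placeholder token)."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">admin@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{token_attr_name}">
        <saml:AttributeValue>CONSTRUCTED-PLACEHOLDER-TOKEN</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for audience, attr in [("DCP-login", "druva_auth_token"),
                           ("dcp-login", "druva_auth_token"),
                           ("DCP-login", "DruvaToken")]:
        print(audience, attr, check_saml_response(build_sample(audience, attr)))
```

For a Gov Cloud account, pass DCP-loginfederal (or your regenerated custom entity ID) as expected_entity_id.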

Enable Single Sign-on and Failsafe for Administrators

If you are a Druva Cloud administrator, you can enable SSO for other administrator accounts including yours. After you enable SSO, Druva disables passwords for all other administrators, except the administrator who enabled SSO and the legal administrators. The administrator who enabled SSO, by default, becomes the fail-safe administrator.

What you should know about enabling SSO and failsafe:

  • To enable SSO and failsafe, you must be a Druva Cloud administrator. 
  • SSO is available optionally; you can enable SSO even if you did not use SSO before. Similarly, you can stop using SSO access at any time. 
  • To enable failsafe, you must first enable SSO.
  • Enabling SSO ensures that the password policy for Druva is aligned with your organization's policy.
  • Enabling Failsafe ensures that Druva Cloud administrators can log into the Druva account even if SSO is not functional.
  • You can explicitly disable SSO access using the Druva password (provided that you enabled SSO for all administrator accounts). For more information, see Disable SSO.
  • You can disable the failsafe option. For more information, see Disable failsafe for administrator.

To enable Single sign-on for administrators:

  1. Click the Druva logo to access the Global Navigation Panel > Druva Cloud Settings. The Settings window appears.
  2. In the Single Sign-On section, click Edit. The Edit Single Sign-On Settings window appears.
  3. Select the Enable Single Sign-on for Administrators checkbox.
  4. Click Save.

Enable SSO for inSync End Users

You can enable SSO for inSync end users from the profiles section on the inSync Management Console. For more information, see Enable SSO for inSync users.

Disable Single Sign-on for Administrators

After you disable SSO, Druva enables passwords for all other administrators. To disable Single sign-on for administrators:

  1. Click the Druva logo to access the Global Navigation Panel > Druva Cloud Settings. The Settings window appears.
  2. In the Single Sign-On section, click Edit. The Edit Single Sign-On Settings window appears.
  3. De-select the Single Sign-on for Administrators checkbox.
  4. Click Save.

Change the Failsafe Administrator

If you are a Druva Cloud administrator, you can change the failsafe administrator or the Druva Cloud administrator who enabled SSO and become the failsafe administrator yourself.

You might need to perform this activity if you are changing the role of the Druva Cloud administrator who enabled SSO, or of the failsafe administrator, to some other role.

Note: Failsafe for administrators is mandatory if you have configured your IdP with a custom entity ID and cannot be disabled.

Ensure you are able to log on to Druva Cloud Platform Console using SSO.

  1. Click the Druva logo to access the Global Navigation Panel > Druva Cloud Settings. The Settings window appears.
  2. Disable the Administrators log into Druva Cloud through SSO provider setting. 
  3. Enable the Administrators log into Druva Cloud through SSO provider setting.

Key Points

After you set up SSO:

  • Failsafe admins (Druva Cloud administrators) receive an email with a password when Single sign-on is enabled. 
  • The password is reset for all administrators when Single sign-on is disabled. 
  • Password policy is enabled for Druva Cloud administrators when Single sign-on is enabled. After a Druva Cloud administrator logs in using Single sign-on, the Druva Cloud Platform Console prompts the administrator to reset the password.
  • Administrators are not notified if the Failsafe for Administrators setting is disabled.