Druva Documentation

Configure SCIM and Single Sign-On between Druva GovCloud and OKTA

Overview

The Druva 2.0 app in Okta Applications is configured specifically for Druva Public Cloud customers. It does not work for Druva GovCloud customers.

This article describes how to create a custom application for Druva GovCloud.

Procedure for SCIM setup

  1. Log in to your OKTA Admin Console. Click Applications > Add Application > Create New App. The Create a New Application Integration wizard appears.
  2. On the Create a New Application Integration wizard, select the fields defined as follows:

    Field | Attribute
    Platform | Web
    Sign on method | SAML 2.0
  3. Enter the following fields for the SAML Settings:

    SAML Attribute | Customers who joined Druva prior to 14th July 2018 | Customers who joined Druva post 14th July 2018
    Single Sign-On URL | https://govcloud.druva.com/wrsaml/consume | https://loginfederal.druva.com/api/commonlogin/samlconsume
    Audience URI (SP Entity ID) | druva-govcloud | DCP-loginfederal

    Field | Attribute
    Name ID format | This can be left unknown or select EmailAddress
    Application username | Okta username

Note: If you have a custom Entity ID, you can find it in the Single Sign-On settings from the Druva Cloud Platform Console.

  4. To identify the Entity ID, log on to Druva Cloud Platform Console.
  5. Log in to the Druva Cloud Platform Console and click the Druva logo to access the Global Navigation Panel > Druva Cloud Settings > Access Settings. The Access Settings window appears.
  6. To generate the Single Sign-On token, click the more options button and select Generate SSO Token.
  7. Select Copy to copy the SSO token. If required, make a note of the token.
  8. Navigate to the OKTA Application and under the Attribute Statements (Optional) section, enter the following attributes as applicable:

    Criteria | Name
    Customers who joined Druva before 14th July 2018 | insync_auth_token
    Customers who joined Druva after 14th July 2018 | druva_auth_token
  9. In the Value field, enter the SSO token that you copied in Step 7.
  10. Click Next to complete the OKTA Application configuration.
  11. Select the OKTA Application and select the General tab > Edit.
  12. Select SCIM as the Provisioning method.
  13. Navigate to the inSync Management Console by clicking the Druva logo to access the Global Navigation Panel > inSync.
  14. Click Manage. Under the Deployments section, select Users. The User Deployment page appears.
  15. Select the Settings tab. The Auth Token for SCIM page appears.
  16. Click Generate Token.
  17. Select Copy to copy the Auth token. If required, make a note of the token.
  18. Navigate to the OKTA Application and select the Provisioning tab > Integration > Edit.
  19. Enter the details as provided in the following table:

    Field | Attribute
    SCIM connector base URL | https://govcloudapis.druva.com/insync/scim
    Unique identifier field for users | userName
    Supported Provisioning actions | Import New Users and Profile Updates, Push New Users, Push Profile Updates
    Authentication Mode | HTTP Header
    HTTP HEADER - Authorization | Enter the Auth token that you copied in Step 17
  20. Click Test Connector Configuration. The test configuration window displays the provisioning features.
  21. Upon successfully testing the connector configuration, click Save. The page refreshes automatically and the Settings window appears.
  22. Select To App from the settings menu and click Edit to enable the following:

    Create Users

    Update User Attributes

    Deactivate Users

  23. Navigate to the inSync Management Console and select Manage > Users.
  24. On the Mappings tab, click New Mapping. The Create Mapping window appears.
  25. Enter the values as follows:

    Field | Attribute
    Mapping Name | Enter a name for the mapping
    Users | If you want to provision the users from OKTA based on a specific attribute in their OKTA Profiles, then select “Filter by SCIM Attribute”. If you want to provision any user from OKTA to whom the OKTA application is assigned, then select Allow any user.

  26. Click Next.
  27. Select the inSync profile and storage to which these users are to be mapped.
  28. Click Finish.
  29. Navigate to the OKTA Application and select the Assignments tab.
  30. As applicable, select Assign to People or Assign to Groups from the drop-down menu.

Configure Custom Attributes to provision users from OKTA

  1. Log in to your OKTA Admin Console. Click Applications. Search for the SCIM app in the list of applications and open it.
  2. Click the Provisioning tab.
  3. In the left-hand side panel, select the To App tab.
  4. Scroll down to the Attribute Mapping section and select Go to Profile Editor. The Profile Editor page appears.
  5. Under the Attributes section, click Add Attribute.
  6. As applicable, select the attribute as desired. The following example shows the mapping of the countryCode attribute:

    Field | Attribute
    Display Name | countryCode
    Variable Name | countryCode
    Data Type | string
    External Name | countryCode
    External Namespace | Either try - urn:ietf:params:scim:schemas:core:2.0:User
  7. Save the settings.
  8. Click Mappings.
  9. Click the Okta to Druva 2.0 (or your app name) tab.
  10. On the left-hand side, select the correct attribute from the drop-down and map it to the custom attribute that you created.
  11. Click Save Mappings.
  12. Navigate to the inSync Management Console and select Manage > Users.
  13. On the Mappings tab, click New Mapping. The Create Mapping window appears.
  14. In the Attribute Name field, enter the custom attribute that you created in OKTA, using its exact syntax.
  15. Provide the value of this attribute under the Value(s) field. This is the value of the attribute that will be verified by the SCIM App in OKTA with the OKTA users’ attributes. If the values match, then those users will get provisioned to the inSync Cloud profile that is defined in the mapping.

  16. Click Finish.

Set up Single Sign-On

  1. Select the OKTA application that you have created and select the Single Sign-On tab. 
  2. Click View Setup Instructions under SAML 2.0 section. You will be directed to SAML instructions for your OKTA instance in a new window.
  3. Copy the values for Identity Provider Single Sign-On URL and X.509 Certificate into a notepad for later use in this configuration, then close the page.
  4. Click the Assignments tab on the SSO application and assign the users or groups as required.

Configure Druva Cloud Platform to use Okta as IdP

  1. Log in to the Druva Cloud Platform Console and click the Druva logo to access the Global Navigation Panel > Druva Cloud Settings > Access Settings. The Access Settings window appears.
  2. In the Single Sign-On section, click Edit.
  3. Enter the values as follows:

    Field | Attribute
    ID Provider Login URL | Enter the Identity Provider Single Sign-On URL that you copied in Step 3
    ID Provider Certificate | Enter the Identity Provider Certificate that you copied in Step 3
  4. Enable the following:

    Single Sign-On for Administrators
    Failsafe for Administrator
  5. Click Save.
  6. On the next attempt to access Druva Cloud Platform using the email ID, Druva Cloud Platform will redirect you to the IdP page for authentication using SSO.

Druva recommends enabling Failsafe for Administrators initially. This enables the administrator to use both SSO and Druva Cloud Platform password to access the Druva Cloud Platform Console. This ensures the administrator always has access to the Druva Cloud Platform Console even if SSO is impacted due to any change in the IdP.
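
After a test login, the SAML response captured in the browser can be checked against the Single Sign-On URL, Audience URI and token attribute name that this article pairs by onboarding date. The following is an added example, not Druva or Okta code; the function name, the sample response and the placeholder token are constructed, and it assumes the response has already been decoded to XML.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# (Single Sign-On URL, Audience URI, token attribute) as paired in this article.
PROFILES = {
    "before 14 July 2018": ("https://govcloud.druva.com/wrsaml/consume",
                            "druva-govcloud", "insync_auth_token"),
    "after 14 July 2018": ("https://loginfederal.druva.com/api/commonlogin/samlconsume",
                           "DCP-loginfederal", "druva_auth_token"),
}
# Constructed sample: post-2018 SSO URL mixed with pre-2018 audience and attribute.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://loginfederal.druva.com/api/commonlogin/samlconsume">
 <a:Assertion><a:Conditions><a:AudienceRestriction>
  <a:Audience>druva-govcloud</a:Audience></a:AudienceRestriction></a:Conditions>
 <a:AttributeStatement><a:Attribute Name="insync_auth_token">
  <a:AttributeValue>PLACEHOLDER-TOKEN</a:AttributeValue></a:Attribute>
 </a:AttributeStatement></a:Assertion></p:Response>"""

def check_response(xml_text, custom_entity_id=None):
    """Return (matched profile or None, findings). Token values are never echoed."""
    # Input is a response the admin captured; use defusedxml for untrusted XML.
    root = ET.fromstring(xml_text)
    dest = root.get("Destination")
    audiences = [e.text.strip() for e in root.iterfind(".//a:Audience", NS) if e.text]
    attrs = {e.get("Name"): e.findtext("a:AttributeValue", "", NS).strip()
             for e in root.iterfind(".//a:Attribute", NS)}
    token_names = [n for n in attrs if n in ("insync_auth_token", "druva_auth_token")]
    profile = next((k for k, v in PROFILES.items() if v[0] == dest), None)
    if profile is None:
        return None, [f"Destination {dest!r} is not a Druva GovCloud SSO URL"]
    _, entity_id, token_attr = PROFILES[profile]
    entity_id = custom_entity_id or entity_id  # custom Entity ID from Access Settings
    findings = []
    if audiences != [entity_id]:
        findings.append(f"Audience {audiences} != expected {entity_id!r}")
    if token_names != [token_attr]:
        findings.append(f"token attribute {token_names} != expected {token_attr!r}")
    elif not attrs[token_attr]:
        findings.append(f"{token_attr} is present but empty")
    return profile, findings

if __name__ == "__main__":
    profile, findings = check_response(SAMPLE)
    print(profile, *findings, sep="\n")
```

The captured response carries the SSO token, so store it like a credential and delete it once the check is done.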
