This article applies to:
- Product edition: Druva Cloud Platform (DCP)
This article describes the steps to configure SSO for Druva Cloud Platform ( DCP ) using the IDP Azure AD.
- Configure Druva app for DCP on Azure Portal
- Configure Azure AD Single Sign-On
- Configure DCP to use Azure AD login
- Assign Users/Groups in Azure AD to use DCP app
- Enable SSO for administrators
- Enable SSO for Users
- Only a Druva Cloud administrator can set up Single Sign-on.
- Configure Single Sign-on based on the applicable scenarios:
- New inSync customers (on-boarded after July 14, 2018) must configure Single Sign-on using the Druva Cloud Platform Console. For more information, see Set up Single sign-on.
- Existing inSync customers who have not configured Single Sign-on until July 14th, 2018, must configure Single Sign-on using the Druva Cloud Platform Console. For more information, see Set up Single sign-on.
Configure a custom app for DCP on Azure portal
To configure a custom app:
- Login to the Azure portal (URL: portal.azure.com) with the Azure Administrator account credentials.
- Navigate to Azure Active Directory > Enterprise Applications.
- On the Enterprise applications page, click New application.
- Search for the application name Druva in the search bar as shown below.
- Select Druva application from the search output list and click Add.
Note: The name of the application can be modified as required. For example, Druva or Druva Cloud Platform.
- After adding the application, go to Enterprise Application and select Druva application from the list.
- Go to Manage > Properties. To identify the application distinctly, upload an image here and click Save when done.
Configure Azure AD Single Sign-On
To configure Azure AD SSO:
- On the Druva application integration page of the Azure portal, click Single sign-on.
- On the Single sign-on window, set Mode as SAML-based Sign-on to enable the single sign-on.
- Under the Basic SAML Configuration section, you can see two parameters - auto-filed Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL).
- Click Edit and make sure that you have selected the below parameters as default and save the changes.
Reply URL (Assertion Consumer Service URL): https://login.druva.com/api/commonlogin/samlconsume
- Click Save once done.
- Under User Attributes & Claims, click Edit.
- You can choose to delete all the attributes added by default as Druva Cloud Platform does not use these attributes for authentication.
Note : You cannot delete Claim name : http://schemas.xmlsoap.org/ws/2005/0...nameidentifier as this is the mandatory claim for the name identifier.
- Click Add New Claim and enter the attributes described in the table below. Preserve the order and case of the attribute name when you enter the names.
Attribute name Value emailAddress user.email
SSO Token generated from DCP Admin Console, without quotation marks.
For example: X-XXXXX-XXXX-S-A-M-P-L-E+TXOXKXEXNX=
Azure automatically adds quotation marks around the auth token.
The final User Attributes & Claims appears as shown below:
On the SAML Signing Certificate section, click Certificate (Base64) and save the certificate file (Druva.cer) locally.
Under Set up Druva section, copy the Login URL to a notepad/textEditor/Wordpad for future use.
Sample of ‘Login URL’ : https://login.microsoftonline.com/xx...xxxxxxxx/saml2
Configure DCP to use Azure AD login
Only a Druva Cloud administrator can set up Single Sign-on.
To configure SSO on Druva:
- Open a new browser window and login to DCP Management Console
- ( https://console.druva.com/admin ) as an Administrator.
- Click on the Druva logo on top left corner and then click Druva Cloud Settings.
- On the Single Sign-On tab, click Edit.
- Copy the Login URL obtained from point no. 10 earlier ( https://login.microsoftonline.com/xx...xxxxxxxx/saml2 ) to the ID Provider Login URL field.
- Open the Certificate (Base64) downloaded earlier (Druva.cer) in notepad (obtained from point no 9) and copy all the content in ID Provider Certificate field.
- Click Save.
Assign Users/Groups in Azure AD to use DCP app
- On the Azure portal, navigate to Enterprise applications > All applications, select Druva applicaiton created during initial configuraiton from the applications list.
- Click Users and groups.
- Click Add User.
- Select Users and groups on the Add Assignment window.
- On the Users and groups window, select the Users or Group that you want to assign the Druva App in the Users list.
- Ensure that the User or Admin account selected has a corresponding account created in Druva Cloud Platform.
- Click Select on Users and groups window.
- Click Assign on Add Assignment window.
Enable SSO for administrators
- On the DCP console, go to Druva Cloud Settings.
- On the Single Sign-On section, click Edit.
- Select Administrators log into Druva Cloud through SSO provider.
Druva recommends to enable Failsafe for Administrators so that they have to access the DCP console in case of any failures in IdP. It also enables the administrators to use both SSO and DCP password to access the DCP console.
- Click Save. This enables the access to Druva Cloud Platform using SSO.
Enable SSO for users
This section applies for inSync users. If you intend to use SSO for Druva Phoenix, please skip this section.
To enable SSO for users, enable SSO for an existing user profile. Alternatively, create a new profile and enable SSO for this profile. Subsequently, assign the users to this profile to enable access using SSO.
Step-1: Create a new profile or update an existing profile:
- To create a new profile and enable SSO, see Create a profile.
- To enable SSO in an existing profile, see Update a profile.
Step-2: Assign users to the profile:
To assign uses to the profile with SSO enabled, follow the steps described in Update the profile assigned to users.