Skip to main content


 

 

druva_logo.pngDruva
|
Documentation

How can we help you?

Trending articles:

 

Druva Documentation

How to configure SSO for Druva Cloud Platform using Azure AD as IdP

  1. Last updated
  2. Save as PDF
Heads up!

We've transitioned to a new documentation portal to serve you better. Access the latest content by clicking here.

This article applies to:

  • Product edition: Druva Cloud Platform (DCP)

Overview

This article describes the steps to configure SSO for Druva Cloud Platform ( DCP ) using the IDP Azure AD.

Configuration steps:

  1. Configure the Druva app on Azure portal
  2. Configure Azure AD Single Sign-On
  3. Configure DCP to use Azure AD login
  4. Assign Users/Groups in Azure AD to use DCP app
  5. Enable SSO for administrators
  6. Enable SSO for Users

 

 

  • Only a Druva Cloud administrator can set up Single Sign-on. 
  • Configure Single Sign-on based on the applicable scenarios:
    • New inSync customers (on-boarded after July 14, 2018) must configure Single Sign-on using the Druva Cloud Platform Console. For more information, see Set up Single sign-on.
    • Existing inSync customers who have not configured Single Sign-on until July 14th, 2018, must configure Single Sign-on using the Druva Cloud Platform Console. For more information, see Set up Single sign-on

 

Configure the Druva app on Azure portal

To configure the app:

  1. Login to the Azure portal (URL: portal.azure.com) with the Azure Administrator account credentials.
  2. Navigate to Azure Active Directory > Enterprise Applications > All applications.

    AzureADApp1.png                             AzureADApp2.png
  3. On the Enterprise applications page, click New application.

    AzureADApp3.png
  4. Search for the application name Druva in the search bar as shown below.

    AzureADApp4.png
  5. Select Druva application from the search output list and click Add.

    AzureADApp5.png

    AzureADApp6.png

    Note: The name of the application can be modified as required. For example, Druva or Druva Cloud Platform.

  6. After adding the application, navigate to Enterprise Application, and select the Druva application from the list.
  7. Go to Manage > Properties.  To identify the application distinctly, upload an image here and click Save when done.

    AzureADApp7.png

Configure Azure AD Single Sign-On

To configure Azure AD SSO:

  1. On the Druva application integration page of the Azure portal, click Single sign-on.
  2. On the Single sign-on window, set Mode as SAML based Sign-on to enable the single sign-on.

    AzureADApp8.png
  3. Under the Basic SAML Configuration section, you can see two parameters - auto-filed Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL).
  4. Click Edit and make sure that you have selected the following parameters as default and save the changes.

    Identifier (Entity ID):
  • For Public Cloud: 

DCP-login

  • For Gov Cloud: 

DCP-loginfederal

Reply URL (Assertion Consumer Service URL):

  • For Public Cloud: 

https://login.druva.com/api/commonlogin/samlconsume

  • For Gov Cloud:

https://loginfederal.druva.com/api/commonlogin/samlconsume

AzureADApp9.png

  1. Click Save.
  2. Under User Attributes & Claims, click Edit.

    AzureADApp10.png
  3. You can choose to delete all the attributes added by default as Druva Cloud Platform does not use these attributes for authentication.

    AzureADApp11.png

    Note: You cannot delete Claim name : http://schemas.xmlsoap.org/ws/2005/0...nameidentifier as this is the mandatory claim for the name identifier.

  4. Do the following steps to generate the SSO token: 
    1. Click the Druva logo Druva_Icon.png to access the Global Navigation Panel > Druva Cloud Settings > Access Settings. The Access Settings window appears. 

      NewGBarAPI.png
    2. In the Single Sign-On section, click Generate SSO Token. The Single Sign-On Token window appears.

      Note: Copy this token to a notepad, as we will need this further.

      AzureADApp12.png
  5. Click Add New Claim and enter the attributes described in the table below. Preserve the order and case of the attribute name when you enter the names.
    Attribute name Value
    emailAddress user.mail

    druva_auth_token

    SSO Token generated from DCP Admin Console, without quotation marks.
    For example: X-XXXXX-XXXX-S-A-M-P-L-E+TXOXKXEXNX=

    Azure automatically adds quotation marks around the auth token.
    AzureADApp13.png

    Click Save. The User Attributes & Claims page appears as follows: 

    AzureADApp14.png

  6. On the SAML Signing Certificate section, click Certificate (Base64) and save the certificate file (Druva.cer) locally.

  7. Under Set up Druva section, copy the Login URL to a notepad/textEditor/Wordpad for future use.

    Sample of ‘Login URL’ : https://login.microsoftonline.com/xx...xxxxxxxx/saml2

Set_up_Druva_SAML.png

Configure DCP to use Azure AD login

Only a Druva Cloud administrator can set up Single Sign-on.

To configure SSO on Druva:

  1. Open a new browser window and log in to DCP Management Console.
  2. ( https://console.druva.com/admin ) as an Administrator.
  3. Click the Druva logo Druva_Icon.png to access the Global Navigation Panel > Druva Cloud Settings > Access Settings. The Access Settings window appears. 

    NewGBarAPI.png
  4. On the Single Sign-On section, click Edit.
    AzureADApp15.png
     
  5. Copy the Login URL obtained from Step 11 ( https://login.microsoftonline.com/xx...xxxxxxxx/saml2 ) to the ID Provider Login URL field.
  6. Open the Certificate (Base64) downloaded earlier (Druva.cer) in notepad (obtained from point no 9) and copy all the content in ID Provider Certificate field.

    AzureADApp16.png
  7. Click Save.

 Assign Users/Groups in Azure AD to use DCP app

  1. On the Azure portal, navigate to Enterprise applications > All applications, select Druva applicaiton created during initial configuration from the applications list.
  2. Click Users and groups > Add user.

    AzureADApp17.png
  3. Select Users and groups on the Add Assignment window.

    AzureADApp18.png
  4. On the Users and groups window, select the Users or Group that you want to assign the Druva App in the Users list.
  5. Ensure that the User or Admin account selected has a corresponding account created in the Druva Cloud Platform.
  6. Click Select on Users and groups window.
  7. Click Assign on Add Assignment window.

Enable SSO for administrators

  1. Click the Druva logo Druva_Icon.png to access the Global Navigation Panel > Druva Cloud Settings > Access Settings. The Access Settings window appears. 

    NewGBarAPI.png
  2. On the Single Sign-On section, click Edit.

    AzureADApp15.png
  3. Select Administrators log into Druva Cloud through SSO provider.

    SSOAzureAsIdP22.png
    Druva recommends enabling Failsafe for Administrators so that they have to access the DCP console in case of any failures in IdP. It also enables the administrators to use both SSO and DCP password to access the DCP console.
  4. Click Save. This enables the access to Druva Cloud Platform using SSO.

Enable SSO for users

This section applies for inSync users. If you intend to use SSO for Druva Phoenix, please skip this section.

To enable SSO for users, enable SSO for an existing user profile. Alternatively, create a new profile and enable SSO for this profile. Subsequently, assign the users to this profile to enable access using SSO.

Step-1: Create a new profile or update an existing profile:

Step-2: Assign users to the profile:

To assign uses to the profile with SSO enabled, follow the steps described in Update the profile assigned to users.

(IDP Initiated SSO Only) Configure the Linked App for Single Sign-On for inSync Users in Azure Portal.

If you want your users, as well as Admins, to access Druva from Azure Apps using Single Sign-On, then you will need to use 2 separate Apps - one for Admins and the other for Users.

 

Admin-app will have the exact same settings as explained previously.

 

User App will need to be linked with the Admin App using the “Linked App” option.

 

1.     Login to the Azure portal (URL: portal.azure.com) with the Azure Administrator account credentials.

2.     Navigate to Azure Active Directory > Enterprise Applications.

3.     On the Enterprise applications page, click New application.

 

 

4.     Search for the application name Druva in the search bar as shown below.

5. Select Druva application, name it as Druva-Users for example, to differentiate it from the previous app that we had created and add it.

6. Now go back to the Enterprise Applications – All Applications tab -> search for the previous Druva app that we had created for the Admins.

7. Click on that App’s properties and copy the “User Access URL”. Make a note of it.

8. This URL will look like this:

https://myapps.microsoft.com/signin/Druva/0aebbea5-caca-451a-a712-e82f77b0bc6d?tenantId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

9. In this URL, delete the string tenantId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

10.Replace it with the string RelayState=webrestore

11.Now the URL will look like: 

https://myapps.microsoft.com/signin/Druva/0aebbea5-caca-451a-a712-e82f77b0bc6d?RelayState=webrestore

12.Go back to the new app that we had created for the Druva-Users.

13.On the left hand side, click on the “Single Sign-On” and select “Linked”

 

 

 

14.Copy the URL that we had created in the step # 11, and paste it the Single Sign On URL field:

15.Save the configurations

16.On the Azure portal, navigate to Enterprise applications > All applications, select Druva-Users application created during initial configuration from the applications list.

17.Click Users and groups.

18.Click Add User.

19.Select Users and groups on the Add Assignment window.

20.On the Users and groups window, select the Users or Group that you want to assign the Druva App in the Users list.

 

Enable SSO for users in inSync Admin Console:

This section applies for inSync users. If you intend to use SSO for Druva Phoenix, please skip this section.

To enable SSO for users, enable SSO for an existing user profile. Alternatively, create a new profile and enable SSO for this profile. Subsequently, assign the users to this profile to enable access using SSO.

Step-1: Create a new profile or update an existing profile:

Step-2: Assign users to the profile:

To assign uses to the profile with SSO enabled, follow the steps described in Update the profile assigned to users.