Druva Documentation

How to configure SSO for inSync users using ADFS as IdP

This article applies to:

  • OS: Windows Server 2012 R2
  • Product edition: Druva Cloud Platform (DCP)

Overview

This article describes how to configure SSO for inSync users using ADFS as the identity provider (IdP).

Configure ADFS to integrate with DCP

Install ADFS 3.0 and perform the following actions:

  1. Create a trust between inSync Cloud and ADFS by configuring inSync Cloud as a relying party in ADFS.
  2. Configure inSync Cloud to trust ADFS 3.0. This trust allows ADFS 3.0 to send claims to inSync Cloud.
  3. Set up a web application and site to consume these claims.

Create a relying party

After you have set up the Federation Server, the next step is to create a relying party.

To create a relying party:

  1. On the Start menu, click Administrative Tools > ADFS 3.0 Management. The ADFS 3.0 window appears.
  2. Expand the Trust Relationships node.
  3. In the right pane, click Add Relying Party Trust. The Add Relying Party Trust Wizard appears.

    AddRelyingPartyWiz1.png
  4. Click Start. The Select Data Source page appears.
  5. Click Enter data about the relying party manually, and then click Next. The Specify Display Name page appears.

    AddRelyingPartyWiz2.png
  6. Refer to the field descriptions below, enter the appropriate information in each field, and then click Next.
    • Display Name: Name of the relying party to be displayed. For example, Druva inSync.
    • Notes: Brief description of the relying party.

      AddRelyingPartyWiz3.png
  7. The Choose Profile page appears.
  8. Select AD FS profile and click Next. The Configure Certificate page appears.

    AddRelyingPartyWiz4.png
  9. Optionally, to encrypt the SAML token, browse and select the certificate, and then click Next. Note that ADFS already communicates with Druva inSync over a secure SSL connection, which encrypts the token in transit.

    AddRelyingPartyWiz5.png
  10. On the Configure URL page:
  11. In the Relying party trust identifier box, enter DCP-login. The web application passes this realm to ADFS when users log in through the web restore URL.

    AddRelyingPartyWiz7.png
  12. Click Next. The Configure Multi-factor Authentication Now page appears.

    AddRelyingPartyWiz8.png
  13. Select I do not want to configure MFA settings for this relying party trust at this time and click Next. The Choose Issuance Authorization Rules page appears.

    AddRelyingPartyWiz9.png
  14. Select Permit all users to access this relying party and then click Next. The Ready to Add Trust page appears.
  15. Review and if required, update the settings that you have configured, and then click Next. The Finish page appears.

    AddRelyingPartyWiz10.png
  16. Ensure that the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box is selected (it is selected by default).
  17. Click Close.

Create a new claim

To create a new claim:

  1. On the Edit Claim Rules window, under the Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.
  2. In the Claim rule template list, select Send LDAP Attributes as Claims, and then click Next. The Edit Rule – LDAP EMAIL window appears.

    CreateClaim01.png
  3. Enter the appropriate information for each field based on the descriptions below:

    Claim rule name: Enter the name of the claim rule.
    Attribute store: Select Active Directory from the list.

    CreateClaim02.png
    Under Mapping of LDAP attributes to outgoing claim types, add the following three rows (LDAP Attribute on the left, Outgoing Claim Type on the right):

    LDAP Attribute         Outgoing Claim Type
    E-mail-Addresses       Name ID
    E-mail-Addresses       E-Mail Address
    User-Principal-Name    Name

  4. Click Finish.

Create a custom rule

To create a custom rule:

  1. On the Edit Claim Rules window, under the Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.
  2. In the Claim rule template list, select Send Claims Using a Custom Rule, and then click Next. The Edit Rule – LDAP EMAIL window appears.

    CreateCustomRule01.png
  3. Enter the appropriate information as specified below:

    Claim rule name: Enter a name for the custom rule.
    Custom rule: => issue(Type = "druva_auth_token", Value = "<value of the SSO token generated from the inSync Console>");

    CreateCustomRule02.png
  4. Click OK.
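The two rules that the "Create a new claim" and "Create a custom rule" wizards produce can also be written directly in ADFS claim rule language and applied with the ADFS PowerShell module. This is an added example, not code from the Druva article; it assumes the relying party trust was created with the display name Druva inSync, as suggested above, and that the ADFS module installed with the AD FS role is available.

```powershell
# Added example, not code from the Druva article: writes the two claim rules the
# wizards above create, in ADFS claim rule language, onto the relying party trust.
# Assumes the trust display name "Druva inSync" (the article's example) and the
# ADFS PowerShell module installed with the AD FS role.
Import-Module ADFS

$trustName = "Druva inSync"

# The SSO token is a static shared secret stored in clear text in the ADFS
# configuration database; read it at run time instead of hardcoding it here.
$ssoToken = Read-Host "SSO token generated from the inSync Console"
if ($ssoToken -match '["\r\n]') { throw "Token must not contain quotes or line breaks." }

# Rule 1: what "Send LDAP Attributes as Claims" generates for the mapping
#   E-mail-Addresses    -> Name ID
#   E-mail-Addresses    -> E-Mail Address
#   User-Principal-Name -> Name
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP EMAIL"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,mail,userPrincipalName;{0}", param = c.Value);
'@

# Rule 2: the custom rule that adds the static druva_auth_token claim.
$tokenRule = @"
@RuleName = "Druva auth token"
 => issue(Type = "druva_auth_token", Value = "$ssoToken");
"@

# Replaces the trust's issuance transform rules with exactly these two.
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules ($ldapRule + "`r`n" + $tokenRule)

# Read back what ADFS stored so the rules can be compared with the GUI view.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

Because the token is issued as a fixed claim value, anyone with read access to the ADFS configuration can see it, so treat the relying party trust configuration with the same care as the token itself.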

Configure Single Sign-On

  • Only a Druva Cloud administrator can set up Single Sign-on.
  • Configure Single Sign-on based on the applicable scenario:
    • New Druva customers, that is, Phoenix customers on-boarded after 02 July 2018 and inSync customers on-boarded after 14 July 2018, must follow the instructions given in this article.
    • Existing Phoenix and inSync customers who have already configured Single Sign-on must continue to use the existing Single Sign-on settings of Phoenix and of inSync, as applicable.

Before you begin

Before you configure the single sign-on settings with inSync Cloud, ensure that you have an ID provider certificate. If you do not have an ID provider certificate, follow these steps:

  1. On the Start menu, click Administrative Tools > ADFS 3.0 Management. The ADFS 3.0 Management window appears.
  2. Expand the Service folder.
  3. Click Certificates. The Certificates view appears in the right pane.

    CertificatesView.png
  4. Under the Token-signing area, right-click the certificate. A list with additional options appears.
  5. From the list, click View Certificate. The Certificate window appears.
  6. Click the Details tab and then click Copy to file. The Certificate Export Wizard appears.

    DetailsTab.png
  7. On the Certificate Export Wizard, click Next. The Export File Format page appears.
  8. Select DER encoded binary X.509 (.CER), and then click Next.

    CertExportWiz.png
  9. On the File to Export page, type the file name as Cert.cer, and then click Next.
  10. Click Finish.
  11. Open the Cert.cer file in Notepad. The certificate appears in the following format:

      -----BEGIN CERTIFICATE-----
      ………. …..
      -----END CERTIFICATE-----
  12. Copy the content of the Cert.cer file and provide it when you configure single sign-on in the inSync Management Console.
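The token-signing certificate can also be exported straight from ADFS in the BEGIN/END CERTIFICATE text form shown above, with a check that it is the primary certificate and is not about to roll over. This is an added example, not code from the Druva article; the output path is an assumption, and the file name Cert.cer is the one the article uses.

```powershell
# Added example, not code from the Druva article: exports the primary ADFS
# token-signing certificate as Base-64 text (BEGIN/END CERTIFICATE), which is
# what the inSync Management Console expects as the ID Provider Certificate.
# The output path is an assumption; the file name follows the article.
Import-Module ADFS

function Export-AdfsTokenSigningPem {
    param([string]$Path = "$env:USERPROFILE\Desktop\Cert.cer")

    # Only the primary certificate signs tokens; a secondary one is merely
    # staged for the next rollover and must not be pasted into inSync.
    $signing = Get-AdfsCertificate -CertificateType Token-Signing |
        Where-Object { $_.IsPrimary }
    if (-not $signing) { throw "No primary token-signing certificate found." }
    $cert = $signing.Certificate   # X509Certificate2

    # After automatic rollover the IdP certificate stored in inSync no longer
    # matches the signer, and SSO logins fail, so flag an approaching expiry.
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 30) {
        Write-Warning "Token-signing certificate expires in $daysLeft days; plan to update inSync."
    }

    # DER bytes, Base-64 encoded and wrapped at 64 characters per line.
    $b64 = [Convert]::ToBase64String($cert.Export('Cert'))
    $lines = @("-----BEGIN CERTIFICATE-----")
    for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $lines += $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    $lines += "-----END CERTIFICATE-----"
    Set-Content -Path $Path -Value $lines -Encoding Ascii

    # The thumbprint lets an admin confirm that what was pasted into the
    # console is the certificate ADFS actually signs with.
    [pscustomobject]@{ Path = $Path; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
}

Export-AdfsTokenSigningPem
```

If a file exported through the wizard opens in Notepad as binary rather than as the BEGIN/END CERTIFICATE text, it was saved in binary DER form; the Base-64 encoded X.509 (.CER) export option, or this script, produces the text form the console needs.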

Configure the single sign-on settings

To configure the single sign-on settings

  1. On the inSync Management Console menu bar, click GearIconNew.png > Settings.
  2. Click the Single Sign-on tab and then click Edit.
  3. Enter the appropriate information based on the descriptions of the SAML attributes below:

    SAML Attribute               Description/Value
    ID Provider login URL        https://{fqdn-name of the ADFS server}/adfs/ls (for example, https://sts.druva.ga/adfs/ls)
    ID Provider Certificate      Provide the content of the exported Cert.cer certificate.
    AuthnRequests Signed         SAML authentication requests are not signed by default. Select this check box to have SAML authentication requests signed.
    Want Assertions Encrypted    Encryption is disabled by default. Select this check box to enable encryption for SAML assertions.
  4. Click Save.

Enable SAML in Druva inSync Cloud

Enable Single Sign-On for the desired users from the inSync Management Console. SSO is enabled at the profile level, so the users must be assigned to a profile that uses SSO for login instead of inSync Password or Active Directory.

  1. Log in to the inSync Management Console.
  2. Go to Manage > Profiles and select the profile where SSO needs to be enabled.
  3. Go to User Privacy & Access under the General tab and click Edit.

    GeneralTab.png
  4. Under Log-in using, select Single Sign On.
  5. Click Save.