Skip to main content

How can we help you?

Druva Documentation

How to Configure ADFS 3.0 with Phoenix

fv

  • Only a Druva Cloud administrator can set up Single Sign-on. 
  • Configure Single Sign-on based on the applicable scenarios:
    •  New Phoenix customers on-boarded after July 2, 2018, must refer to the instructions given in the article: Set up Single sign-on.
    • Existing Phoenix customers who have already configured Single Sign-on must continue to use the existing settings as described in this article. 

 

  Overview

You must install the Active Directory Federation Services (ADFS) 3.0 software on a computer that you are preparing for the federation server role or the federation server proxy role. For more information on how you can install the ADFS software and its prerequisites, see the Microsoft documentation.

Configure ADFS to integrate with Phoenix

After you have installed ADFS 3.0, perform the following actions:

  1. Create trust between Phoenix and ADFS by configuring ADFS with a relying party rule, which is Phoenix.
  2. Configure Rules that allows you to authenticate at ADFS by using the Active Directory.
  3. Configure certificate for ADFS.
  4. Configure Single sign-on for Phoenix user.

Create a new federation service

Note: Skip this step, if you already have an ADFS 3.0 Federation Server configured on the computer.

To create a new federation service

  1. On the Start menu, click Administrative Tools > ADFS Management. The ADFS Management window appears.
  2. On the right pane, under Actions, click on the ADFS Federation Server Configuration Wizard link. The ADFS Federation Server Configuration Wizard appears.
  3. On the Welcome page of the wizard, click Create a new Federation Service, and then click Next. The Select Stand-Alone or Farm Deployment page appears.
  4. Click Stand-alone Federation Server, and then click Next. The Specify the Federation Service Name page appears.
  5. In the SSL certificate box, browse and select the ADFS server certificate, and then click Next.
  6. View summary, click Finish.

Create a relying party

After you have set up the Federation Server, the next step is to create a relying party.

To create a relying party

  1. On the Start menu, click Administrative Tools > ADFS Management. The ADFSwindow appears.
  2. Expand the Trust Relationships node.
  3. Right-click on the Relying Party Trusts folder. A list with additional options appears.
  4. Click Add Relying Party Trust…. The Add Relying Party Trust Wizard appears.
    1.png
  5. Click Start. The Select Data Source page appears.
    2.png
  6. Click Enter data about the relying party manually, and then click Next. The Specify Display Name page appears.
    3.png
  7. Provide the appropriate information for each field.
    Field Action
    Display Name

    Type a display name for the relying party.

    For example, Druva_Phoenix.

    Notes Type a description for the relying party.
  8. Click Next. The Choose Profile page appears.
    4.png
  9. Click ADFS profile and then click Next. The Configure Certificate page appears.
    5.png
  10. If you want to encrypt the SAML token, browse and select the certificate, and then click Next. The Configure URL page appears.
    6.png
  11. Provide the appropriate information for each field.
    Field Action
    Enable support for the SAML 2.0 WebSSO protocol

    Select this check box.

    Relying party SAML 2.0 SSO service URL Type: https://phoenix.druva.com/wrsaml/consume
  12. Click Next. The Configure Identifiers page appears.
    7.png
  13. In the Relying party trust identifier box, type druva-phoenix.
    The web application passes this realm to the ADFS when users log into the web restore URL.
  14. Click Next. The Choose Issuance Authorization Rules page appears.
    8.png
  15. Click Permit all users to access this relying party and then click Next. The Ready to Add Trust page appears.
    9.png
  16. Review and if required update the settings that you have configured, and then click Next. The Finish page appears.
  17. Ensure that the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checkbox is by default selected.
  18. Click Close.
  19. (Optional step) You can upload the encryption certificate.For detailed procedure, see Encryption and Signature

Create a new rule

After you create a relying party trust, you can create the claim rule that allows you to authenticate at ADFS by using the Active Directory. By default, the Edit Claim Rules window appears after you create a relying party trust.

Before you begin

Before you create a new claim rule, ensure that you generate an SSO token from the Phoenix Console. For more information on how you can create an SSO token, see Generate SSO token.

Create a new claim

To create a new claim

  1. On the Edit Claim Rules window, under the Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.
    10.png
  2. In the Claim rule template list, select Send LDAP Attributes as Claims, and then click Next. The Edit Rule – LDAP EMAIL window appears.
    11.png
  3. Provide the appropriate information for each field.
    Field Action
    Claim rule name    Type a name for the claim rule.
    Attribute store In the list, select Active Directory
    Mapping of LDAP attributes to outgoing claim types
    LDAP Attribute Map it to Outgoing claim type.
    E-mail Addresses Map it to Name ID.
    E-mail Addresses Map it to E-mail Address.
    User-Principal-Name Map it to Name.
  4. Click Finish.

Create a custom rule

To create a new custom rule

  1. On the Edit Claim Rules window, under Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.
    12.png
  2. In the Claim rule template list, select Send LDAP Attributes as Claims Rule, and then click Next. The Edit Rule – LDAP EMAIL window appears.
    13.png
  3. Provide the appropriate information for each field.
    Field Action
    Claim rule name  Type a name for the custom rule.
    Custom rule

    Type,

    => issue(Type = "phoenix_auth_token", Value = "value of SSO Token generated from Phoenix Console");

  4. Click OK.

Configure certificate for ADFS

You can configure a trusted party certificate or use the self-signed certificate. ADFS uses this certificate to sign the tokens it sends out. 

Before you begin

Before you configure the single sign-on settings with Phoenix, ensure that you have an ID provider certificate. If you do not have an ID provider certificate, follow these steps:

  1. On the Start menu, click Administrative Tools > ADFS Management. The ADFS  window appears.
    Imp.PNG    
  2. Expand to the Service folder.
  3. Click Certificates. The Certificates view appears in the right pane.
  4. Under the Token-signing area, right-click the certificate. A list with additional options appears.
  5. In the list, click View Certificate. The Certificate window appears.
  6. Click the Details tab and then click Copy to file. The Certificate Export Wizard appears.
    15.png
  7. On the Certificate Export Wizard, click Next. The Export File Format page appears.
    secondlast.png
  8. Select Base-64 encoded X.509 (.CER), and then click Next.
  9. On the File to Export page, browse to the location where you want to save the downloaded certificate.
    last.png
  10. Click Next.
  11. View the information and click Finish
  12. Open the certificate file in a Notepad. The certificate opens in the following format:

        “-----BEGIN CERTIFICATE-----
        
        ………. …..
        
        -----END CERTIFICATE-----"
        

  13. Copy the content of the certificate and provide it when you configure the single sign-on settings by using the Phoenix Console.

Configure the single sign-on settings

To configure the single sign-on settings

  1. Log on to Druva Management Console.
  2. On the menu bar, click  Druva Cloud Settings.
  3. Click the Single Sign-On tab and under Single Sign-On Configuration, click Edit. The Single Sign-On Configuration window is displayed.
  4. Provide the appropriate information for each field.

SAML Attribute 

 Description and value

ID Provider Login URL

 Type,

https://{fqdn-name of the ADFS server}/adfs/ls

ID Provider Certificate Provide the content of the certificate. For more information see, Configure certificate for ADFS.
AuthRequests Signed Select this option if you want the authentication request signed. For more information, see Encryption and Signature
Want Assertion Encrypted Select this option if you want the assertion encrypted. For more information, see Encryption and Signature
  1.   Click Save.