Druva Documentation

How to configure SSO for Druva inSync Cloud using Azure AD as IdP

  

 

  • Only a Druva Cloud administrator can set up Single Sign-on. 
  • Configure Single Sign-on based on the applicable scenarios:
    • New inSync customers (on-boarded after July 14, 2018) must configure Single Sign-on using the Druva Cloud Platform Console. For more information, see Set up Single sign-on.
    • Existing inSync customers who had not configured Single Sign-on as of July 14, 2018, must configure Single Sign-on using the Druva Cloud Platform Console. For more information, see Set up Single sign-on.

Overview

This article describes the steps to configure SSO for Druva inSync Cloud using Azure AD as the identity provider (IdP).
SSO is configured in the following order:

  1. Configure Druva app for inSync Cloud on Azure Portal
  2. Configure Azure AD Single Sign-On
  3. Configure Druva to use Azure AD login
  4. Assign Users/Groups in Azure AD to use Druva app
  5. Enable SSO for administrators
  6. Enable SSO for Users

Configure a custom App for Druva inSync on Azure Portal

  1. Log on to the Azure portal (URL: portal.azure.com) 
  2. Log on using an Azure administrator account.
  3. Navigate to Azure Active Directory > Enterprise Applications.

    SSOAzureAsIdP01.png
     
  4. On the Enterprise applications page, click New application.
  5. Search for the application name Druva in the search bar and select the application.

    SSOAzureAsIdP03.png

    SSOAddApp.png

    The name of the application can be modified as required, for example, Druva or Druva inSync.
     
  6. Click Add.
  7. Go to Manage > Properties and configure the settings as shown in the image below. 

    SSOAzureAsIdPinSync01.png
  8. Upload a Druva inSync Logo to identify the application easily.
  9. Click Save.

Configure Azure AD single sign-on

To configure Azure AD single sign-on with Druva, perform the following steps:

  1. On the Druva inSync application integration page of the Azure portal, click Single sign-on.


    SSOAzureAsIdP07.png
     
  2. On the Single sign-on window, select Mode as SAML-based Sign-on to enable single sign-on.
  3. Under the Basic SAML Configuration section, a few parameters, such as Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL), are already filled.
  4. Click Edit, make sure the following parameters are selected as default, and save the changes.

    1. Identifier (Entity ID): druva-cloud
    2. Reply URL (Assertion Consumer Service URL): https://cloud.druva.com/wrsaml/consume

      SSOSAMLBasedSignON.png
  5. Edit User Attributes & Claims.

    EditUserAttribsAndClaims.png


    You can delete all the attributes added by default as inSync does not use these attributes for authentication.

    DeleteAllUserAttribsClaims.png

    You cannot delete the claim “http://schemas.xmlsoap.org/ws/2005/0...nameidentifier” as this is the mandatory claim for the name identifier.
     
  6. Click Add new claim and add the attributes in the order and case specified in the table below.
     
    Attribute name       Value
    emailAddress         user.mail
    insync_auth_token    Enter the token generated from the inSync Management Console, without quotation marks. Azure automatically adds the quotation marks. For information on generating an SSO token, see Generate SSO token.

    ManageUserClaim.png

    Finally, the User Attributes & Claims section appears as below:

    UserAttribsAndClaims.png

    Follow these steps to add the above attributes:
    1. Click Add attribute to open the Add Attribute window.

    2. Enter the attribute name as shown for that row.

    3. Enter the respective attribute value from the Value column. The generated token value is explained later in the tutorial.

    4. Click OK.
      For information on generating SSO token, see Generate SSO token or How to generate an SSO token from Druva Cloud Platform.

      SAMLTokenAttributes.png

  7. In the SAML Signing Certificate section, click Certificate (Base64) and save the certificate file on your system.

    SAMLSigningCert.png
     

  8. Under the Set up Druva section, copy the Login URL and save it in a text editor such as Notepad or WordPad.

    SetUpDruvaSSO.png
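
An added troubleshooting example, not part of Druva's documentation: a Python check that a captured SAML assertion carries the values configured in the steps above (Identifier druva-cloud, the Reply URL, the name identifier claim, and the two case-sensitive attributes). The function name `check_assertion` and the sample assertion are constructed for illustration; the check covers structure only and does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_AUDIENCE = "druva-cloud"                              # Identifier (Entity ID) from the page
EXPECTED_RECIPIENT = "https://cloud.druva.com/wrsaml/consume"  # Reply URL from the page
REQUIRED_ATTRIBUTES = ("emailAddress", "insync_auth_token")    # names are case-sensitive

# Constructed sample assertion (unsigned, placeholder values), for illustration only.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://cloud.druva.com/wrsaml/consume"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>druva-cloud</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="emailAddress"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="insync_auth_token"><saml:AttributeValue>PLACEHOLDER-TOKEN</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_assertion(xml_text):
    """Return a list of configuration problems; an empty list means the checks passed."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("Audience is not druva-cloud")
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if EXPECTED_RECIPIENT not in recipients:
        problems.append("Recipient is not the Druva Reply URL")
    if root.find(".//saml:NameID", NS) is None:
        problems.append("NameID claim is missing")
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        attrs[a.get("Name")] = a.findtext("saml:AttributeValue", default="", namespaces=NS)
    for name in REQUIRED_ATTRIBUTES:
        value = (attrs.get(name) or "").strip()
        if not value:
            problems.append(f"attribute {name} is missing or empty")
        elif name == "insync_auth_token" and value[0] in "\"'":
            # Never print the token itself; report only that literal quotes were typed in.
            problems.append("insync_auth_token value contains literal quotation marks")
    return problems
```

Run it against an assertion captured from a test sign-in; the token value is a credential, so the function reports problems without echoing it.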

     

Configure Druva inSync Cloud to use Azure AD login

Only a Druva Cloud administrator can set up Single Sign-on. 

Procedure

  1. In a different web browser window, log on to the inSync Management Console (https://console.druva.com/admin) as a Druva Cloud administrator.
  2. Click the Druva logo in the top-left corner and click Druva Cloud Settings.

    DruvaCloudSettings.png
  3. On the Single Sign-On section, click Edit.

    SSOAzureAsIdP15.png
  4. Copy the ‘Login URL’ obtained in step 8 earlier (https://login.microsoftonline.com/xx...xxxxxxxx/saml2) and paste it in the ID Provider Login URL field.
  5. Open the Certificate (Base64) file downloaded earlier (in step 7) in Notepad and copy its entire content into the ID Provider Certificate section.

    IDProviderConfig.png
  6. Click Save.

Assigning Users/Groups in Azure AD to use Druva inSync app

  1. On the Azure portal, navigate to Azure Active Directory > Enterprise applications > All applications, and select the Druva application created during initial configuration from the applications list.
  2. Click Users and groups.
  3. Open the directory view and navigate to Enterprise applications > All applications.

    SSOAzureAsIdP17.png
  4. Click Add User.

    SSOAzureAsIdP18.png
  5. Select Users and groups on the Add Assignment window.

    SSOAzureAsIdP19.png
  6. On the Users and groups window, in the Users list, select the users or group to which you want to assign the Druva app.
  7. Ensure that the User or Admin account selected has a corresponding account created in inSync. 
  8. Click Select on Users and groups window.
  9. Click Assign on Add Assignment window.    

Enable SSO for administrators

  1. On the DCP console, go to Druva Cloud Settings.

    SSOAzureAsIdP20.png
  2. On the Single Sign-On section, click Edit.

    SSOAzureAsIdP21.png
  3. Select Administrators log into Druva Cloud through SSO provider.

    SSOAzureAsIdP22.png
    Druva recommends enabling Failsafe for Administrators so that they can access the DCP console in case of any failures in the IdP. It also enables the administrators to use both SSO and the DCP password to access the DCP console.
  4. Click Save. This enables access to Druva Cloud Platform using SSO.

Enable SSO for users

This section applies to inSync users. If you intend to use SSO for Druva Phoenix, skip this section.

To enable SSO for users, enable SSO for an existing user profile. Alternatively, create a new profile and enable SSO for this profile. Subsequently, assign the users to this profile to enable access using SSO.

Step-1: Create a new profile or update an existing profile:

Step-2: Assign users to the profile:

To assign users to the profile with SSO enabled, follow the steps described in Update the profile assigned to users.