- Only a Druva Cloud administrator can set up Single Sign-on.
- Configure Single Sign-on based on the applicable scenarios:
- New inSync customers (on-boarded after July 14, 2018) must configure Single Sign-on using the Druva Cloud Platform Console. For more information, see Set up Single sign-on.
- Existing inSync customers who have not configured Single Sign-on until July 14th, 2018, must configure Single Sign-on using the Druva Cloud Platform Console. For more information, see Set up Single sign-on.
This article describes how to configure SSO for Druva inSync Cloud using Google as IdP.
The configuration is performed in four steps:
- Configure inSync to work with Google IdP
- Update schema and authorization values for Google IdP
- Map token to user
- Update attribute mapping
Configure Druva to work with Google iDP
- Log in to Google iDP Admin Console (https://admin.google.com/AdminHome)
- Go to Apps page and select SAML apps.
- Click + icon to create a new app.
- On the new popup window, select SETUP MY OWN CUSTOM APP.
- Copy the SSO URL and also download the certificate.
- Go to inSync Cloud Admin page > Settings > Single Sign-On.
- Click Edit and paste the SSO URL under ID Provider Login URL.
- Under ID Provider Certificate, paste the content of the certificate that you downloaded before and click Save.
- Go back to the Google Admin page and continue with custom app creation.
- On Basic information page, give the name as Druva inSync or any custom name.
- On the next screen, enter values as specified below:
ACS URL: https://cloud.druva.com/wrsaml/consume
Entity ID: druva-cloud
- Start URL and Signed Responses are not required here.
- Under Name ID, select Basic Information > Primary Email.
- Set Name ID Format as Email.
- Under Attribute Mapping, select Add New Mapping and enter the following values.
- Save the changes. The app should now be published.
- Click the ... button for the newly created app and select On for Everyone.
The custom app is now configured successfully. We would need to update the schema for app to work as expected.
Update schema and authorization values for Google IdP
Google IdP does not allow entering a custom field value for their SAML apps. There are third party applications that require additional value in addition to SAML response to authenticate the SAML response.
Druva inSync requires Single Sign On (SSO) token to validate the SAML response. If the IdP is Google, there is no direct alternative to add the SAML token. Based on Google, we would need to extend schema for the IdP. In addition to this, the token value must be mapped for every user.
- Open the URL: https://developers.google.com/admin-sdk/directory/v1/reference/schemas/insert#try-it.
- This opens the Schemas:insert page.
- Enter customerId as my_customer.
- Enter the following content under Request body.
- Click Execute. The output should be 200 OK. This means the execution was successful.
With the above steps executed, a new field name Druva will appear under Basic Information Authorization.
Map token to user
- Go to Google Admin Home page (https://admin.google.com/AdminHome)
- Click Users and then click the concerned user name.
- Click Account and then click Edit button under Manage User Attributes.
- Schema name Druva with a field to enter SSO token under inSyncAuth is displayed.
- On a separate browser, log on to inSync Management Conole and click > Settings > Single Sign-On.
- Click Generate SSO Token.
- Copy the SSO token and under inSyncAuth.
- Click Update User.
You schema is now updated and the authorization field is also configured.
Update attribute mapping
To perform attribute mapping:
- Log on to https://admin.google.com with your Administrative credentials.
- Go to Apps > SAML Apps and select the custom application created for Druva.
- Once the app opens, select Attribute Mapping and click Add New Mapping.
- Under Application Attribute, enter the value as – insync_auth_token.
- Under category, select Druva. (This value is populated after extending the schema).
- Under Select User Field, choose the value inSyncAuth (The value is populated after updating the Authorization page) and save the changes. The field must appear as below.
The app is now ready for use, although in rare cases the app may take up to 24 hours to get activated.