Druva Documentation

How to configure SSO for Druva inSync Cloud using Google as IdP?

Product edition: inSync Cloud

 

Overview

This article describes how to configure SSO for Druva inSync Cloud using Google as IdP.

The configuration is performed in four steps:

  • Configure inSync to work with Google IdP
  • Update schema and authorization values for Google IdP
  • Map token to user
  • Update attribute mapping

Configure Druva to work with Google IdP

  1. Log in to Google IdP Admin Console (https://admin.google.com/AdminHome)
  2. Go to Apps page and select SAML apps
  3. Click + icon to create a new app. 
  4. On the new popup window, select SETUP MY OWN CUSTOM APP


     
  5. Copy the SSO URL and also download the certificate.
  6. Go to inSync Cloud Admin page > Settings > Single Sign-On.
  7. Click Edit and paste the SSO URL under ID Provider Login URL.
  8. Under ID Provider Certificate, paste the content of the certificate that you downloaded before and click Save.
  9. Go back to the Google Admin page and continue with custom app creation. 
  10. On Basic information page, give the name as Druva inSync or any custom name. 
  11. On the next screen, enter values as specified below:
    ACS URL: https://cloud.druva.com/wrsaml/consume 
    Entity ID: druva-cloud
  12. Start URL and Signed Responses are not required here.
  13. Under Name ID, select Basic Information > Primary Email
  14. Set Name ID Format as Email.
  15. Under Attribute Mapping, select Add New Mapping and enter the following values.


     
  16. Save the changes. The app should now be published. 
  17. Click the ... button for the newly created app and select On for Everyone

The custom app is now configured successfully. Next, update the schema so that the app works as expected.

Update schema and authorization values for Google IdP

Google IdP does not allow entering a custom field value for its SAML apps. Some third-party applications require an additional value alongside the SAML response in order to authenticate that response.

Druva inSync requires a Single Sign-On (SSO) token to validate the SAML response. When the IdP is Google, there is no direct way to add the SAML token. According to Google, the schema for the IdP must be extended. In addition, the token value must be mapped for every user.

Update schema:

  1. Open the URL: https://developers.google.com/admin-sdk/directory/v1/reference/schemas/insert#try-it.
  2. This opens the Schemas:insert page. 
  3. Enter customerId as my_customer
  4. Enter the following content under Request body.

    {
        "fields": [
            {
                "fieldName": "inSyncAuth",
                "fieldType": "STRING",
                "multiValued": false,
                "readAccessType": "ALL_DOMAIN_USERS"
            }
        ],
        "schemaName": "Druva"
    }

     

     
  5. Click Execute. The output should be 200 OK. This means the execution was successful. 

With the above steps executed, a new field named Druva will appear under Basic Information Authorization.

Map token to user

  1. Go to Google Admin Home page (https://admin.google.com/AdminHome)
  2. Click Users and then click the concerned user name.
  3. Click Account and then click Edit button under Manage User Attributes.
  4. Schema name Druva with a field to enter SSO token under inSyncAuth is displayed.

  5. On a separate browser, log on to inSync Management Console and click  > Settings > Single Sign-On.
  6. Click Generate SSO Token.
  7. Copy the SSO token and paste it under inSyncAuth.
  8. Click Update User.

Your schema is now updated and the authorization field is also configured.

Update attribute mapping

To perform attribute mapping:

  1. Log on to https://admin.google.com with your Administrative credentials.  
  2. Go to Apps > SAML Apps and select the custom application created for Druva.  
  3. Once the app opens, select Attribute Mapping and click Add New Mapping.  
  4. Under Application Attribute, enter the value as insync_auth_token
  5. Under category, select Druva. (This value is populated after extending the schema). 
  6. Under Select User Field, choose the value inSyncAuth (The value is populated after updating the Authorization page) and save the changes. The field must appear as below.

The app is now ready for use, although in rare cases the app may take up to 24 hours to get activated.
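
To confirm that the ACS URL, Entity ID, Name ID format and insync_auth_token mapping configured above actually appear in what Google sends, inspect a base64-decoded SAMLResponse for a test user. The following Python script is an added example, not Druva's or Google's code; it assumes the ACS URL is carried in the Response's Destination attribute and the Entity ID in the Audience element, and the sample response and token value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Values taken from the configuration steps in this article.
ACS_URL = "https://cloud.druva.com/wrsaml/consume"
ENTITY_ID = "druva-cloud"
TOKEN_ATTR = "insync_auth_token"

def check_response(xml_text):
    """Return a list of configuration problems in a decoded SAML response."""
    # Diagnostic only: the XML signature is NOT verified here.
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination does not match the ACS URL")
    audience = root.findtext(".//a:AudienceRestriction/a:Audience", "", NS)
    if audience.strip() != ENTITY_ID:
        problems.append("Audience does not match the Entity ID")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is missing or not in Email format")
    # Absent or empty when the mapping or the user's inSyncAuth value is missing.
    values = [v.text for attr in root.iterfind(".//a:Attribute", NS)
              if attr.get("Name") == TOKEN_ATTR
              for v in attr.iterfind("a:AttributeValue", NS)
              if v.text and v.text.strip()]
    if not values:
        problems.append(TOKEN_ATTR + " is missing or empty")
    return problems

def sample(audience, attrs):
    """Build a constructed, unsigned sample response (not captured from Google)."""
    return f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" Destination="{ACS_URL}">
  <a:Assertion>
    <a:Subject><a:NameID Format="{EMAIL_FORMAT}">user@example.com</a:NameID></a:Subject>
    <a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience>
    </a:AudienceRestriction></a:Conditions>
    <a:AttributeStatement>{attrs}</a:AttributeStatement>
  </a:Assertion>
</p:Response>"""

TOKEN_XML = (f'<a:Attribute Name="{TOKEN_ATTR}">'
             "<a:AttributeValue>PLACEHOLDER-TOKEN</a:AttributeValue></a:Attribute>")

if __name__ == "__main__":
    print(check_response(sample(ENTITY_ID, TOKEN_XML)))  # correctly configured
    print(check_response(sample("wrong-entity", "")))    # two problems reported
```

An empty result means the response carries everything the steps above configure; a missing insync_auth_token points at either the attribute mapping or the user's inSyncAuth value.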