Skip to main content

How can we help you?

Druva Documentation

How to configure SSO for Druva inSync On-Premise using Google as IdP?

Product edition: inSync On-Premise v5.8.1 and above

 

Overview

This article describes how to configure SSO for Druva inSync On-Premise v5.8.1 and later using Google as IdP

Configure Druva to work with Google IdP

  1. Log in to Google IdP Admin Console (https://admin.google.com/AdminHome).
  2. Go to Apps page and Select SAML apps
  3. Create a new app by clicking the + icon.
  4. On the new pop-up window, click Setup my own custom app.

    EnableSSOForSAML.png
     
  5. Copy the SSO URL and download the IdP metadata xml file. Keep this URL handy to use in the steps ahead.
  6. Log on to inSync Management Console and click  SettingsMenu1.png > Settings > Single Sign On.
  7. Click Edit and copy the SSO URL under ID Provider Login URL
  8. Under ID Provider Metadata XML, copy the content of the file that you downloaded in Step 5. (You can open it in notepad).
  9. Click Save.
  10. Under ACS URL field, enter the IP/FQDN of the inSync Master Server as specified under Server IP/FQDN section. This IP/FQDN must be available from the client systems.
  11. Return to the Google Admin Page and resume the custom app creation process. 
  12. On Basic information page, give the name as Druva inSync or any custom name. 
  13. On the next screen, enter the following values:
    ACS URL: https://[ip/fqdb]/wrsaml/consume (This will be the inSync Master Server IP/FQDN which is reachable from the client machines)
    Entity ID: druva-cloud
    Note: If you are using both Cloud and On-premises, you would need to change the entity-id. Please contact Druva Support for assistance.
  14. Leave Start URL and Signed responses blank.
  15. Under Name ID, select Basic Information > Primary Email.
  16. Set Name ID Format as Email.
  17. Under Attribute Mapping, click Add New Mapping  and enter the values for Email, Basic information, and Primary Email. 

    ProvideMappings.png

     
  18. Save the changes and do not publish the app. 
  19. Select the three buttons for newly created app and select On for Everyone.

The custom app is now configured successfully. You need to update the schema for app to work as expected.

Extend Schema and authorization values for Google IdP

Google IdP does not allow you to enter a custom field value for their SAML apps. To authenticate the SAML response, there are third party applications that require additional value in addition to SAML response. 
Druva inSync requires Single Sign-On (SSO) token to validate the SAML response. If the IdP is Google, there is no direct way to add the SAML token. Based on Google, you need to extend the schema for the IdP. In addition to this, the token value must be mapped for every user.

To extend schema:

  1. Open the following URL -  https://developers.google.com/admin-sdk/directory/v1/reference/schemas/insert#try-it.
    The link opens the Schemas: insert page.
  2. Enter customerId value as my_customer on the Schemas: insert page. 
  3. In the Request body, enter the following:

    {
        "fields": [
          {
            "fieldName": "inSyncAuth",
            "fieldType": "STRING",
            "multiValued": false,
            "readAccessType": "ALL_DOMAIN_USERS",
      }
    ],
    "schemaName": "Druva"
    }

    RequestParameters.png

  4. Click Execute. The output should be 200 OK. This means the execution was successful. 
    A new field name Druva will appear under Basic Information Authorization.

Map the token to user

  1. Open the Google Admin home page (https://admin.google.com/AdminHome).
  2. Click Users and then click the user name to which you want to map the token.
  3. Click Account and under Manage User Attributes, click Edit. The schema name Druva and a field to enter the SSO Token under inSyncAuth  is displayed as shown in the image below.

    UpdateUser.png
     
  4. Log on to inSync Management Console and click  SettingsMenu1.png > Settings > Single Sign On.
  5. Click Generate SSO Token.
  6. Copy the SSO token and enter it in the field below inSyncAuth as shown in above screenshot.
  7. Click Update User.
    To update token for multiple users, please contact Druva Technical Support.

Update attribute mapping 

 As the Schema is now extended and the authorization field is also configured, you need to update the Attribute Mapping. 

  1. Log on to Google Admin home https://admin.google.com, with your administrative credentials. 
  2. Select Apps > SAML Apps
  3. Select the custom application created for Druva. 
  4. Once the app opens, select Attribute Mapping, followed by Add New Mapping.
  5. Under Application Attribute, enter the value as – insync_auth_token
  6. Under category, select Druva. This is the value populated after extending the schema.
  7. Under Select User Field, select inSyncAuth. This value is populated after updating the Authorization page. Attribute mapping field looks like the image below after you save the changes.

    AttributeMapping.png

    The App is now ready for use. 
    Note: In some cases, the app might take up to 24 hours to activate.