Druva Documentation

How to install and configure Active Directory Federation Services for Druva inSync Cloud SAML integration

Summary

This document describes the step-by-step installation and configuration of Active Directory Federation Services (ADFS) 2.0 for Druva inSync Cloud SAML integration. The document has the following sub-sections:

Overview

Installing ADFS 2.0

Configuring ADFS to integrate with Druva inSync cloud

Overview

This section lists the components involved and how the integration works. The components involved in this scenario are:

  • Druva inSync Cloud
  • ADFS 2.0 as the identity provider (IdP) used for user authentication

The user authentication flow is as follows:

  1. The user opens the Druva inSync Cloud web restore URL.
  2. The user enters their email ID with the SAML option selected in the web browser and requests login to the web restore site.
  3. ADFS returns a SAML assertion to the user's web browser.
  4. The user provides an AD account name and password. This is a one-time activity.
  5. The browser automatically submits the assertion to Druva inSync Cloud, which logs the user in.

Installing ADFS 2.0

Active Directory Federation Services (ADFS) 2.0 software must be installed on any computer that you are preparing for the federation server role or the federation server proxy role. You can install this software either by using the ADFS 2.0 Setup Wizard or by performing a quiet installation with adfssetup.exe /quiet at a command line.

Installation Pre-requisites

Whichever method you choose to install ADFS 2.0, the installation process will attempt to automatically check for and, if necessary, install the following prerequisite applications and hotfixes:

  • Windows Hotfix (KB968389) - Installed only on Windows Server 2008 computers
  • Windows Hotfix (KB970430) - Installed only on Windows Server 2008 computers
  • Windows Hotfix (KB973917) - Installed only on Windows Server 2008 computers
  • Windows Hotfix (KB975955) - Installed only on Windows Server 2008 computers
  • Windows Hotfix (KB981002) - Installed only on Windows Server 2008 R2 computers
  • Windows Hotfix (KB981201) - Installed only on Windows Server 2008 computers
  • Windows Hotfix (KB981202) - Installed only on Windows Server 2008 computers
  • Windows Hotfix (KB981205) - Installed only on Windows Server 2008 computers
  • Microsoft .NET Framework 3.5 Service Pack 1 (SP1) - Installed only on Windows Server 2008 R2 computers
  • Internet Information Services (IIS) 7
  • Windows Identity Foundation (WIF)
  • Windows PowerShell

Membership in Administrators or equivalent on the local computer is the minimum required to complete this procedure.

To install the ADFS 2.0 software using the setup wizard

1. Download the ADFS 2.0 software by saving the AdfsSetup.exe setup file onto the computer. To download this file, go to Active Directory Federation Services 2.0 RTW (http://go.microsoft.com/fwlink/?LinkId=151338).

2. Locate the AdfsSetup.exe setup file that you downloaded to the computer and then double-click it.

3. On the Welcome to the ADFS 2.0 Setup Wizard page, click Next.

4. On the End-User License Agreement page, read the license terms.

5. If you agree to the terms, select the I accept the terms in the License Agreement check box and then click Next.

6. On the Server Role page, select one of the following options, depending on the role for which you will configure this computer.

  • To install ADFS 2.0 and begin configuring it for the federation server role, select Federation server and then click Next.
  • To install ADFS 2.0 and begin configuring it for the federation server proxy role, select Federation server proxy and then click Next.

7. On the Install Prerequisite Software page, click Next.

After you click Next, you see the Installing ADFS 2.0 page.

Note: The installation process can take up to 20 minutes to complete, depending on how many of the prerequisites are already installed on the computer.

8. On the Completed the ADFS 2.0 Setup Wizard page, verify that the Restart now check box is selected and then click Finish to restart the computer.

To install the ADFS 2.0 software using the command-line

1. Download the ADFS 2.0 software by saving the AdfsSetup.exe setup file onto the computer. To download this file, go to Active Directory Federation Services 2.0 RTW (http://go.microsoft.com/fwlink/?LinkId=151338).

2. Locate the AdfsSetup.exe setup file that you downloaded to the computer and then open a command prompt and change directories to the location of the setup file.

3. Depending on the role for which you will configure this computer, choose the appropriate option:

  • To install ADFS 2.0 and automatically configure it for the federation server role, type adfssetup.exe /quiet and then press ENTER.

Configuring ADFS to integrate with Druva inSync cloud

Once ADFS 2.0 is installed, we can create the trust between the two parties (Druva inSync Cloud and ADFS). To achieve this, we configure ADFS with a relying party trust; in our case the relying party is Druva inSync Cloud.

From the Druva inSync Cloud perspective, we configure it to trust the ADFS 2.0 server that sends the claims, and then set up the web application and site that will consume those claims.

Create a new federation service

We start by hosting a new federation service. Those who already have the service hosted can skip this part.

1. On the ADFS 2.0 server, click Start > Administrative Tools > ADFS 2.0 Management. This opens the management console for ADFS 2.0.

2. In the right panel, under the Overview section, click ADFS 2.0 Federation Server Configuration Wizard.

3. Select "Create New Federation Service" and click Next (see image below).

[Image: afds1.png]

4. Under Select Deployment Type, select "Stand-alone Federation Server".

5. Select the certificate which you have created for the ADFS 2.0 server and upload it. Click Next to see the summary.

6. Click Finish to create the federation server.

Creating Relying Party

Once the federation server is set up, we create a relying party (which will be Druva inSync Cloud).

1. In the ADFS 2.0 management console, expand the Trust Relationships node.

2. Click the Add Relying Party Trust link in the right pane to start the Add Relying Party Trust wizard (see image below).

[Image: afds2.png]

3. Click the Start button to continue. Select the option to enter data about the relying party manually and then click the Next button (see image below).

[Image: afds3.png]

4. Enter a display name and optionally a description for the relying party, then click the Next button (see image below).

[Image: afds4.png]

5. Select the option to use the ADFS 2.0 profile and then click the Next button (see image below).

[Image: afds5.png]

6. You can select a certificate to encrypt the SAML token itself. This isn't done frequently, because ADFS requires the connection to Druva inSync to be made over SSL, so the channel on which the token is sent is already encrypted. Click the Next button (see image below).

[Image: afds6.png]

7. Select the check box "Enable support for the SAML 2.0 WebSSO protocol" and enter the Relying party SAML 2.0 SSO service URL as https://cloud.druva.com/wrsaml/consume (see image below). After entering the URL, click Next.

8. For the relying party trust identifier, enter a realm that your web application passes to ADFS when users log in to the web restore URL. The realm is associated with a web application and is how ADFS maps an incoming login request to one of the relying party trusts it has. For us the realm is "druva-cloud". Enter the realm and click the Next button (see image below).

[Image: afds8.png]

9. Permit all users to access the relying party (see image below).

[Image: afds9.png]

10. If you need to make any other configuration changes to the relying party trust at this time, you can do so here. Click the Next button to continue (see image below).

[Image: afds10.png]

11. We are done configuring the relying party trust, but we still need to create a claim rule to tell ADFS which claims to send back to Druva inSync Cloud. Leave the Open the Edit Claim Rules dialog check box selected and click the Close button.

Create new rule

Next we create the claim rules that allow users to authenticate at ADFS using Active Directory.

1. Create a new rule: click the Add Rule button (see image below) and select "Send LDAP Attributes as Claims".

[Image: afds11.png]

2. Start by typing a claim rule name, which can be any name you wish to identify the rule by. Next, in the Attribute store drop-down, select Active Directory. Then select the LDAP attributes and map them to the outgoing claim types as follows:

  LDAP Attribute         Outgoing Claim Type
  E-mail Addresses       Name ID
  E-mail Addresses       E-mail Address
  User-Principal-Name    Name

See the image below for more details.

3. After you have finished configuring the rule as described above, click the Finish button to complete the rule.

4. Now create a custom rule: click the Add Rule button (see image below) and select "Send Claims Using a Custom Rule".

[Image: afds13.png]

5. Before we move ahead we need to generate an SSO token for creating the rule. To generate an SSO token, in the inSync console navigate to Manage > Settings > Single Sign On > Generate SSO Token. Copy the token.

6. Start by typing a name for the claim rule. Under Custom rule, type the following, replacing the placeholder with the SSO token generated from the inSync console (see image below):

=> issue(Type = "insync_auth_token", Value = "{value of SSO Token generated from inSync Console}");

[Image: afds14.png]

7. Click the OK button to complete the process of creating your relying party trust in ADFS.
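The PowerShell below is an added example, not part of the Druva document or of Druva's own tooling: it creates the same relying party trust and the same two claim rules that the "Creating Relying Party" and "Create new rule" walkthroughs above build by hand, using the ADFS 2.0 snap-in cmdlets on the federation server. The display name "Druva inSync Cloud" and the rule names are assumptions, and the SSO token is a placeholder for the value generated in the inSync console.

```powershell
# Added example, not from the Druva document: create the relying party trust and
# claim rules from the two wizard walkthroughs above with the ADFS 2.0 snap-in.
# Assumptions: display name and rule names; the SSO token is a placeholder.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$insyncToken = "REPLACE-WITH-SSO-TOKEN-FROM-INSYNC-CONSOLE"   # placeholder value

# Values from the document: relying party SAML 2.0 SSO service URL and realm
$acsUrl = "https://cloud.druva.com/wrsaml/consume"
$realm  = "druva-cloud"

# Rule 1, "Send LDAP Attributes as Claims": the three mappings in the table
# (E-mail Addresses -> Name ID, E-mail Addresses -> E-mail Address,
#  User-Principal-Name -> Name). The query lists the LDAP attributes in the
# same order as the outgoing claim types.
$ldapRule = @'
@RuleName = "inSync LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";mail,mail,userPrincipalName;{0}", param = c.Value);
'@

# Rule 2, "Send Claims Using a Custom Rule": the static insync_auth_token claim
$tokenRule = @"
@RuleName = "inSync auth token"
 => issue(Type = "insync_auth_token", Value = "$insyncToken");
"@

# Authorization rule equivalent to "Permit all users to access this relying party"
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# SAML 2.0 WebSSO endpoint (HTTP-POST binding, assertion consumer service)
$endpoint = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-ADFSRelyingPartyTrust -Name "Druva inSync Cloud" `
    -Identifier $realm `
    -ProtocolProfile SAML `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules ($ldapRule + "`r`n" + $tokenRule) `
    -IssuanceAuthorizationRules $permitAll

# Review the result: identifier, endpoint and the rule set ADFS stored
Get-ADFSRelyingPartyTrust -Name "Druva inSync Cloud" |
    Format-List Name, Identifier, SamlEndpoints, IssuanceTransformRules
```

Because the SSO token is embedded in the rule text, treat the script and the stored rule set as secrets and keep them out of shared repositories.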

Configure Certificate for ADFS

ADFS uses a certificate to sign the tokens it sends out. You may configure a certificate issued by a trusted third party or use the self-signed certificate. This section is optional.

Configuring Single Sign-on Settings on Druva inSync Cloud

1. We need to configure a few settings on the Druva Cloud instance. To do so, open https://cloud.druva.com and log in with admin credentials.

2. Navigate to Manage > Settings > Single Sign-on.

3. Enter the values as below.

  SAML Attribute              Description and value
  ID Provider Metadata URL    Can be left blank
  ID Provider Login URL       https://{fqdn-name of the ADFS server}/adfs/ls
  ID Provider Logout URL      Can be left blank
  ID Provider Certificate     Obtained from the ADFS server; follow the procedure below to obtain the ID Provider Certificate.

4. To get the ID Provider Certificate, follow the steps below.

  • On the ADFS 2.0 console, click Certificates. Under Certificates, click the certificate listed under Token-signing (see image below).

[Image: afds15.png]

  • In the Certificate properties window, click the Details tab. On the Details page, click Copy to File. This launches the Certificate Export Wizard.

[Image: afds16.png]

  • Click Next on the wizard welcome page. Select "DER Encoded binary X.509 (.cer)" and click Next.

[Image: afds17.png]

  • Give the filename as cert.cer and save it. The file is in .cer (DER) format and needs to be converted to .pem format; for that we use the OpenSSL tool.

Note: OpenSSL for Windows requires the Visual C++ 2008 Redistributables, which can be downloaded from the same website.

  • Save the cert.cer file under C:\OpenSSL-Win32\bin.
  • Open a command prompt, navigate to C:\OpenSSL-Win32\bin, and run the following command:

openssl x509 -inform der -in cert.cer -out cert.pem

  • Open the cert.pem file in Notepad. The file contains a certificate in the format

-----BEGIN CERTIFICATE-----
..........
-----END CERTIFICATE-----

  • Copy the certificate and paste it on the Single Sign-on Settings page under "ID Provider Certificate".
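As an added example (not from the Druva document or Druva's tooling), the same token-signing certificate can be exported straight to PEM on the ADFS 2.0 server with PowerShell, which produces the same text as the Copy to File plus openssl x509 steps above without the intermediate .cer file. The output path is an assumption.

```powershell
# Added example, not from the Druva document: export the primary ADFS 2.0
# token-signing certificate as PEM, equivalent to Copy to File + openssl x509.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# The console's "Token-signing" entry; only the primary one signs assertions.
$signing = Get-ADFSCertificate -CertificateType Token-Signing |
           Where-Object { $_.IsPrimary }
$cert = $signing.Certificate   # X509Certificate2 with the DER bytes in RawData

# PEM is the DER bytes, base64-encoded and wrapped at 64 columns between markers.
$b64   = [Convert]::ToBase64String($cert.RawData)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = "-----BEGIN CERTIFICATE-----`r`n" + ($lines -join "`r`n") + "`r`n-----END CERTIFICATE-----"

$outPath = Join-Path $env:USERPROFILE "Desktop\cert.pem"   # assumed output location
Set-Content -Path $outPath -Value $pem -Encoding Ascii

# Show what to compare against the console before pasting into inSync: the
# thumbprint identifies the right certificate, NotAfter is when the pasted
# value stops validating assertions.
"{0}  expires {1:u}" -f $cert.Thumbprint, $cert.NotAfter
Get-Content $outPath
```

If ADFS automatic certificate rollover is enabled, the token-signing certificate is replaced periodically and the value pasted into inSync must be re-exported and updated at that point, or SAML logins will fail.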

Single Sign-on is now configured on Druva inSync Cloud using ADFS.