Druva Documentation

How to install and configure Active Directory Federation Services for Druva inSync Cloud SAML integration

  • Only a Druva Cloud administrator can set up Single Sign-on. 
  • Configure Single Sign-on based on the applicable scenarios:
    • New inSync customers (on-boarded after July 14, 2018) must configure Single Sign-on using the Druva Cloud Platform Console. For more information, see Set up Single sign-on.
    • Existing inSync customers who had not configured Single Sign-on by July 14, 2018, must configure Single Sign-on using the Druva Cloud Platform Console. For more information, see Set up Single sign-on.

 Overview

This document describes the procedures to install and configure Active Directory Federation Services (ADFS) 2.0 for Druva inSync cloud SAML integration. The document has the following sections:

The following components are involved in this installation and configuration.

  • Druva inSync Cloud
  • ADFS 2.0 as the identity provider (IdP) used for user authentication

The user authentication procedure involves the following steps:

  1. The user opens the Druva inSync Cloud web restore URL.
  2. The user provides the email ID with the SAML option selected in the web browser and requests access to the web restore site.
  3. ADFS returns a SAML assertion to the user's web browser.
  4. The user provides the AD account name and password, which is a one-time activity.
  5. Druva inSync Cloud automatically receives the assertion from the browser and authenticates the user.

Install ADFS 2.0

Active Directory Federation Services (ADFS) 2.0 software must be installed on the system designated for the federation server role or the federation server proxy role. Use the ADFS 2.0 Setup Wizard, or perform a quiet installation by running adfssetup.exe /quiet on the command line, to install the software.

Pre-requisites to install ADFS 2.0

Irrespective of the method used to install ADFS 2.0, the installer checks for the following applications and hotfixes on the system and installs them if required.

  • Windows Hotfix (KB968389) - Installed only on Windows Server 2008 computers
  • Windows Hotfix (KB970430) - Installed only on Windows Server 2008 computers
  • Windows Hotfix (KB973917) - Installed only on Windows Server 2008 computers
  • Windows Hotfix (KB975955) - Installed only on Windows Server 2008 computers
  • Windows Hotfix (KB981002) - Installed only on Windows Server 2008 R2 computers
  • Windows Hotfix (KB981201) - Installed only on Windows Server 2008 computers
  • Windows Hotfix (KB981202) - Installed only on Windows Server 2008 computers
  • Windows Hotfix (KB981205) - Installed only on Windows Server 2008 computers
  • Microsoft .NET Framework 3.5 Service Pack 1 (SP1) - Installed only on Windows Server 2008 R2 computers
  • Internet Information Services (IIS) 7
  • Windows Identity Foundation (WIF)
  • Windows PowerShell

Administrator access or equivalent credentials are required to install ADFS 2.0 on the host system.

Install ADFS 2.0 using the setup wizard

To install ADFS 2.0 using the setup wizard:

  1. Download AdfsSetup.exe on the system from Microsoft Download Center.
  2. Double-click AdfsSetup.exe to begin the installation.
  3. Click Next on the welcome page of the wizard.
  4. Review the End-User License Agreement, select I accept the terms in the License Agreement, and click Next to proceed with the installation.
  5. Select one of the following roles for the server and click Next:
    • Federation server
    • Federation server proxy
      The subsequent configuration of the server depends on the role selected above.
  6. Click Next on the Install Prerequisite Software page to initiate the ADFS 2.0 installation.

ADFS 2.0 installation can take up to 20 minutes and the install duration depends on the prerequisites available on the system.

Install ADFS 2.0 from the command line

To install ADFS 2.0 from the command line:

  1. Download AdfsSetup.exe on the system from Active Directory Federation Services 2.0 RTW.
  2. Open the command prompt and change the directory to the folder containing AdfsSetup.exe.
  3. Run the following command to install ADFS 2.0 and automatically configure it for the federation server role.
    adfssetup.exe /quiet

Integrate ADFS 2.0 with Druva inSync Cloud

Once ADFS 2.0 is installed, Druva inSync Cloud and ADFS 2.0 can be integrated. The integration requires establishing trust between ADFS 2.0 and Druva inSync Cloud with the following configurations:

  • ADFS must be configured with a relying party trust, where the relying party is Druva inSync Cloud.
  • Druva inSync Cloud must be configured to trust ADFS 2.0, from which it will receive claims.
  • A web application and site that will consume the claims received from ADFS 2.0 must be set up.

The above configurations are achieved in the following order:

  1. Create a new federation service
  2. Create a relying party
  3. Create a new rule
  4. Configure a certificate for ADFS
  5. Configure Single Sign-on for inSync Cloud

Create a new federation service

If a federation service is already hosted on the system, skip this procedure.

The following steps describe the procedure to host a new federation service.

  1. On the system where the ADFS 2.0 server is installed, click Start > Administrative Tools > ADFS 2.0 Management. This opens the ADFS 2.0 management console.
  2. Under Overview in the right pane, select ADFS 2.0 Federation Server Configuration Wizard.
  3. Select Create New Federation Service and click Next.

    afds1.png
  4. Set Deployment Type as Stand-alone Federation Server.
  5. Select and upload the newly created certificate for ADFS 2.0.
  6. Click Next to view the summary page and click Finish.  

Create a relying party

To create Druva inSync Cloud as a relying party of ADFS 2.0:

  1. Open the ADFS 2.0 management console and expand Trust Relationships.
  2. Click the Add Relying Party Trust link in the right pane to launch the Add Relying Party Trust wizard, and click Start.

    afds2.png
  3. Select Enter data about the relying party manually on the Select Data Source page and click Next.

    afds3.png
  4. Specify Display name of the relying party (preferably Druva inSync) and optionally, enter description under Notes if required.

    afds4.png
  5. Select ADFS 2.0 profile on the Choose Profile page and click Next.

    afds5.png
  6. Optionally, select a certificate to encrypt the SAML token itself. This is rarely done because ADFS must connect to Druva inSync over SSL, so the channel on which the token is sent is already encrypted.

    afds6.png
  7. Select Enable support for the SAML 2.0 WebSSO protocol and enter the Relying party SAML 2.0 SSO service URL as https://cloud.druva.com/wrsaml/consume
  8. Under Relying party trust identifier, enter a realm that the web application passes to ADFS when users log on to the web restore URL. The realm for Druva inSync is druva-cloud.

    afds8.png
  9. Select Permit all users to access this relying party.

    afds9.png
  10. Complete any other pending configurations on the Ready to Add Trust page.

    afds10.png

This completes the configuration of the relying party trust.

The next task is to create a claim rule that tells ADFS which claims to send to Druva inSync Cloud.

Create a new rule

The claim rules define which Active Directory attributes ADFS sends to Druva inSync as claims, so that inSync can authenticate users through ADFS.
To set claim rules:

  1. Click Add Rule and set Claim rule template as Send LDAP Attributes as Claims.

    afds11.png
  2. On the attribute store list, select Active Directory and map each LDAP attribute to its outgoing claim type as follows:

     LDAP Attribute        Outgoing claim type
     -------------------   -------------------
     E-mail Addresses      Name ID
     E-mail Addresses      E-mail Address
     User-Principal-Name   Name
  3. Click Finish to complete the configuration.
  4. Click Add Rule to create a custom rule and select Send Claims Using a custom rule.


    afds13.png
  5. Generate an SSO token and use it to create the rule:
    1. In the inSync Management Console, go to Manage > Settings > Single Sign On > Generate SSO Token.
    2. Copy the token to a file for future use.
    3. Under Claim rule, enter the rule in the following form, substituting the SSO token generated from the inSync console for the placeholder:

      => issue(Type = "insync_auth_token", Value = "{value of SSO Token generated from inSync Console}");

      afds14.png

    4. Click OK. Creating the relying party trust in ADFS is complete.
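The following script is an added example, not Druva's or Microsoft's code, showing a scripted equivalent of the "Create a relying party" and "Create a new rule" steps above using the ADFS 2.0 PowerShell snap-in. It assumes it runs on the federation server as an administrator, that the display name, realm (druva-cloud) and consumer URL are those given in the procedure, and that the SSO token is pasted in place of the placeholder. The first transform rule is written to mirror what the Send LDAP Attributes as Claims template generates for the three mappings in the table; verify it against the rule text the wizard produces in your environment.

```powershell
# Added example (not Druva's or Microsoft's code): scripted equivalent of the
# relying party trust and claim rules configured through the wizard above.
# Assumes the ADFS 2.0 federation server role and an elevated PowerShell session.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Values from the procedure above.
$displayName = "Druva inSync"
$realm       = "druva-cloud"                              # Relying party trust identifier
$acsUrl      = "https://cloud.druva.com/wrsaml/consume"   # Relying party SAML 2.0 SSO service URL
# Placeholder: paste the token from Manage > Settings > Single Sign On > Generate SSO Token.
$ssoToken    = "<SSO-TOKEN-FROM-INSYNC-CONSOLE>"

# Issuance transform rules in ADFS claim rule language.
# Rule 1 corresponds to the Send LDAP Attributes as Claims template with
#   E-mail Addresses -> Name ID, E-mail Addresses -> E-mail Address, User-Principal-Name -> Name.
# Rule 2 is the custom rule that carries the inSync SSO token.
$transformRules = @"
@RuleName = "Druva inSync LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";mail,mail,userPrincipalName;{0}", param = c.Value);

@RuleName = "Druva inSync SSO token"
 => issue(Type = "insync_auth_token", Value = "$ssoToken");
"@

# "Permit all users to access this relying party" expressed as an issuance authorization rule.
$authorizationRules = @"
@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# SAML 2.0 WebSSO assertion consumer endpoint for the relying party (HTTP-POST binding).
$endpoint = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-ADFSRelyingPartyTrust -Name $displayName -Identifier $realm -SamlEndpoint $endpoint `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authorizationRules

# Read the trust back so the identifier, endpoint and rule text can be checked before a test login.
Get-ADFSRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules, IssuanceAuthorizationRules
```

The SSO token is embedded in the rule text and is returned in every assertion for this relying party, so treat the rule set (and any script that contains the token) as a credential: keep the script out of shared locations and regenerate the token from the inSync console if it is exposed. Reviewing the trust with Get-ADFSRelyingPartyTrust after the change is also the quickest way to confirm that only the intended three attributes plus the token are being released.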

Configure a certificate for ADFS

ADFS requires a certificate to sign the tokens that it sends out. The certificate can be a trusted party certificate or a self-signed certificate. This configuration is optional.

Configure Single Sign-on for inSync Cloud

To configure Single Sign-on for inSync Cloud: 

  1. Log in to the inSync Management Console.
  2. Go to Manage > Settings > Single Sign-on and enter the field values as specified below.

     SAML attribute             Description and value
     ------------------------   ---------------------------------------------------------
     ID Provider Metadata URL   Can be left blank
     ID Provider Login URL      https://{fqdn-name of the ADFS server}/adfs/ls
     ID Provider Logout URL     Can be left blank
     ID Provider Certificate    Obtained from the ADFS server; see the next step for the procedure.
  3. To get the ID provider certificate from the ADFS 2.0 console:
    1. Select Certificates and select the certificate under Token-signing.

      afds15.png
       
    2. On the Certificate properties page, click Details and click Copy to file. This launches the Certificate Export Wizard.

      afds16.png
       
    3. On the Export File Format page, select DER encoded binary X.509 (.CER).

      afds17.png

    4. Enter the file name as Cert.cer and save. The file saved in .cer (DER) format must be converted to .pem format using the OpenSSL tool.
    5. Download and install the latest version of OpenSSL for Windows from http://www.slproweb.com/products/Win32OpenSSL.html.

      Note: The Visual C++ 2008 Redistributables required by OpenSSL are also available from http://www.slproweb.com/products/Win32OpenSSL.html

    6. Save the Cert.cer file under C:\OpenSSL-Win32\bin.
    7. Open the command prompt and run the following command from C:\OpenSSL-Win32\bin:

      openssl x509 -inform der -in Cert.cer -out Cert.pem

    8. Open the Cert.pem file in Notepad. The file contains a certificate in the following format:

      -----BEGIN CERTIFICATE-----
      ....
      -----END CERTIFICATE-----
    9. Copy the certificate content to the Single Sign-on Settings page under ID Provider Certificate.
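The script below is an added example, not Druva's or Microsoft's code, that performs steps 1 to 8 above in one go: it reads the primary token-signing certificate straight from ADFS 2.0 and writes it in the PEM layout the inSync console expects, so OpenSSL is not needed. It assumes it runs on the federation server as an administrator, that the ADFS 2.0 snap-in is available, and uses C:\Temp\cert.pem as an assumed output path; the function name ConvertTo-PemCertificate is this example's own.

```powershell
# Added example (not Druva's or Microsoft's code): export the ADFS 2.0 primary
# token-signing certificate as PEM without OpenSSL. Assumes an elevated session
# on the federation server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Wrap the Base64 DER encoding at 64 columns between the standard PEM markers
# (the same layout "openssl x509 -inform der ... -out cert.pem" produces).
function ConvertTo-PemCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $der = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    return "-----BEGIN CERTIFICATE-----`r`n" + ($lines -join "`r`n") + "`r`n-----END CERTIFICATE-----"
}

# The certificate shown under Token-signing in the console; take the primary one,
# since that is the certificate currently signing assertions sent to inSync.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert = $signing.Certificate

# Print identifying details so the export can be matched against the console.
"Thumbprint : " + $cert.Thumbprint
"Subject    : " + $cert.Subject
"Expires    : " + $cert.NotAfter

$pemPath = "C:\Temp\cert.pem"   # Assumed output location
Set-Content -Path $pemPath -Value (ConvertTo-PemCertificate $cert) -Encoding Ascii

# The same function converts a Cert.cer already exported with the wizard, e.g.:
#   $fromFile = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
#       -ArgumentList "C:\OpenSSL-Win32\bin\Cert.cer"
#   ConvertTo-PemCertificate $fromFile
```

Paste the file's content into ID Provider Certificate exactly as written by the script. Note the Expires value: inSync validates assertions against this certificate only, so when ADFS rolls the token-signing certificate over (its automatic certificate rollover does this before expiry), the new certificate must be exported and entered in the inSync console again or SAML logins will start failing.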

The configuration of Single Sign-on is complete on Druva inSync Cloud using ADFS.