
Druva Documentation

Manage Single sign-on

Phoenix Editions: Business (yes), Enterprise (no), Elite (yes)

Overview

SSO is a mechanism that lets users access multiple applications after a single act of authentication and authorization. With SSO enabled, you can access Phoenix without a separate Phoenix login: your username and password are validated against your corporate user directory, which is managed by your Identity Provider (IdP), and a successful validation logs you in to Phoenix without a Phoenix-generated password.

Why implement SSO

You should implement SSO for your Phoenix setup because of the following reasons:

  • Reduced human errors: SSO removes the need to remember a separate Phoenix password, which greatly reduces the mistakes users make while logging in to Phoenix.
  • Reduced administration effort: With single sign-on, you log in from your corporate network and are rarely prompted for a username or password. With fewer passwords to manage, you receive fewer password reset requests.
  • Central management of the user database: Many organizations maintain a central directory of users. When SSO is enabled for Phoenix, changes to that directory take effect for Phoenix too: if you disable or delete an account in the IdP, the user who held that account can no longer log in to Phoenix with it.
  • Reduced login time: Typically, a user needs 5 to 20 seconds to log in to an online application. SSO removes the manual login step and so increases productivity.
  • Increased security: The password policies enforced across your organization apply to Phoenix when you use SSO. Each SSO attempt is validated with a one-time, IdP-issued authentication assertion rather than a long-lived Phoenix password, which is added protection for users who have access to sensitive data.

How SSO works

Phoenix supports single sign-on by implementing federated authentication with Security Assertion Markup Language (SAML) version 2.0. With federated authentication, Phoenix does not validate passwords itself; it relies on an assertion from your Identity Provider (IdP).
To enable SSO, you first need an IdP that holds the accounts of all Phoenix users. If you already have an IdP, you can configure Phoenix to work with it. The IdP holds the usernames and their credentials (stored as password hashes or in another protected form) and performs the actual password check.

When you connect an IdP for the first time, users or administrators logging on for the first time are redirected to the IdP's login page and enter their corporate (IdP) username and password there. After the IdP validates them, it redirects the browser back to Phoenix, which you can now access without a Phoenix password.

On that and every subsequent login, Phoenix communicates with your IdP using SAML 2.0 messages carried over the HTTP POST binding. For every login attempt, Phoenix sends a SAML authentication request to the IdP Login URL specified under Settings > Single Sign-On. If the IdP authenticates the user, it posts back a SAML response with a Success status and a signed assertion that identifies the user. Phoenix validates the response and the assertion (including the signature, which it checks against the IdP certificate) and grants the user access to Phoenix resources.

If the IdP cannot authenticate the user (for example, the account does not exist or is disabled), it returns a SAML response with a non-success status and no assertion, indicating that the user is not authorized to access Phoenix. Upon receiving this response, Phoenix denies access to the user.

Supported and certified platforms and tools

  • Druva certifies the following platforms to work with Phoenix:
    • Windows Server 2012 R2 (64-bit) is certified to work with ADFS 3.0
    • Windows Server 2008 R2 (64-bit) is certified to work with ADFS 2.0
  • Druva has tested and certified the following tools: 
    • Active Directory Federation Services (ADFS)
    • Okta
  • Phoenix supports all IdP tools that support SAML 2.0.

SSO login workflow

This topic describes the SSO login workflow for administrators.

Note: The workflow clarifies what you can expect when you use SSO for logging in to Phoenix.

Step  Description
1  In a web browser, type https://phoenix.druva.com

First login

Note: If you have already logged in to Phoenix through SSO, skip this section; your Phoenix setup follows the workflow for subsequent logins only.

Step  Description
1  Enter your e-mail address and leave the Password field blank.
2  Using a SAML request, Phoenix redirects you to the authentication page provided by your organization's IdP.
3  Type your SSO username and password on the IdP login page.
4  Your organization's IdP receives and checks your credentials.
5  If your credentials are validated, the IdP responds with a SAML assertion.
6  Phoenix receives the SAML assertion.
7  Phoenix validates the SAML response and allows the login. If Phoenix cannot validate the SAML response, an error message is displayed and the login is denied.

Subsequent logins

Step  Description
1  Enter your e-mail address and leave the Password field blank.
2  Phoenix sends a SAML request to your organization's IdP to validate your identity.
3  Your IdP validates your credentials against the values in its database (if you already have an IdP session, you are not prompted again).
4  If your credentials are valid, the IdP responds with a SAML assertion for your user.
5  Phoenix receives the SAML assertion.
6  Phoenix validates the SAML response and allows the login. If Phoenix cannot validate the SAML response, an error message is displayed and the login is denied.
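The request and response exchange that the two tables above describe, as an added example that is not part of Druva's documentation or of the Phoenix product code. The Python below plays the service-provider (Phoenix) role: it builds the SAML 2.0 AuthnRequest that is posted to the ID Provider Login URL (step 2), then applies to the IdP's Response the checks an SP needs before it can "validate the SAML response and allow a login" (steps 6 and 7): the response answers the request that is outstanding (InResponseTo and Destination), the status is Success, the issuer is the configured IdP, the assertion is unexpired and addressed to this SP (audience and recipient), the Name ID is an e-mail address, and the phoenix_auth_token claim matches the token generated in the console, which is also how the claim rules and the token check in the SSO FAQ at the end of this page fit together. Everything in CONFIG (the SP entity ID standing in for SAML_Identifier, the IdP entity ID and login URL, the token value) is a placeholder, the sample IdP response is constructed for the example and is unsigned, and the XML-Signature check against the ID Provider Certificate is assumed to have been done beforehand by an XML-DSig library, because the Python standard library has none; the checks shown are the ones that come after it.

```python
"""SP side of the SAML 2.0 HTTP-POST login described above (added example, not Druva's
code): build the AuthnRequest sent to the IdP Login URL, then apply the checks an SP must
make on the IdP's Response before allowing the login, including the claim mapping and the
phoenix_auth_token check from the SSO FAQ. Assumed, not from the page: every CONFIG value,
and that the XML-Signature on the Response was already verified against the ID Provider
Certificate by an XML-DSig library (the standard library has none)."""
import base64, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
CONFIG = {  # placeholders: the real SAML_Identifier comes from Druva Support, the token from the console
    "sp_entity_id": "urn:example:phoenix-sp", "acs_url": "https://phoenix.druva.com/wrsaml/consume",
    "idp_entity_id": "http://adfs.example.com/adfs/services/trust",
    "idp_login_url": "https://adfs.example.com/adfs/ls/", "phoenix_auth_token": "example-sso-token-0123456789",
}

def _iso(ts): return ts.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse(ts):  # SAML timestamps are UTC; ADFS emits millisecond fractions, which fromisoformat accepts
    if not ts: raise ValueError("missing timestamp attribute")
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def _text(node, path):
    return el.text.strip() if (el := node.find(path, NS)) is not None and el.text else None

def build_authn_request(request_id=None):
    """Step 2: the AuthnRequest Phoenix posts to the IdP. Keep the ID to match InResponseTo later."""
    request_id = request_id or "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" Version="2.0" '
           f'IssueInstant="{_iso(datetime.now(timezone.utc))}" Destination="{CONFIG["idp_login_url"]}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
           f'AssertionConsumerServiceURL="{CONFIG["acs_url"]}"><saml:Issuer>{CONFIG["sp_entity_id"]}</saml:Issuer>'
           f'<samlp:NameIDPolicy Format="{NAMEID_EMAIL}" AllowCreate="false"/></samlp:AuthnRequest>')
    return {"id": request_id, "xml": xml, "SAMLRequest": base64.b64encode(xml.encode()).decode()}

def validate_response(saml_response_b64, expected_request_id, now=None, skew=timedelta(minutes=3)):
    """Steps 6-7: return the asserted identity, or raise ValueError, meaning the SP must deny the login."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") not in (None, CONFIG["acs_url"]) or root.get("InResponseTo") != expected_request_id:
        raise ValueError("response is not a reply to this SP's outstanding request (replay or injection?)")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not authenticate the user (status is not Success)")
    if _text(root, "saml:Issuer") != CONFIG["idp_entity_id"]:
        raise ValueError("Response issuer is not the configured IdP entity ID")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted: decrypt it with the SP private key before these checks")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1 or _text(assertions[0], "saml:Issuer") != CONFIG["idp_entity_id"]:
        raise ValueError("expected exactly one assertion issued by the configured IdP")
    a = assertions[0]
    cond = a.find("saml:Conditions", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if cond is None or scd is None:
        raise ValueError("assertion lacks Conditions or bearer SubjectConfirmationData")
    if (cond.get("NotBefore") and now < _parse(cond.get("NotBefore")) - skew) or now >= _parse(cond.get("NotOnOrAfter")) + skew:
        raise ValueError("assertion is outside its validity window")
    if (scd.get("Recipient") != CONFIG["acs_url"] or scd.get("InResponseTo") != expected_request_id
            or now >= _parse(scd.get("NotOnOrAfter")) + skew):
        raise ValueError("bearer confirmation is not for this ACS URL and request")
    if CONFIG["sp_entity_id"] not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion audience is a different service provider")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_EMAIL or not name_id.text:
        raise ValueError("NameID missing or not in the emailAddress format the claim rules must emit")
    claims = {t.get("Name"): _text(t, "saml:AttributeValue") for t in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if not hmac.compare_digest((claims.get("phoenix_auth_token") or "").encode(), CONFIG["phoenix_auth_token"].encode()):
        raise ValueError("phoenix_auth_token claim missing or stale (was the SSO token regenerated?)")
    return {"email": name_id.text.strip(), "email_claim": claims.get(CLAIM_EMAIL), "name": claims.get(CLAIM_NAME)}

def constructed_idp_response(request_id, issued=None, *, status=SUCCESS, token=None, audience=None,
                             email="alice@example.com", upn="alice@corp.example.com"):
    """A CONSTRUCTED, unsigned IdP Response for the demo, not one captured from a real IdP.
    Claims follow the page's ADFS mapping: mail -> Name ID and E-Mail Address, UPN -> Name."""
    issued = issued or datetime.now(timezone.utc)
    nb, na = _iso(issued - timedelta(minutes=5)), _iso(issued + timedelta(minutes=5))
    token, audience, c = CONFIG["phoenix_auth_token"] if token is None else token, audience or CONFIG["sp_entity_id"], CONFIG
    xml = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" IssueInstant="{_iso(issued)}"
  Destination="{c['acs_url']}" InResponseTo="{request_id}"><saml:Issuer>{c['idp_entity_id']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_iso(issued)}"><saml:Issuer>{c['idp_entity_id']}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{NAMEID_EMAIL}">{email}</saml:NameID><saml:SubjectConfirmation
      Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="{request_id}"
      Recipient="{c['acs_url']}" NotOnOrAfter="{na}"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
      <saml:Attribute Name="{CLAIM_EMAIL}"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_NAME}"><saml:AttributeValue>{upn}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="phoenix_auth_token"><saml:AttributeValue>{token}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()
```

To use it, call build_authn_request() when the user submits an e-mail address with a blank password, post req["SAMLRequest"] to the IdP in a form field named SAMLRequest and keep req["id"] in the user's session; when the browser posts the SAMLResponse field back to the ACS URL, pass it to validate_response() together with that stored ID. A ValueError is the deny branch of step 7. The InResponseTo and audience checks are what stop a response captured for one request or one service provider from being replayed against another, the constant-time comparison keeps the token check free of timing leaks, and the stale-token failure is exactly what happens when the SSO token is regenerated in the console without updating the IdP.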

Configure Identity Provider and Phoenix for SSO 

This table describes the order in which you should configure your IdP and Phoenix for SSO.

Note: Only cloud administrators can configure SSO.

Task Number  Task  Description
1  Obtain IdP details  Before you enable SSO, you need an Identity Provider (IdP) that holds accounts for your Phoenix administrators. If your organization already uses an IdP, work with your IdP team to obtain details such as the IdP login URL and the IdP (token-signing) certificate.
2  Configure Phoenix for Single sign-on  To enable SSO access, configure Phoenix with the IdP details that you obtained in Task 1, so that Phoenix can send SAML requests to the IdP and verify its responses.
3  Generate SSO token  To let Phoenix confirm that a SAML response was produced by the IdP you configured, generate an SSO token in Phoenix and add it to your IdP configuration. The IdP includes this token in every SAML response it sends to Phoenix (as part of the HTTP POST), and Phoenix compares it with the generated token before it accepts the response.
4  Update IdP details  Register Phoenix as a SAML application (relying party) in your IdP, so that the IdP recognizes the requests Phoenix sends and knows where to post its responses.
5  Encryption and Signature  Upload the encryption and signature certificate to the IdP tool. Note: This is an optional procedure.
6  Enable SSO and Failsafe  As the last step, configure Phoenix to enable SSO and failsafe.

Note: You can disable failsafe at any time. Once you disable failsafe, you receive an email confirming that failsafe is disabled. For more information, see Disable failsafe. Druva strongly recommends that you DO NOT disable failsafe access.

You can disable SSO at any time. Once you disable SSO, you receive an email confirming that SSO is disabled, along with a new password. For more information, see Disable SSO.

Obtain IdP details

To enable SSO in your organization, you need an Identity Provider (IdP) that holds the accounts (usernames and passwords) of the Phoenix administrators who will use SSO. If your organization already uses an IdP, you configure Phoenix to recognize that IdP. The IdP stores the credentials and checks the password for each login attempt; Phoenix itself never sees the password.

Note: Phoenix supports SAML 2.0.

To configure Phoenix for SSO, you must obtain the following information from your IdP.

  • The entity ID of the IdP: The identifier that your IdP places in the Issuer element of the SAML responses it sends to Phoenix, and to which the SAML requests from Phoenix are addressed.
  • The IdP certificate: The token-signing certificate of your IdP. Phoenix uses it to verify the signature on the SAML responses that the IdP sends.

Note: Save the token-signing certificate that your IdP shares with you, as a Base-64 encoded X.509 (.CER) file. You must paste this certificate at the time of configuring Phoenix.

Additionally, you must work with your IdP to decide URLs for the following pages:

  • The start page: The page to which a user is directed upon successful completion of single sign-on.

Note: In SAML 2.0, the start page is the page the user attempted to access before they were authenticated.

  • The IdP login page: The page to which Phoenix sends a SAML request to initiate a login (configured in Phoenix as the ID Provider Login URL).
  • Phoenix login page: The default Phoenix login page.
  • Error page: The page to which a user is directed if an SSO error is encountered. This page must be publicly accessible.

Note: Phoenix does not support Single Sign-on logout.  

Configure Phoenix for SSO

If you are a cloud administrator, you can configure SSO for Phoenix. At the time of configuration, you must provide the IdP details that you obtained from your IdP.

  1. Log on to Phoenix Management Console.
  2. On the menu bar, click Settings.
  3. Click the Single Sign-On tab and under Single Sign-On Configuration, click Edit. The Single Sign-On Configuration window is displayed.
  4. Provide the appropriate information for each field.
    Field  Action
    ID Provider Login URL  Type the URL of your IdP's SAML 2.0 login (single sign-on service) endpoint. Phoenix sends its SAML requests to this URL, and it is the page to which users are redirected to authenticate with the IdP.
    ID Provider Certificate  Paste the token-signing certificate (Base-64 encoded X.509) that your IdP provides. Phoenix uses this certificate to verify the signature on the SAML responses from your IdP, so that a response not signed by your IdP is rejected.
    AuthnRequests Signed  Select this option if you want Phoenix to sign the SAML requests it sends to the IdP.
    Want Assertions Encrypted  Select this option if you want the IdP to encrypt the SAML assertions it sends to Phoenix. The IdP then needs Phoenix's encryption certificate; see Encryption and signature.
  5. Click Save.

Generate SSO token

To let Phoenix confirm that a SAML response was produced by the IdP you configured, you must first generate an SSO token in Phoenix and then add it to your IdP configuration (typically as a claim named phoenix_auth_token; see the SSO FAQ). The IdP includes this token in every SAML response it sends to Phoenix, and Phoenix compares the value it receives with the token it generated before it accepts the response. Generate the token only once: regenerating it invalidates the token you already shared with your IdP.

  1. On the Phoenix Management Console menu bar, click Settings.
  2. Click the Single Sign-On tab and then click Generate SSO Token. The Single Sign-On Authentication Token window appears.
  3. Click Copy. A message appears indicating that the token is copied to clipboard.
  4. Click Ok.
  5. Update your IdP configuration to reflect the SSO token.
    For more information, see Update IdP details.

Update IdP details

To enable SSO for your Phoenix setup, your IdP must hold the accounts of the cloud administrators for whom you want to enable SSO access. For Phoenix and your IdP to communicate, the IdP must recognize the requests that Phoenix sends and know where to post its responses. That is why you must register Phoenix as a SAML application in your IdP, using the Phoenix configuration details below.

Before you begin

Before updating IdP details, ensure that:

  • You have the SAML_Identifier parameter handy. To obtain the value of this parameter, submit a request to Druva Support.
Note: This parameter functions as the entity ID of Phoenix (the service provider); it is the Issuer in the SAML requests that Phoenix sends.
  • You have access to the documentation for the Identity Provider that you are using. This article contains instructions that serve as a guide, not as exact tasks that you must perform.

Procedure:

Note: Unless otherwise noted, use this procedure as a guide. Use the documentation provided by your IdP for exact configuration steps.

  1. Log on to the IdP administrator console with elevated rights.
  2. Create a new SAML application.
  3. Provide the Assertion Consumer Service URL.

Note: The Assertion Consumer Service (ACS) is the SAML endpoint hosted by the service provider, that is, by Phoenix, not by your IdP. After authenticating the user, the IdP posts its SAML response to this URL (by form submission or page redirect). An example URL might look like this: https://phoenix.druva.com/wrsaml/consume

  4. Provide the application URL, for example, https://phoenix.druva.com/admin
  5. Provide the Name ID Format, SSO token, and other details that your IdP mandates.
  6. Save your changes.

Encryption and signature

This section lists the procedure to export the certificate and upload it to ADFS or Okta.

Download the certificate

The following steps export the certificate that https://phoenix.druva.com presents to your browser, in Base-64 encoded X.509 format, so that you can upload it to your IdP.

  1. In a browser, go to "https://phoenix.druva.com".
  2. Click the Lock icon in the address bar and then click the Details button.
  3. Under the Valid Certificate option, click View certificate. The Certificate window is displayed.
  4. On the Certificate window, click Details tab, and then click the Copy to file button. The Certificate Export Wizard is displayed.
  5. Click Next.
  6. Select Base-64 encoded X.509 (.CER) and click Next.
  7. Browse to the location where you want to save the file, enter a file name and click Save.
  8. Click Next.
  9. Validate the information and click Finish.

Upload certificate to Encryption and Signature tabs on ADFS 

  1. On the Start menu, click Administrative Tools > ADFS Management. The ADFS window is displayed.
  2. On the left pane, under Trust Relationships, click Relying Party Trusts. The Relying Party Trusts section appears.
  3. Double-click on the application <<Name>> option. The application <<Name>> window is displayed.
  4. Click the Encryption tab and Browse to select the downloaded certificate.
  5. Click Apply.
  6. Click the Signature tab and Add the downloaded certificate.
  7. Click Apply and close the application <<Name>> window.

Upload encryption certificate on Okta

  1. Log in to the Okta admin console using your configured Okta URL.
  2. Click Applications and select the Phoenix application that you added earlier.
    The application screen is displayed.
  3. Under General tab, scroll to the SAML Settings section and click Edit.

    The Edit SAML integration screen is displayed.
  4. Under the General Setting tab, click Next.
  5. Under the SAML settings tab, click Show Advanced Settings and edit the following fields.
    Field Action
    Assertion Encryption Select Encrypted from the drop-down list.
    Encryption Certificate Browse and upload the downloaded encryption certificate
  6. Click Next.
  7. Under the Help Okta Support understand how you configured this application tab, click Finish.

Managing SSO and Failsafe

Enable SSO and Failsafe

If you are a cloud administrator, you can enable SSO for your own account as well as for other administrator accounts. After you enable SSO, Phoenix disables the Phoenix passwords of all organization and group administrators.

Cloud administrators can also enable failsafe for their accounts. Failsafe is a fallback that lets cloud administrators log in to Phoenix with their Phoenix password even if SSO is not functional, for example when the IdP is unreachable or misconfigured.

What you should know about enabling SSO and failsafe

  • To enable SSO and failsafe, you must be a cloud administrator.
  • SSO is optional; you can enable SSO even if you did not use SSO before. Similarly, you can stop using SSO access at any time.
  • To enable failsafe, you must first enable SSO.
  • Enabling SSO ensures that the password policy for Phoenix is aligned with your organization's policy.
  • Enabling failsafe ensures that cloud administrators can log in to the Phoenix account even if SSO is not functional.
  • You can explicitly disable SSO access using the Phoenix password (provided that you enabled SSO for all administrator accounts). For more information, see Disable SSO.
  • You can disable the failsafe option. For more information, see Disable failsafe.

Note: We strongly recommend that you DO NOT disable failsafe access. 

Procedure:

  1. Log on to Phoenix Management Console.
  2. On the menu bar, click Settings.
  3. Click the Single Sign-On tab and under Single sign-on Settings click Edit. The Edit Single Sign-On Settings window appears.

Note: The Edit option under Single sign-on Settings is enabled only after you have Configured Phoenix for SSO

  4. Select the Enable Single sign-on for Admins and Allow failsafe access to cloud admins (recommended) check boxes.
  5. Click Save.

After enabling SSO and failsafe,

  • The Phoenix password for Organization administrators and Group administrators is disabled.
  • The Phoenix password for all cloud administrators is retained.
  • An email is sent to all administrators informing the change. 

After SSO is enabled and failsafe is disabled:

  • The Change password and Reset password functionality is disabled for all administrators (cloud, organization, and group).

Disable failsafe

If you are a cloud administrator, you can disable failsafe. You must first enable SSO before you disable failsafe.

Note: We strongly recommend that you DO NOT disable failsafe access. 

Caution: Before you disable failsafe, ensure you have configured SSO and at least one cloud administrator has logged in using SSO.

Procedure:

  1. On the Phoenix menu bar, click Settings.
  2. Click the Single Sign-On tab and under Single sign-on Settings click Edit. The Single Sign-On Settings window appears.
  3. Uncheck the Allow failsafe access to cloud admins (recommended)  check box
  4. Click Save.
  5. Click Yes.

After you enable SSO and disable failsafe:

  • The Phoenix passwords for Organization administrators, Group administrators, and Cloud administrators are deleted.
  • An email is sent to all administrators informing them of the change.

Disable SSO 

If you are a cloud administrator, you can disable SSO for all administrator accounts, including your own. After you disable SSO, Phoenix re-enables Phoenix passwords for all administrators.

Procedure:

  1. On the Phoenix menu bar, click Settings.
  2. Click the Single Sign-On tab and under Single sign-on Settings click Edit. The Edit Single Sign-On Settings window appears.

Note: The Edit option under Single sign-on Settings is enabled only after you have Configured Phoenix for SSO

  3. Clear the Enable Single sign-on for Admins check box.
  4. Click Save.

After you save the settings to disable SSO, if failsafe was previously enabled:

  • The password for cloud administrators is retained.
  • An email with a new password is sent to Organization and Group administrators.
  • An email is sent to all administrators informing them of the change.

After you disable SSO, if failsafe was previously disabled:

  • An email with a new password and the other changes is sent to all administrators.

Configuring ADFS and Okta with Phoenix

To configure ADFS and Okta with Phoenix, follow the steps listed in the following topics:

SSO FAQ

  • What parameters are required from Identity Provider (IdP) that should be configured in Phoenix Console?
    Currently, Phoenix supports the following parameters from an IdP:
    • ID Provider Login URL
    • ID Provider Certificate
       
  • What parameters are required from service providers that should be configured with IdP?
    In this case, Phoenix is the service provider and other party is the IdP. The parameters that are required by the IdP are as follows:
    • Claim Rules
    • EndPoint URL
    • phoenix_auth_token
       
  • What are the default claim rules that are required to be configured at IdP?
    LDAP Attribute         Outgoing Claim Type
    E-Mail-Addresses       Name ID
    E-Mail-Addresses       E-Mail Address
    User-Principal-Name    Name
  • Does Phoenix support two factor authentication in case of SSO?
    Yes. Phoenix validates each SSO login in two stages:
    • First, the user is authenticated by the IdP when Phoenix (the service provider) redirects the login request to it.
    • Second, Phoenix checks the "phoenix_auth_token" parameter that the IdP includes in its response against the token generated from the Phoenix Console. To generate the SSO token, see Generate SSO token.

Note: Druva recommends that you generate the SSO token only once. If you generate the SSO token again, the old SSO token (that you shared with your IdP) becomes inactive, and you must share the newly generated SSO token with your IdP.

  • Does Phoenix support metadata file and logout URL?
    No. Currently, Phoenix does not support metadata file provided by an IdP and logout URL. Contact Druva Support for more details.
     

  • Can an administrator other than a Cloud administrator configure SSO for administrators?
    No. Only a Cloud administrator has permission to configure SSO for administrators.
     
  • Which certificate is required from ADFS that needs to be configured with Phoenix?
    Phoenix requires the Token Signing Certificate (the ID Provider Certificate) from ADFS. It must be configured in the Phoenix Console.

    To obtain ID Provider Certificate, 
  1. On the Start menu, click Administrative Tools > ADFS Management. The ADFS  window appears.
  2. Expand to the Service folder.
  3. Click Certificates. The Certificates view appears in the right pane.
  4. Under the Token-signing area, right-click the certificate. A list with additional options appears.
  5. In the list, click View Certificate. The Certificate window appears.
  6. Click the Details tab and then click Copy to file. The Certificate Export Wizard appears.
  7. On the Certificate Export Wizard, click Next. The Export File Format page appears.
  8. Select Base-64 encoded X.509 (.CER), and then click Next.
  9. On the File to Export page, browse to the location where you want to save the exported certificate.
  10. Click Next.
  11. View the information and click Finish. The ID Provider Certificate is exported.