Overview
This article describes the steps to configure SSO for Druva Cloud Platform using Azure AD as the identity provider (IdP).
Configuration steps:
❗ Important
Only a Druva Cloud administrator can set up Single Sign-on.
Configure Single Sign-on based on the applicable scenarios:
New inSync customers (on-boarded after July 14, 2018) must configure Single Sign-on using the Druva Cloud Platform Console. For more information, see Set up Single sign-on.
Existing inSync customers who have not configured Single Sign-on until July 14th, 2018, must configure Single Sign-on using the Druva Cloud Platform Console. For more information, see Set up Single sign-on.
Configure the Druva app on Azure portal
To configure the app:
Log in to the Azure portal (URL: portal.azure.com) with the Azure Administrator account credentials.
Navigate to All Services and search for “Enterprise Applications”.
Click on Enterprise Applications > All applications.
On the Enterprise applications page, click New application.
Search for the application Druva in the search bar.
Select the Druva application from the search results, rename the application if required, and then click Create.
📝 Note
The name of the application can be modified as required. For example, Druva or Druva Cloud Platform.
The new enterprise application is created.
After adding the application, navigate to Enterprise Applications and select the “Druva Demo SSO App” from the list.
Go to Manage > Properties. To identify the application distinctly, upload an image here and click Save when done.
Configure Azure AD Single Sign-On
To configure Azure AD SSO:
1. On the Druva application integration page of the Azure portal, click Single sign-on.
2. On the Single sign-on window, select SAML based Sign-on as the Single Sign-on method to enable single sign-on.
3. Under the Basic SAML Configuration section, you can see two parameters: the auto-filled Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL).
4. Click Edit and make sure that you have selected the following parameters as default and save the changes.
Identifier (Entity ID):
For Public Cloud: DCP-login
For Dell Apex: DCP-login
For Gov Cloud: DCP-loginfederal
For Gov Cloud (FIPS): DCP-govlogin
Reply URL (Assertion Consumer Service URL):
For Public Cloud:
https://login.druva.com/api/commonlogin/samlconsume
For Dell Apex:
https://dell-login.druva.com/api/commonlogin/samlconsume
For Gov Cloud:
https://loginfederal.druva.com/api/commonlogin/samlconsume
For Gov Cloud (FIPS):
https://govlogin.druva.com/api/commonlogin/samlconsume
5. Click Save.
6. Under User Attributes & Claims, click Edit.
7. You can choose to delete all the attributes added by default as Druva Cloud Platform does not use these attributes for authentication.
📝 Note
You cannot delete the claim named http://schemas.xmlsoap.org/ws/2005/0...nameidentifier, as this is the mandatory claim for the name identifier.
8. Do the following steps to generate the SSO token:
a. Log in to the Druva admin console as a Druva Cloud administrator.
b. Click the hamburger menu on the top left and click Druva Cloud Settings.
c. In the Single Sign-On section, click Generate SSO Token. The Single Sign-On Token window appears.
📝 Note
Copy this token to a notepad; it is needed in a later step.
9. On the Azure Portal, on the SSO application page, click Add New Claim and enter the attributes described below. Preserve the order and case of the attribute name when you enter the names.
a. emailAddress: user.mail
b. druva_auth_token: SSO Token generated from DCP Admin Console, without quotation marks. For example: X-XXXXX-XXXX-S-A-M-P-L-E+TXOXKXEXNX=
Azure automatically adds quotation marks around the auth token.
Click Save. The User Attributes & Claims page appears.
10. On the SAML Signing Certificate section, click Certificate (Base64) and save the certificate file (Druva.cer) locally.
11. Under the Set up Druva section, copy the Login URL to a notepad/textEditor/Wordpad for future use.
Sample of ‘Login URL’: https://login.microsoftonline.com/xx...xxxxxxxx/saml2
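The Azure-side settings above can be checked against a decoded SAML response from a test sign-in. The following is an added example, not Druva or Microsoft code: it assumes the response is already base64-decoded, that Azure AD emits the two claims with the bare names shown above as the Attribute Name, and it does not verify the signature. The `sample_response` helper and its inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Identifier (Entity ID) and Reply URL pairs, copied from the values listed in this article.
ENVIRONMENTS = {
    "Public Cloud": ("DCP-login", "https://login.druva.com/api/commonlogin/samlconsume"),
    "Dell Apex": ("DCP-login", "https://dell-login.druva.com/api/commonlogin/samlconsume"),
    "Gov Cloud": ("DCP-loginfederal", "https://loginfederal.druva.com/api/commonlogin/samlconsume"),
    "Gov Cloud (FIPS)": ("DCP-govlogin", "https://govlogin.druva.com/api/commonlogin/samlconsume"),
}
REQUIRED_CLAIMS = ["emailAddress", "druva_auth_token"]  # order and case matter

def check_saml_response(xml_text, environment):
    """Return a list of configuration problems found in a decoded SAML response."""
    entity_id, reply_url = ENVIRONMENTS[environment]
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != reply_url:
        problems.append("Destination does not match the Reply URL for " + environment)
    if entity_id not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        problems.append("Audience does not match the Identifier for " + environment)
    attrs = [(a.get("Name") or "", a.findtext("saml:AttributeValue", "", NS) or "")
             for a in root.findall(".//saml:Attribute", NS)]
    names = [name for name, _ in attrs]
    for claim in REQUIRED_CLAIMS:
        if claim not in names:
            near = [n for n in names if n.lower() == claim.lower()]
            problems.append(f"claim {claim} has wrong case: {near[0]}" if near
                            else f"claim {claim} is missing")
    present = [n for n in names if n in REQUIRED_CLAIMS]
    if set(present) == set(REQUIRED_CLAIMS) and present != REQUIRED_CLAIMS:
        problems.append("claims are not in the documented order")
    # Report on the token's shape only; never log the secret value itself.
    token = dict(attrs).get("druva_auth_token", "")
    if token.startswith(('"', "'")) or token.endswith(('"', "'")):
        problems.append("druva_auth_token value contains quotation marks")
    return problems

def sample_response(destination, audience, claims):
    """Build a constructed, unsigned SAML response for demonstration only."""
    attributes = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in claims)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'Destination="{destination}"><saml:Assertion><saml:Conditions>'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>'
            f'{attributes}</saml:AttributeStatement></saml:Assertion></samlp:Response>')
```

An empty list from `check_saml_response` means the Identifier, Reply URL and both claims match the values documented for the chosen environment.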
Configure DCP to use Azure AD login
❗ Important
Only a Druva Cloud administrator can set up Single Sign-on.
To configure SSO on Druva:
Log in to the Druva admin console as a Druva Cloud administrator.
Click the hamburger menu on the top left and click Druva Cloud Settings.
On the Single Sign-On section, click Edit.
Copy the Login URL obtained from Step 7 (https://login.microsoftonline.com/xx...xxxxxxxx/saml2) to the ID Provider Login URL field.
Open the Certificate (Base64) downloaded earlier (Druva.cer) in notepad (obtained from Step 6) and copy the entire content into the ID Provider Certificate field.
Click Save.
Assign Users/Groups in Azure AD to use DCP app
On the Azure portal, navigate to Enterprise applications > All applications, select the Druva application created during initial configuration from the applications list.
Click Users and groups > Add user / group.
Select Users and groups on the Add Assignment window.
On the Users and groups window, select the Users or Group that you want to assign the Druva App in the Users list.
Ensure that the User or Admin account selected has a corresponding account created in the Druva Cloud Platform.
Click Select on Users and groups window.
Click Assign on the Add Assignment window.
Enable SSO for administrators
Log in to the Druva admin console as a Druva Cloud administrator.
Click the hamburger menu on the top left and click Druva Cloud Settings.
On the Single Sign-On section, click Edit.
Select Administrators log into Druva Cloud through SSO provider.
Druva recommends enabling Failsafe for Administrators so that they can still access the DCP console if the IdP fails. It also enables the administrators to use both SSO and DCP password to access the DCP console.
Click Save. This enables access to the Druva Cloud Platform using SSO.
Enable SSO for users
This section applies to inSync users. If you intend to use SSO for Druva Phoenix, please skip this section.
To enable SSO for users, enable SSO for an existing user profile. Alternatively, create a new profile and enable SSO for this profile. Subsequently, assign the users to this profile to enable access using SSO.
Step 1 - Create a new profile or update an existing profile:
To create a new profile and enable SSO, see Create a profile.
To enable SSO in an existing profile, see Update a profile.
Step 2 - Assign users to the profile:
To assign users to the profile with SSO enabled, follow the steps described in Update the profile assigned to users.