This article applies to:
OS: Windows Server 2012 R2
Product edition: Druva Cloud Platform (DCP)
Overview
This article describes how to configure Single Sign-On (SSO) for inSync users using ADFS as the identity provider (IdP).
Configure ADFS to integrate with DCP
Install ADFS 3.0 and perform the following actions:
Create a trust between inSync Cloud and ADFS by configuring inSync Cloud as a relying party in ADFS.
Configure inSync Cloud to trust ADFS 3.0. The trust allows ADFS 3.0 to send claims to inSync Cloud.
Set up a web application and site to consume these claims.
Create a relying party
After you have set up the Federation Server, the next step is to create a relying party.
To create a relying party:
On the Start menu, click Administrative Tools > ADFS 3.0 Management. The ADFS 3.0 window appears.
Expand the Trust Relationships node.
In the right pane, click Add Relying Party Trust. The Add Relying Party Trust Wizard appears.
Click Start. The Select Data Source page appears.
Click Enter data about the relying party manually, and then click Next. The Specify Display Name page appears.
Refer to the field description below, enter the appropriate information for each field, and then click Next.
The Choose Profile page appears.
Select AD FS profile and click Next. The Configure Certificate page appears.
Optionally, to encrypt the SAML token, browse to and select the certificate, and then click Next. Note that ADFS sends the token to Druva inSync over a secure SSL connection, which encrypts the token in transit.
On the Configure URL page:
In the Relying party trust identifier box, enter DCP-login. The web application passes this realm to the ADFS when users log into the web restore URL.
Click Next. The Configure Multi-factor Authentication Now page appears.
Select I do not want to configure MFA settings for this relying party trust at this time and click Next. The Choose Issuance Authorization Rules page appears.
Select Permit all users to access this relying party and then click Next. The Ready to Add Trust page appears.
Review and if required, update the settings that you have configured, and then click Next. The Finish page appears.
Ensure that the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box is selected (it is selected by default).
Click Close.
Create a new claim
To create a new claim:
On the Edit Claim Rules window, under the Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.
In the Claim rule template list, select Send LDAP Attributes as Claims, and then click Next. The Edit Rule – LDAP EMAIL window appears.
Enter the appropriate information for each field based on the description below:
Claim rule name: Enter the name of the claim rule.
Attribute store: Select Active Directory from the list.
Under Mapping of LDAP attributes to outgoing claim types, map each LDAP attribute to its outgoing claim type as follows:
LDAP Attribute -> Outgoing Claim Type
E-Mail-Addresses -> Name ID
E-Mail-Addresses -> E-Mail Address
User-Principal-Name -> Name
Click Finish.
Create a custom rule
To create a custom rule:
On the Edit Claim Rules window, under the Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.
In the Claim rule template list, select Send Claims Using a Custom Rule, and then click Next. The Edit Rule – LDAP EMAIL window appears.
Enter the appropriate information as specified below:
Claim rule name: Enter a name for the custom rule.
Custom rule: => issue(Type = "druva_auth_token", Value = "value of the SSO Token generated from the inSync Console");
Click OK.
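The relying party trust and the two claim rules described above can also be created with the ADFS PowerShell module on the federation server. This is an added example and not part of the original article or Druva's own documentation; the display name, the assertion consumer (ACS) URL and the SSO token are placeholders that you replace with the values shown in the inSync Management Console.

```powershell
# Added example: scripted equivalent of the Add Relying Party Trust wizard and claim rules above.
# Run in an elevated PowerShell session on the ADFS 3.0 server.
Import-Module ADFS

$identifier    = 'DCP-login'                        # relying party trust identifier from the article
$acsUrl        = 'https://<inSync-ACS-URL>/'        # PLACEHOLDER: assertion consumer URL from the inSync console
$druvaSsoToken = '<SSO token from inSync Console>'  # PLACEHOLDER: treat this value as a secret

# Rule 1: "Send LDAP Attributes as Claims" with the mapping used in the article:
#   E-Mail-Addresses    -> Name ID
#   E-Mail-Addresses    -> E-Mail Address
#   User-Principal-Name -> Name
# Rule 2: the custom rule that adds the druva_auth_token claim.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP EMAIL"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,mail,userPrincipalName;{0}", param = c.Value);

@RuleName = "Druva auth token"
 => issue(Type = "druva_auth_token", Value = "$druvaSsoToken");
"@

# Issuance authorization rule equivalent to "Permit all users to access this relying party".
$authzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name 'Druva inSync Cloud' `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify what ADFS stored. The SSO token is readable here in clear text,
# so limit who can read the ADFS configuration and this session's transcript.
Get-AdfsRelyingPartyTrust -Identifier $identifier |
    Select-Object Name, Identifier, IssuanceTransformRules | Format-List
```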
Configure Single Sign-On
❗ Important
Only a Druva Cloud administrator can set up Single Sign-on.
Configure Single Sign-on based on the applicable scenarios:
New Druva customers, that is, Phoenix customers onboarded after 02 July 2018 and inSync customers onboarded after 14 July 2018, must follow the instructions given in this article.
Existing Phoenix and inSync customers who have already configured Single Sign-on must continue to use the existing Single Sign-on settings of Phoenix or of inSync, as applicable.
Before you begin
Before you configure the single sign-on settings with inSync Cloud, ensure that you have an ID provider certificate. If you do not have an ID provider certificate, follow these steps:
On the Start menu, click Administrative Tools > ADFS 3.0 Management. The ADFS 3.0 Management window appears.
Expand the Service folder.
Click Certificates. The Certificates view appears in the right pane.
Under the Token-signing area, right-click the certificate. A list with additional options appears.
From the list, click View Certificate. The Certificate window appears.
Click the Details tab and then click Copy to file. The Certificate Export Wizard appears.
On the Certificate Export Wizard, click Next. The Export File Format page appears.
Select DER encoded binary X.509 (.CER), and then click Next.
On the File to Export page, type the file name as Cert.cer, and then click Next.
Click Finish.
Open the cert.cer file in Notepad. The certificate appears in the following format:
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
Copy the content of the cert.cer certificate and provide it when you configure the single sign-on using the inSync Management Console.
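As an added example that is not part of the original article, the same token-signing certificate can be exported from PowerShell on the ADFS server directly in the BEGIN/END CERTIFICATE form shown above, which is the form you paste into the console. It also records the certificate's expiry and the ADFS auto-rollover setting, because once ADFS rolls over to a new token-signing key the certificate stored in inSync no longer validates the assertions.

```powershell
# Added example: export the primary ADFS token-signing certificate as PEM
# (the "-----BEGIN CERTIFICATE-----" form) for the inSync single sign-on settings.
Import-Module ADFS

$signing = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
if (-not $signing) { throw 'No primary token-signing certificate found.' }

# X509ContentType::Cert exports the public certificate only (DER); no private key leaves the server.
$der = $signing.Certificate.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der,
    [System.Base64FormattingOptions]::InsertLineBreaks)

$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path '.\cert.cer' -Value $pem -Encoding Ascii

# Record what was exported so the certificate can be matched in the console
# and its renewal in inSync can be planned before ADFS rolls the key over.
$props = Get-AdfsProperties
[pscustomobject]@{
    Thumbprint              = $signing.Thumbprint
    NotAfter                = $signing.Certificate.NotAfter
    AutoCertificateRollover = $props.AutoCertificateRollover
    File                    = (Resolve-Path '.\cert.cer').Path
} | Format-List
```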
Configure the single sign-on settings
To configure the single sign-on settings:
On the inSync Management Console menu bar, click the gear icon > Settings.
Click the Single Sign-on tab and then click Edit.
Enter the appropriate information based on the descriptions below. The SAML settings and their descriptions are:
ID Provider Login URL: https://{fqdn-name of the ADFS server}/adfs/ls (for example, https://sts.druva.ga/adfs/ls)
ID Provider Certificate: Provide the content of the exported ID provider certificate (cert.cer).
AuthnRequests Signed: SAML Authentication Requests are not signed by default. Select this checkbox to get signed SAML Authentication Requests.
Want Assertions Encrypted: Encryption is disabled by default. Select the checkbox to enable encryption for SAML assertions.
Click Save.
Enable SAML in Druva inSync Cloud
Enable Single Sign-On for the desired users from the inSync Management Console. SSO is enabled at the profile level, so you must assign the users a profile whose authentication method is SSO rather than inSync Password or Active Directory.