This article applies to:
OS: Windows Server 2016
Product edition: Druva Cloud Platform (DCP)
❗ Important
Only a Druva Cloud administrator can set up Single Sign-on.
Configure Single Sign-on based on the applicable scenarios:
New Druva customers that is; Phoenix customers on-boarded after July 02, 2018, and inSync customers on-boarded after July 14, 2018, must refer to the instructions given in this article.
Existing Phoenix and inSync customers who already have configured Single Sign-on, must continue to use the existing Single Sign-on settings of Phoenix and the Single Sign-on settings of inSync as applicable.
Overview
This article provides the steps to install and configure Active Directory Federation Services (ADFS) on Windows Server 2016 with Druva Cloud Platform (DCP).
Before configuring ADFS
Register your Windows Server 2016 server as a member of the existing domain.
Log in to ADFS server as a domain administrator.
Obtain a valid certificate of the ADFS server.
Install and configure ADFS on Windows Server 2016 with DCP
Installation and configuration steps:
Install the ADFS role
To install the ADFS role:
Open Server Manager>Manage>Add roles and features. The Add Roles and Features wizard is launched.
On the Before you begin page, click Next.
On the Select installation type page, select Role-based or Feature-based installation, and then click Next.
On the Select destination server page, click Select a server from the serverpool and click Next.
On the Select server roles page, select Active Directory Federation Services and click Next.
On the confirmation page, click Install. The wizard displays the installation progress.
Verify the installed component and click Close.
Configure the federation server
To configure the federation server:
On the Server Manager Dashboard, click the Notifications flag and then click Configure the federation service on the server. The Active Directory Federation Service Configuration Wizard is launched.
On the Welcome page, select Create the first federation server in a federation serverfarm and click Next.
On the Connect to Active Directory Domain Services page, specify an account with domain administrator rights for the Active Directory domain that this system is connected to and then click Next.
On the Specify Service Properties page, enter the following details before clicking Next:
Browse to the location of the SSL certificate and import it.
Enter a Federation Service Name. This is the same value provided when you enrolled an SSL certificate in Active Directory Certificate Services (AD CS).
Enter a Federation Service Display Name.
On the Specify Service Account page, select Use an existing domain user account and click Next.
On the Specify Configuration Database page, select Create a database on this server using Windows InternalDatabase and click Next.
On the Pre-requisite Checks page, verify that all prerequisite checks were successfully completed and click Configure.
Review the results and check whether the configuration has completed successfully on the Results page.
Configure ADFS to integrate with DCP
After installing the ADFS role on Windows Server 2016, configure ADFS to integrate with DCP as follows:
Create a relying party
To create a relying party:
On the Start menu, click Administrative Tools > AD FS Management. The ADFS Management console is launched.
Click Relying Party Trusts. The wizard to add a relying party is launched.
On the Add Relying Party Trusts Wizard, select Claims Aware and then click Start.
Under Select Data Source, select Enter data about the relying party manually.
In Specify Display Name field, enter Druva Cloud Platform.
In the Configure URL section, select Enable Support for SAML 2.0 WebSSO Protocol and enter Relying party service URL as
https://login.druva.com/api/commonlogin/samlconsume
On the Configure Identifiers page, enter Relying Party Trust Identifier as DCP-login.
Under Choose Access Control Policy, select Permit everyone and click Next. This allows all users to access the relying party, these policies can later be modified as required.
On the Finish page, select Configure claims issuance policy for this application and click Close. The Claim Issuance policy page is launched.
💡 Tip
If the Claim Issuance Policy page does not open, open AD FS Management Snap and right-click Relying party trust > select Edit Claim Issuance Policy.
Create a new claim
Right-click Druva Cloud under Relying Party Trusts list and select Edit Claim Issuance Policy from the menu.
On the Issuance Transform Rules tab, click Add Rule.
Under Select Rule Template, set Send LDAP attributes as Claims as the rule template and click Next.
In the Edit Rule section, set the claim rule name as Active Directory.
Enter the appropriate values in each field based on the descriptions provided below.
Claim rule name:Enter a name for the claim rule.
Attribute store:Select Active Directory from the list.
MAPPING OF LDAP ATTRIBUTES TO OUTGOING CLAIM TYPES
LDAP Attribute:Enter the outgoing claim type.
E-mail Addresses:Enter the Name ID.
E-mail Addresses:Enter the e-mail address.
User-Principal-Name:Enter the user name.
Click OK.
Create a custom rule
On the Edit Claim Issuance Policy window, under Issuance Transform Rules tab, click Add Rule. The Select Rule Template page is displayed.
From the Claim rule template list, select Send Claims Using a Custom Rule and click Next. The Edit Rule – LDAP EMAIL window is displayed.
Enter appropriate values based on the actions suggested below for each field.
Claim rule name:Enter the name of the customer rule.
Custom rule:=> issue(Type = "druva_auth_token", Value = "value of SSO Token generated from Druva Cloud Platform");
Click Finish.
Get the IdP certificate
IdP certificate is required before configuring the Single Sign-On with DCP. To get the IdP certificate:
On the Start menu, click Administrative Tools > AD FS Management.
Expand to the Service folder and click Certificates.
Double-click on the Token-signing certificate.
Click Details and click Copy to File.
On the Certificate Export Wizard, select Base-64 encoded X.509 (.CER) and click Next.
On the File to Export page, enter the file name as idpcert.cer, and then click Next.
Copy the contents of the idpcert.cer certificate and provide it while configuring the single sign-on settings on the DCP Console.
Configure the Single Sign-On settings
To configure the single sign-on settings login to Druva admin console.
On the Druva Cloud Platform console, go to Settings.
Open the Single Sign-On tab and click Edit.
Enter appropriate attribute values based on the descriptions provided below for each field.
ID Provider Login URL:https://{fqdn-name of the ADFS server}/adfs/ls (for e.g.
https://sts.druva.ga/adfs/ls
)ID Provider Certificate:Provide the content of the idpcert.cer certificate.
AuthnRequests Signed:Select this check box to get signed SAML Authentication Requests. By default, SAML Authentication Requests are not signed.
Want Assertions Encrypted:Select this check box to enable encryption for the SAML assertions. By default, encryption is disabled.
Click Save.
After this configuration, SSO can be enabled for administrators (inSync and Phoenix) and users.
Enable SSO for Administrators
On the Druva Cloud Platform console, got to Settings.
On the Single Sign-On settings, click Edit. The Single Sign-On Settings page is displayed.
Select Enable single sign-on for administrators.
Ensure Failsafe for administrators is selected by default.
Failsafe for Administrators enables the administrator to use both SSO and DCP password to access the DCP Console. Hence, Druva recommends enabling Failsafe for administrators as they can access the respective management console in case of any failures in IdP (ADFS).
Click Save.
See also
To enable SSO for users (inSync), refer Enable SSO for users.