Important
Only a Druva Cloud administrator can set up Single Sign-on.
Configure Single Sign-on based on the applicable scenarios:
New Phoenix customers on-boarded after July 2, 2018, must refer to the instructions given in the article: Set up Single sign-on.
Existing Phoenix customers who have already configured Single Sign-on must continue to use the existing settings as described in this article.
Overview
You must install the Active Directory Federation Services (ADFS) 3.0 software on a computer that you are preparing for the federation server role or the federation server proxy role. For more information on how you can install the ADFS software and its prerequisites, see the Microsoft documentation.
Configure ADFS to integrate with Phoenix
After you have installed ADFS 3.0, perform the following actions:
Create a new federation service
Note
Skip this step if you already have an ADFS 3.0 Federation Server configured on the computer.
To create a new federation service
On the Start menu, click Administrative Tools > ADFS Management. The ADFS Management window appears.
On the right pane, under Actions, click the ADFS Federation Server Configuration Wizard link. The ADFS Federation Server Configuration Wizard appears.
On the Welcome page of the wizard, click Create a new Federation Service, and then click Next. The Select Stand-Alone or Farm Deployment page appears.
Click Stand-alone Federation Server, and then click Next. The Specify the Federation Service Name page appears.
In the SSL certificate box, browse and select the ADFS server certificate, and then click Next.
View summary, click Finish.
Create a relying party
After you have set up the Federation Server, the next step is to create a relying party.
To create a relying party
On the Start menu, click Administrative Tools > ADFS Management. The ADFS window appears.
Expand the Trust Relationships node.
Right-click on the Relying Party Trusts folder. A list with additional options appears.
Click Add Relying Party Trust.... The Add Relying Party Trust Wizard appears.
Click Start. The Select Data Source page appears.
Click Enter data about the relying party manually, and then click Next. The Specify Display Name page appears.
Provide the appropriate information for each field.
Display Name:
Type a display name for the relying party.
For example, Druva_Phoenix.
Notes: Type a description for the relying party.
Click Next. The Choose Profile page appears.
Click ADFS profile and then click Next. The Configure Certificate page appears.
If you want to encrypt the SAML token, browse and select the certificate, and then click Next. The Configure URL page appears.
Provide the appropriate information for each field.
Enable support for the SAML 2.0 WebSSO protocol:
Select this check box.
Relying party SAML 2.0 SSO service URL: Type https://login.druva.com/api/commonlogin/samlconsume
Click Next. The Configure Identifiers page appears.
In the Relying party trust identifier box, type druva-phoenix.
The web application passes this realm to the ADFS when users log into the web restore URL. Click Next. The Choose Issuance Authorization Rules page appears.
Click Permit all users to access this relying party and then click Next. The Ready to Add Trust page appears.
Review and if required update the settings that you have configured, and then click Next. The Finish page appears.
Ensure that the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checkbox is by default selected.
Click Close.
(Optional step) You can upload the encryption certificate. For the detailed procedure, see Encryption and Signature.
Create a new rule
After you create a relying party trust, you can create the claim rule that allows you to authenticate at ADFS by using the Active Directory. By default, the Edit Claim Rules window appears after you create a relying party trust.
Before you begin
Before you create a new claim rule, ensure that you generate an SSO token from the Phoenix Console. For more information on how you can create an SSO token, see Generate SSO token.
Create a new claim
To create a new claim
On the Edit Claim Rules window, under the Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.
In the Claim rule template list, select Send LDAP Attributes as Claims, and then click Next. The Edit Rule - LDAP EMAIL window appears.
Provide the appropriate information for each field.
Claim rule name: Type a name for the claim rule.
Attribute store: In the list, select Active Directory.
Mapping of LDAP attributes to outgoing claim types:

| LDAP Attribute | Outgoing Claim Type |
|---|---|
| E-mail Addresses | Name ID |
| E-mail Addresses | E-mail Address |
| User-Principal-Name | Name |
Click Finish.
Create a custom rule
To create a new custom rule
On the Edit Claim Rules window, under the Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.
In the Claim rule template list, select Send LDAP Attributes as Claims Rule, and then click Next. The Edit Rule - LDAP EMAIL window appears.
Provide the appropriate information for each field.
Claim rule name: Type a name for the custom rule.
Custom rule: Type
=> issue(Type = "phoenix_auth_token", Value = "value of SSO Token generated from Phoenix Console");
Click OK.
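The relying party trust and the two claim rules described above can also be created from the ADFS PowerShell module on the federation server. This is an added example, not Druva's own script; the SSO token value is a placeholder to be replaced with the token generated from the Phoenix Console, and the claim rule language below is the standard form ADFS itself emits for the Send LDAP Attributes as Claims template.

```powershell
# Added example: same relying party trust and claim rules as the wizard steps,
# via the ADFS cmdlets. Run in an elevated PowerShell on the federation server.
Import-Module ADFS

$ssoToken = '<SSO token generated from Phoenix Console>'   # placeholder, paste real token

# Assertion consumer endpoint from the article (SAML 2.0 HTTP-POST binding)
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri 'https://login.druva.com/api/commonlogin/samlconsume' -Index 0

# Rule 1: Send LDAP Attributes as Claims, mapping
#   E-mail Addresses -> Name ID, E-mail Addresses -> E-mail Address,
#   User-Principal-Name -> Name
# Rule 2: custom rule issuing the static phoenix_auth_token claim
$transformRules = @"
@RuleName = "Druva LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";mail,mail,userPrincipalName;{0}", param = c.Value);

@RuleName = "Druva Phoenix SSO token"
 => issue(Type = "phoenix_auth_token", Value = "$ssoToken");
"@

# "Permit all users to access this relying party"
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name 'Druva_Phoenix' `
    -Identifier 'druva-phoenix' `
    -Notes 'Druva Phoenix single sign-on' `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Confirm the identifier, endpoint and rules ADFS now holds for the trust
Get-AdfsRelyingPartyTrust -Name 'Druva_Phoenix' |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```

The token is issued as a claim in every assertion for this trust, so the rule text (and any exported trust configuration) should be handled like the token itself.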
Configure certificate for ADFS
You can configure a trusted party certificate or use the self-signed certificate. ADFS uses this certificate to sign the tokens it sends out.
Before you begin
Before you configure the single sign-on settings with Phoenix, ensure that you have an ID provider certificate. If you do not have an ID provider certificate, follow these steps:
On the Start menu, click Administrative Tools > ADFS Management. The ADFS window appears.
Expand to the Service folder.
Click Certificates. The Certificates view appears in the right pane.
Under the Token-signing area, right-click the certificate. A list with additional options appears.
In the list, click View Certificate. The Certificate window appears.
Click the Details tab and then click Copy to file. The Certificate Export Wizard appears.
On the Certificate Export Wizard, click Next. The Export File Format page appears.
Select Base-64 encoded X.509 (.CER), and then click Next.
On the File to Export page, browse to the location where you want to save the downloaded certificate.
Click Next.
View the information and click Finish.
Open the certificate file in Notepad. The certificate opens in the following format:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Copy the content of the certificate and provide it when you configure the single sign-on settings by using the Phoenix Console.
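The same Base-64 encoded X.509 export can be produced without the Certificate Export Wizard. This is an added example, not Druva's own procedure; the output path is an assumption, and it selects the primary token-signing certificate, which is the one ADFS currently uses to sign assertions.

```powershell
# Added example: export the ADFS token-signing certificate as Base-64 X.509
# (the format the Phoenix Console expects), equivalent to the wizard steps.
Import-Module ADFS

$outFile = "$env:USERPROFILE\Desktop\adfs-token-signing.cer"   # assumed location

# Primary token-signing certificate = the one ADFS signs tokens with right now
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary } | Select-Object -First 1
$cert = $signing.Certificate   # X509Certificate2

# Public certificate only (no private key), DER-encoded, then Base-64 with line breaks
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks)

$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Thumbprint and expiry let you check the pasted value against what ADFS reports,
# and tell you when the value in the Phoenix Console will need to be rotated
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"
Get-Content $outFile
```

If ADFS has AutoCertificateRollover enabled, a new token-signing certificate will eventually become primary and the certificate stored in the Phoenix Console must be updated to match.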
Configure the single sign-on settings
To configure the single sign-on settings
Log on to Druva Management Console.
On the menu bar, click Druva Cloud Settings.
Click the Single Sign-On tab and under Single Sign-On Configuration, click Edit. The Single Sign-On Configuration window is displayed.
Provide the appropriate information for each field.
| SAML Attribute | Description and value |
|---|---|
| ID Provider Login URL | Type https://{fqdn-name of the ADFS server}/adfs/ls |
| ID Provider Certificate | Provide the content of the certificate. For more information, see Configure certificate for ADFS. |
| AuthRequests Signed | Select this option if you want the authentication request signed. For more information, see Encryption and Signature. |
| Want Assertion Encrypted | Select this option if you want the assertion encrypted. For more information, see Encryption and Signature. |
Click Save.