Overview
The Druva 2.0 app in Okta Applications is configured specifically for Druva Public Cloud customers. It does not work for Druva GovCloud customers.
This article provides information to create a custom application.
Procedure for SCIM setup
Log in to your OKTA Admin Console. Click Applications > Add Application > Create New App. The Create a New Application Integration wizard appears.
On the Create a New Application Integration wizard, select the fields defined as follows:
Field | Attribute |
Platform | Web |
Sign on method | SAML 2.0 |
Enter the following fields for the SAML Settings:
SAML Attribute | Customers who joined Druva prior to 14th July 2018. | Customers who joined Druva post 14th July 2018. |
Single Sign-On URL |
|
|
Audience URI (SP Entity ID) | druva-govcloud | DCP-loginfederal |
Field | Attribute |
Name ID format | This can be left unknown, or you can select EmailAddress |
Application username | Okta username |
📝 Note
If you have a custom Entity ID, you can find it in the Single Sign-On settings from the Druva Cloud Platform Console.
To identify the Entity ID, log on to Druva Cloud Platform Console.
Log in to the Druva Cloud Platform Console and click the Druva logo to access the Global Navigation Panel > Druva Cloud Settings > Access Settings. The Access Settings window appears.
To generate the Single Sign-On token, click on the more options button and select Generate SSO Token.
Select Copy to copy the SSO token. If required, make a note of the token.
Navigate to the OKTA Application and under the Attribute Statements (Optional) section, enter the following attributes as applicable:
Criteria | Name |
Customers who joined Druva before 14th July 2018. | insync_auth_token |
Customers who joined Druva after 14th July 2018. | druva_auth_token |
In the Value field, enter the SSO token that you copied in Step 2.
Click Next to complete the OKTA Application configuration.
Select the OKTA Application and select the General tab > Edit.
Select SCIM as the Provisioning method.
Navigate to the inSync Management Console by clicking the Druva logo to access the Global Navigation Panel > inSync.
Click Manage. Under the Deployments section select Users. The User Deployment page appears.
Select the Settings tab. The Auth Token for SCIM page appears.
Click Generate Token.
Select Copy to copy the Auth token. If required, make a note of the token.
Navigate to the OKTA Application and select the Provisioning tab > Integration > Edit.
Enter the details as provided in the following table:
Field | Attribute |
SCIM connector base URL |
|
Unique identifier field for users | userName |
Supported Provisioning actions | Import New Users and Profile Updates, Push New Users, Push Profile Updates |
Authentication Mode | HTTP Header |
HTTP HEADER - Authorization | Enter the Auth token that you copied in Step 8. |
Click Test Connector Configuration. The test configuration window displays the provisioning features.
Upon successfully testing the connector configuration, click Save. The page will refresh automatically and the Settings window appears.
Select the To App from the settings menu and click Edit to enable the following:
Create Users
Update User Attributes
Deactivate Users
Navigate to the inSync Management Console and select Manage > Users.
On the Mappings tab, click New Mapping. The Create Mapping window appears.
Enter the values as follows:
Field | Attribute |
Mapping Name | Enter a name for the mapping |
Users | If you want to provision the users from OKTA based on a specific attribute in their OKTA Profiles, then select “Filter by SCIM Attribute”. If you want to provision any user from OKTA, to whom the OKTA application is assigned, then select Allow any user. |
Click Next.
Select the inSync profile and storage to which these users are to be mapped.
Click Finish.
Navigate to the OKTA Application and select the Assignments tab.
As applicable, select Assign to People or Assign to Groups from the drop-down menu.
Configure Custom Attributes to provision users from OKTA
Log in to your OKTA Admin Console. Click Applications. Search for the SCIM app in the list of applications and open it.
Click the Provisioning tab.
In the left-hand side panel, select the To App tab.
Scroll down to the Attribute Mapping section and select Go to Profile Editor. The Profile Editor page appears.
Under the Attributes section, click Add Attribute.
Select the attribute as applicable. The following example shows the mapping of the countryCode attribute.
Field | Attribute |
Display Name | countryCode |
Variable Name | countryCode |
Data Type | string |
External Name | countryCode |
External Namespace | Either try - urn:ietf:params:scim:schemas:core:2.0:User |
Save the settings.
Click Mappings.
Click on the Okta to Druva 2.0 (Or your App Name) tab.
On the left-hand side, select the correct attribute from the drop-down and map it to the custom attribute that you created.
Click Save Mappings.
Navigate to the inSync Management Console and select Manage > Users.
On the Mappings tab, click New Mapping. The Create Mapping window appears.
You must use the exact syntax of the custom attribute that you created in OKTA, under the Attribute Name field.
Provide the value of this attribute under the Value(s) field. This is the value of the attribute that will be verified by the SCIM App in OKTA with the OKTA users’ attributes. If the values match, then those users will get provisioned to inSync Cloud’s profile that is defined in the Mapping described as follows:
Click Finish.
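The matching rule described above, sketched as an added illustration (this is not Druva's or Okta's code). The sample user, the mapping names and profiles, first-match ordering and case-sensitive attribute lookup are all assumptions made for the example.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample: a SCIM 2.0 User as an IdP might push it, with the
# custom countryCode attribute carried in the core User namespace.
SAMPLE_USER = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "alice@example.com",
  "active": true,
  "countryCode": "US"
}
""")

# Hypothetical mappings, evaluated in order; first match wins (assumption).
FILTER_ONLY = [
    {"name": "na-staff", "attribute": "countryCode",
     "values": ["US", "CA"], "profile": "NA-Profile"},
]
# Same list with an "Allow any user" mapping appended as a catch-all.
WITH_CATCH_ALL = FILTER_ONLY + [
    {"name": "catch-all", "attribute": None, "values": [], "profile": "Default"},
]


def resolve_profile(user, mappings):
    """Return (mapping name, profile) for the first mapping the user
    satisfies, or None when no mapping applies (user is not provisioned)."""
    if CORE_USER not in user.get("schemas", []) or not user.get("userName"):
        raise ValueError("not a SCIM core User with a userName")
    for m in mappings:
        if m["attribute"] is None:           # "Allow any user"
            return m["name"], m["profile"]
        value = user.get(m["attribute"])     # exact, case-sensitive name
        if isinstance(value, str) and value in m["values"]:
            return m["name"], m["profile"]   # "Filter by SCIM Attribute"
    return None


def with_renamed_attribute(user, old, new):
    """Copy of user with one attribute key renamed, to model a name typo."""
    copy = dict(user)
    copy[new] = copy.pop(old)
    return copy
```

With only the filter mapping, a user whose attribute name does not match exactly is not provisioned at all; with an Allow any user mapping present, the same user lands in the catch-all profile without any error, which is worth checking for after creating mappings.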
Set up Single Sign-On
Select the OKTA application that you have created and select the Single Sign-On tab.
Click View Setup Instructions under SAML 2.0 section. You will be directed to SAML instructions for your OKTA instance in a new window.
Copy the values for Identity Provider Single Sign-On URL and X.509 Certificate in notepad for future use in this configuration and close the page.
Click the Assignments tab on the SSO application and assign the users or groups as required.
Configure Druva Cloud Platform to use Okta as IdP
Log in to the Druva Cloud Platform Console and click the Druva logo to access the Global Navigation Panel > Druva Cloud Settings > Access Settings. The Access Settings window appears.
In the Single Sign-On section, click Edit.
Enter the values as follows:
Field | Attribute |
ID Provider Login URL | Enter the Identity Provider Single Sign-On URL that you copied in Step 3 |
ID Provider Certificate | Enter the Identity Provider Certificate that you copied in Step 3 |
Enable the following:
Single Sign-On for Administrators
Failsafe for Administrator
Click Save.
On the next attempt to access Druva Cloud Platform using the email ID, Druva Cloud Platform will redirect you to the IdP page for authentication using SSO.
❗ Important
Druva recommends enabling Failsafe for Administrators initially. This enables the administrator to use both SSO and Druva Cloud Platform password to access the Druva Cloud Platform Console. This ensures the administrator always has access to the Druva Cloud Platform Console even if SSO is impacted due to any change in the IdP.