Skip to main content
All CollectionsKnowledge BaseDruva Cloud PlatformHow To - Druva Cloud Platform
Configure SCIM and Single-Sign On between Druva GovCloud and OKTA
Configure SCIM and Single-Sign On between Druva GovCloud and OKTA
Updated over 3 months ago

Overview

The Druva 2.0 app in Okta Applications, is specifically configured for Druva Public Cloud customers. It doesn’t work with the Druva GovCloud customers.

This article provides information to create a custom application.

Procedure for SCIM setup

  1. Login to your OKTA Admin Console. Click Applications > Add Application > Create New App. The Create a New Application Integration wizard appears.

    Add App 1.png

  2. On the Create a New Application Integration wizard, select the fields defined as follows:

    createappWizard.png

Field

Attribute

Platform

Web

Sign on method

SAML 2.0


Enter the following fields for the SAML Settings

SAML settings.png

SAML Attribute

Customers who joined Druva prior to 14th July 2018.

Customers who joined Druva post 14th July 2018.

Single Sign-On URL

https://govcloud.druva.com/wrsaml/consume

https://loginfederal.druva.com/api/commonlogin/samlconsume

Audience URI (SP Entity ID)

druva-govcloud

DCP-loginfederal

Field

Attribute

Name ID format

This can be left unknown or select EmailAddress

Application username

Okta username


📝 Note

If you have a custom Entity ID, you can find it in the Single Sign-On settings from the Druva Cloud Platform Console.


To identify the Entity ID, log on to Druva Cloud Platform Console.

  1. Login to the Druva Cloud Platform Console and click the Druva logo to access the Global Navigation Panel > Druva Cloud Settings > Access Settings. The Access Settings window appears.

    Entity ID.png
  2. To generate the Single Sign-On token, click on the more options button and select Generate SSO Token.

  3. Select Copy to copy the SSO token. If required, make a note of the token.

    GenSSOToken.png
  4. Navigate to the OKTA Application and under the Attribute Statements (Optional) section, enter the following attributes as applicable:

    auth_name.png

Criteria

Name

Customers who joined Druva before 14th July 2018.

insync_auth_token

Customers who joined Druva after 14th July 2018.

druva_auth_token

In the Value field, enter the SSO token that you copied in Step 2.

  1. Click Next to complete the OKTA Application configuration.

  2. Select the OKTA Application and select the General tab > Edit.

  3. Select SCIM as the Provisioning method.

    provisioning.png
  4. Navigate to the inSync Management Console by clicking the Druva logo to access the Global Navigation Panel > inSync.

  5. Click Manage. Under the Deployments section select Users. The User Deployment page appears.

    deployments.png
  6. Select the Settings tab. The Auth Token for SCIM page appears.

    authTOKEN.png
  7. Click Generate Token.

  8. Select Copy to copy the Auth token. If required, make a note of the token.

  9. Navigate to the OKTA Application and select the Provisioning tab > Integration > Edit.

    provisioningTAB.png
  10. Enter the details as provided in the following table:

Field

Attribute

SCIM connector base URL

https://govcloudapis.druva.com/insync/scim

Unique identifier field for users

userName

Supported Provisioning actions

Import New Users and Profile Updates, Push New Users, Push Profile Updates

Authentication Mode

HTTP Header

HTTP HEADER - Authorization

Enter the Auth token that you copied in Step 8.

  1. Click Test Connector Configuration. The test configuration window displays the provisioning features.

  2. Upon successfully testing the connector configuration, click Save. The page will refresh automatically and the Settings window appears.

    ToAPP.png
  3. Select the To App from the settings menu and click Edit to enable the following:

    Create Users

    Update User Attributes

    Deactivate Users

  4. Navigate to the inSync Management Console and select Manage > Users.

  5. On the Mappings tab, click New Mapping. The Create Mapping window appears.

  6. Enter the values as follows:

Field

Attribute

Mapping Name

Enter a name for the mapping

Users

If you want to provision the users from OKTA based on a specific attribute in their OKTA Profiles, then select “Filter by SCIM Attribute”.

If you want to provision any user from OKTA, to whom the OKTA application is assigned, then select Allow any user.

FieldAttributeMapping NameEnter a name for the mappingUsers

If you want to provision the users from OKTA based on a specific attribute in their OKTA Profiles, then select “Filter by SCIM Attribute”.

If you want to provision any user from OKTA, to whom the OKTA application is assigned, then select Allow any user.

  1. Click Next.

  2. Select the inSync profile and storage to which these users are to be mapped.

    mappingconfig.png
  3. Click Finish.

  4. Navigate to the OKTA Application and select the Assignments tab.

    assignments.png
  5. As applicable, select Assign to People or Assign to Groups from the drop-down menu.

Configure Custom Attributes to provision users from OKTA

  1. Login to your OKTA Admin Console. Click Applications. Search for the SCIM app in the list of applications and open it.

  2. Click the Provisioning tab.

  3. In the left-hand side panel, select To App tab.

  4. Scroll down to the Attribute Mapping section and select Go to Profile Editor. The Profile Editor page appears.

    Go TO profile Editor.png
  5. Under the Attributes section, click Add Attribute.

  6. As applicable, select the attribute as desired. The following image displays the example of mapping of countryside attribute.

    profileeditor.png

Field

Attribute

Display Name

countryCode

Variable Name

countryCode

Data Type

string

External Name

countryCode

External Namespace

Either try - urn:

ietf:params:scim:schemas:core:2.0:User

  1. Save the settings.

  2. Click Mappings.

    attributetype.png
  3. Click on the Okta to Druva 2.0 (Or your App Name) tab.

  4. On the left-hand side, select the correct attribute from the drop-down and map it to the custom attribute that you created.

    mappingtab.png
  5. Click Save Mappings.

  6. Navigate to the inSync Management Console and select Manage > Users.

  7. On the Mappings tab, click New Mapping. The Create Mapping window appears.

  8. You must use the exact syntax of the custom attribute that you created in OKTA, under the Attribute Name field.

  9. Provide the value of this attribute under the Value(s) field. This is the value of the attribute that will be verified by the SCIM App in OKTA with the OKTA users’ attributes. If the values match, then those users will get provisioned to inSync Cloud’s profile that is defined in the Mapping described as follows:

  10. Click Finish.

    createMapping.png
    mappingconfig.png

Set up Single Sing-On

  1. Select the OKTA application that you have created and select the Single Sign-On tab.

  2. Click View Setup Instructions under SAML 2.0 section. You will be directed to SAML instructions for your OKTA instance in a new window.

  3. Copy the values for Identity Provider Single Sign-On URL and X.509 Certificate in notepad for future use in this configuration and close the page.

  4. Click Assignments tab on the SSO application and assign the users or groups as required.

Configure Druva Cloud Platform to use Okta as IdP

  1. Login to the Druva Cloud Platform Console and click the Druva logo to access the Global Navigation Panel > Druva Cloud Settings > Access Settings. The Access Settings window appears.

  2. On the Single Sign-On section click Edit.

  3. Enter the values and follows:

    DCPSSO.png

Field

Attribute

ID Provider Login URL

Enter the Identify Provider Single Sign-On URL that you copied in Step 3

ID Provider Certificate

ID Provider CertificateEnter the Identify Provider Certificate that you copied in Step 3

  1. Enable the following:
    Single Sign-On for Administrators
    Failsafe for Administrator

  2. Click Save.

  3. On the next attempt to access Druva Cloud Platform using the email ID, Druva Cloud Platform will redirect you to the IdP page for authentication using SSO.


❗ Important

Druva recommends enabling Failsafe for Administrators initially. This enables the administrator to use both SSO and Druva Cloud Platform password to access the Druva Cloud Platform Console. This ensures the administrator always has access to the Druva Cloud Platform Console even if SSO is impacted due to any change in the IdP.



Did this answer your question?