This article applies to:
OS: Windows server 2012
Product edition: Druva Cloud Platform (DCP)
Overview
This article provides steps to install and configure ADFS 3.0 with Druva Cloud Platform (DCP). The configuration is performed in the following order:
Install ADFS 3.0
Configure the federation server
Configure ADFS to integrate with DCP
Create a relying party
Create a new claim
Create a custom rule
Configure Single Sign-On
Configure SSO settings
Install ADFS 3.0
To install ADFS 3.0:
Start the Server Manager.
On the Menu bar, click Manage > Add Roles and Features. Add Roles and Features wizard is launched.
On the Before you begin page, click Next.
On the Select installation type page, click Role-based or feature-based installation, and then click Next.
On the Select destination server page, click Select a server from the server pool and then click Next.
On the Select server roles page, select Active Directory Federation Services and then click Next.
On the Select features page, click Next.
On the Active Directory Federation Services (AD FS) page, click Next.
On the Confirm installation settings page, verify the information, and click Install.
On the Installation progress page, you can view the installation progress. Verify the installed component, and click Close.
Configure the federation
To configure the federation server:
On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server. The Active Directory Federation Service Configuration Wizard is launched.
On the Welcome page, select Create the first federation server in a federation server farm and click Next.
On the Connect to Active Directory Domain Services page, specify an account with domain administrator rights for the Active Directory domain that this computer is joined to, and then click Next.
On the Specify Service Properties page, enter the following details, and click Next.
Browse to the location of your SSL certificate and import it.
Enter a Federation Service Name. This value is the same value that you provided when you enrolled an SSL certificate in Active Directory Certificate Services (AD CS).
Enter a Federation Service Display Name.
On the Specify Service Account page, select Use an existing domain user account and click Next.
On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database and then click Next.
On the Review Options page, verify your configuration selections and then click Next.
On the Pre-requisite Checks page, verify that all prerequisite checks were successfully completed, and then click Configure.
On the Results page, review the results and check whether the configuration has completed successfully.
Configure ADFS to integrate with DCP
Create a relying party
After you have set up the Federation Server, the next step is to create a relying party.
To create a relying party:
On the Start menu, click Administrative Tools > ADFS 3.0 Management. The ADFS 3.0 window appears.
Expand the Trust Relationships node.
In the right pane, click Add Relying Party Trust. The Add Relying Party Trust Wizard appears.
Click Start. The Select Data Source page appears.
Click Enter data about the relying party manually and then click Next. The Specify Display Name page appears.
Provide the appropriate information for each field as specified below and click Next. The Choose Profile page appears.
Display Name: Enter a display name for the relying party (For example: Druva inSync).
Notes: Enter a description of the relying party.
Select AD FS profile and click Next. The Configure Certificate page appears.
(Optional) To encrypt the SAML token, browse and select the certificate and then click Next.
However, ADFS establishes a secure SSL connection to Druva Cloud platform, which ensures the token is encrypted.On the Configure URL page:
Select the Enable support for the SAML 2.0 WebSSO 2.0 protocol.
In the Relying party SAML 2.0 SSO service URL box, enter the following URL:
https://login.druva.com/api/commonlogin/samlconsumeClick Next. The Configure Identifiers page appears.
In the Relying party trust identifier box, enter DCP-login and click Next.
The web application passes this realm to the ADFS when users log into the web restore URL.
📝 Note
If you are using inSync Gov Cloud as the relying party, type DCP-loginfederal.
The Configure Multifactor Authentication Now page appears.
Select I do not want to configure MFA settings for this relying party trust at this time and click Next. The Choose Issuance Authorization Rules page appears.
Note: You can configure Multifactor Authentication at a later stage.Click Permit all users to access this relying party and then click Next. The Ready to Add Trust page appears.
Review and if required update the settings that you have configured and then click Next. The Finish page appears.
Ensure that the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is selected by default.
Click Close.
Create a new claim
To create a new claim:
On the Edit Claim Rules window, click Add Rule under the Issuance Transform Rules tab. The Select Rule Template page appears.
In the Claim rule template list, select Send LDAP Attributes as Claims and then click Next. The Edit Rule – LDAP EMAIL window appears.
Provide the appropriate information for each field as specified below:
Field name | Action |
Claim rule name | Enter a name for the claim rule. |
Attribute store | Select Active Directory from the list. |
Mapping LDAP attributes to outgoing claims |
|
LDAP Attribute | Map it to Outgoing claim type |
E-mail Addresses | Map it to Name ID |
E-mail Addresses | Map it to E-mail Address |
User Principal Name | Map it to Name |
Click Finish.
Create a custom rule
To create a custom rule:
On the Edit Claim Rules window, click Add Rule under Issuance Transform Rules tab. The Select Rule Template page appears.
In the Claim rule template list, select Send Claims Using a Custom Rule and then click Next. The Edit Rule – LDAP EMAIL window appears.
Provide the appropriate information for each field as specified below:
Field | Action |
Claim rule name | Enter a name for the custom rule. |
Custom rule | Enter:
|
Click OK.
Configure Single Sign-On
Only a Druva Cloud administrator can set up Single Sign-on. Configure Single Sign-on based on the applicable scenarios:
New Druva customers that is; Phoenix customers on-boarded after July 02, 2018, and inSync customers on-boarded after July 14, 2018, must refer to the instructions given in this article.
Existing Phoenix and inSync customers who already have configured Single Sign-on, must continue to use the existing Single Sign-on settings of Phoenix and the Single Sign-on settings of inSync as applicable.
Obtain an ID provider certificate
Before you configure the single sign-on settings with inSync Cloud, ensure that you have an ID provider certificate.
If you do not have an ID provider certificate, follow these steps to get one:
On the Start menu, click Administrative Tools > ADFS 3.0 Management. The ADFS 3.0 Management window appears.
Expand to the Service folder and click Certificates. The Certificates view appears in the right pane.
Under the Token-signing area, right-click on the certificate. A list with additional options appears.
In the list, click View Certificate. The Certificate window appears.
Open the Details tab and then click Copy to file. The Certificate Export Wizard appears.
On the Certificate Export Wizard, click Next. The Export File Format page appears.
Select Base-64 encoded X.509 (.CER) and then click Next.
On the File to Export page, enter the file name as Cert.cer, and then click Next.
Click Finish.
Open and edit the cert.cer file in a Notepad. The certificate opens in the following format:
“-----BEGIN CERTIFICATE-----
………. …..
-----END CERTIFICATE-----"
Copy the content of the cert.cer certificate and provide it when you configure the single sign-on settings by using the inSync Management Console.
Configure the single sign-on settings
To configure the single sign-on settings
Login to Druva Cloud Platform and click the Druva Icon in the top left corner.
Select Druva cloud settings.
Under Access Settings, Click Edit for Single Sign-on.
Enter appropriate attribute values based on the descriptions provided below for each field.
SAML Attribute | Description and value |
ID Provider Login URL | Enter:
|
ID Provider Certificate | Provide the content of the cert.cer certificate. |
AuthRequests Signed | Select this checkbox to get signed SAML Authentication Requests. By default, SAML Authentication Requests are not signed. |
Encrypt Assertions | Select to enable encryption for SAML assertions. Encryption is disabled by default. |
Click Save.
Enable SSO for inSync End Users
You can enable SSO for inSync end users from the Profiles section on the inSync Management Console. For more information, see Enable SSO for inSync users.