Skip to main content
How to Configure ADFS 3.0 with Phoenix
Updated over a month ago

❗ Important

  • Only a Druva Cloud administrator can set up Single Sign-on.

  • Configure Single Sign-on based on the applicable scenarios:

    • New P hoenix customers on-boarded after July 2, 2018, must refer to the instructions given in the article: Set up Single sign-on.

    • Existing Phoenix customers who have already configured Single Sign-on must continue to use the existing settings as described in this article.


Overview

You must install the Active Directory Federation Services (ADFS) 3.0 software on a computer that you are preparing for the federation server role or the federation server proxy role. For more information on how you can install the ADFS software and its prerequisites, see the Microsoft documentation.

Configure ADFS to integrate with Phoenix

After you have installed ADFS 3.0, perform the following actions:

Create a new federation service


πŸ“ Note
​Skip this step, if you already have an ADFS 3.0 Federation Server configured on the computer.


To create a new federation service

  1. On the Start menu, clickAdministrative Tools >ADFSManagement. TheADFSManagementwindow appears.

  2. On the right pane, under Actions, click on theADFSFederation Server Configuration Wizardlink. TheADFSFederation Server Configuration Wizardappears.

  3. On the Welcome page of the wizard, click Create a new Federation Service, and then click Next. The Select Stand-Alone or Farm Deployment page appears.

  4. Click Stand-alone Federation Server, and then click Next. The Specify the Federation Service Name page appears.

  5. In the SSL certificate box, browse and select theADFSserver certificate, and then click Next.

  6. View summary, click Finish.

Create a relying party

After you have set up the Federation Server, the next step is to create a relying party.

To create a relying party

  1. On the Start menu, clickAdministrative Tools >ADFSManagement. The ADFS windowappears.

  2. Expand the Trust Relationships node.

  3. Right-click on the Relying Party Trusts folder. A list with additional options appears.

  4. Click Add Relying Party Trust…. The Add Relying Party Trust Wizard appears.​

    1.png
  5. Click Start. The Select Data Source page appears.​

    2.png
  6. Click Enter data about the relying party manually, and then click Next. The Specify Display Name page appears.​

    3.png
  7. Provide the appropriate information for each field.

    • Display Name:

      Type a display name for the relying party.

      For example, Druva_Phoenix.

    • Notes:Type a description for the relying party.

  8. Click Next. The Choose Profile page appears.​

    4.png
  9. Click ADFS profile and then click Next. The Configure Certificate page appears.

    5.png
  10. If you want to encrypt the SAML token, browse and select the certificate, and then click Next. The Configure URL page appears.

    6.png
  11. Provide the appropriate information for each field.

    • Enable support for the SAML 2.0 WebSSO protocol:

      Select this check box.

    • Relying party SAML 2.0 SSO service URL: Type:
      ​https://login.druva.com/api/commonlogin/samlconsume

  12. Click Next. The Configure Identifiers page appears.

    7.png
  13. In the Relying party trust identifier box, type druva-phoenix.
    The web application passes this realm to the ADFS when users log into the web restore URL.

  14. Click Next. The Choose Issuance Authorization Rules page appears.

    8.png
  15. Click Permit all users to access this relying party and then click Next. The Ready to Add Trust page appears.

    9.png
  16. Review and if required update the settings that you have configured, and then click Next. The Finish page appears.

  17. Ensure that the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checkbox is by default selected.

  18. Click Close.

  19. (Optional step) You can upload the encryption certificate.For detailed procedure, see Encryption and Signature.

Create a new rule

After you create a relying party trust, you can create the claim rule that allows you to authenticate at ADFS by using the Active Directory. By default, the Edit Claim Rules window appears after you create a relying party trust.

Before you begin

Before you create a new claim rule, ensure that you generate an SSO token from the Phoenix Console. For more information on how you can create an SSO token, see Generate SSO token.

Create a new claim

To create a new claim

  1. On the Edit Claim Rules window, under the Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.​

    10.png
  2. In the Claim rule template list, select Send LDAP Attributes as Claims, and then click Next. The Edit Rule – LDAP EMAIL window appears.

    11.png
  3. Provide the appropriate information for each field.

    • Claim rule name:Type a name for the claim rule.

    • Attribute store:In the list, select Active Directory

    • MAPPING OF LDAP ATTRIBUTES TO OUTGOING CLAIM TYPES

    • LDAP Attribute:Map it to Outgoing claim type.

    • E-mail Addresses:Map it to Name ID.

    • E-mail Addresses:Map it to E-mail Address.

    • User-Principal-Name:Map it to Name.

  4. Click Finish.

Create a custom rule

To create a new custom rule

  1. On the Edit Claim Rules window, under Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.​

    12.png
  2. In the Claim rule template list, select Send LDAP Attributes as Claims Rule, and then click Next. The Edit Rule – LDAP EMAIL window appears.

    13.png
  3. Provide the appropriate information for each field.

    • Claim rule name:Type a name for the custom rule.

    • Custom rule:

      Type,

      => issue(Type = "phoenix_auth_token", Value = "value of SSO Token generated from Phoenix Console");

  4. Click OK.

Configure certificate for ADFS

You can configure a trusted party certificate or use the self-signed certificate. ADFS uses this certificate to sign the tokens it sends out.

Before you begin

Before you configure the single sign-on settings with Phoenix, ensure that you have an ID provider certificate. If you do not have an ID provider certificate, follow these steps:

  1. On the Start menu, click Administrative Tools > ADFS Management. The ADFS window appears.​

    Imp.PNG
  2. Expand to the Service folder.

  3. Click Certificates. The Certificates view appears in the right pane.

  4. Under the Token-signing area, right-click the certificate. A list with additional options appears.

  5. In the list, click View Certificate. The Certificate window appears.

  6. Click the Details tab and then click Copy to file. The Certificate Export Wizard appears.

    15.png
  7. On the Certificate Export Wizard, click Next. The Export File Format page appears.

    secondlast.png
  8. Select Base-64 encoded X.509 (.CER), and then click Next.

  9. On the File to Export page, browse to the location where you want to save the downloaded certificate.

    last.png
  10. Click Next.

  11. View the information and click Finish.

  12. Open the certificate file in a Notepad. The certificate opens in the following format:

    β€œ-----BEGIN CERTIFICATE-----
    ​
    ………. …..
    ​
    -----END CERTIFICATE-----"
    ​

  13. Copy the content of the certificate and provide it when you configure the single sign-on settings by using the Phoenix Console.

Configure the single sign-on settings

To configure the single sign-on settings

  1. Log on to Druva Management Console.

  2. On the menu bar, click Druva Cloud Settings.

  3. Click the Single Sign-On tab and under Single Sign-On Configuration, click Edit. The Single Sign-On Configuration window is displayed.

  4. Provide the appropriate information for each field.

SAML Attribute

Description and value

ID Provider Login URL

Type,

https://{fqdn-name of the ADFS server}/adfs/ls

ID Provider Certificate

Provide the content of the certificate. For more information see, Configure certificate for ADFS.

AuthRequests Signed

Select this option if you want the authentication request signed. For more information, see Encryption and Signature

Want Assertion Encrypted

Select this option if you want the assertion encrypted. For more information, see Encryption and Signature

  1. Click Save.

Did this answer your question?