How to configure SSO for DCP Administrators using PingFederate as IdP

This article applies to:

  • Product edition: Druva Cloud Platform (DCP)

Overview

This article describes the steps to configure SSO for Druva Cloud Platform using PingFederate as IdP. The configuration involves the following main tasks:

  • Generate SSO Token from DCP Console

  • Configure the PingOne app

  • Configure DCP to use PingOne


❗ Important

  • Only a Druva Cloud administrator can set up Single Sign-on.

  • Configure Single Sign-on based on the applicable scenarios:

    • New Druva customers, that is, Phoenix customers on-boarded after 02 July 2018 and inSync customers on-boarded after 14 July 2018, must refer to the instructions given in this article.

    • Existing Phoenix and inSync customers who have already configured Single Sign-on must continue to use the existing Single Sign-on settings of Phoenix and the Single Sign-on settings of inSync, as applicable.


Generate SSO Token from DCP Console

  1. Log in to the DCP Console and on its menu bar click the account icon > Settings.

  2. Click Generate SSO Token.

  3. Click Copy. The token gets copied to the clipboard.

  4. Paste the token into a text file and keep the file available for future use.

Configure the PingOne app

Prerequisites:

  • Administrator credentials of PingOne

  • SSO authentication token generated from the DCP Console.

Procedure:

  1. Log in to the PingOne console with the administrator credentials (https://admin.pingone.com).

  2. From the dashboard, open the Applications page and click Add Application > New SAML Application.

  3. Enter the Application Name, Application Description, and Category as appropriate.

  4. Click Next and enter the values as specified below:
    Assertion Consumer Service (ACS): https://login.druva.com/api/commonlogin/samlconsume
    Entity ID: DCP-login

  5. Leave default values in the remaining fields and click Continue to next step.

  6. Click Add new attribute and enter the values as shown in the illustration below:

    • SAML_SUBJECT: SAML_SUBJECT

    • druva_auth_token: Enter the SSO authentication token value and also select As Literal. If you do not wish to use As Literal, enclose the authentication token in double quotation marks (""), such as "X-XXXXX-XXXX-S-A-M-P-L-E+TXOXKXEXNX="

    • emailAddress: SAML_SUBJECT

    • userPrincipalName: SAML_SUBJECT

    [Image: DCP_SSOAttribMapping.png]

  7. Click Save and Publish.

  8. On the Review Setup page:

  9. Copy the IdP ID value from the Initiate Single Sign-On (SSO) URL as shown in the image below.

    [Image: DCP_InitiateSSOURL.png]

  10. Download the Signing Certificate.
    Keep the above details available for future use.

Configure DCP to use PingOne

  1. Log in to the DCP Console and on its menu bar click the account icon > Settings.

  2. Click Edit against Single Sign-On and update each field as directed in the table below:

    • ID Provider Certificate: Open the Signing Certificate that was downloaded in the earlier procedure in Notepad and copy its content to this field. Take care to keep the certificate formatting intact in the text editor.

    • Single Sign-On for Administrators: Select.

    • Failsafe for Administrators: Select.


      💡 Tip

      Druva recommends enabling this field initially. Failsafe for Administrators enables the administrator to use both SSO and the DCP password to access the DCP Console. This ensures access to the DCP Console even if SSO is impacted due to any change in the IdP.


    [Image: DCP_ConfigureToUsePingOne.png]

  3. Click Save.
    On all subsequent attempts to log in to the DCP Console, provide the administrator's email ID; DCP then redirects to the IdP page to authenticate using SSO.


NOTE:

When configuring Druva with PingOne for single sign-on (SSO) using SAML (Security Assertion Markup Language), the User Principal Name (UPN) and email address attributes are critical because they uniquely identify users across systems. Setting these attributes as SAML_SUBJECT in PingOne ensures that the correct user identity is passed from PingOne to Druva during the authentication process. Here’s why this is necessary:

  1. Unique User Identification:
    The SAML_SUBJECT is a key element in the SAML assertion, representing the unique identity of the user being authenticated.
    In most organizations, the UPN or email address is used as the primary identifier for users. By mapping these attributes to SAML_SUBJECT, you ensure that the unique identity of the user is consistently passed to Druva for authentication.

  2. Consistency Across Systems:
    Druva requires a unique identifier to match the incoming SAML assertion with an existing user account.
    The UPN or email address is typically unique and standardized across the organization, making it the ideal candidate for the SAML_SUBJECT.
    This consistency ensures that the right user is authenticated and granted access without conflicts or mismatches.

  3. SAML Assertion Validation:
    During the SSO process, PingOne generates a SAML assertion that includes the SAML_SUBJECT along with other attributes.
    Druva validates this SAML assertion, specifically checking the SAML_SUBJECT to identify the user. If the UPN or email address is correctly set as SAML_SUBJECT, Druva can successfully authenticate the user and provide access to the appropriate resources.

  4. Simplified Configuration and Management:
    Setting the UPN or email address as SAML_SUBJECT in PingOne simplifies the integration process with Druva.
    It aligns with common best practices and reduces the chances of misconfiguration, ensuring a smoother SSO experience for end-users.
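
The following is an added example, not Druva's or Ping Identity's code: a mapping check you can run on a decoded assertion from a test login to confirm that it carries the attributes, Entity ID and ACS URL configured above, reporting problems without echoing the token. It does not verify the assertion's signature. It assumes SAML_SUBJECT arrives as the NameID, the Entity ID as the Audience, and the ACS URL as the SubjectConfirmationData Recipient (standard SAML 2.0 placement); the function name and sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://login.druva.com/api/commonlogin/samlconsume"  # from the article
ENTITY_ID = "DCP-login"  # from the article
REQUIRED_ATTRS = ("druva_auth_token", "emailAddress", "userPrincipalName")

# Constructed sample (not captured from PingOne); user and token are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>admin@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://login.druva.com/api/commonlogin/samlconsume"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>DCP-login</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="druva_auth_token"><saml:AttributeValue>PLACEHOLDER-TOKEN</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="emailAddress"><saml:AttributeValue>admin@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="userPrincipalName"><saml:AttributeValue>admin@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return mapping problems; an empty list means the assertion matches the article."""
    root = ET.fromstring(xml_text)  # run only on assertions from your own IdP
    problems = []
    name_id = root.findtext(".//saml:NameID", "", NS).strip()
    if not name_id:
        problems.append("missing NameID (SAML_SUBJECT)")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", "", NS).strip()
             for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append("missing attribute " + name)
    for name in ("emailAddress", "userPrincipalName"):
        if attrs.get(name) and attrs[name] != name_id:
            problems.append(name + " differs from SAML_SUBJECT")
    if root.findtext(".//saml:Audience", "", NS).strip() != ENTITY_ID:
        problems.append("audience is not " + ENTITY_ID)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("recipient is not the DCP ACS URL")
    return problems  # values (including the token) are never echoed

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION) or "mapping OK")
```

A decoded assertion contains the druva_auth_token value, so treat any saved copy like the token file itself and delete it after the check.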
