How to configure ADFS 3.0 to integrate with Druva Cloud Platform
Updated over 3 months ago

This article applies to:

  • OS: Windows server 2012

  • Product edition: Druva Cloud Platform (DCP)

Overview

This article provides steps to install and configure ADFS 3.0 with Druva Cloud Platform (DCP). The configuration is performed in the following order:

  1. Install ADFS 3.0

  2. Configure the federation server

  3. Configure ADFS to integrate with DCP

    1. Create a relying party

    2. Create a new claim

    3. Create a custom rule

    4. Configure Single Sign-On

    5. Configure SSO settings

Install ADFS 3.0

To install ADFS 3.0:

  1. Start the Server Manager.

  2. On the Menu bar, click Manage > Add Roles and Features. The Add Roles and Features wizard is launched.

  3. On the Before you begin page, click Next.

  4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

  5. On the Select destination server page, click Select a server from the server pool and then click Next.

  6. On the Select server roles page, select Active Directory Federation Services and then click Next.

  7. On the Select features page, click Next.

  8. On the Active Directory Federation Services (AD FS) page, click Next.

  9. On the Confirm installation settings page, verify the information, and click Install.

  10. On the Installation progress page, you can view the installation progress. Verify the installed component, and click Close.

Configure the federation server

To configure the federation server:

  1. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server. The Active Directory Federation Service Configuration Wizard is launched.

  2. On the Welcome page, select Create the first federation server in a federation server farm and click Next.

  3. On the Connect to Active Directory Domain Services page, specify an account with domain administrator rights for the Active Directory domain that this computer is joined to, and then click Next.

  4. On the Specify Service Properties page, enter the following details, and click Next.

    1. Browse to the location of your SSL certificate and import it.

    2. Enter a Federation Service Name. This value is the same value that you provided when you enrolled an SSL certificate in Active Directory Certificate Services (AD CS).

    3. Enter a Federation Service Display Name.

  5. On the Specify Service Account page, select Use an existing domain user account and click Next.

  6. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database and then click Next.

  7. On the Review Options page, verify your configuration selections and then click Next.

  8. On the Prerequisite Checks page, verify that all prerequisite checks completed successfully, and then click Configure.

  9. On the Results page, review the results and check whether the configuration has completed successfully.
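The same role installation and first-server farm configuration, done from an elevated PowerShell session run as a domain administrator on the future federation server. This is an added example, not code from the Druva article; the federation service name, display name and service account are assumed values, and it assumes the SSL certificate's subject CN matches the federation service name.

```powershell
# Added example (not from the Druva article): install the AD FS role and configure the
# first federation server of a farm with the AD FS cmdlets instead of the two wizards.
$fsName        = 'adfs.example.com'          # assumed; must match the SSL certificate subject
$fsDisplayName = 'Example Corp Federation'   # assumed
$svcAccount    = Get-Credential -Message 'Existing domain user account for the AD FS service'

# 1. Install the role (Add Roles and Features > Active Directory Federation Services).
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. Locate the SSL certificate in the local machine store, as the wizard's Browse step does.
#    Assumes the CN is the federation service name; only a certificate with its private key qualifies.
$sslCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$fsName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $sslCert) { throw "No SSL certificate with a private key for $fsName in LocalMachine\My" }

# 3. Run the same prerequisite checks as the wizard's Pre-requisite Checks page and stop on
#    failure rather than configuring a half-working farm (Status is 'Success' when all checks pass).
$check = Test-AdfsFarmInstallation -CertificateThumbprint $sslCert.Thumbprint `
    -FederationServiceName $fsName -ServiceAccountCredential $svcAccount
if ($check.Status -ne 'Success') { $check.Message; throw 'AD FS prerequisite checks failed' }

# 4. Create the first federation server. Without any SQL Server parameters the configuration
#    database is created in Windows Internal Database, matching step 6 of the wizard.
Install-AdfsFarm -CertificateThumbprint $sslCert.Thumbprint `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName $fsDisplayName `
    -ServiceAccountCredential $svcAccount
```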

Configure ADFS to integrate with DCP

Create a relying party

After you have set up the Federation Server, the next step is to create a relying party.

To create a relying party:

  1. On the Start menu, click Administrative Tools > ADFS 3.0 Management. The ADFS 3.0 window appears.

  2. Expand the Trust Relationships node.

  3. In the right pane, click Add Relying Party Trust. The Add Relying Party Trust Wizard appears.

  4. Click Start. The Select Data Source page appears.

  5. Click Enter data about the relying party manually and then click Next. The Specify Display Name page appears.

  6. Provide the appropriate information for each field as specified below and click Next. The Choose Profile page appears.

    • Display Name: Enter a display name for the relying party (For example: Druva inSync).

    • Notes: Enter a description of the relying party.

  7. Select AD FS profile and click Next. The Configure Certificate page appears.

  8. (Optional) To encrypt the SAML token, browse and select the encryption certificate and then click Next.
    This step is optional because the token is already protected in transit by the HTTPS connection to Druva Cloud Platform.

  9. On the Configure URL page:

    • Select Enable support for the SAML 2.0 WebSSO protocol.

    • In the Relying party SAML 2.0 SSO service URL box, enter the following URL:
      https://login.druva.com/api/commonlogin/samlconsume

    • Click Next. The Configure Identifiers page appears.

  10. In the Relying party trust identifier box, enter DCP-login and click Next.
    The web application passes this realm to ADFS when users log in through the web restore URL.

    📝 Note
    If you are using inSync Gov Cloud as the relying party, type DCP-loginfederal.

    The Configure Multifactor Authentication Now page appears.

  11. Select I do not want to configure MFA settings for this relying party trust at this time and click Next. The Choose Issuance Authorization Rules page appears.
    Note: You can configure Multifactor Authentication at a later stage.

  12. Click Permit all users to access this relying party and then click Next. The Ready to Add Trust page appears.

  13. Review and if required update the settings that you have configured and then click Next. The Finish page appears.

  14. Ensure that Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is selected (it is selected by default).

  15. Click Close.

Create a new claim

To create a new claim:

  1. On the Edit Claim Rules window, click Add Rule under the Issuance Transform Rules tab. The Select Rule Template page appears.

  2. In the Claim rule template list, select Send LDAP Attributes as Claims and then click Next. The Edit Rule – LDAP EMAIL window appears.

    Provide the appropriate information for each field as specified below:

    • Claim rule name: Enter a name for the claim rule.

    • Attribute store: Select Active Directory from the list.

    • Mapping of LDAP attributes to outgoing claim types:

      LDAP Attribute            Outgoing Claim Type
      E-mail Addresses          Name ID
      E-mail Addresses          E-mail Address
      User Principal Name       Name

  3. Click Finish.

Create a custom rule

To create a custom rule:

  1. On the Edit Claim Rules window, click Add Rule under the Issuance Transform Rules tab. The Select Rule Template page appears.

  2. In the Claim rule template list, select Send Claims Using a Custom Rule and then click Next. The Edit Rule – LDAP EMAIL window appears.

    Provide the appropriate information for each field as specified below:

    • Claim rule name: Enter a name for the custom rule.

    • Custom rule: Enter the following rule, where the Value is the SSO token generated from Druva Cloud Platform:

      => issue(Type = "druva_auth_token", Value = "value of SSO Token generated from Druva Cloud Platform");

  3. Click OK.
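The relying party trust, the LDAP attribute claim rule and the custom token rule from the three sections above, created in one step with the AD FS cmdlets. This is an added example, not code from the Druva article: only the consumer URL, the DCP-login identifier, the attribute mapping and the druva_auth_token rule come from the article; the trust name, notes and the token placeholder are assumed values.

```powershell
# Added example (not from the Druva article): create the DCP relying party trust with both
# claim rules and the "Permit all users" authorization rule, then read back what was stored.
$acsUrl     = 'https://login.druva.com/api/commonlogin/samlconsume'
$identifier = 'DCP-login'                               # 'DCP-loginfederal' for inSync Gov Cloud
$ssoToken   = '<SSO-TOKEN-FROM-DRUVA-CLOUD-PLATFORM>'   # placeholder: paste the token DCP generated

# Rule 1: the "Send LDAP Attributes as Claims" template written in claim rule language.
# Same mapping as the article's table: mail -> Name ID, mail -> E-mail Address, userPrincipalName -> Name.
$ldapRule = @'
@RuleName = "DCP LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";mail,mail,userPrincipalName;{0}", param = c.Value);
'@

# Rule 2: the custom rule from the article. The token is a shared secret stored in plain text
# in the AD FS configuration, so anyone with AD FS admin rights can read it; scope those rights tightly.
$tokenRule = @"
@RuleName = "DCP auth token"
=> issue(Type = "druva_auth_token", Value = "$ssoToken");
"@

# SAML 2.0 WebSSO endpoint: the Relying party SAML 2.0 SSO service URL from the Configure URL page.
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

Add-AdfsRelyingPartyTrust -Name 'Druva inSync' -Identifier $identifier `
    -Notes 'Druva Cloud Platform single sign-on' `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules ($ldapRule + "`n" + $tokenRule) `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Verify the stored trust: identifier, consumer URL, enabled state and both transform rules.
$rp = Get-AdfsRelyingPartyTrust -Name 'Druva inSync'
$rp | Select-Object Identifier, @{ n = 'Endpoint'; e = { $_.SamlEndpoints.Location } }, Enabled
$rp.IssuanceTransformRules
```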

Configure Single Sign-On

Only a Druva Cloud administrator can set up Single Sign-on. Configure Single Sign-on based on the applicable scenarios:

  • New Druva customers (that is, Phoenix customers on-boarded after July 02, 2018, and inSync customers on-boarded after July 14, 2018) must follow the instructions in this article.

  • Existing Phoenix and inSync customers who have already configured Single Sign-on must continue to use the existing Single Sign-on settings of Phoenix and the Single Sign-on settings of inSync, as applicable.

Obtain an ID provider certificate

Before you configure the single sign-on settings with inSync Cloud, ensure that you have an ID provider certificate.

If you do not have an ID provider certificate, follow these steps to get one:

  1. On the Start menu, click Administrative Tools > ADFS 3.0 Management. The ADFS 3.0 Management window appears.

  2. Expand the Service folder and click Certificates. The Certificates view appears in the right pane.

  3. Under the Token-signing area, right-click on the certificate. A list with additional options appears.

  4. In the list, click View Certificate. The Certificate window appears.

  5. Open the Details tab and then click Copy to file. The Certificate Export Wizard appears.

  6. On the Certificate Export Wizard, click Next. The Export File Format page appears.

  7. Select Base-64 encoded X.509 (.CER) and then click Next.

  8. On the File to Export page, enter the file name as Cert.cer, and then click Next.

  9. Click Finish.

  10. Open the cert.cer file in Notepad. The certificate appears in the following format:

    -----BEGIN CERTIFICATE-----
    …
    -----END CERTIFICATE-----

  11. Copy the content of the cert.cer certificate and provide it when you configure the single sign-on settings by using the inSync Management Console.
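The same export done without the Certificate Export Wizard: read the primary token-signing certificate from AD FS and write it as a Base-64 encoded .CER file in the BEGIN/END CERTIFICATE form shown above. This is an added example, not code from the Druva article, and the output path is an assumed value.

```powershell
# Added example (not from the Druva article): export the primary token-signing certificate
# as Base-64 X.509 so its content can be pasted into the ID Provider Certificate field.
$outFile = 'C:\Temp\Cert.cer'   # assumed output path

# Use the primary certificate only; AD FS can hold a secondary one during certificate rollover.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$x509    = $signing.Certificate

# DER bytes -> Base64 broken into lines, framed like the wizard's Base-64 encoded X.509 output.
$der = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Record what was handed to DCP. If AutoCertificateRollover is enabled, AD FS replaces this
# certificate on its own and the DCP setting must be updated again, or sign-in breaks.
[pscustomobject]@{
    Thumbprint   = $x509.Thumbprint
    NotAfter     = $x509.NotAfter
    AutoRollover = (Get-AdfsProperties).AutoCertificateRollover
    File         = $outFile
}
```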

Configure the single sign-on settings

To configure the single sign-on settings:

  1. Log in to Druva Cloud Platform and click the Druva icon in the top left corner.

  2. Select Druva Cloud Settings.

  3. Under Access Settings, click Edit for Single Sign-on.

  4. Enter the appropriate value for each SAML attribute, based on the descriptions below:

    • ID Provider Login URL: Enter https://{fqdn-name of the ADFS server}/adfs/ls

    • ID Provider Certificate: Provide the content of the cert.cer certificate.

    • AuthRequests Signed: Select this checkbox to get signed SAML Authentication Requests. By default, SAML Authentication Requests are not signed.

    • Encrypt Assertions: Select this checkbox to enable encryption for SAML assertions. Encryption is disabled by default.

  5. Click Save.

Enable SSO for inSync End Users

You can enable SSO for inSync end users from the Profiles section on the inSync Management Console. For more information, see Enable SSO for inSync users.
