How-To Integrate N2WS Backup & Recovery 3.x/4.x with Azure Active Directory

This How-To guide describes the configuration required to integrate N2WS Backup & Recovery 3.x/4.x with Azure Active Directory SSO.
It shows an example of how to create and configure an Enterprise application in Azure, and which settings are required in N2WS Backup & Recovery.

  1. To check whether IdP integration is supported for your version, see the following link: pricing & feature
  2. For additional information about IdP integration, read our user guide: Documentation

The configuration consists of the following steps, all of which are required:
  1. Create an enterprise app in Azure AD
  2. Configure claims in Azure AD
  3. Configure the IdP in N2WS Backup & Recovery
  4. Create a group in N2WS Backup & Recovery
  5. Upload the certificate to N2WS Backup & Recovery

See the configuration and troubleshooting sections below.


For this guide, I created a test Azure AD account with one user and one group in it.

1. We start with the configuration on the Azure AD side.
    You first need users and a group. Once you have a user/group, the next step is to create an "Enterprise application" (you should see the link to create one at the bottom).

2. Next, select "Non-gallery application" and enter a name.

3. Now click on "Assign a user"

4. Add your user


5. Now that a user is assigned, go back to the overview and click "Set up a single sign on" -> SAML

6. You will reach the setup page, which has multiple sections. Fill in the parameters as follows:

  Section 1: Basic SAML Configuration
  Set the following configurations: 
    Identifier (Entity ID)
    Reply URL (Assertion Consumer Service URL)
    Logout Url
For Example:

  Section 2: User Attributes & Claims
  Add the following claims:
Claim name
Example source attribute
Group ID

For Example:

Note about groups: The claim "cpm_user_groups" should contain the names of the groups the user belongs to.
CPM receives this information from Azure, reads the content of cpm_user_groups, and compares it to the groups configured in CPM.

In Azure AD, if you configure cpm_user_groups = user.groups, Azure populates the claim with the group IDs and not the group names!
In this configuration, you need to create a group in CPM whose name equals the group ID in Azure.
For example:
For this group and configuration in Azure AD

There will be this group in CPM

Note: An IdP user logging on to N2WS can belong to only ONE N2WS group
Note: Claims are case sensitive; for example, 'cpm_user_groups' must be lowercase

  Section 3: SAML Signing Certificate
  Check that "Signing Algorithm" = SHA-256 and download the Certificate (Base64).
  We will upload the certificate to N2WS Backup & Recovery later.

  Section 4: 
  We will use this information for the N2WS Backup & Recovery configuration later.

7. Now switch to the N2WS Backup & Recovery console and log in as an Admin user.
8. Click the cog icon -> open the "Identity provider" area.

9. Go to the Settings tab and set the following:
This should point to the public IP or DNS
Entity ID: Copy from Azure SSO setup - section 4
Sign in URL: Copy from Azure SSO setup - section 4
Sign Out URL: Copy from Azure SSO setup - section 4
X509 cert: Upload the certificate from Azure AD
Notes: Use the IdP's login URL for both sign in and sign out. If you used DNS in the Azure settings, be consistent and select DNS here.
For example:

10. Switch to Groups and create the groups for the users.
The name of the group should match the name that will be passed in the cpm_user_groups claim.

For Example:
For this group in Azure (which the user is a member of):

I will create this group in CPM

When you create the group, you select the user type for users in that group and their limitations/permissions.
  For example, the group below will have users that are delegates of the Admin Account.

1. Issue - application identifier was not found

Possible resolutions:
      Make sure the "CPM IP or DNS" in the N2WS config is set to the public IP and matches the URL in the Azure AD configuration.

2. Issue - redirected to logout
Possible resolutions:
      The claim name is case sensitive - make sure it is cpm_user_groups and not Cpm_user_groups, for example.

3. You can find additional SAML login issues here: identity provider user log in issues
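
A diagnostic for the claim pitfalls covered in this guide (claim name case, group ID versus group name, more than one matching group, signing algorithm), added here as an example and not N2WS code. The function names, the sample group names and the constructed sample response are assumptions; feed it the base64 SAMLResponse captured from your own test login.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLAIM = "cpm_user_groups"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def check_response(b64_response, n2ws_groups):
    """Diagnose a base64 SAMLResponse from your own test login.
    Inspection only: the signature is NOT verified here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings, values, seen = [], [], False
    for sm in root.iterfind(".//ds:SignatureMethod", NS):
        if sm.get("Algorithm") != RSA_SHA256:
            findings.append("signing algorithm is not SHA-256")
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name", "")
        if name == CLAIM:
            seen = True
            values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        elif name.lower() == CLAIM:  # e.g. Cpm_user_groups
            seen = True
            findings.append(f"claim {name!r} has wrong case, must be {CLAIM!r}")
    if not seen:
        findings.append(f"claim {CLAIM!r} is missing")
    matched = [v for v in values if v in n2ws_groups]  # exact match (assumption)
    if len(matched) > 1:
        findings.append(f"user maps to {len(matched)} N2WS groups, only ONE is allowed")
    if values and not matched:
        for v in values:
            hint = " (Azure group ID: name the N2WS group with this ID)" if GUID.match(v) else ""
            findings.append(f"no N2WS group named {v!r}{hint}")
    return findings

def sample_response(claim, values, alg=RSA_SHA256):
    """Constructed, unsigned sample response for offline testing."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    xml = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}"><saml:Assertion>'
           f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/>'
           f'</ds:SignedInfo></ds:Signature><saml:AttributeStatement>'
           f'<saml:Attribute Name="{claim}">{vals}</saml:Attribute>'
           f'</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

An empty result means the response passes these checks; it says nothing about signature validity or the other settings in this guide.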

Thanks for reading this guide,
N2WS Support Team.