How-To Integrate N2WS Backup & Recovery 3.x/4.x with Azure Active Directory

How-To Integrate N2WS Backup & Recovery 3.x/4.x with Azure Active Directory

Background:

This How-To guide provide details about the configuration required in order to integrate N2WS Backup & Recovery 3.x/4.x with Azure Active Directory SSO,
It shows an example on how to create and configure Enterprise application in Azure and what configurations are required in N2WS Backup & Recovery.

  1. Please check the following link if ldp integration is supported for your version pricing & feature
  1. For additional information about IdP integration, read our user guide:  Link: Documentation

The configuration has the following steps you must configure to get this working correctly: 
  1. Create enterprise app in azure AD
  2. Configure claims in Azure AD
  3. Configure ldp in N2WS Backup & Recovery
  4. Create a group in N2WS Backup & Recovery
  5. Upload certificate to N2WS Backup & Recovery

Please see below configuration and troubleshooting sections.

Configuration

For this guide i have created a test Azure AD account and have created one user & group in it.

1. First we will start with configuration at Azure AD side, 
    First you need users & group, once you have a user/group next steps is to create "Enterprise application" (you should see link to create at the bottom)
      

2. Next select “Non-gallery application” and insert a name
      

3. Now click on "Assign a user"
      

4. Add your user
      

      

5. Now that we have assigned a user, go back to overview and then click on Set up a single sign on” -> SAML
      

6. You will reach the setup page which has multiple sections, Fill up the parameters as follow:

  Section 1: Basic SAML Configuration
  Set the following configurations: 
Attribute
Value
Identifier (Entity ID)
https://<CPM_Address>/remote_auth/metadata
Reply URL (Assertion Consumer Service URL)
https://<CPM_Address>/remote_auth/complete_login/
Logout Url
https://<CPM_Address>/remote_auth/complete_logout/
For Example:


  Section 2: User Attributes & Claims
  Add the following claims:
Claim name
Example source attribute
cpm_user_groups
Group ID
nameidentifier
user.userprincipalname

For Example:

Note about groups: The claim  "cpm_user_groups" should contain the name of the groups the user belongs to.
CPM will then receive this information from Azure, it will check the content of cpm_user_groups and will compare it to the groups configured in CPM.

In Azure AD if you configure cpm_user_groups = user.groups, this will mean that Azure will populate the claim with the group ID's and not the group name!
so in this configuration/scenario, you need to create group in CPM where the name = the group ID in azure
For example:
For this group and configuration in Azure AD
 


There will be this group in CPM

Note: An IdP user logging onto N2WS can belong to only ONE N2WS group
Note: claims are case sensitive, for example 'cpm_user_groups' must be with lower case


  Section 3: SAML Signing Certificate
  Check that "Signing Algorithm" = SHA-256 and download the Certificate(Base64) 
  We will upload the certificate later to N2WS Backup & Recovery

  Section 4: 
  We will use this information for the N2WS Backup & Recovery configuration later.

7. Now switch to N2WS Backup & Recovery console, login with Admin user
8. Click on cog icon  -> Open "Identity provider" area.
  

9. Go to Settings tab and set the following    
Parameter
value
CPM IP or DNS
This should point to the public IP or DNS
Entity ID
Copy from Azure SSO setup - section 4
Sign in URL
Copy from Azure SSO setup - section 4
Sign Out URL
Copy from Azure SSO setup - section 4
X509 cert
Upload the certificate from Azure AD
 
Notes: use IdP’s login url for both sign in & sign out, and if you used DNS in Azure setting you need to be consistent and select DNS here
For Example:


9. Switch to Groups and create the Groups for the users.
The name of the group should match the name that will be passed in cpm_user_groups claim

For Example:
For this group in Azure (which the user is member of):


I Will create this group in CPM

 
When you create the group, you select the user type for users in that groups and the limitations/permissions
  For example the below group will have users that are delegate of Admin Account




  Troubleshooting
1. issue - application identifier was not found
      

Possible resolutions: 
      Make sure the "CPM IP or DNS" in N2WS config is set to public ip and match the URL in Azure AD configuration

2. issue - redirected to logout
      
possible resolutions: 
      Claim name is case sensitive - make sure it is cpm_user_groups and not Cpm_user_groups for example.


3. You can find additional SAML login issues here: identity provider user log in issues


Thanks for reading this guide,
N2WS Support Team.