How-To integrate N2WS Backup & Recovery 3.0 with Azure Active Directory
Background:
This How-To guide provide details about the configuration required in order to integrate N2WS Backup & Recovery 3.0.x/3.1.x with Azure Active Directory SSO,
It shows an example on how to create and configure Enterprise application in Azure and what configurations are required in N2WS Backup & Recovery.
- Please check the following link if ldp integration is supported for your version pricing & feature
- For additional information about IdP integration, read our user guide: Link: Documentation
The configuration has the following steps you must configure to get this working correctly:
- Create enterprise app in azure AD
- Configure claims in Azure AD
- Configure ldp in N2WS Backup & Recovery
- Create a group in N2WS Backup & Recovery
- Upload certificate to N2WS Backup & Recovery
Please see below configuration and troubleshooting sections.
Configuration
For this guide i have created a test Azure AD account and have created one user & group in it.
1. First we will start with configuration at Azure AD side,
First you need users & group, once you have a user/group next steps is to create "Enterprise application" (you should see link to create at the bottom)
2. Next select “Non-gallery application” and insert a name
3. Now click on "Assign a user"
4. Add your user
5. Now that we have assigned a user, go back to overview and then click on “Set up a single sign on” -> SAML
6. You will reach the setup page which has multiple sections, Fill up the parameters as follow:
Section 1: Basic SAML Configuration
Set the following configurations:
| Attribute | Value |
| Identifier (Entity ID) | https://<CPM_Address>/remote_auth/metadata |
| Reply URL (Assertion Consumer Service URL) | https://<CPM_Address>/remote_auth/complete_login/ |
| Logout Url | https://<CPM_Address>/remote_auth/complete_logout/ |
For Example:
Section 2: User Attributes & Claims
Add the following claims:
| Claim name | Example source attribute |
| cpm_user_groups | Group ID |
| nameidertifier | user.userprincipalname |
For Example:
Note about groups: The claim "cpm_user_groups" should contain the name of the groups the user belongs to.
CPM will then receive this information from Azure, it will check the content of cpm_user_groups and will compare it to the groups configured in CPM.
In Azure AD if you configure cpm_user_groups = user.groups, this will mean that Azure will populate the claim with the group ID's and not the group name!
so in this configuration/scenario, you need to create group in CPM where the name = the group ID in azure
For example:
For this group and configuration in Azure AD
There will be this group in CPM
Note: An IdP user logging onto N2WS can belong to only ONE N2WS group
Note: claims are case sensitive, for example 'cpm_user_groups' must be with lower case
Section 3: SAML Signing Certificate
Check that "Signing Algorithm" = SHA-256 and download the Certificate(Base64)
We will upload the certificate later to N2WS Backup & Recovery
Section 4:
We will use this information for the N2WS Backup & Recovery configuration later.
7. Now switch to N2WS Backup & Recovery console, login with Admin user
8. Click on cog icon -> Open "Identity provider" area.
9. Go to Settings tab and set the following
| Parameter | value |
| CPM IP or DNS | This should point to the public IP or DNS |
| Entity ID | Copy from Azure SSO setup - section 4 |
| Sign in URL | Copy from Azure SSO setup - section 4 |
| Sign Out URL | Copy from Azure SSO setup - section 4 |
| X509 cert | Upload the certificate from Azure AD |
Notes: use IdP’s login url for both sign in & sign out, and if you used DNS in Azure setting you need to be consistent and select DNS hereFor Example:
9. Switch to Groups and create the Groups for the users.
The name of the group should match the name that will be passed in cpm_user_groups claim
For Example:
For this group in Azure (which the user is member of):
I Will create this group in CPM
When you create the group, you select the user type for users in that groups and the limitations/permissions
For example the below group will have users that are delegate of Admin Account
Troubleshooting
1. issue - application identifier was not found
Possible resolutions:
Make sure the "CPM IP or DNS" in N2WS config is set to public ip and match the URL in Azure AD configuration
2. issue - redirected to logout
possible resolutions:
Claim name is case sensitive - make sure it is cpm_user_groups and not Cpm_user_groups for example.
3. You can find additional SAML login issues here: identity provider user log in issues
Thanks for reading this guide,
N2WS Support Team.
Related Articles
How-To integrate N2WS Backup & Recovery 2.7.0a with Azure Active Directory
Background: This How-To guide provide details about the configuration required in order to integrate N2WS Backup & Recovery 2.7.0a with Azure Active Directory SSO, It shows an example on how to create and configure Enterprise application in Azure and ...How to Integrate CPM with ADFS to allow Idp logins from windows AD users
Background: This How-To guide will outline how to configure CPM and a windows ADFS server to allow IdP logins. Before you get started you will need to check the prerequisites. This is very important. If they are not met or the Domain and any of the ...Getting started with N2WS version 3.0.x
Background In this guide you can find few materials such as videos, documents and Articles to help you get started with N2WS backup & recovery version 3.0.0. For the full information about the product, please have a look at our N2WS ...How To Integrate Okta SSO IdP with CPM 3.0 and above
Background: This document details the steps needed to configure Okta Single Sign On IdP and N2WS Cloud Protection Manager 3.0+. This KB will walk through configuring a new application in Okta to use with CPM as well as configuring CPM with Okta's ...minimal Azure permissions/roles for n2WS operations
In version 4.0 we added support for the Azure cloud, you can find the required IAM permissions json attached to this KB article. The steps for adding permissions are: 1. Create custom role based on the attached permissions 2. Create app ...