How-To integrate N2WS Backup & Recovery 2.7.0a with Azure Active Directory

Background:

This How-To guide provides details about the configuration required to integrate N2WS Backup & Recovery 2.7.0a with Azure Active Directory SSO.
It shows an example of how to create and configure an Enterprise application in Azure and which configurations are required in N2WS Backup & Recovery.

  1. Please check the following link to see whether IdP integration is supported for your version: pricing & features
  2. For additional information about IdP integration, read our user guide: User Guide - Chapter 19: CPM IdP integration (it is recommended to read this as well)
  3. If you are using Okta instead of Azure AD, use this How-To guide instead: how to integrate Okta SSO

The configuration has the following steps, all of which must be completed to get this working correctly:
  1. Create an enterprise app in Azure AD
  2. Configure claims in Azure AD
  3. Configure the IdP in N2WS Backup & Recovery
  4. Create a group in N2WS Backup & Recovery
  5. Upload the certificate to N2WS Backup & Recovery

Please see the configuration and troubleshooting sections below.

Configuration

For this guide I have created a test Azure AD account and created one user and one group in it.

1. We will start with the configuration on the Azure AD side.
    You first need a user and a group; once you have them, the next step is to create an "Enterprise application" (you should see the link to create one at the bottom).

2. Next, select "Non-gallery application" and enter a name.
      

3. Now click on "Assign a user".
      

4. Add your user.
      

      

5. Now that we have assigned a user, go back to the overview and click on "Set up single sign-on" -> SAML.
      

6. You will reach the setup page, which has multiple sections. Fill in the parameters as follows:

Section 1: Basic SAML Configuration

  Attribute                                    Value
  Identifier (Entity ID)                       https://<CPM_Address>/remote_auth/metadata
  Reply URL (Assertion Consumer Service URL)   https://<CPM_Address>/remote_auth/complete_login/
  Logout Url                                   https://<CPM_Address>/remote_auth/complete_logout/

Section 2: User Attributes & Claims

  Claim name         Example source attribute
  cpm_user_groups    Group ID
  nameidentifier     user.userprincipalname

      ***Note: An IdP user logging onto N2WS can belong to only one N2WS group

Section 3: SAML Signing Certificate
Check that "Signing Algorithm" = SHA-256 and download the Certificate (Base64).
We will upload this certificate to N2WS Backup & Recovery later.

Section 4: Set up N2WS Cloud Protection Manager
We will use the information in this section for the N2WS Backup & Recovery configuration later.

7. Now switch to the N2WS Backup & Recovery console and log in with the Admin user.
8. Click on "General Settings", scroll to the bottom and open the "Identity provider" area.
      

  Parameter        Value
  CPM IP or DNS    This should point to the public IP or DNS
  Entity ID        Copy from Azure SSO setup - section 4
  Sign in URL      Copy from Azure SSO setup - section 4
  Sign Out URL     Copy from Azure SSO setup - section 4
  X509 cert        Upload the certificate downloaded from Azure AD

      ***Use the IdP's login URL for both Sign in URL and Sign Out URL.

9. You also need to add a group by clicking on "+ Add New Group".
The name of the group must match the group ID (object ID) in Azure AD, for example:
     
     

When you create the group, you select the user type for the users in that group and their limitations/permissions, for example:
      

Troubleshooting

1. Issue - "application identifier was not found"

Possible resolutions:
      Make sure the "CPM IP or DNS" in the N2WS configuration is set to the public IP or DNS name and matches the URLs in the Azure AD configuration (Entity ID and Reply URL).

2. Issue - redirected to logout

Possible resolutions:
      The claim name is case sensitive - make sure it is cpm_user_groups and not, for example, Cpm_user_groups.


3. You can find additional SAML login issues here: identity provider user login issues
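As an added troubleshooting aid (this script is not part of the original guide or of the N2WS product), the Python code below checks a decoded SAML response from Azure AD against the values this guide asks you to configure: the Audience must equal the Identifier (Entity ID), the Destination must equal the Reply URL, the group claim must be spelled exactly cpm_user_groups and carry a single group value, a NameID must be present, and the signing algorithm should be RSA-SHA256. The sample response, the address cpm.example.com and the group ID in it are constructed for illustration; the script does not verify the XML signature itself, it only reports which algorithm the IdP used. Running it covers the two troubleshooting items above (address mismatch and claim-name casing) without touching either Azure AD or the N2WS server.

```python
"""Offline check of a SAML response against the N2WS / Azure AD settings
described in this guide. Example code added to the guide, not N2WS code."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
GROUP_CLAIM = "cpm_user_groups"  # must match exactly; the claim name is case sensitive


def expected_urls(cpm_address):
    """The three URLs from Section 1 of the Azure setup, built from <CPM_Address>."""
    base = f"https://{cpm_address}"
    return {
        "entity_id": f"{base}/remote_auth/metadata",
        "acs": f"{base}/remote_auth/complete_login/",
        "logout": f"{base}/remote_auth/complete_logout/",
    }


def check_saml_response(xml_text, cpm_address):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    urls = expected_urls(cpm_address)
    findings = []
    root = ET.fromstring(xml_text)

    # Destination must be the Reply URL (ACS) configured in Azure AD.
    dest = root.get("Destination")
    if dest != urls["acs"]:
        findings.append(f"Destination {dest!r} != Reply URL {urls['acs']!r}; "
                        "check 'CPM IP or DNS' and the Azure Reply URL")

    # Audience must be the Identifier (Entity ID) configured in Azure AD.
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if urls["entity_id"] not in audiences:
        findings.append(f"Audience {audiences} lacks Entity ID {urls['entity_id']!r}")

    # Collect all attributes (claims) and their values.
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    if GROUP_CLAIM not in attrs:
        near = [n for n in attrs if n and n.lower() == GROUP_CLAIM]
        if near:
            findings.append(f"Group claim spelled {near[0]!r}; expected exactly "
                            f"{GROUP_CLAIM!r} (claim name is case sensitive)")
        else:
            findings.append(f"Group claim {GROUP_CLAIM!r} missing from the assertion")
    elif len(attrs[GROUP_CLAIM]) != 1:
        findings.append(f"{GROUP_CLAIM!r} has {len(attrs[GROUP_CLAIM])} values; "
                        "an IdP user may belong to only one N2WS group")

    # NameID (the nameidentifier claim) must be present and non-empty.
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    if nameid is None or not (nameid.text or "").strip():
        findings.append("NameID missing or empty")

    # Report the signing algorithm; the guide asks for SHA-256.
    sig = root.find(".//ds:SignatureMethod", NS)
    alg = sig.get("Algorithm") if sig is not None else None
    if alg != RSA_SHA256:
        findings.append(f"Signature algorithm {alg!r} is not RSA-SHA256")
    return findings


# Constructed sample response (tenant ID, group ID and address are placeholders).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://cpm.example.com/remote_auth/complete_login/">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://cpm.example.com/remote_auth/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="cpm_user_groups">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response with the two mistakes from the troubleshooting section:
# wrong claim-name casing and a private-IP Destination.
BAD_RESPONSE = (GOOD_RESPONSE
                .replace('Name="cpm_user_groups"', 'Name="Cpm_user_groups"')
                .replace("https://cpm.example.com/remote_auth/complete_login/",
                         "https://10.0.0.5/remote_auth/complete_login/"))

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_saml_response(resp, "cpm.example.com") or "OK")
```

To use it on a real login, paste the base64-decoded SAMLResponse captured by your browser's developer tools into GOOD_RESPONSE's place and pass the same "CPM IP or DNS" value you entered in N2WS; any finding points at the setting to correct.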


Thanks for reading this guide,
N2WS Support Team.