5/28/2017 HowtoinstallandconfigureActiveDirectoryFederationServicesforDruvainSyncCloudSAMLintegrationDruvaDocumentation

Documentation Forums Knowledge Support Login

Chat Now Submit Case

How can we help you?

Home Knowledge
Expand/collapse global Base inSync
hierarchy How To Expand/co

How to install and con gure Active Directory Federation Services for Druva inSync Cloud
SAML integration
Last updated: 22:29, 27 Apr 2017

Share
Table of contents

Summary
This document describes step by step installation and con guration of Active Directory Federation Services (ADFS) 2.0 for Druva inSync cloud SAML integration. The
document has following sub sections:

Overview

Installing ADFS 2.0

Con guring ADFS to integrate with Druva inSync cloud

Overview
In this section we will list the components involved and how are we going to achieve it. The components involved in this scenario are :

Druva inSync Cloud.

ADFS 2.0 as IDP used for user authentication

The user authentication here will be as follows :

1. User opens the Druva inSync cloud web restore URL.

2. The user provides email ID along with SAML option selected into the web browser and requests login to web restore site.
3. ADFS returns a SAML assertion to users web browser.
4. User provides AD account name and password. This is a onetime activity.
5. The browser automatically submits the assertion to Druva inSync Cloud who logs the user in.

Installing ADFS 2.0

Active Directory Federation Services (ADFS) 2.0 software must be installed on any computer that you are preparing for the federation server role or the federation
server proxy role. You can install this software by either using the ADFS 2.0 Setup Wizard or by performing a quiet installation using the adfssetup.exe /quiet parameter
at a command line.

Installation Pre-requisites
Whichever method you choose to install ADFS 2.0, the installation process will attempt to automatically check for and if necessary, install the following prerequisite
applications and hot- xes:

Windows Hot x(KB968389) - Installed only on Windows Server 2008 computers

Windows Hot x (KB970430) - Installed only on Windows Server 2008 computers
Windows Hot x (KB973917) - Installed only on Windows Server 2008 computers
Windows Hot x (KB975955) - Installed only on Windows Server 2008 computers

Windows Hot x (KB981002) - Installed only on Windows Server 2008 R2 computers

Windows Hot x (KB981201) - Installed only on Windows Server 2008 computers
Windows Hot x (KB981202) - Installed only on Windows Server 2008 computers
Windows Hot x (KB981205) - Installed only on Windows Server 2008 computers
Microsoft
How can we help you?
.NET Framework 3.5 Service Pack 1 (SP1) - Installed only on Windows Server 2008 R2 computers Sign
in
Internet Information Services (IIS) 7
https://docs.druva.com/Knowledge_Base/inSync/How_To/How_to_install_and_configure_Active_Directory_Federation_Services_for_Druva_inSync_Clou 1/10
5/28/2017 HowtoinstallandconfigureActiveDirectoryFederationServicesforDruvainSyncCloudSAMLintegrationDruvaDocumentation
Internet Information Services (IIS) 7
Windows Identity Foundation (WIF)
Windows PowerShell

Membership in Administrators or equivalent on the local computer is the minimum required to complete this procedure.

To install the ADFS 2.0 software using the setup wizard

1.Download the ADFS 2.0 software by saving theAdfsSetup.exesetup le onto the computer. To download this le, go to Active Directory Federation Services 2.0 RTW
(http://go.microsoft.com/fwlink/?LinkId=151338).

2.Locate theAdfsSetup.exesetup le that you downloaded to the computer and then double-click it.

3.On theWelcome to the ADFS 2.0 Setup Wizardpage, clickNext.

4.On theEnd-User License Agreementpage, read the license terms.

5.If you agree to the terms, select theI accept the terms in the License Agreementcheck box and then clickNext.

6.On theServer Rolepage, select one of the following options, depending on the role for which you will con gure this computer.

To install ADFS 2.0 and to begin the process of con guring it for the federation server role, selectFederation serverand then clickNext.
To install ADFS 2.0 and begin the process of con guring it for the federation server proxy role, selectFederation server proxyand then clickNext.

7.On theInstall Prerequisite Softwarepage, clickNext.

After you clickNext, you see theInstalling ADFS 2.0page.

Note:The installation process can take up to 20 minutes to complete, depending on how many of the prerequisites are already
installed on the computer.

8.On the completed ADFS 2.0 Setup Wizard page, verify that the Restart now checkbox is selected and then click Finish to restart the computer.

To install the ADFS 2.0 software using the command-line

1.Download the ADFS 2.0 software by saving theAdfsSetup.exesetup le onto the computer.To download this le, go to Active Directory Federation Services 2.0 RTW
(http://go.microsoft.com/fwlink/?LinkId=151338).

2.Locate theAdfsSetup.exesetup le that you downloaded to the computer and then open a command prompt and change directories to the location of the setup le.

3.Depending on the role for which you will con gure this computer, choose one of the following options:

To install ADFS 2.0 and automatically con gure it for the federation server role, typeadfssetup.exe /quietand then pressENTER.

Con guring ADFS to integrate with Druva inSync cloud

Once ADFS 2.0 is installed we can now work on to create trust between two parties (Druva inSync cloud and ADFS). To achieve this we will have to con gure ADFS with a
relying party rule. In our case the relying party is Druva inSync cloud.

From the Druva inSync cloud perspective, we will have to con gure it to trust the ADFS 2.0 that is sending us claims and then we have to set up a web application and site
thats going to consume those claims.

Create a new federation service

We will start with hosting a new federation service. For those who already have the service hosted can skip this part.

1.On the ADFS 2.0 server click on start > Administrative Tools > Select ADFS 2.0 Management. This will open the management console for ADFS 2.0

2.In the right panel under the overview section click to select ADFS 2.0 Federation server con guration wizard.

3.Select Create New Federation Service" and click on Next (see image below).

How can we help you? Sign

in
https://docs.druva.com/Knowledge_Base/inSync/How_To/How_to_install_and_configure_Active_Directory_Federation_Services_for_Druva_inSync_Clou 2/10
5/28/2017 HowtoinstallandconfigureActiveDirectoryFederationServicesforDruvainSyncCloudSAMLintegrationDruvaDocumentation

4.Under select deployment Type select Stand-alone Federation Server.

5.Select the certi cate which you have created for ADFS 2.0 server and upload it. Click on next to see the summary.

6.Click on nish to create the Federation server.

Creating Relying Party

Once we have the Federation server setup we will further create a relying party (which will be Druva inSync cloud).

1.In the ADFS 2.0 management console expand the Trust relationship node.

2.Click on the Add Relying Party Trust link in the right pane to start the Add Relying Party Trust wizard (see image below).

3.Click the Start button to continue. Select the option to enter data about the relying party manually and then click the Next button. (see image below).

4.Enter a Display name and optionally a description for the relying party and then click the Next button. (see the image below).

How can we help you? Sign

in
https://docs.druva.com/Knowledge_Base/inSync/How_To/How_to_install_and_configure_Active_Directory_Federation_Services_for_Druva_inSync_Clou 3/10
5/28/2017 HowtoinstallandconfigureActiveDirectoryFederationServicesforDruvainSyncCloudSAMLintegrationDruvaDocumentation

5.Select the option to use the ADFS 2.0 pro le and then click the Next button. (see image below).

6.You can select a certi cate to encrypt the SAML token itself. This isnt done frequently because ADFS will require our connection to Druva inSync be made over SSL, so
the channel on which the token is sent is encrypted already. Click the Next button. (see below image).

7.Select the check box Enable support for the SAML 2.0 WebSSO 2.0 protocol and provide Relying party SAML 2.0 SSO service URL
ashttps://cloud.druva.com/wrsaml/consume. (see image below) After entering the URL click on next.

8.For the relying party trust identi er you need to enter a realm that your web application will pass to ADFS when users log into the web restore URL. The realm is
associated with a web application and is how ADFS can map the login request thats come in to the relying party trusts it has. Here for us the realm is druva-cloud. Enter
the realm and click the Next button. (see image below).

How can we help you? Sign

in
https://docs.druva.com/Knowledge_Base/inSync/How_To/How_to_install_and_configure_Active_Directory_Federation_Services_for_Druva_inSync_Clou 4/10
5/28/2017 HowtoinstallandconfigureActiveDirectoryFederationServicesforDruvainSyncCloudSAMLintegrationDruvaDocumentation

9.Permit all the users to access the relying party (see below image).

10.If you are needed to make any other con guration changes at this time to the relying party trust you could do it here. Click the Next button to continue. (see image
below)

11.Were done con guring the relying party trust but we still need to create a claim rule to tell ADFS what claims to send back to Druva inSync cloud. We leave the box
checked to Open the Edit Claim Rules dialog and click the Close button.

Create new rule

Next we will have to create claim rules which allow us to authenticate at ADFS using Active Directory.

1.Now we will create a new rule, click the Add Rule button. (See image below). Select Send LDAP Attributes as Claims.

How can we help you? Sign

in
https://docs.druva.com/Knowledge_Base/inSync/How_To/How_to_install_and_configure_Active_Directory_Federation_Services_for_Druva_inSync_Clou 5/10
5/28/2017 HowtoinstallandconfigureActiveDirectoryFederationServicesforDruvainSyncCloudSAMLintegrationDruvaDocumentation

2.We will now start by typing the claim rule which can be any name to identify with. Next, in the attribute store drop down selectActive Directory. Then Select LDAP
attributes and MAP them with outgoing claim type. Here they look as below:

LDAP Attribute Outgoing claim type

E-mail Addresses Name ID

E-mail Addresses E-mail Address

User-Principal-Name Name

See the image below for more details.

3.After youve nished con guring the above rule as described here, click the Finish button to complete the rule.

4.We will now create a custom rule, click Add Rule button. (See image below). Select Send Claims Using a custom Rule.

5.Before we move ahead we need to generate a SSO Token for creating the rule. To generate a SSO token please Navigate to Manage-> Settings -> Single Sign On ->
Generate SSO Token.Copy the token le.

6.Start by typing a name for the Claim rule. Under Customer rule type "=>issue(Type="insync_auth_token",Value ="{value of SSO Token generated from inSync
Console"});" (refer to image below).

How can we help you? Sign

in
https://docs.druva.com/Knowledge_Base/inSync/How_To/How_to_install_and_configure_Active_Directory_Federation_Services_for_Druva_inSync_Clou 6/10
5/28/2017 HowtoinstallandconfigureActiveDirectoryFederationServicesforDruvainSyncCloudSAMLintegrationDruvaDocumentation

7.Click the OK button to complete the process of creating your relying party trust in ADFS.

Con gure Certi cate for ADFS

ADFS uses a certi cate to sign the tokens it sends out. You may con gure a trusted party certi cate or use the self signed cert. This section is optional.

Con guring Single Sign on Settings on Druva inSync inCloud.

1. We need to con gure a few settings on the Druva Cloud instance. To do those please openhttps://cloud.druva.comand login with admin credentials.

2. Navigate to Manage-> Settings->Single Sign-on.

3. Please enter the values as below.

SAML Attribute Description and value

ID Provider Metadata URL Can be left blank

ID Provider Login URL https://{fqdn-name of the ADFS

server}/adfs/ls

ID Provider Logout URL Can be left blank

ID Provider Certi cate This Certi cate can be obtained from the
ADFS server. Please follow the below
procedure to obtain the ID provider
Certi cate.

4. To get the ID provider Certi cate follow the below step.

On the ASFS 2.0 console Click on Certi cates. Under Certi catesClick Onthe certi cate under token-signing(Refer to below image).

How can we help you? Sign

in
https://docs.druva.com/Knowledge_Base/inSync/How_To/How_to_install_and_configure_Active_Directory_Federation_Services_for_Druva_inSync_Clou 7/10
5/28/2017 HowtoinstallandconfigureActiveDirectoryFederationServicesforDruvainSyncCloudSAMLintegrationDruvaDocumentation

On the Certi cate properties window,click on Detail. On Details page ClickCopy to le.This will launch the Welcome to Certi cate import wizard.

ClickNexton the wizard. This will launch the Certi cate Export Wizard. Select DER Encoded binary X.509 (.cer) andClick Next.

Give lename as Cert.cer and save it. The le is in .cer format. We need to convert it into .pem format. For that we can use OpenSSL tool.

Download and install latest version of OpenSSL for windows fromhttp://www.slproweb.com/products/Win32OpenSSL.html.

Note:OpenSSL requiresVisual C++ 2008 Redistributableswhich can be downloaded from the same website.

How can we help you? Sign

in
https://docs.druva.com/Knowledge_Base/inSync/How_To/How_to_install_and_configure_Active_Directory_Federation_Services_for_Druva_inSync_Clou 8/10
5/28/2017 HowtoinstallandconfigureActiveDirectoryFederationServicesforDruvainSyncCloudSAMLintegrationDruvaDocumentation

Save the cert.cer le underC:\OpenSSL-Win32\bin

Open command prompt, navigate toC:\OpenSSL-Win32\bin>, and run the following command.

openssl x509 -inform der -in cert.cer -out cert.pem

Edit the cert.pem le using notepad. The le will show a certi cate in the format

-----BEGIN CERTIFICATE-----

. ..

-----END CERTIFICATE-----"

Copy the certi cate and paste it on the Single Sign on Settings page under ID Provider Certi cate

Single Sign on is now con gured on Druva inSync Cloud using ADFS.

Back to top

How to install an SSL ce How to install inSync Se

Was this article helpful?

Yes No

Recommended articles

How to generate and install an Apple Push Noti cation certi cate How to Install SSL Certi cate from a Trusted CA
Provides instructions to to install SSL Certi cate from a Trusted CA.

Reactivating devices using IMD v2 Troubleshooting backup issue on Phoenix Cloud for VMware server

Article type:
How-to

Tags:
reccomendations, recommended

SUPPORT CONTACTS
SUPPORT COMMUNITY SUPPORT RESOURCES MORE LINKS
Toll Free
Forums Professional Services Druva.com
US/Canada: 1-844-30-37882
Knowledge Training Featured Resources (DRUVA)
My Account Cloud Noti cation Druva Blog Australia: 1-800-823-249
Germany: 0800-181-2229

Druva 2017. All rights reserved. Privacy Policy.

India: 000-800-100-4557
Singapore: 800-852-3060
UK: 0-800-014-8415

International
Worldwide: +1-650-238-6200
EMEA: +44-20-7049-0493
APAC: +65-3158-9943
Feedback

Site FEEDBACK

How can we help you? Sign

in
https://docs.druva.com/Knowledge_Base/inSync/How_To/How_to_install_and_configure_Active_Directory_Federation_Services_for_Druva_inSync_Clou 9/10
5/28/2017 HowtoinstallandconfigureActiveDirectoryFederationServicesforDruvainSyncCloudSAMLintegrationDruvaDocumentation

How can we help you? Sign

in
https://docs.druva.com/Knowledge_Base/inSync/How_To/How_to_install_and_configure_Active_Directory_Federation_Services_for_Druva_inSync_Clo 10/10