Configuring SAML Authentication Settings
Organizations who use single sign-on (SSO) in their IT infrastructure can allow users to access the Veeam Backup Enterprise Manager website and vSphere Self-Service Backup Portal with their SSO credentials. To do this, the Enterprise Manager administrator must configure SAML authentication settings.
If SAML authentication is enabled, users can log in to vSphere Self-Service Backup Portal under SSO accounts only.
To configure SAML authentication settings:
- Log in to Veeam Backup Enterprise Manager using an administrative account.
- To open the Configuration view, click Configuration in the top right corner.
- Open the Settings section of the Configuration view.
- Click the SAML Authentication tab.
- Select the Enable SAML 2.0 option.
- In the Identity Provider Configuration section, specify IdP settings. For more information, see Specifying Identity Provider Settings.
- [Optional] If you want to use a certificate to encrypt and sign SP SAML requests, specify certificate settings. For more information, see Selecting SP Certificate.
- [Optional] Click the Advanced Settings link and specify advanced SAML authentication settings. For more information, see Specifying Advanced SAML Authentication Settings.
- In the Enterprise Manager Configuration section, export or manually copy metadata of the SP (the Veeam Backup Enterprise Manager website or vSphere Self-Service Backup Portal) for which you configure SSO. Use the metadata to register the SP in the IdP. For more information, see Obtaining Service Provider Settings.
- Click Save.
After you configure SAML authentication settings, you can register user accounts that will be able to log in to the Veeam Backup Enterprise Manager website or vSphere Self-Service Backup Portal using SSO. For more information, see Managing Accounts and Roles and Managing Tenant Accounts.
To set up SAML authentication, you must obtain IdP SAML authentication settings from the IdP and specify them in Enterprise Manager. You can specify IdP settings in one of the following ways:
- Import IdP settings from a SAML metadata file obtained from the IdP.
- Specify IdP settings manually.
To import IdP settings from the SAML metadata file, in the Identity Provider Configuration section of the SAML Authentication view, click the Import from File link and browse to the metadata file. The metadata file structure must conform to the SAML 2.0 Metadata Schema.
Alternatively, you can specify IdP settings manually:
- In the Identity Provider Configuration section, in the Entity ID field, specify a unique ID of the IdP.
- In the Login URL field, specify the URL of the single sign-on login page provided by the IdP.
- From the Binding list, select a SAML binding used by the IdP to send SAML responses: HttpRedirect or HttpPost.
- In the IdP certificate field, specify a certificate that will be used to validate the signature of the signed authentication assertions and decrypt assertions sent by the IdP.
Veeam Backup Enterprise Manager does not support IdP certificate rollover.
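The import path above accepts any file that conforms to the SAML 2.0 Metadata Schema, and the manual path asks for exactly four values from it. The following added example (not Veeam's code) shows where those four values live in an IdP metadata file: it parses an md:EntityDescriptor, pulls out the entityID, the SingleSignOnService endpoints with their HttpRedirect/HttpPost bindings, and the signing certificate(s) from the KeyDescriptor elements, and it warns when the IdP publishes more than one signing certificate, which is how an IdP advertises certificate rollover and is exactly the case the note above says is not supported. The hostnames and certificate bodies in the sample are constructed placeholders.

```python
# Added example: read the IdP settings Enterprise Manager asks for out of
# SAML 2.0 IdP metadata. Not Veeam code; sample data below is constructed.
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# SAML binding URIs mapped to the two names offered in the Binding list
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HttpRedirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HttpPost",
}


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entity_id, sso_endpoints [(binding, url)], signing_certs (DER bytes), warnings."""
    # ElementTree does not resolve external entities, but for metadata from an
    # untrusted source prefer defusedxml in production.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element must be md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute is missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    # Login URL + Binding: one SingleSignOnService per supported binding
    endpoints = []
    for svc in idp.findall("md:SingleSignOnService", NS):
        name = BINDINGS.get(svc.get("Binding", ""))
        if name and svc.get("Location"):
            endpoints.append((name, svc.get("Location")))
    if not endpoints:
        raise ValueError("no SingleSignOnService with HttpRedirect or HttpPost binding")

    # IdP certificate: KeyDescriptor with use="signing" (or no 'use', which means both)
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if cert.text:
                signing_certs.append(base64.b64decode("".join(cert.text.split())))
    if not signing_certs:
        raise ValueError("no signing certificate: assertion signatures could not be validated")

    warnings = []
    if len(signing_certs) > 1:
        warnings.append("metadata publishes %d signing certificates (rollover in progress); "
                        "only one can be configured, use the one the IdP currently signs with"
                        % len(signing_certs))
    return {"entity_id": entity_id, "sso_endpoints": endpoints,
            "signing_certs": signing_certs, "warnings": warnings}


def _fake_cert(label: str) -> str:
    # Constructed placeholder body, not a real X.509 certificate
    return base64.b64encode(label.encode()).decode()


def sample_metadata(extra_cert: bool = False) -> str:
    """Constructed IdP metadata for the demonstration (hostnames are placeholders)."""
    second = ""
    if extra_cert:
        second = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
                  f"<ds:X509Certificate>{_fake_cert('cert-2')}</ds:X509Certificate>"
                  "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")
    return f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_fake_cert('cert-1')}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>{second}
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    settings = parse_idp_metadata(sample_metadata(extra_cert=True))
    print(settings["entity_id"], settings["sso_endpoints"], settings["warnings"])
```

Running the parser over metadata exported from a real IdP gives the values to type into the Entity ID, Login URL, Binding and IdP certificate fields; when it reports more than one signing certificate, pick the one the IdP is currently signing with, since the settings hold a single certificate and a rollover will require updating it by hand.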
If you want to sign and encrypt authentication requests sent from Veeam Backup Enterprise Manager to the IdP, you must select a certificate with a private key that will be used for encryption and signing. To select a certificate:
- In the Enterprise Manager Configuration section of the SAML Authentication view, click the Select link next to the Certificate field.
- In the Select Service Provider Certificate window, Veeam Backup Enterprise Manager will display certificates located in the certificate store on the Enterprise Manager server. Choose the necessary certificate from the list and click Select.
If you use a certificate to sign and encrypt SAML authentication requests, you must pass the public key certificate to the IdP. The IdP will use this certificate to encrypt requests and validate the request signature. For more information, see Obtaining Service Provider Settings.
Consider the following:
To specify advanced settings for SAML authentication:
- To include in the SP SAML metadata a security certificate required to decrypt SP authentication requests and validate the signature of the signed requests, in the Service Provider Settings section of the SAML Advanced Settings window, select the Include encryption certificate in metadata and Include signing certificate in metadata check boxes.
- From the Minimum accepted incoming signing algorithm and Outbound sign algorithm lists, select what type of signed requests and responses Enterprise Manager will be able to send and receive. By default, the SHA256 option is selected. With this option selected, Enterprise Manager will send and receive requests and responses signed using the SHA256 or stronger algorithm.
- By default, to provide for single sign-on authentication for groups of users, Veeam Backup Enterprise Manager accepts information about groups from the IdP in statements of the Group type. If it is required to use for this purpose statements of a different type, in the Group claim type field, specify the necessary type.
- If you want to sign authentication requests sent from Enterprise Manager to the IdP with a digital certificate, in the Identity Provider Settings section, select the Sign AuthnRequests to IdP check box.
- From the Authentication context comparison list, select a comparison method for authentication context: Exact, Minimum, Maximum or Better.
- From the Authentication context class list, select one of the classes to specify an authentication method used by the Identity Provider. For example, for VMware Platform Services Controller, select PasswordProtectedTransport. By default, the Password option is selected.
- Click Apply.
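The Minimum accepted incoming signing algorithm setting is a downgrade guard: a response signed with a weaker algorithm than the configured minimum is rejected before any signature is checked. The following added example (not Veeam's code) shows what that check amounts to. It reads the ds:SignatureMethod Algorithm URI from every signature in a SAML response, ranks it against a minimum given as SHA1/SHA256/SHA384/SHA512, and reports why a response fails. The sample response is a constructed skeleton carrying only the signature metadata; the algorithm URIs themselves are the standard XML Signature identifiers.

```python
# Added example: enforce a minimum accepted signing algorithm on a SAML response.
# Not Veeam code; the response skeleton below is constructed for illustration.
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"

# Signature algorithm URIs ranked by digest strength; the rank of the configured
# minimum is the lowest rank still accepted
SIG_STRENGTH = {RSA_SHA1: 1, RSA_SHA256: 2, RSA_SHA384: 3, RSA_SHA512: 4}
MIN_LABELS = {"SHA1": 1, "SHA256": 2, "SHA384": 3, "SHA512": 4}


def signature_algorithms(xml_text: str) -> list:
    """Algorithm URIs of every XML signature in the document (Response and Assertion level)."""
    root = ET.fromstring(xml_text)
    return [sm.get("Algorithm", "")
            for sm in root.findall(".//ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)]


def meets_minimum(xml_text: str, minimum: str = "SHA256") -> tuple:
    """(accepted, reason). Only the algorithm is gated here; the cryptographic
    verification of each signature is a separate, mandatory step."""
    floor = MIN_LABELS[minimum]
    algs = signature_algorithms(xml_text)
    if not algs:
        return False, "unsigned"
    for alg in algs:
        rank = SIG_STRENGTH.get(alg)
        if rank is None:
            return False, f"unknown algorithm {alg}"
        if rank < floor:
            return False, f"{alg} is weaker than {minimum}"
    return True, ",".join(algs)


def sample_response(alg: str) -> str:
    """Constructed, minimal SAML Response carrying only a signature envelope."""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed1">'
            f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
            f'<ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo>'
            '<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature></samlp:Response>')


if __name__ == "__main__":
    for alg in (RSA_SHA1, RSA_SHA256, RSA_SHA512):
        print(alg.rsplit("#", 1)[1], meets_minimum(sample_response(alg), "SHA256"))
```

With the default minimum of SHA256, a response signed with rsa-sha1 is refused even if its signature would otherwise verify, which is the behaviour the setting buys you; lowering the minimum to SHA1 should only ever be a temporary accommodation for an IdP that cannot yet sign with SHA-2.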
To set up SAML authentication, on the IdP side, you must register each service provider for which you configure SSO. To do this, you need to pass SP settings to the IdP.
You can obtain SP settings in one of the following ways:
- Export SP settings to an XML file. The file conforms to the SAML 2.0 Metadata Schema. To export SP settings, in the Enterprise Manager Configuration section of the SAML Authentication tab, click the Download link next to the necessary SP: the Veeam Backup Enterprise Manager website, vSphere Self-Service Backup Portal or both.
If you plan to use a certificate to sign and encrypt SAML authentication requests, and need to pass the public key certificate to the IdP, you must include the certificate in the metadata file. For more information, see Specifying Advanced SAML Authentication Settings.
- Copy SP settings manually. To do this, click the Copy Link links next to the SP Entity ID / Issuer and Assertion consumer URL fields. If you have selected a certificate that will be used to sign and encrypt SAML authentication requests, you must also pass the public key certificate to the IdP. To copy the certificate, click the Download link next to the Certificate field.
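Whether you download the metadata file or copy the fields by hand, the IdP ends up registering the same three things: the SP Entity ID / Issuer, the Assertion consumer URL, and, if you sign or encrypt, the public certificate(s). The following added example (not Veeam's code) builds an SP metadata document with those parts so the relationship between the fields on this tab and the XML the IdP receives is visible: the Include signing certificate / Include encryption certificate check boxes correspond to KeyDescriptor elements with use="signing" and use="encryption", and the Sign AuthnRequests to IdP check box corresponds to the AuthnRequestsSigned attribute. The entity ID, ACS URL and certificate bodies are constructed placeholders; the actual values come from the Enterprise Manager Configuration section.

```python
# Added example: build and read back SP metadata of the shape an IdP expects
# when registering a service provider. Not Veeam code; values are placeholders.
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_sp_metadata(entity_id: str, acs_url: str, signing_cert_der: bytes = None,
                      encryption_cert_der: bytes = None, sign_authn_requests: bool = False) -> str:
    """Return SP metadata (md:EntityDescriptor / md:SPSSODescriptor) as an XML string."""
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
                       AuthnRequestsSigned="true" if sign_authn_requests else "false")
    # One KeyDescriptor per included certificate; omit a certificate by passing None
    for use, der in (("signing", signing_cert_der), ("encryption", encryption_cert_der)):
        if der is None:
            continue
        kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use=use)
        ki = ET.SubElement(kd, f"{{{DS}}}KeyInfo")
        x509 = ET.SubElement(ki, f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = base64.b64encode(der).decode()
    # Assertion consumer URL: where the IdP posts the SAML response
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=HTTP_POST,
                  Location=acs_url, index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


def summarize_sp_metadata(xml_text: str) -> dict:
    """Read back the registration-relevant fields, as an IdP administrator would see them."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = sp.find("md:AssertionConsumerService", NS)
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        certs[kd.get("use")] = base64.b64decode("".join(cert.text.split()))
    return {"entity_id": root.get("entityID"),
            "acs_url": acs.get("Location") if acs is not None else None,
            "acs_binding": acs.get("Binding") if acs is not None else None,
            "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
            "certs": certs}


if __name__ == "__main__":
    # Placeholder SP identity; the real values are shown on the SAML Authentication tab
    xml = build_sp_metadata("https://em.example.test/saml", "https://em.example.test/saml/acs",
                            signing_cert_der=b"constructed-signing-cert",
                            encryption_cert_der=b"constructed-encryption-cert",
                            sign_authn_requests=True)
    print(summarize_sp_metadata(xml))
```

If the IdP reports that it cannot validate signed requests or cannot encrypt assertions for the SP, the first thing to check is whether the corresponding KeyDescriptor is actually present in the metadata it was given, since the certificate is only included when the relevant check box was selected before the download.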