Organizations who use a single sign-on service in their IT infrastructure can allow users to access Enterprise Manager without providing a password. To do this, the Enterprise Manager administrator must configure SAML authentication settings.
To configure SAML authentication settings:
- In Veeam Backup Enterprise Manager, open the Settings section of the Configuration view.
- Click the SAML Authentication tab.
- Click the Enable SAML 2.0 check box.
- In the Identity Provider Configuration section, specify IdP settings. For details, see Specifying Identity Provider Settings.
- [Optional] If you want to use a certificate to encrypt and sign SP SAML requests, specify certificate settings. For details, see Selecting SP Certificate.
- [Optional] Click the Advanced Settings link and specify advanced SAML authentication settings. For details, see Specifying Advanced SAML Authentication Settings.
- In the Enterprise Manager Configuration section, specify SP settings. For details, see Specifying Service Provider Settings.
- Click Save.
After you configure SAML authentication settings, you can register user accounts that will be able to log in to Enterprise Manager using a single sign-on service. For details, see Managing Accounts and Roles.
To set up SAML authentication, you must obtain IdP SAML authentication settings from the IdP and specify them in Enterprise Manager. You can specify IdP settings in one of the following ways:
- Import IdP settings from a SAML metadata file obtained from the IdP.
- Specify IdP settings manually.
To import IdP settings from the SAML metadata file, in the Identity Provider Configuration section of the SAML Authentication view, click the Import from File link and browse to the metadata file. The metadata file structure must conform to the SAML 2.0 Metadata Schema.
Alternatively, you can specify IdP settings manually:
- In the Identity Provider Configuration section, in the Entity ID field, specify a unique ID of the IdP.
- In the Login URL field, specify the URL of the single sign-on login page provided by the IdP.
- From the Binding list, select a SAML binding used by the IdP to send SAML responses: HttpRedirect or HttpPost.
- In the IdP certificate field, specify a certificate that will be used to validate the signature of the signed authentication assertions and decrypt assertions sent by the IdP.
Veeam Backup Enterprise Manager does not support IdP certificate rollover.
If you want to sign and encrypt authentication requests sent from Veeam Backup Enterprise Manager to the IdP, you must select a certificate with a private key that will be used for encryption and signing. To select a certificate:
- In the Enterprise Manager Configuration section of the SAML Authentication view, click the Select link next to the Certificate field.
- In the Select Service Provider Certificate window, Veeam Backup Enterprise Manager will display certificates located in the certificate store on the Enterprise Manager server. Choose the necessary certificate from the list and click Select.
If you use a certificate to sign and encrypt SAML authentication requests, you must pass the public key certificate to the IdP. The IdP will use this certificate to encrypt requests and validate the request signature. For more information, see Specifying Service Provider Settings.
Consider the following:
To specify advanced settings for SAML authentication:
- To include in the SP SAML metadata the security certificate the IdP needs to decrypt SP authentication requests and validate the signature of signed requests, in the Service Provider Settings section of the SAML Advanced Settings window, select the Include encryption certificate in metadata and Include signing certificate in metadata check boxes.
- From the Minimum accepted incoming signing algorithm and Outbound sign algorithm lists, select the signing algorithms that Enterprise Manager accepts for incoming responses and uses for outgoing requests. By default, the SHA256 option is selected. With this option selected, Enterprise Manager sends and accepts requests and responses signed using the SHA256 or a stronger algorithm.
- By default, to provide single sign-on authentication for groups of users, Veeam Backup Enterprise Manager accepts information about groups from the IdP in statements of the Group type. If you need to use statements of a different type for this purpose, specify that type in the Group claim type field.
- If you want to sign authentication requests sent from Enterprise Manager to the IdP with a digital certificate, in the Identity Provider Settings section, select the Sign AuthnRequests to IdP check box.
- From the Authentication context comparison list, select a comparison method for authentication context: Exact, Minimum, Maximum or Better.
- From the Authentication context class list, select one of the classes to specify an authentication method used by the Identity Provider. For example, for VMware Platform Services Controller, select PasswordProtectedTransport. By default, the Password option is selected.
- Click Apply.
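To make the Minimum accepted incoming signing algorithm setting concrete, the following added example (not Veeam's code) shows the check it implies: locate the SignatureMethod of a signed SAML message and reject anything weaker than, or not recognised against, the configured floor, before any signature verification is attempted. The response envelope and the algorithm table are constructed for the example; the option names mirror the list on this page.

```python
# Added example (not Veeam's code): the "minimum accepted incoming signing algorithm"
# check applied to a SAML response. The SignatureMethod URI in the response is compared
# with the configured floor (SHA256 by default); weaker or unknown algorithms are
# rejected before any signature verification is attempted.
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Hash strength (bits) of the common XML-DSig signature algorithm URIs.
ALGORITHM_BITS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": 160,
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": 256,
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": 384,
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": 512,
}
# The option names of the Minimum accepted incoming signing algorithm list.
MINIMUM_BITS = {"SHA1": 160, "SHA256": 256, "SHA384": 384, "SHA512": 512}

def signing_algorithm_of(message_xml):
    """Return the SignatureMethod algorithm URI of a signed SAML message, or None."""
    root = ET.fromstring(message_xml)
    path = ".//{%s}Signature/{%s}SignedInfo/{%s}SignatureMethod" % (DS, DS, DS)
    method = root.find(path)
    return None if method is None else method.get("Algorithm")

def accept_signature_algorithm(message_xml, minimum="SHA256"):
    """True only when the message is signed with a known algorithm at or above the floor."""
    bits = ALGORITHM_BITS.get(signing_algorithm_of(message_xml))
    return bits is not None and bits >= MINIMUM_BITS[minimum]

# Constructed sample: the envelope of a SAML Response signed with RSA-SHA1.
SHA1_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
</samlp:Response>"""
# Same envelope signed with RSA-SHA256, which the default floor accepts.
SHA256_RESPONSE = SHA1_RESPONSE.replace(
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
```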
To set up SAML authentication, you must pass SP SAML authentication settings to the IdP. You can prepare SP settings in one of the following ways:
- Export SP settings to a SAML metadata file. To do this, in the Enterprise Manager Configuration section of the SAML Authentication view, click the Download link. Veeam Backup Enterprise Manager will download the SP metadata as an XML file that conforms to the SAML 2.0 Metadata Schema. Note that if you plan to use a certificate to sign and encrypt SAML authentication requests, and need to pass the public key certificate to the IdP, you must include the certificate in the metadata file. For more information, see Specifying Advanced SAML Authentication Settings.
- Copy SP settings manually. To do this, click the Copy Link links next to the SP Entity ID / Issuer and Assertion consumer URL fields. If you have selected a certificate that will be used to sign and encrypt SAML authentication requests, you must also pass the public key certificate to the IdP. To copy the certificate, click the Download link next to the Certificate field.