Configuring Single Sign-On Authentication
Veeam Service Provider Console supports single sign-on (SSO) authentication based on the SAML 2.0 protocol. Organizations that use a single sign-on service in their infrastructure can extend single sign-on capabilities to Veeam Service Provider Console. Once a user of the organization is logged in to the single sign-on service, the user can access Veeam Service Provider Console without the need to provide credentials.
The SAML authentication scenario in Veeam Service Provider Console comprises the following parties:
- User that logs in to the Veeam Service Provider Console portal.
- Service provider (SP) — an application accessed by the user (Veeam Service Provider Console portal).
- Identity provider (IdP) — an external service (hosted on premises or in the public cloud) that facilitates SSO. The IdP keeps user identity data in a user store. Upon requests from the SP, the IdP issues SAML authentication assertions, that is, identifies the user and provides the SP with necessary information about the user.
You can enable SSO authentication for the following user roles:
- Portal Administrator
- Portal Operator
- Read-only User
- Company Owner
- Company Administrator
- Location Administrator
- Location User
- Company Invoice Auditor
- Service Provider Global Administrator
For other reseller users and users of companies managed by these resellers, SSO authentication is configured on the reseller side.
How It Works
In Veeam Service Provider Console, SSO authentication is performed in the following way:
- The user selects an identity provider on the authorization page.
- Veeam Service Provider Console sends a SAML authentication request to the identity provider.
- The identity provider redirects the user to the URL of the single sign-on webpage.
- The user specifies the credentials of their account on the single sign-on webpage.
- The identity provider issues a SAML assertion and returns it to Veeam Service Provider Console in the SAML response. The SAML assertion contains an organization name and a user email address.
- Veeam Service Provider Console assigns or creates a user identity according to an applicable mapping rule.
- The user gains access to the website.
SSO authorization cannot be completed if multi-factor authentication is enabled for the user.
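The following Python code is an added example, not Veeam code: it illustrates the checks a service provider performs between receiving the assertion and applying a mapping rule (validity window, audience, claim extraction, rule match). The attribute names organization and email, the audience URL, the sample assertion and the mapping rule format are assumptions made for illustration, and the XML signature is assumed to have been verified already by a SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; attribute names, URL and values are assumptions.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://vspc.example.com/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="organization"><saml:AttributeValue>Example Corp</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping rules: (claim name, required value, role to assign).
MAPPING_RULES = [("organization", "Example Corp", "Company Administrator")]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def map_assertion(xml_text, expected_audience, now, rules=MAPPING_RULES):
    """Return (email, role) for a valid, already signature-verified assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    try:
        start, end = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    except (TypeError, ValueError):
        raise ValueError("missing or malformed validity bounds") from None
    if not (start <= now < end):
        raise ValueError("assertion outside validity window")
    audiences = [a.text for a in cond.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion issued for a different service provider")
    claims = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    email = (claims.get("email") or [None])[0]
    if not email:
        raise ValueError("assertion carries no email claim")
    for claim, required, role in rules:
        if required in claims.get(claim, []):
            return email, role
    raise ValueError("no mapping rule matches; access denied")
```

Every failure path raises instead of returning a default identity, so an expired assertion, an assertion issued for another service provider, or a user that matches no rule never receives a role.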
You can configure SSO authentication for the Administrator Portal users and users of managed companies. To do that, you must perform the following operations: