Managing Identity Providers


    Veeam Service Provider Console allows you to create and manage IdP configurations to set up SSO authentication.

    Required Privileges

    To perform the following tasks, a user must have one of the following roles assigned: Service Provider Global Administrator, Service Provider Administrator.

    Adding Identity Providers

    SAML authentication requires the SP to set up a trust relationship with the IdP. To do that in Veeam Service Provider Console, you must create an IdP configuration:

    1. Log in to Veeam Service Provider Console.

    For details, see Accessing Veeam Service Provider Console.

    2. At the top right corner of the Veeam Service Provider Console window, click Configuration.
    3. In the configuration menu on the left, click Security.
    4. On the Single Sign-On tab, click New and select an identity provider service from the drop-down list.

    The identity provider configuration wizard will open.

    Provider Info

    5. At the Provider Info step of the wizard, specify general information on the IdP:
    • In the Display name field, specify the IdP name that will be displayed in the IdP list on the Single Sign-On tab.
    • In the Identity provider URL field, specify the URL of the page containing the metadata that is required by the IdP.
    • [For Okta and Custom identity providers] In the Entity ID field, specify the unique identifier that the IdP will use to identify the SP.
    • In the Client ID field, specify the name of the client created for Veeam Service Provider Console on the IdP side.

    Note that the name must be at least 5 and not more than 32 characters long and must not contain special characters.

    • [For Okta and Custom identity providers] Click SP entity ID link to generate entity ID URL based on the Client ID value.

    If you apply changes to Client ID value after link generation, click New link.

    • [For Okta and Custom identity providers] Click Create Assertion consumer link to generate assertion consumer service URL based on the Client ID value.

    If you apply changes to Client ID value after link generation, click New link.

    6. At the Settings step of the wizard, you can change SP and IdP settings. To do that, clear the Use default configuration check box and specify the following settings:
    • From the Outbound signing algorithm drop-down list, select a certificate signature algorithm for requests sent by Veeam Service Provider Console.
    • From the Comparison method drop-down list, select a comparison method for authentication context.
    • From the Context class drop-down list, select an authentication method used by the IdP.
    7. At the Security Configuration step of the wizard, select one of the following options for a security certificate that will be used by Veeam Service Provider Console to connect to the IdP:
    • Generate a self-signed certificate

    With this option selected, a new self-signed certificate will be generated automatically.

    • Use the selected security certificate

    With this option selected, you can upload a certificate in the PKCS#12 format from your local disk or file share and provide the certificate password.

    8. At the Summary step of the wizard, review the IdP settings and click Finish.

    The XML file containing metadata will be automatically downloaded to your computer.

    9. Select the new identity provider in the list.
    10. From the Configuration drop-down list, select Complete Configuration.

    If you have mapping rules configured, you can also select Test Login. It allows you to perform a trial authorization. If it is successful, the identity provider configuration is completed automatically.

    Editing Identity Provider Display Name

    To edit an identity provider:

    1. Log in to Veeam Service Provider Console.

    For details, see Accessing Veeam Service Provider Console.

    2. At the top right corner of the Veeam Service Provider Console window, click Configuration.
    3. In the configuration menu on the left, click Security.
    4. Open the Single Sign-On tab.
    5. Select the identity provider in the list.
    6. At the top of the list, click Edit.

    The Edit Identity Provider wizard will open.

    7. In the Display name field, specify a new IdP display name.
    8. Click Finish.

    Disabling Identity Providers

    Although you can add multiple identity providers, only one of them can be enabled at a time. If you add a second identity provider, you cannot complete its configuration while another identity provider is enabled. To disable an identity provider:

    1. Log in to Veeam Service Provider Console.

    For details, see Accessing Veeam Service Provider Console.

    2. At the top right corner of the Veeam Service Provider Console window, click Configuration.
    3. In the configuration menu on the left, click Security.
    4. Open the Single Sign-On tab.
    5. Select the identity provider in the list.
    6. At the top of the list, click Disable.

    Updating Identity Provider Configuration

    You can update the IdP configuration saved in Veeam Service Provider Console. This can be useful if changes were applied to a profile on the IdP server and the IdP configuration in Veeam Service Provider Console must be synchronized with these changes.

    To update the IdP configuration:

    1. Log in to Veeam Service Provider Console.

    For details, see Accessing Veeam Service Provider Console.

    2. At the top right corner of the Veeam Service Provider Console window, click Configuration.
    3. In the configuration menu on the left, click Security.
    4. Open the Single Sign-On tab.
    5. Select the identity provider in the list.
    6. From the Configuration drop-down list, select Resync Configuration.

    Deleting Identity Providers

    To delete an identity provider:

    1. Log in to Veeam Service Provider Console.

    For details, see Accessing Veeam Service Provider Console.

    2. At the top right corner of the Veeam Service Provider Console window, click Configuration.
    3. In the configuration menu on the left, click Security.
    4. Open the Single Sign-On tab.
    5. Select the identity provider in the list.
    6. At the top of the list, click Remove.

    After you delete an identity provider, all user identities associated with it will also be deleted.

    Viewing Identity Provider Details

    To view details on configured identity providers:

    1. Log in to Veeam Service Provider Console.

    For details, see Accessing Veeam Service Provider Console.

    2. At the top right corner of the Veeam Service Provider Console window, click Configuration.
    3. In the configuration menu on the left, click Security.
    4. Open the Single Sign-On tab.

    Each identity provider in the list is described with the following set of properties:

    • Status — status of the IdP.
    • Identity Provider Name — display name of the IdP.
    • Mapping Rules — mapping rules configured for the IdP.
    • Provider Type — name of the IdP service.
    • Protocol — authentication protocol.
