Managing Identity Providers

Veeam Service Provider Console allows you to create and manage IdP configurations to set up SSO authentication.

Before You Begin

To create an IdP configuration, you must configure your portal web address. Note that your portal web address must not match the Administrator portal web address used by your service provider. For details, see Customizing Portal Branding.

Required Privileges

To perform the following tasks, a user must have one of the following roles assigned: Service Provider Global Administrator, Service Provider Administrator.

Adding Identity Providers

SAML authentication requires the SP to set up a trust relationship with the IdP. To do that in Veeam Service Provider Console, you must create an IdP configuration:

  1. Log in to Veeam Service Provider Console.

For details, see Accessing Veeam Service Provider Console.

  2. At the top right corner of the Veeam Service Provider Console window, click Configuration.
  3. In the configuration menu on the left, click Security.
  4. On the Single Sign-On tab, click New and select an identity provider service from the drop-down list.

The identity provider configuration wizard will open.


  5. At the Provider Info step of the wizard, specify general information on the IdP:

Note that the name must be at least 5 and not more than 32 characters long and must not contain special characters.

If you apply changes to the Client ID value after link generation, click New link.


  6. At the Settings step of the wizard, you can change SP and IdP settings. To do that, clear the Use default configuration check box and specify the following settings:
  • From the Outbound signing algorithm drop-down list, select a certificate signature algorithm for requests sent by Veeam Service Provider Console.
  • From the Minimum accepted incoming signing algorithm drop-down list, select a certificate signature algorithm required for requests received by Veeam Service Provider Console.

Requests signed with an algorithm weaker than the selected algorithm will be rejected.

  • From the Comparison method drop-down list, select a comparison method for authentication context.
  • From the Context class drop-down list, select an authentication method used by the IdP.
  7. At the Security Configuration step of the wizard, select one of the following options for a security certificate that will be used by Veeam Service Provider Console to connect to the IdP:
  • Generate a self-signed certificate

With this option selected, a new self-signed certificate will be generated automatically.

  • Use the selected security certificate

With this option selected, you can upload a certificate in the PKCS#12 format from your local disk or file share and provide the certificate password.

  8. At the Summary step of the wizard, review the IdP settings and click Finish.

The XML file containing metadata will be automatically downloaded to your computer.

At this point, you can configure a trust relationship with Veeam Service Provider Console on the IdP side. For details on how to do this, see Single Sign-On Access Configuration Examples.

  9. Select the new identity provider in the list.
  10. From the Configuration drop-down list, select Complete Configuration.

If you have mapping rules configured, you can also select Test Login. It allows you to perform a trial authorization. If it is successful, the identity provider configuration is completed automatically.
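
The minimum accepted incoming signing algorithm rule from the Settings step, sketched as an added example (not Veeam's code and not part of the original page): it ranks the standard XML-DSig RSA signature algorithm URIs and rejects a SAML message whose declared SignatureMethod falls below the chosen floor. The function names and the sample messages are constructed for illustration, and the check covers only the declared algorithm, not signature validity.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
# Standard XML-DSig RSA signature URIs ranked by digest strength.
STRENGTH = {SHA1: 1, SHA256: 2, SHA384: 3, SHA512: 4}


def check_min_signing_algorithm(saml_xml, minimum):
    """Hypothetical helper: return (accepted, reason) for one SAML message."""
    floor = STRENGTH[minimum]
    # Assumption: input is trusted test data; use a hardened XML parser
    # for messages that come off the network.
    root = ET.fromstring(saml_xml)
    declared = [m.get("Algorithm", "") for m in root.iter(DS + "SignatureMethod")]
    if not declared:
        return False, "no signature present"
    # A message can carry response-level and assertion-level signatures;
    # every one of them has to meet the floor.
    for uri in declared:
        rank = STRENGTH.get(uri)
        if rank is None:
            return False, "unknown algorithm: " + uri
        if rank < floor:
            return False, "weaker than minimum: " + uri
    return True, "ok"


def sample_response(response_alg, assertion_alg=None):
    """Constructed SAML response skeleton with one or two signatures."""
    sig = ('<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{}"/>'
           '</ds:SignedInfo></ds:Signature>')
    inner = ""
    if assertion_alg:
        inner = "<saml:Assertion>" + sig.format(assertion_alg) + "</saml:Assertion>"
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            + sig.format(response_alg) + inner + "</samlp:Response>")


if __name__ == "__main__":
    for alg in (SHA1, SHA256, SHA512):
        print(alg, check_min_signing_algorithm(sample_response(alg), SHA256))
    print(check_min_signing_algorithm(sample_response(SHA512, SHA1), SHA256))
```

A message signed at the response level with a strong algorithm is still rejected when its embedded assertion carries a weaker signature, which is the case the last call exercises.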


Editing Identity Provider Display Name

To edit an identity provider:

  1. Log in to Veeam Service Provider Console.

For details, see Accessing Veeam Service Provider Console.

  2. At the top right corner of the Veeam Service Provider Console window, click Configuration.
  3. In the configuration menu on the left, click Security.
  4. Open the Single Sign-On tab.
  5. Select the identity provider in the list.
  6. At the top of the list, click Edit.

Alternatively, you can right-click the necessary identity provider and choose Edit.

The Edit Identity Provider wizard will open.

  7. In the Display name field, specify a new IdP display name.
  8. Click Finish.


Disabling Identity Providers

Although you can add multiple identity providers, only one of them can be enabled at a time. If you add a second identity provider, you cannot complete its configuration while another identity provider is enabled. To disable an identity provider:

  1. Log in to Veeam Service Provider Console.

For details, see Accessing Veeam Service Provider Console.

  2. At the top right corner of the Veeam Service Provider Console window, click Configuration.
  3. In the configuration menu on the left, click Security.
  4. Open the Single Sign-On tab.
  5. Select the identity provider in the list.
  6. At the top of the list, click Disable.

Alternatively, you can right-click the necessary identity provider and choose Disable.

Updating Identity Provider Configuration

You can update the IdP configuration saved in Veeam Service Provider Console. This is useful when changes were applied to a profile on the IdP server and the IdP configuration in Veeam Service Provider Console must be synchronized with these changes.

To update IdP configuration:

  1. Log in to Veeam Service Provider Console.

For details, see Accessing Veeam Service Provider Console.

  2. At the top right corner of the Veeam Service Provider Console window, click Configuration.
  3. In the configuration menu on the left, click Security.
  4. Open the Single Sign-On tab.
  5. Select the identity provider in the list.
  6. From the Configuration drop-down list, select Resync Configuration.

Alternatively, you can right-click the necessary identity provider, choose Configuration and select Resync Configuration.


Deleting Identity Providers

To delete an identity provider:

  1. Log in to Veeam Service Provider Console.

For details, see Accessing Veeam Service Provider Console.

  2. At the top right corner of the Veeam Service Provider Console window, click Configuration.
  3. In the configuration menu on the left, click Security.
  4. Open the Single Sign-On tab.
  5. Select the identity provider in the list.
  6. At the top of the list, click Remove.

Alternatively, you can right-click the necessary identity provider and choose Remove.

After you delete an identity provider, all user identities associated with it will also be deleted.

Viewing Identity Provider Details

To view details on configured identity providers:

  1. Log in to Veeam Service Provider Console.

For details, see Accessing Veeam Service Provider Console.

  2. At the top right corner of the Veeam Service Provider Console window, click Configuration.
  3. In the configuration menu on the left, click Security.
  4. Open the Single Sign-On tab.

Each identity provider in the list is described with the following set of properties:

  • Status — status of the IdP.
  • Identity Provider Name — display name of the IdP.
  • Mapping Rules — mapping rules configured for the IdP.
  • Provider Type — name of the IdP service.
  • Protocol — authentication protocol.


Page updated 1/4/2024

Page content applies to build 8.1.0.21999