Configuring SSO Settings
Veeam Backup for AWS supports single sign-on (SSO) authentication based on the SAML 2.0 protocol. The SSO authentication scheme allows a user to log in to different software systems with the same credentials using the identity provider service.
To configure SSO settings for Veeam Backup for AWS, complete the following steps:
- Switch to the Configuration page.
- Navigate to Settings > Identity Provider.
- In the Identity Provider Configuration section, import identity provider settings from a file obtained from your identity provider:
  - Click Upload Metadata.
  - In the Upload Identity Provider Configuration window, click Browse to locate the file with identity provider settings.
  - Click Upload to import the metadata.
- Pass the service provider authentication settings to the identity provider. To obtain the settings, in the Veeam Backup for AWS Configuration section, click Download. Veeam Backup for AWS will download a metadata file with the service provider authentication settings to your local machine. Alternatively, you can copy the service provider settings manually:
  - Click Copy Link to the right of SP Entity ID / Issuer.
  - Click Copy Link to the right of Assertion Consumer URL.
If you want to sign and encrypt authentication requests sent from Veeam Backup for AWS to the identity provider, you must select a certificate with a private key that will be used for encryption and signing:
After you configure SSO settings, you can add user accounts that will be able to log in to Veeam Backup for AWS using single sign-on. For more information, see Adding User Accounts.
To authenticate a user whose identity has been received from the identity provider, Veeam Backup for AWS redirects the user to the identity provider portal. After the user logs in to the portal, the identity provider sends a SAML authentication response to Veeam Backup for AWS. The SAML response must contain the UserName attribute so that Veeam Backup for AWS can identify the user. If your identity provider does not send the UserName attribute by default, you must create a claim rule on the identity provider side that sends this attribute in the SAML authentication response to the Veeam Backup for AWS request.
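When an SSO login fails after setup, a quick way to confirm the UserName requirement described above is to inspect a captured SAML response. The following script is an added example, not Veeam code: the function names and the sample response are constructed for illustration, and it assumes the attribute name must match "UserName" exactly, including case.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def saml_attributes(b64_response):
    """Map attribute Name -> list of values from a base64 SAMLResponse.
    Diagnostic only: no signature or condition validation is performed."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; decrypt it before inspecting")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        vals = [(v.text or "").strip()
                for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(vals)
    return attrs

def check_username(b64_response, required="UserName"):
    """Return (status, detail); status is 'ok', 'empty' or 'missing'.
    Assumption: the attribute name is matched exactly and case-sensitively."""
    attrs = saml_attributes(b64_response)
    if required in attrs:
        vals = [v for v in attrs[required] if v]
        return ("ok", vals[0]) if vals else ("empty", "")
    # Near misses: same name in another case, or a URI-style claim ending in it.
    near = sorted(n for n in attrs
                  if n.lower().rsplit("/", 1)[-1] == required.lower())
    return ("missing", ", ".join(near) or "no similar attribute sent")

def build_sample_response(attr_name, value):
    """Constructed, unsigned SAML response used only for demonstration."""
    xml = (
        '<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}">'
        "<saml:Assertion><saml:Subject>"
        "<saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>"
        '<saml:AttributeStatement><saml:Attribute Name="{n}">'
        "<saml:AttributeValue>{v}</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    ).format(n=attr_name, v=value, **NS)
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for name in ("UserName", "username", "mail"):
        print(name, "->", check_username(build_sample_response(name, "jdoe")))
```

A "missing" result that lists a near-miss name such as `username` points to a claim rule that sends the value under the wrong attribute name.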