SAML Authentication
Veeam Backup & Replication supports single sign-on (SSO) authentication based on the SAML 2.0 protocol. Organizations that already run an SSO service in their IT infrastructure can extend it to Veeam Backup & Replication. A user who is signed in to the SSO service can access Veeam Backup & Replication only if a Veeam Backup Administrator has added the user account, or a group the user belongs to, in Veeam Backup & Replication.
The SAML authentication scenario involves the following parties:
- User that logs in to the Veeam Backup & Replication console or Veeam Backup & Replication Web UI.
- Service provider (SP) — an application accessed by the user. In the Veeam backup infrastructure, the service provider is Veeam Backup & Replication.
- Identity provider (IdP) — an external service (hosted on premises or in the public cloud) that facilitates SSO, for example, Active Directory Federation Services (AD FS), Microsoft Entra ID, Okta, Auth0, Keycloak, and so on. The IdP keeps user identity data in a user store (or attribute store). Upon requests from the SP, the IdP issues SAML authentication assertions, that is, identifies the user and provides the SP with required information about the user.
The SP and the IdP exchange information in XML format, in accordance with the SAML 2.0 standard.
How SAML Authentication Works
Veeam Backup & Replication supports the following scenario for SAML authentication:
- A Veeam Backup Administrator adds an external user account in the Users and Roles > Security settings and assigns a role to this user. For more information, see Adding External Users.
- A user runs the Veeam Backup & Replication console or opens the Veeam Backup & Replication Web UI.
- On the sign-in page, the user clicks Sign in with SSO.
- Veeam Backup & Replication redirects the user's browser to the IdP with a SAML authentication request. If the user has not yet signed in to the single sign-on service, the IdP redirects the user to the sign-in URL of that service.
Note: If the user signs in through the desktop console, they must authenticate with the single sign-on service every time. In the Web UI, the user stays signed in until the authorization cookie expires.
- After the user authenticates with the single sign-on service, the IdP issues a SAML assertion and returns it to Veeam Backup & Replication in a SAML response, again through the user's browser.
- The user gains access to Veeam Backup & Replication and can perform operations according to the assigned role.
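The exchange described in the steps above, written out as an added example that is not part of the Veeam documentation or product: the service-provider side of SAML 2.0 Web Browser SSO in Python, standard library only. The entity IDs, URLs, the external-user table and the IdP response are all constructed for the demo. XML signature verification is the one check the code does not perform, because it needs an XML-DSig library; it is called out in the code as mandatory in a real deployment.

```python
# Added example, not Veeam's code: the SP side of the SAML 2.0 flow above, using only the
# standard library. Entity IDs, URLs, the user table and the IdP response are constructed.
import base64
import secrets
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET  # production: use defusedxml so DTDs/external entities are refused

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://veeam.example.com/saml"        # assumed SP entityID
ACS_URL = "https://veeam.example.com/saml/acs"          # assumed Assertion Consumer Service URL
IDP_ENTITY_ID = "https://idp.example.com"               # assumed IdP entityID (from its metadata)
IDP_SSO_URL = "https://idp.example.com/sso/redirect"    # assumed IdP SingleSignOnService URL
CLOCK_SKEW = timedelta(minutes=2)
# Step 1 of the flow: external users the administrator added (UPN format) and their roles.
EXTERNAL_USERS = {"john.doe@domain.com": "Veeam Backup Administrator"}

def ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def build_authn_request(request_id, now):
    """Step 4: the AuthnRequest the SP sends; its ID is matched against InResponseTo later."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{ts(now)}" Destination="{IDP_SSO_URL}" '
            f'AssertionConsumerServiceURL="{ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_url(authn_request_xml, relay_state="/"):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    z = zlib.compressobj(9, zlib.DEFLATED, -15)           # wbits -15 = raw deflate, no zlib header
    deflated = z.compress(authn_request_xml.encode()) + z.flush()
    return f"{IDP_SSO_URL}?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                                          "RelayState": relay_state})

def validate_response(response_xml, expected_request_id, now):
    """Step 6: checks the SP must make before trusting the NameID. Returns (upn, error).

    Omitted here, mandatory in production: XML-DSig verification of the Response/Assertion
    against the IdP certificate from its metadata (needs an xmlsec-based library). Without
    it, everything checked below is attacker-controlled."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_request_id:
        return None, "InResponseTo mismatch: unsolicited or replayed response"
    if root.get("Destination") != ACS_URL:
        return None, "Destination is not our ACS URL"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return None, "IdP did not report Success"
    a = root.find("saml:Assertion", NS)       # EncryptedAssertion is not handled in this example
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return None, "no plain Assertion, or its Issuer is not the configured IdP"
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return None, "Assertion has no Conditions"
    nb, na = parse_time(cond.get("NotBefore")), parse_time(cond.get("NotOnOrAfter"))
    if na is None or now >= na + CLOCK_SKEW or (nb and now < nb - CLOCK_SKEW):
        return None, "assertion outside its validity window"
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return None, "Audience mismatch: assertion was issued for another SP"
    upn = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return (upn, None) if upn else (None, "Assertion has no NameID")

def parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def authorize(upn):
    """Step 7: the role the administrator assigned to that UPN; None means no access."""
    return EXTERNAL_USERS.get(upn.strip().lower()) if upn else None

def sample_response(request_id, now, audience=SP_ENTITY_ID, lifetime=timedelta(minutes=5)):
    """Constructed, unsigned IdP response for the demo (not real IdP output)."""
    return f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0"
  IssueInstant="{ts(now)}" InResponseTo="{request_id}" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{ts(now)}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>John.Doe@domain.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{ts(now - timedelta(minutes=1))}" NotOnOrAfter="{ts(now + lifetime)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>'''

def demo():
    """One successful login, plus the replay, expiry and wrong-audience failure cases."""
    now = datetime.now(timezone.utc)
    req_id = "_" + secrets.token_hex(16)                   # unguessable, single-use request ID
    url = redirect_url(build_authn_request(req_id, now))
    upn, err = validate_response(sample_response(req_id, now), req_id, now)
    return {"redirect_ok": url.startswith(IDP_SSO_URL + "?SAMLRequest="),
            "upn": upn, "err": err, "role": authorize(upn),
            "replayed": validate_response(sample_response("_stale", now), req_id, now)[1],
            "expired": validate_response(sample_response(req_id, now, lifetime=-timedelta(minutes=10)), req_id, now)[1],
            "other_sp": validate_response(sample_response(req_id, now, audience="https://other.example"), req_id, now)[1]}

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The InResponseTo check is what ties the response to the request issued in step 4 and rejects replays of an earlier response; the Issuer and Audience checks stop an assertion issued by another IdP, or for another service provider, from being accepted; the UPN lookup is case-insensitive because NameID casing is decided by the IdP, not by the administrator who typed the account name. In a real SP the signature check comes before all of these, since an unsigned or wrongly signed response makes every attribute below it untrustworthy.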
Configuring SAML Authentication
To configure SAML authentication, perform the following steps:
- Get an XML metadata file from your IdP. This file identifies the IdP (its entity ID and single sign-on URL) and carries the certificate that Veeam Backup & Replication uses to verify the signatures on SAML assertions, so obtain it directly from the IdP or its administrator over a trusted channel.
- From the main menu, select Users and Roles > Identity Provider.
- Select the Enable SAML authentication check box.
- In the Identity provider (IdP) information section, specify the IdP metadata file. To do this, click Browse and select the file.
- In the Service Provider (SP) information section, do the following:
- Click Install to specify a valid server certificate. You can select an existing backup server certificate from the certificate store or import a certificate from a file. For more information, see Backup Server Certificate.
- Click Download to get an XML metadata file that describes Veeam Backup & Replication as the service provider. Import this file into your IdP to register the Veeam Backup & Replication server as a service provider.
- Click OK.
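The metadata exchange behind the procedure above (the IdP file imported in the Identity provider section and the SP file exported with Download), as an added example that is not taken from Veeam or its IdP partners: a Python parser that pulls out what each side needs from the other's metadata, and a generator for SP metadata of the kind an IdP administrator imports. Everything is constructed, including the certificate blobs, which are placeholders and not real X.509 certificates; the element names and binding URIs are those of the SAML 2.0 metadata standard, and the real Veeam SP file may carry different attributes.

```python
# Added example, not Veeam's code: the metadata exchange behind the procedure above, using only
# the standard library. Both metadata documents and the certificate blobs are constructed.
import base64
import hashlib
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # production: use defusedxml so DTDs/external entities are refused

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Placeholder "certificates": base64 of arbitrary bytes, NOT real X.509 DER structures.
IDP_CERT_B64 = base64.b64encode(b"constructed placeholder, IdP signing certificate").decode()
SP_CERT_B64 = base64.b64encode(b"constructed placeholder, SP server certificate").decode()

# Constructed stand-in for the IdP metadata file the administrator obtains in the first step.
IDP_METADATA = f'''<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com" validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>'''

def fingerprint(cert_b64):
    """SHA-256 over the DER bytes, colon-separated, the form IdP consoles usually display."""
    der = base64.b64decode("".join(cert_b64.split()))     # metadata often line-wraps the base64
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def parse_metadata(xml_text, now=None):
    """Extract what each side needs from the other's metadata: entityID, endpoints, signing keys.

    Handles both IDPSSODescriptor and SPSSODescriptor. Raises ValueError for metadata that has
    expired or carries no signing certificate (assertions could then never be verified)."""
    root = ET.fromstring(xml_text)
    now = now or datetime.now(timezone.utc)
    valid_until = root.get("validUntil")
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        raise ValueError("metadata expired: validUntil is in the past")
    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        desc = root.find("md:SPSSODescriptor", NS)
    if desc is None:
        raise ValueError("no IDPSSODescriptor or SPSSODescriptor")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing = [fingerprint(c.text)
               for kd in desc.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")
               for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not signing:
        raise ValueError("no signing certificate: SAML responses could never be verified")
    endpoints = {e.get("Binding"): e.get("Location")
                 for tag in ("md:SingleSignOnService", "md:AssertionConsumerService")
                 for e in desc.findall(tag, NS)}
    return {"entity_id": root.get("entityID"), "signing_fingerprints": signing, "endpoints": endpoints}

def build_sp_metadata(entity_id, acs_url, cert_b64):
    """Constructed SP metadata of the shape an SP publishes for its IdP (the role of the file
    the Download button exports); the real Veeam file may carry different attributes."""
    return f'''<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="{entity_id}">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="{POST}" Location="{acs_url}" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>'''

def demo():
    """Import the IdP file, export the SP file, and show that expired metadata is rejected."""
    idp = parse_metadata(IDP_METADATA)                 # what the SP learns when it imports the IdP file
    sp_xml = build_sp_metadata("https://veeam.example.com/saml",
                               "https://veeam.example.com/saml/acs", SP_CERT_B64)
    sp = parse_metadata(sp_xml)                        # what the IdP administrator imports
    try:
        parse_metadata(IDP_METADATA.replace('validUntil="2099', 'validUntil="2000'))
        expired_rejected = False
    except ValueError:
        expired_rejected = True
    return {"idp": idp, "sp": sp, "expired_rejected": expired_rejected}

if __name__ == "__main__":
    r = demo()
    print("IdP entityID:", r["idp"]["entity_id"])
    print("IdP redirect SSO URL:", r["idp"]["endpoints"][REDIRECT])
    print("IdP signing cert SHA-256 (compare with the IdP console):", r["idp"]["signing_fingerprints"][0])
    print("SP ACS URL as the IdP will see it:", r["sp"]["endpoints"][POST])
```

The fingerprint is the practical check after the exchange: the value computed from the imported IdP file should match what the IdP console shows for its signing certificate, and the fingerprint of the server certificate installed in the SP information section should match what the IdP administrator sees after importing the downloaded SP file. A mismatch on either side means the wrong file, or a tampered one, was exchanged.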
After you configure SAML authentication, you can add external users or groups to Veeam Backup & Replication and assign roles to them. To do this, perform the following steps:
- From the main menu, select Users and Roles > Security.
- Click Add > External user or group.
- In the Type field, select User or Group.
- In the Name field, enter the name of the user or group in the UPN format, for example, john.doe@domain.com.
- From the Role list, select the role that you want to assign to this user or group.
- Click OK.