How to use Active Directory, Okta and other SAML-based identity providers with CPM

How to Upgrade CPM to v2.2.x and Integrate It With Identity Providers such as Active Directory & Okta

How to Upgrade CPM to v2.2.x and Integrate It With Identity Providers such as Active Directory & OktaAs data governance and compliance becomes increasingly critical, we know how important it is for Enterprises and Public Sector entities to have complete control of data flow within an organization. We wanted these enterprises to have full and effective control of who can access CPM, and we wanted events like the employee termination process to be worry-free, with minimal administration and without any risk of permission breaches.

For organizations grappling with backup and recovery woes of their AWS resources, N2WS offers Cloud Protection Manager (CPM), a cloud-native backup, recovery, and disaster recovery solution built specifically for AWS. Legacy solutions don’t work out in terms of cost, reliability, and speed. Human error and knowledge transfer stemming from home-grown scripts are becoming an increasing and crucial risk for data security and stewardship. With CPM, you can automatically back up data as frequently as needed and recover data at a faster pace than with traditional backup solutions. CPM is a reliable and cost-effective service with a simple administration that does not require a lot of technical expertise.

With our latest release, CPM 2.2.x, CPM can now support integration with all SAML based identity providers such as Okta, LDAP and Microsoft Active Directory Federation Services (AD FS). This key feature will reduce administrative tasks and simplify the lives of end users who no longer need to remember multiple usernames and passwords to log in to numerous applications. Not only does this offer more convenient, centralized control, it enhances data governance and stewardship by managing permissions as well as automating the employee termination process.

In this how-to guide, we’ll walk through the upgrade path from older versions (including any necessary precautions) and the steps needed to integrate with SAML-based Identity providers, using Okta as a use case.

How to Upgrade

Prior to upgrading to the new version of CPM, terminate the current CPM instance. Then, start a new one. Complete the following steps:

Step 1

Using the EC2 console option, launch a new instance in the same region and Availability Zone as the previous one.

launch a new EC2 instance

 

Step 2

Terminate the old instance—make sure that the backup is not running while initiating termination.

Terminate the old EC2 instance

 

Step 3

To be on the safe side, create a CPM data volume snapshot by clicking the “Create snapshot” hyperlink. This snapshot can be useful in case the upgrade process fails. Once the CPM server is up and running, the snapshot can be deleted.

create a CPM data volume snapshot

 

Step 4

With the new instance in the running state, connect it to a browser via HTTPS.

connect the instance to a browser via HTTPS

 

Step 5

Select the existing data volume from the dropdown list and paste it into AWS credentials.

paste volume into AWS credentials

 

Step 6

The new CPM version will be up and running as soon as the configuration has finished selecting the old data volume from all the available volumes.

Step 7

If your backup scripts are using SSH, you may need to run the scripts manually by logging in to the CPM Server, to accept the usage of the private key.

There are multiple upgrade paths, depending on the CPM version you are running. To upgrade v2.0.2, first apply the patch “patch_2.0.2_required_for_2.1.0_upgrade.tar”, then apply the latest patch. On top of the CPM version, agent versions must also be upgraded – the latest agent version is 2.11.

Please refer to the User Guide for upgrading agents and policies. Don’t worry if you mistakenly apply the same patch twice; this is completely safe and won’t cause any disruption to your environment. A word of caution: do not apply patches while backups, restorations, or disaster recovery processes are running.

How to Integrate with SAML-based Identity Providers

CPM version 2.2.x supports integration with all SAML based identity providers (IdP). With the help of this integration, user authentication happens at IdP level, providing a seamless login to CPM. The main configuration steps involved in this integration are configuring IdP to work with CPM, and configuring CPM to work with IdP.

Configuring IdP to Work With CPM – Okta Use Case

We will now show you how to configure CPM to work with Okta—a SAML based leading provider of identity to enterprises. Okta supports more than 5000 integrations and provides simple and secure access to a large number of enterprises.

Step 1

Log in to the Okta organization using admin credentials. If you don’t have access, sign up at the developer portal.

Step 2

  1. Go to the feedback tab in App Wizard.
  2. Select “I’m a software vendor. I’d like to integrate my app with Okta.” to add CPM to the Okta Integration Network (OIN).
  3. Click “Submit your app for review.” You will now be redirected to the OIN Manager.

add CPM to the Okta Integration Network (OIN).

 

Step 3

In the OIN Manager, in the “General Settings” tab, click “Start Submission Form.” Enter the application name, i.e. Cloud Protection Manager and website details.

Start submission the OIN Manager

 

Step 4

In the SAML tab, enter the required details and click the “Submit for Review” button. You can now track the integration status in the OIN manager.

track the integration status in the OIN manager

 

Configuring CPM to Work With IdP

In CPM, go to “General Settings” and enable “Identity Provider.” Once enabled, please fill in the required details for Okta, such as Entity ID, and sign in and sign out URLs—CPM will redirect users to these URLs when they log in and log out.

Once you have entered the details, click the “Test Connection” button to confirm that everything is working correctly.

enable “Identity Provider" in CPM

 

Please note that integration with CPM is supported only for Advanced, Enterprise, and custom versions.

Advantages of Active Directory (AD) Integration

Reduction in Administrative Tasks

Integrating cloud applications to Active Directory significantly reduces administrative tasks. If an employee changes his or her AD password, passwords for all the cloud applications change automatically. Also, once she leaves the organization, deleting her ID from AD revokes access to all the applications. This is a great advantage for large enterprises. Moreover, with AD groups the administration is further simplified by assigning permissions to a group rather than to individual users. Just add the members to a group and they will be assigned the same rights as the group.

High Levels of Compliance and Governance

As mentioned above, deleting an employee ID from AD revokes all access. This further reduces the overall risks involved with user management and strengthens the compliance levels of any organization. Also, with AD integration, multiple user, audit and compliance level reports, such as “inactive user” and “users never logged on”, can also be extracted via PowerShell scripts or other third-party tools readily available in the market.

Simplification

With AD based authentication, life for end users becomes super simple. You, as an end user do not need to remember different passwords for all the applications you access. Just remember your AD ID and password, and log in to all the enterprise applications, including those hosted in public cloud. This is very useful if you are a big enterprise running multiple applications.

Final Note

It’s clear that Active Directory, Okta, and other SAML-based Identity provider integration has many benefits, and with version 2.2.x of CPM supporting this integration, customers are guaranteed the highest level of security and compliance. Moreover, with a smooth upgrade path and reliable support from the Cloud Protection Manager technical team, we highly encourage you to try it out.

You can trial our SAML-based identity provider integration feature for free, as well as test out all other Enterprise level features using our 30-day free trial. There is absolutely no credit card needed to launch a CPM instance.

Share this post →

You might also like: