How to Upgrade CPM to v2.2.x and Integrate It With Identity Providers such as Active Directory & Okta
As data governance and compliance becomes increasingly critical, we know how important it is for Enterprises and Public Sector entities to have complete control of data flow within an organization. We wanted these enterprises to have full and effective control of who can access CPM, and we wanted events like the employee termination process to be worry-free, with minimal administration and without any risk of permission breaches.
For organizations grappling with backup and recovery woes of their AWS resources, N2WS offers N2WS Backup & Recovery (CPM), a cloud-native backup, recovery, and disaster recovery solution built specifically for AWS. Legacy solutions don’t work out in terms of cost, reliability, and speed. Human error and knowledge transfer stemming from home-grown scripts are becoming an increasing and crucial risk for data security and stewardship. With CPM, you can automatically back up data as frequently as needed and recover data at a faster pace than with traditional backup solutions. CPM is a reliable and cost-effective service with a simple administration that does not require a lot of technical expertise.
With our latest release, CPM 2.2.x, CPM can now support integration with all SAML based identity providers such as Okta, LDAP and Microsoft Active Directory Federation Services (AD FS). This key feature will reduce administrative tasks and simplify the lives of end users who no longer need to remember multiple usernames and passwords to log in to numerous applications. Not only does this offer more convenient, centralized control, it enhances data governance and stewardship by managing permissions as well as automating the employee termination process.
In this how-to guide, we’ll walk through the upgrade path from older versions (including any necessary precautions) and the steps needed to integrate with SAML-based Identity providers, using Okta as a use case.
How to Upgrade
Prior to upgrading to the new version of CPM, terminate the current CPM instance. Then, start a new one. Complete the following steps:
Using the EC2 console option, launch a new instance in the same region and Availability Zone as the previous one.
Terminate the old instance—make sure that the backup is not running while initiating termination.
To be on the safe side, create a CPM data volume snapshot by clicking the “Create snapshot” hyperlink. This snapshot can be useful in case the upgrade process fails. Once the CPM server is up and running, the snapshot can be deleted.
With the new instance in the running state, connect it to a browser via HTTPS.
Select the existing data volume from the dropdown list and paste it into AWS credentials.
The new CPM version will be up and running as soon as the configuration has finished selecting the old data volume from all the available volumes.
If your backup scripts are using SSH, you may need to run the scripts manually by logging in to the CPM Server, to accept the usage of the private key.
There are multiple upgrade paths, depending on the CPM version you are running. To upgrade v2.0.2, first apply the patch “patch_2.0.2_required_for_2.1.0_upgrade.tar”, then apply the latest patch. On top of the CPM version, agent versions must also be upgraded – the latest agent version is 2.11.
Please refer to the User Guide for upgrading agents and policies. Don’t worry if you mistakenly apply the same patch twice; this is completely safe and won’t cause any disruption to your environment. A word of caution: do not apply patches while backups, restorations, or disaster recovery processes are running.
How to Integrate with SAML-based Identity Providers
CPM version 2.2.x supports integration with all SAML based identity providers (IdP). With the help of this integration, user authentication happens at IdP level, providing a seamless login to CPM. The main configuration steps involved in this integration are configuring IdP to work with CPM, and configuring CPM to work with IdP.
Configuring IdP to Work With CPM – Okta Use Case
We will now show you how to configure CPM to work with Okta—a SAML based leading provider of identity to enterprises. Okta supports more than 5000 integrations and provides simple and secure access to a large number of enterprises.
Log in to the Okta organization using admin credentials. If you don’t have access, sign up at the developer portal.
- Go to the feedback tab in App Wizard.
- Select “I’m a software vendor. I’d like to integrate my app with Okta.” to add CPM to the Okta Integration Network (OIN).
- Click “Submit your app for review.” You will now be redirected to the OIN Manager.
In the OIN Manager, in the “General Settings” tab, click “Start Submission Form.” Enter the application name, i.e. Cloud Protection Manager and website details.
In the SAML tab, enter the required details and click the “Submit for Review” button. You can now track the integration status in the OIN manager.
Configuring CPM to Work With IdP
In CPM, go to “General Settings” and enable “Identity Provider.” Once enabled, please fill in the required details for Okta, such as Entity ID, and sign in and sign out URLs—CPM will redirect users to these URLs when they log in and log out.
Once you have entered the details, click the “Test Connection” button to confirm that everything is working correctly.
Please note that integration with CPM is supported only for Advanced, Enterprise, and custom versions.
Advantages of Active Directory (AD) Integration
Reduction in Administrative Tasks
Integrating cloud applications to Active Directory significantly reduces administrative tasks. If an employee changes his or her AD password, passwords for all the cloud applications change automatically. Also, once she leaves the organization, deleting her ID from AD revokes access to all the applications. This is a great advantage for large enterprises. Moreover, with AD groups the administration is further simplified by assigning permissions to a group rather than to individual users. Just add the members to a group and they will be assigned the same rights as the group.
High Levels of Compliance and Governance
As mentioned above, deleting an employee ID from AD revokes all access. This further reduces the overall risks involved with user management and strengthens the compliance levels of any organization. Also, with AD integration, multiple user, audit and compliance level reports, such as “inactive user” and “users never logged on”, can also be extracted via PowerShell scripts or other third-party tools readily available in the market.
With AD based authentication, life for end users becomes super simple. You, as an end user do not need to remember different passwords for all the applications you access. Just remember your AD ID and password, and log in to all the enterprise applications, including those hosted in public cloud. This is very useful if you are a big enterprise running multiple applications.
It’s clear that Active Directory, Okta, and other SAML-based Identity provider integration has many benefits, and with version 2.2.x of CPM supporting this integration, customers are guaranteed the highest level of security and compliance. Moreover, with a smooth upgrade path and reliable support from the Cloud Protection Manager technical team, we highly encourage you to try it out.