17. N2WS IdP Integration

IdP users are users whose credentials are received from the organization’s IdP. CPM can be configured to allow users in the organization’s IdP system to login to CPM using their IdP credentials.

Contents:

17 N2WS CPM IdP Integration

17.1 Configuring IdPs to Work with CPM

17.2 Configuring Groups and Group Permissions on the CPM Side

17.3 Configuring Groups on the IdP Side

17.4 CPM Login Using IdP Credentials

17.5 Configuring CPM to Work with Active Directory / AD FS

17.6 Configuring an AD FS User Claim

N2WS CPM IdP Integration

CPM supports users configured locally (local users) and users configured using the organization’s federated identity provider (IdP).

  • Local users are created and managed using the CPM User Management capabilities described above.
  • IdP users are users whose credentials are received from the organization’s IdP. CPM can be configured to allow users in the organization’s IdP system to login to CPM using their IdP credentials. Integration with IdP systems is performed using the SAML 2.0 protocol.

CPM supports Active Directory 2012 and 2016.

CPM supports IdP vendors that support SAML 2.0.

Note: The CPM root user can only login through the local user account even when CPM is configured to work with IdP.

Configuring CPM to work with IdP consists of the following:

  • Configuring the IdP to work with CPM
  • Configuring CPM to work with the IdP
  • Configuring CPM Groups in CPM
  • Configuring CPM Groups and Users in IdP

Configuring IdPs to Work with CPM

CPM supports the SAML 2.0 protocol for integration with IdP systems. N2W Software qualifies only certain IdP systems internally, but any SAML 2.0 compliant IdP system should be able to work smoothly with CPM.

Prerequisite to IdP Integration with CPM

Prior to configuring CPM to work with an IdP system, it is required that CPM be configured in the IdP system as a new application. Consult the IdP system’s documentation on how to configure a new application.

Note: When configuring CPM as a new IdP application, verify that:

  • The default Name ID format used in SAML requests is set to Unspecified, or modify the default CPM configuration as per the section on CPM configuration below.
  • The X509 certificate Secure hash algorithm is set to SHA-256.
  • The following URL values are used (<CPM_ADDRESS> is either the DNS name or the IP address of the CPM Server):
    • Entity ID – https://<CPM_ADDRESS>/remote_auth/metadata
    • Sign in response – https://<CPM_ADDRESS>/remote_auth/complete_login/
    • Sign out response – https://<CPM_ADDRESS>/remote_auth/complete_logout/

As part of configuring CPM as a new IdP application, the IdP system will request a file containing the CPM x509 certificate. The certificate file can be obtained from the CPM General Settings screen in the Identity Provider Configuration section. Click the Download CPM’s certificate file button and choose a location to save the file. See section 17.1.2.

If configuring CPM to work with Microsoft Active Directory/AD FS, refer to section 17.4.1.
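The following Python script is an added example, not part of the N2WS guide or of CPM itself. It reads a constructed SAML 2.0 response of the kind an IdP posts to the Sign in response URL above and checks the two prerequisites just listed, a NameID format of Unspecified and an RSA with SHA-256 signature method, before extracting the attribute values (the cpm_user_groups and cpm_user_permissions claim names used later in this chapter). The issuer URL, user name and attribute values in the sample are invented; the namespaces and format URIs are the SAML 2.0 standard ones. The script inspects declared values only and does not verify the XML signature; that is what the IdP's X509 certificate uploaded in the next section is for.

```python
# Added example (not from the N2WS guide): inspect a SAML 2.0 response for the
# settings this chapter asks the IdP administrator to configure. Namespaces and
# format URIs are the SAML 2.0 standard ones; the sample response is constructed.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SIG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample: the skeleton of an assertion as an IdP would issue it for
# CPM. Signature value and certificate are omitted; only the declared
# algorithm is present, which is all this script looks at.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      </ds:SignedInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">EXAMPLE\\jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="cpm_user_groups">
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
        <saml:AttributeValue>cpm_default_managed_users</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="cpm_user_permissions">
        <saml:AttributeValue>max_accounts=1</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def inspect_response(xml_text):
    """Return the NameID, its format, the signature algorithm, the claim
    attributes and a list of findings (empty when the response matches what
    this chapter expects from the IdP)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"findings": ["response carries no Assertion element"]}
    findings = []

    # Prerequisite 1: Name ID format must be Unspecified (CPM's default).
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != NAMEID_UNSPECIFIED:
        findings.append(f"NameID Format is {fmt!r}; CPM expects Unspecified by default")

    # Prerequisite 2: the assertion must be signed with SHA-256.
    sig_method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    alg = sig_method.get("Algorithm") if sig_method is not None else None
    if alg != SIG_RSA_SHA256:
        findings.append(f"signature algorithm is {alg!r}; expected RSA with SHA-256")

    # Collect every attribute as a list of values (multi-valued group claims).
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    if "cpm_user_groups" not in attributes:
        findings.append("cpm_user_groups claim is missing; CPM cannot assign a group")

    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": fmt,
        "signature_algorithm": alg,
        "attributes": attributes,
        "findings": findings,
    }


if __name__ == "__main__":
    report = inspect_response(SAMPLE_RESPONSE)
    for line in report["findings"] or ["response matches the expected CPM settings"]:
        print(line)
```

Run it against a response captured from a browser's SAML trace (for example, the base64 SAMLResponse form field, decoded) when a Test connection attempt fails: a non-empty findings list points straight at the IdP-side setting that is off.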

Configuring CPM for IdP Integration

To configure CPM to work with the organization’s IdP go to the CPM General Settings screen. In the Identity Provider section, set Identity Provider to enabled. Once enabled, several IdP-related parameters are presented (see Figure 17‑1).

If configuring CPM for integration with Microsoft Active Directory/AD FS, refer to section 17.5.

Note: CPM accepts either the IP address or DNS name in many fields. However, some IdPs require that CPM be configured using the format used when configuring CPM as an application in the IdP system. If the IdP uses DNS names, use DNS names in CPM, and if the IdP uses IP address, use IP addresses in CPM.

Figure 17‑1

Identity Provider – Enables/disables access for IdP users.

CPM IP or DNS – The IP Address or DNS name of the CPM server.

Entity ID – The IdP Identity Provider Identifier provided by the IdP system. Consult the IdP system’s documentation.

Sign in URL – The authentication request target is the URL, provided by the IdP system, to which CPM will redirect users after entering their IdP credentials. Consult the IdP system’s documentation.

Sign out URL – The logout request target is the URL, provided by the IdP system, to which CPM will redirect users once they logout of CPM. Consult the IdP system’s documentation.

NameID format – The format of the SAML NameID element.

X509 Cert – The X509 certificate is provided by the IdP system for uploading. Consult the IdP system’s documentation about obtaining their x509 certificate.

Once all the parameters have been entered, click the Test connection . . . button to test the connection between CPM and the IdP.

Configuring Groups and Group Permissions on the CPM Side

Groups and the permissions assigned to groups are configured in CPM. When an IdP user logs into CPM, the information about the user’s group membership is received from the IdP and that group’s permissions are assigned to the user.

Note: Every IdP user must belong to a CPM group. IdP users who do not belong to a group, even if they have user-specific permissions as detailed below, cannot log on to CPM. Logon by IdP users who do not belong to a group will fail with an appropriate error message.

CPM comes with 4 pre-defined groups named default*, as shown in Figure 17‑1. Additional groups can be created and removed easily in the Identity Provider section of the CPM General Settings screen (see Figure 17‑1).

Note: The default groups cannot be modified or deleted. To see the permission settings assigned to the default groups, click the group name.

To add a new group:

  1. Click the Add New Group button. The add group screen will appear.

Note: The group permission settings essentially mirror the user permissions detailed in chapter 16.

Figure 17‑2

Enabled – When set to No, users belonging to the group will not be able to log on to CPM.

Name – Name of the group.

User Type – For details, see chapter 16.

  • Managed
  • Independent
  • Delegate

Note: When Delegate is selected, the Original Username to which this group is a delegate is required although the Original Username does not yet need to exist in CPM. After creation, the Original Username cannot be modified.

For User Type Managed:

  • Allowed File Level Recovery – When set to Yes, members of the group can use the file-level recovery feature.
  • Max Number of Accounts – The maximum number of AWS accounts users belonging to this group can manage.
  • Max Number of Instances – The maximum number of instances users belonging to this group can manage.
  • Max Non-Instance EBS – The maximum number of Gigabytes of EBS storage that is not attached to EC2 instances that users belonging to this group can manage.
  • Max RDS – The maximum number of Gigabytes of RDS databases that users belonging to this group can manage.
  • Max Redshift Clusters – The maximum number of Gigabytes of Redshift clusters that users belonging to this group can manage.
  • Max DynamoDB Tables – The maximum number of Gigabytes of DynamoDB tables that users belonging to this group can manage.

For User Type Delegate:

  • Original Username – The user name for which members of this group act as delegates (see the Note above).
  • Perform Recover – Whether the delegate can initiate a recovery.
  • Change Accounts – Whether the delegate can make changes to an account.
  • Change Backup – Whether the delegate can make changes to a backup.

Configuring Groups on the IdP Side

IdPs indicate a user’s group membership to CPM using IdP claims. Specifically, the IdP must configure an Outgoing Claim Type of cpm_user_groups whose value is set to all the groups the user is a member of, both CPM related groups and non-CPM related groups.

Additionally, the names of the groups users are assigned to in the IdP must be of the form cpm_<GROUP_NAME_IN_CPM> (e.g. cpm_mygroup where mygroup is the name of a group that was created in CPM). The <GROUP_NAME_IN_CPM> part of the name must match the name of a group in CPM (see section 17.3). For example, to give IdP users the permissions of the CPM group default_managed_users:

  • The relevant users must be members of an IdP group called cpm_default_managed_users.
  • The IdP must have an outgoing claim called cpm_user_groups, and the value of the claim must include the names of all the user’s groups in the IdP, which presumably includes cpm_default_managed_users.

Note: An IdP user logging onto CPM can belong to only one CPM group, i.e. of all the groups listed in the cpm_user_groups claim, only one can be a CPM group, such as cpm_mygroup. If an IdP user is a member of more than one CPM group, the log on will fail with a message indicating the user belongs to more than one CPM group.

Understanding CPM User Permissions

A user logged into the CPM system can have several types of permissions. This section discusses the different types of permissions as they are applied to CPM IdP integration. For full treatment of the meanings of these permissions, see sections 16.3 and 16.4. To override CPM group permissions on a per-user basis, see section 17.3.2.

General User Attributes

Attribute Name | Mandatory (Y/N) | Meaning | Valid Values
-------------- | --------------- | ------- | ------------
user_type | N | Type of user. | Managed, Independent, Delegate
user_name | N | Username in CPM. | Alphanumeric string
user_email | N | User’s email address. | Valid email address

Attributes for Independent and Managed Users

Attribute Name | Mandatory (Y/N) | Meaning | Valid Values
-------------- | --------------- | ------- | ------------
allow_file_level_recovery | N | Whether the user is allowed to use the CPM file-level restore feature. | yes, no
max_accounts | N | The number of AWS accounts the user can manage in CPM. Varies by CPM license type. | Number between 1 and max licensed
max_instances | N | The number of instances the user can back up. Varies by CPM license type. | Number between 1 and max licensed
max_independent_ebs_gib | N | Total size of EBS independent volumes being backed up in GiB (i.e. volumes not attached to a backed-up instance). | Number between 1 and max licensed
max_rds_gib | N | Total size of AWS RDS data being backed up in GiB. | Number between 1 and max licensed
max_redshift_gib | N | Total size of AWS Redshift data being backed up in GiB. | Number between 1 and max licensed
max_dynamodb_gib | N | Total size of AWS DynamoDB data being backed up in GiB. | Number between 1 and max licensed

Attributes for Delegate Users

Attribute Name | Mandatory (Y/N) | Meaning | Valid Values
-------------- | --------------- | ------- | ------------
original_username | Y | The name of the user for whom user_name is a delegate. | Alphanumeric string
allow_recovery | N | Whether the user can perform CPM restore operations. | yes, no
allow_account_changes | N | Whether the user can manage CPM user accounts. | yes, no
allow_backup_changes | N | Whether the user can modify backup policies. | yes, no

All the permissions detailed above are set for a group when the group is created in CPM. Additionally, it is possible to assign CPM permission at the level of individual IdP users as described in 17.3.2. When there is a conflict between a user’s group permissions and a user’s individual permissions, the individual permissions take precedence.

A permission string consists of key=value pairs, with pairs separated by a semicolon.

For convenience, below is a string of all the possible security parameters. CPM will accept a partial list consisting of any number of these parameters in any order:

user_type=independent;email=yeepee@redpil.com;allow_recovery=yes;
allow_account_changes=yes;allow_backup_changes=yes;allow_file_level_restore=no;
max_accounts=1;max_instances=2;max_independent_ebs_gib=3;max_rds_gib=4;
max_redshift_gib=5;max_dynamodb_gib=5;original_username=robi@stam

Overriding Group Settings at the User Level

Users get the CPM permissions assigned to their group. However, it is possible to give specific IdP group members permissions different from their group permissions.

To override the group permission for a specific user:

  • The IdP administrator must first enter the new permissions in an IdP user attribute associated with the user. The attribute can be an existing attribute that will now serve this role (e.g. msDS-cloudExtensionAttribute1) or a custom attribute added to the IdP user schema specifically for this purpose.
  • The content of the attribute specifies the user’s CPM permissions in the key=values format detailed in the section above.
  • Permissions specified in the user attribute will override permissions inherited from the group.
  • Permission types not specified in the user attribute will be inherited from the group’s permissions. For example, if the attribute contains only the value max_accounts=1, all other permissions will be inherited from the user’s group permissions.
  • Once a user attribute has been configured with the correct permissions, an IdP claim rule with Outgoing Claim Type cpm_user_permissions must be created. The value of the claim must be mapped to the value of the attribute chosen above.
  • When the user-level claim is enabled, the user will be able to log on to CPM with permissions that are different from the group’s permissions.
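To show how the rules of sections 17.3 and 17.3.2 fit together, here is an added Python example that is not code from the N2WS guide or from CPM. It parses a cpm_user_permissions string in the key=value;key=value format described above, picks the single cpm_<name> group out of a cpm_user_groups claim (refusing the logon when there is none, when there are several, or when the group is disabled or unknown on the CPM side), and then layers the user-level values over the group's so that individual permissions win and unspecified keys are inherited. The CPM group definitions are constructed for the example (default_managed_users is a group name the guide uses; its settings here are invented), and the full permission string is the one printed in the section above. The choice to count every cpm_-prefixed IdP group toward the "more than one CPM group" check, even one that CPM does not know, is the example's own assumption.

```python
# Added example (not from the N2WS guide): combine the cpm_user_groups and
# cpm_user_permissions claims into one effective permission set following the
# rules in this chapter. Group definitions below are constructed.
CPM_GROUP_PREFIX = "cpm_"


class LoginError(Exception):
    """Raised where the guide says the logon fails with an error message."""


# Constructed CPM-side groups. default_managed_users is a name the guide uses;
# its settings here and the whole ops_delegates group are illustrative only.
CPM_GROUPS = {
    "default_managed_users": {
        "enabled": True,
        "user_type": "managed",
        "allow_file_level_recovery": "no",
        "max_accounts": "2",
        "max_instances": "10",
    },
    "ops_delegates": {
        "enabled": False,  # Enabled = No: members cannot log on
        "user_type": "delegate",
        "original_username": "backup_admin",
        "allow_recovery": "yes",
        "allow_account_changes": "no",
        "allow_backup_changes": "no",
    },
}

# The full permission string as printed in the guide, joined onto one line.
FULL_EXAMPLE_STRING = (
    "user_type=independent;email=yeepee@redpil.com;allow_recovery=yes;"
    "allow_account_changes=yes;allow_backup_changes=yes;allow_file_level_restore=no;"
    "max_accounts=1;max_instances=2;max_independent_ebs_gib=3;max_rds_gib=4;"
    "max_redshift_gib=5;max_dynamodb_gib=5;original_username=robi@stam"
)


def parse_permissions(text):
    """Parse 'key=value;key=value' into a dict. Any subset of keys in any
    order is accepted; a pair without '=' is rejected, not silently dropped."""
    perms = {}
    for pair in text.split(";"):
        pair = pair.strip()
        if not pair:
            continue  # tolerate a trailing ';' or an empty attribute
        if "=" not in pair:
            raise ValueError(f"malformed permission pair: {pair!r}")
        key, value = pair.split("=", 1)
        perms[key.strip()] = value.strip()
    return perms


def resolve_cpm_group(claimed_groups, cpm_groups):
    """Pick the single CPM group out of all groups in the cpm_user_groups claim.
    Assumption (the example's own): every claimed group named cpm_<x> counts
    as a CPM group, so two such names fail the logon even if one is unknown."""
    cpm_names = [g[len(CPM_GROUP_PREFIX):] for g in claimed_groups
                 if g.startswith(CPM_GROUP_PREFIX)]
    if not cpm_names:
        raise LoginError("user does not belong to any CPM group")
    if len(cpm_names) > 1:
        raise LoginError(f"user belongs to more than one CPM group: {cpm_names}")
    name = cpm_names[0]
    if name not in cpm_groups:
        raise LoginError(f"IdP group cpm_{name} has no matching group in CPM")
    if not cpm_groups[name]["enabled"]:
        raise LoginError(f"CPM group {name} is disabled")
    return name


def effective_permissions(claimed_groups, cpm_groups, user_claim=""):
    """Group permissions first, then the per-user claim on top: individual
    permissions take precedence, unspecified keys are inherited from the group."""
    name = resolve_cpm_group(claimed_groups, cpm_groups)
    perms = {k: v for k, v in cpm_groups[name].items() if k != "enabled"}
    perms.update(parse_permissions(user_claim))
    return name, perms


def logon_outcome(claimed_groups, cpm_groups, user_claim=""):
    """Return ('allowed', permissions) or ('denied', reason) for one logon."""
    try:
        name, perms = effective_permissions(claimed_groups, cpm_groups, user_claim)
    except (LoginError, ValueError) as exc:
        return "denied", str(exc)
    return "allowed", {"group": name, **perms}


if __name__ == "__main__":
    print(logon_outcome(["Domain Users", "cpm_default_managed_users"],
                        CPM_GROUPS, "max_accounts=1"))
```

Values are kept as the strings the claim carries; checking them against the license limits (1 to max licensed) is left to CPM, as is validating that a delegate's original_username exists.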

If configuring Microsoft Active Directory/AD FS, refer to section 17.6 for details.

CPM Login Using IdP Credentials

In order to use IdP credentials to log on to CPM, users need to select the Sign in with: Identity Provider option on the CPM Logon screen (see Figure 17‑3).

Figure 17‑3

Clicking the Identity Provider button will redirect the user to the organization’s IdP system using SAML.

Note: To log on to CPM as root, log on with the standard user and password option.

Configuring AD/AD FS for Integration with CPM

To enable CPM to integrate with AD/AD FS, CPM must be added to AD FS as a Relying Party Trust.

Note: The following AD FS screenshots are from AD 2012. The AD 2016 screens are very similar.

To run the Add Relying Party Trust Wizard:

  1. In the left pane of the AD FS console, click Relying Party Trusts.
  2. In the right pane, click Add Relying Party Trust. . .. The Wizard opens.

Figure 17‑4

Click Start.

Click the Enter data about the relying party manually option.

Click Next.

On the Welcome screen, type the display name for CPM (e.g. CPM by N2WS), and click Next.

On the Choose Profile screen, click the AD FS profile option, and then click Next.

Skip the Configure Certificate screen by clicking Next.

On the Configure URL screen:

  1. Select the Enable support for SAML 2.0 WebSSO protocol check box.
  2. In the Relying Party SAML 2.0 SSO Service URL box, type https:// followed by the CPM DNS name or IP address, and then followed by /remote_auth/complete_login/.

For example, the resulting string might look like:

https://ec2-123-245-789.aws.com/remote_auth/complete_login/

Click Next.

In the Configure Identifiers screen, type https:// followed by the CPM DNS name or IP address, and then followed by /remote_auth/metadata in the Relying party trust identifier box.

Figure 17‑5

For example, the resulting string might look like:

https://ec2-123-245-789.aws.com/remote_auth/metadata

Click Add on the right.

Figure 17‑6

Click Next.

On the Configure Multi-factor Authentication Now? screen, select the I do not want to configure multi-factor authentication settings for this relying party trust at this time option, and click Next.

On the Issuance Authorization Rules screen, click the Permit all users to access this relying party option, and click Next.

On the Ready to Add Trust screen, review the setting of the Relying party trust configured with the Wizard. When finished, click Next.

On the Finish screen of the Wizard, click Close. There is no need to click the Open the Edit Claim Rules dialogue for this relying party trust when the wizard closes option.

Setting AD FS Properties

Once the Relying Party Trust has been configured, set the AD FS properties.

To set the AD FS properties:

  1. Go back to the AD FS management console, and in the middle pane, right-click the CPM line under Relying Party Trust, and select Properties.
  2. On the screen that opens, select the Endpoints tab, and click Add SAML….

In the Edit Endpoint screen, select SAML Logout from the Endpoint type list.

Figure 17‑7

In the Trusted URL: box, type the DNS name or IP address of the AD FS server followed by /adfs/ls/?wa=wsignout1.0 (e.g. https://adserver.mycompany.com/adfs/ls/?wa=wsignout1.0).

In the Response URL: box, type the DNS name or IP address of the CPM server followed by /remote_auth/complete_logout/ (e.g. https://ec2-123-245-789.aws.com/remote_auth/complete_logout/).

Click OK.

Go to the Advanced tab, and in the Secure hash algorithm list, select SHA-256. Click Apply.

Installing the CPM Certificate

In order for CPM to work with AD FS the X.509 certificate used by CPM needs to be added to the AD FS Trusted Root Certification Authorities list. If you installed your own certificate in CPM when you first configured CPM (as per section 2.5.3) then your certificate may already be in your AD FS root trust. Otherwise you will need to add it. If you used the certificate CPM creates during installation, you will need to add that certificate into the AD FS Trusted Root Certification Authorities.

To add a root certificate to the AD FS Trusted Root Certification Authorities:

  1. Go to the Signature tab under properties and click Add….
  2. In the File box at the bottom of the screen, type the name of the file containing the CPM x.509 certificate. This will be either:
    1. The root certificate you installed in CPM when it was first configured as per section 2.5.3 of the User Guide, if not already in the AD FS Trusted Root Certification Authorities, or
    2. The certificate CPM created when it was first configured.
    3. To obtain a copy of the certificate being used by CPM, either the one you originally installed or the one CPM created, click the Download CPM’s certificate file button in the Active Directory Configuration section of the CPM General Settings screen (see Figure 17‑13).
  3. Once you have entered the name of the file, click Open.
  4. The CPM certificate is now visible in the center pane in the Signature tab.
  5. In the center pane of the Signature tab, double click the CPM certificate.
  6. Under the General tab, click Install Certificate….
  7. In the Certificate Import Wizard screen, click the Local Machine option, and click Next.
  8. Click the Place all certificates in the following store option, click Browse…, and then select the Trusted Root Certification Authorities store. Click OK.
  9. Click Next.
  10. Click Finish. Then click OK on the pop-up screen, click OK on the General tab, and click OK on the Properties screen.

The next step is to create a Name ID claim in AD FS.

Creating an AD FS Name ID Claim

To create an AD FS claim:

  1. Open the ADFS management console. In the main page of the management console, select Relying Party Trusts in the left pane.
  2. In the middle Relying Party Trust pane, select CPM’s party (e.g. CPM by N2WS).
  3. In the right pane, click Edit Claim Rules…

In the Edit Claim Rules screen, click Add Rule.

Figure 17‑8

Figure 17‑9

In the Claim rule template list, select Transform an Incoming Claim and click Next.

Complete the Add Transform Claim Rule Wizard screen:

  1. In the Claim rule name box, type a name for the claim.
  2. In the Incoming claim type list, select Windows account name.
  3. In the Outgoing claim type list, select Name ID.
  4. In the Outgoing name ID format list, select Unspecified.
  5. Click the Pass through all claim values option.
  6. Click OK.

Figure 17‑10

The next step is to add a Token-Groups claim.

Adding a Token-Groups Claim

An AD FS Token-Groups claim must be configured so that AD FS will send CPM the list of groups a user is a member of. To configure the Token-Groups claim, perform steps 1 and 2 of the Configuring Name ID Claim process in section 17.4.4. Then continue as follows:

  1. In the Claim rule template list, select Send LDAP Attributes as Claims and click Next.

Figure 17‑11

  2. In the Claim rule name box, type a name for the rule you are creating.
  3. In the Attribute store list, select Active Directory.
  4. In the Mapping of LDAP attributes to outgoing claim types table:
    1. In the left column (LDAP Attribute), select Token-Groups – Unqualified Names.
    2. In the right column (Outgoing Claim Type), type cpm_user_groups.

Figure 17‑12

Testing the Connection

At this point AD FS has been configured to work with CPM. It is now possible to perform a connectivity test between CPM and AD FS.

To test the connection between CPM and AD FS:

  1. Go to the CPM General Settings screen.
  2. Click Identity Provider.
  3. Click Test connection….
  4. Type a valid AD username and password on the logon page.
  5. Click Sign in.

Configuring CPM to Work with Active Directory / AD FS

To configure CPM to work with the organization’s AD server:

  1. Go to the CPM General Settings screen.
  2. Select Identity Provider.
  3. In the Identity Provider list, select Enabled. Several IdP related parameters are presented.

Figure 17‑13

In the Entity ID box, type the AD FS Federation Service Identifier, as configured in AD FS. See Figure 17‑14 to locate this parameter in AD FS.

Figure 17‑14

In the Sign in URL box, type the URL to which CPM will redirect users for entering their AD credentials.

This parameter is configured as part of AD FS. The AD FS server’s DNS name, or IP address, must be prepended to the URL Path listed in AD FS. See Figure 17‑14 to locate this information in AD FS.

Figure 17‑15

In the NameID format list, select the format of the SAML NameID element.

In the x509 cert box, upload the X509 certificate of the AD FS server. The certificate file can be retrieved from the AD FS management console under Service -> Certificates, as shown in Figure 17‑16:

Figure 17‑16

To export the certificate:

  1. Double click the Token signing field to open the Certificate screen.
  2. Click the Details tab and click Copy to File . . . on the bottom right.
  3. Click Next to continue with the Certificate Export Wizard.
  4. Click the Base-64 Encoded X.509 (.cer) option and click Next.
  5. Type a name for the exported file and click Next.
  6. Click Finish.

Once all the parameters have been entered, click the Test connection . . . button to verify the connection between CPM and the IdP.

Configuring an AD FS User Claim

Once a user attribute has been configured with the correct permissions, an ADFS claim rule with Outgoing Claim Type cpm_user_permissions must be created before the user-level permissions can take effect.

To create the claim rule:

  1. Open the AD FS management console.
  2. In the main page of the management console, in the left pane, select Relying Party Trusts.
  3. Select CPM’s party (e.g. CPM by N2WS) in the middle pane, and in the right pane, click Edit Claim Rules.

Figure 17‑17

In the Edit Claim Rules screen, click Add Rule.

Figure 17‑18

Figure 17‑19

In the Add Transform Claim Rule Wizard screen, select Send LDAP Attributes as Claims in the Claim rule template list, and click Next.

The Claim Rule Wizard opens the Edit Rule screen. Complete as follows:

  1. In the Claim rule name box, type a name for the rule you are creating.
  2. In the Attribute store list, select Active Directory.
  3. In the Mapping of LDAP attributes to outgoing claim types table:
    1. In the left column (LDAP Attribute), type the name of the user attribute containing the user permissions (e.g. msDS-cloudExtensionAttribute1).
    2. In the right column (Outgoing Claim Type), type cpm_user_permissions.

Figure 17‑20

Click OK to create the rule.

Once the user-level claim is enabled, the user will be able to log on to CPM with permissions that are different from the group’s permissions.
