SAML Single Sign-On

CloudEndure allows you to sign into the CloudEndure User ConsoleCloudEndure SaaS User Interface. A web-based UI for setting up, managing, and monitoring the Migration and Disaster Recovery solutions. using your corporate credentials through our SAML integration (SSO).

In order to use SAML to sign into the CloudEndure User ConsoleCloudEndure SaaS User Interface. A web-based UI for setting up, managing, and monitoring the Migration and Disaster Recovery solutions., you must first configure Single Sign-On SAML Authentication.

The following instructions illustrate how to configure Single Sign-On SAML Authentication through the Microsoft Active Directory Federated Services (ADFS).

Note: Configuration instructions may differ based on the platform your company uses.

Single Sign-On SAML Authentication through ADFS

Settings up SAML Authentication for Active Directory requires several steps both within Active Directory and the CloudEndure User ConsoleCloudEndure SaaS User Interface. A web-based UI for setting up, managing, and monitoring the Migration and Disaster Recovery solutions..

Important: The instructions below are accurate to Microsoft Windows Server 2016. Other versions of Windows Server may have a different interface. The instructions represent a third-party interface, which may change without warning. The information provided in this section is for general guidance only. The information is provided on "AS IS" basis, with no guarantee of completeness, accuracy or timeliness, and without warranty or representations of any kind, expressed or implied. In no event will CloudEndure and/or its subsidiaries and/or their employees or service providers be liable to you or anyone else for any decision made or action taken in reliance on the information provided above or for any direct, indirect, consequential, special or similar damages (including any kind of loss), even if advised of the possibility of such damages. CloudEndure is not responsible for the update, validation or support of this information.

Setting Up Trust in ADFS

In the Server Manager, click Tools, and then select AD FS Management.
Under Actions, click Add Relying Party Trust.
On the Welcome page, choose Claims aware and click Start.
On the Select Data Source page, click Enter data about the relying party manually and then click Next.
On the Specify Display Name page, type a name in a Display name. Under Notes, type a description for this relying party trust and then click Next.
On the Configure Certificate page, click Next.
On the Configure URL page:
1. Select the Enable support for the SAML 2.0 WebSSO protocol check box.
2. Under Relying party SAML 2.0 SSO service URL, type the Security Assertion Markup Language (SAML) service endpoint URL for this relying party trust - https://console.cloudendure.com/api/v5/assertionConsumerService
  Note: Alternatively, try https://console.cloudendure.com/api/v4/assertionConsumerService
3. Click Next.

On the Configure Identifiers page, specify https://console.cloudendure.com as an identifier for this relying party, click Add to add it to the list, and then click Next.
On the Choose Access Control Policy page, select a policy and click Next. For more information about Access Control Policies, see Access Control Policies in AD FS .
|
On the Ready to Add Trust page, review the settings, and then click Next to save your relying party trust information.
On the Finish page, click Close. This action will automatically display the Edit Claim Rules dialog box.
Note: The Edit Claim Rules dialog box can be opened later from the AD FS management console (select the new Relying Party Trust and click on Edit Claim Rules under Actions.)
In the Edit Claim Issuance Policy dialog box, navigate to Issuance Transform Rules and click Add Rule.
On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims from the list, and then click Next.
On the Configure Rule page:
1. Type the display name for this rule in the field under Claim rule name.
2. Select the appropriate Attribute Store from the dropdown menu.
3. Select the LDAP attribute and map it to the outgoing claim type:
  1. LDAP Attribute: User-Principal-Name
    Note: This should be the user's email address, which could be set differently under a separate LDAP attribute.
  2. Outgoing Claim Type: username
    Note: username is not one of the multiple selection options and should be typed in explicitly.
4. Click Finish

In the Edit Claim Rules dialog box, click OK to save the rule.

Enabling RelayState in ADFS

RelayState is a parameter of the SAML protocol that is used to identify the specific resource the user will access after they are signed in and directed to the relying party’s federation server.

Note: Certain identity management providers, such as OKTA, require users to set the relayState value manually. Input the following value: https://console.cloudendure.com/#/signIn;<CloudEndure account UUID>

For ADFS 2.0, you must install update KB2681584 (Update Rollup 2) or KB2790338 (Update Rollup 3) to provide RelayState support.

Use the following steps to enable the RelayState parameter on your AD FS servers:
1. Open the following file in Notepad: %systemroot%\inetpub\adfs\ls\web.config
2. Run IISReset to restart IIS.
3. Restart the Active Directory Federation Services (adfssrv) service.
4. In the microsoft.identityServer.web section, add a line for useRelayStateForIdpInitiatedSignOn as follows, and save the change:
  <microsoft.identityServer.web> ... <useRelayStateForIdpInitiatedSignOn enabled="true" /> ... </microsoft.identityServer.web>

Configuring SAML in the CloudEndure Console with AD FS

Before SSO can be used, you will need to set up the following parameters within the CloudEndure Console. You can obtain these parameters by following these directions:
1. Identity Provider ID
  - Download this file in the browser: https://<adfs_domain>/FederationMetadata/2007-06/FederationMetadata.xml
  - You can locate the Identity Provider ID in entityID, an attribute of <EntityDescriptor>, the ID should be in the second line of the XML file (by default http://<adfs_domain>/adfs/services/trust).
2. Identity Provider Certificate
  - Browse within the file you downloaded in Step a:
    https://<adfs_domain>/FederationMetadata/2007-06/FederationMetadata.xml
  - You can locate the Identity Provider Certificate under:
    <IDPSSODescriptor>/ <KeyDescriptor use=”signing”>/ <KeyInfo>/ <X509Data>/ <X509Certificate>
3. Identity Provider URL

Navigate to Service > Endpoints in the ADFS console in the tree view on the right.
Find the Endpoint of the Type SAML 2.0/WS-Federation (by default /adfs/ls/)
Add http://<adfs_domain> to it to get the Identity Provider URL.

Sign into the CloudEndure User ConsoleCloudEndure SaaS User Interface. A web-based UI for setting up, managing, and monitoring the Migration and Disaster Recovery solutions..
1. Click on the User Settings icon on the top-right hand side of the User ConsoleCloudEndure SaaS User Interface. A web-based UI for setting up, managing, and monitoring the Migration and Disaster Recovery solutions.. .
2. Select Configure SAML.
  $C:\Users\Pavel-pc\Documents\My Projects\CloudEndure Manual\Output\Pavel_pc\HTML5\Content\Resources\Images\saml1.png$
3. In the Configure SAML dialog, do the following:
  1. Bookmark the rescue link found in the "Bookmark this link and use it to regain access…" text.
  2. Enter your account details, including your Identity Provider ID, Identity Provider URL, and Identity Provider Certificate.
  3. Click SAVE CONFIGURATION.
  4. You can rest the SAML configuration by clicking REST CONFIGURATION. Note that resetting SAML settings is likely to prevent other users from being able to log into the CloudEndure AccountThe entity that signed up with CloudEndure..
    
    Click YES on the warning dialog to confirm the reset.

Signing into the CloudEndure User Console Using Corporate Credentials

Once SAML integration is configured, you can sign in to the CloudEndure User ConsoleCloudEndure SaaS User Interface. A web-based UI for setting up, managing, and monitoring the Migration and Disaster Recovery solutions. either through the CloudEndure User ConsoleCloudEndure SaaS User Interface. A web-based UI for setting up, managing, and monitoring the Migration and Disaster Recovery solutions. Sign In page or through a direct login link.

Note: You will no longer be able to sign into the User Console with your username and password after configuring SAML.

Note: Make sure to bookmark the rescue link found in the Bookmark this link and use it to regain access… text.

Manual Sign In

Navigate to the CloudEndure User Console Sign In page.
Click on Use corporate credentials (SSO) on the bottom.
$C:\Users\Pavel-pc\Documents\My Projects\CloudEndure Manual\Output\Pavel_pc\HTML5\Content\Resources\Images\saml6.png$

Enter your CloudEndure AccountThe entity that signed up with CloudEndure. Identifier to sign in and click CONTINUE. The AccountThe entity that signed up with CloudEndure. Identifier is a unique identified allocated to your AccountThe entity that signed up with CloudEndure. by CloudEndure. You can obtain your AccountThe entity that signed up with CloudEndure. Identifier as explained in this FAQ item.
$C:\Users\Pavel-pc\Documents\My Projects\CloudEndure Manual\Output\Pavel_pc\HTML5\Content\Resources\Images\saml7.png$

You will be automatically redirected to the login screen of your Identity Provider. Follow the login operations using your organizational credentials. Once logged in, you will be automatically redirect directly into the CloudEndure User ConsoleCloudEndure SaaS User Interface. A web-based UI for setting up, managing, and monitoring the Migration and Disaster Recovery solutions. as a signed in user.

Note: For your convenience, the Use corporate credentials settings will be remembered by your browser. The next time you log in, the corporate identity page will automatically show and your Account Identifier will be pre-filled for you.

Automatic Sign in using a Direct Link

Alternatively, you can navigate directly to https://console.cloudendure.com/#/signIn?accountIdentifier=XXXXXXXXXX (replace XXXXXXXXXX with your CloudEndure AccountThe entity that signed up with CloudEndure. Identifier.)

This link will immediately redirect you to the login screen of your Identity Provider. After logging in with your Identity Provider, you will be automatically redirected into the CloudEndure User ConsoleCloudEndure SaaS User Interface. A web-based UI for setting up, managing, and monitoring the Migration and Disaster Recovery solutions. as a signed in user.