    Single Sign On With Ping Identity

    Applies to:
    • CrashPlan PROe

    Overview

    This tutorial explains how to integrate your Code42 environment with Ping Identity's cloud SSO service, Ping One. Ping One provides a standards-based service for centralized user access control using Single Sign-On (SSO) technologies such as SAML and OpenID. It also supports an identity bridge that links the service to an existing directory, such as Google Apps or Active Directory.

    Before You Begin

    You should have a good understanding of how the Code42 environment works with SSO before attempting to configure your enterprise server to work with Ping Identity or Ping One.

    Before beginning the process, you will need a Ping One account. Ping Identity provides a basic account (under 50 users) for no cost.

    Considerations

    • Please see the list of advantages and disadvantages of using SSO versus LDAP.
    • SSO is supported in CrashPlan PROe version 3.4.1 and later.

    • You may need to modify your firewall rules to allow the use of SSO:
      • Outbound traffic on TCP ports 80 and 443 to the Identity Provider is required from all CrashPlan apps that will use SSO.
      • Two-way communication on TCP ports 80 and 443 between the Identity Provider and your master server is required. The Service Provider (your master server) and the Identity Provider must be able to reach each other to exchange metadata.
      • Confirm the required ports with your SSO provider, in the unlikely event that custom ports are being used.
    • Your master server needs to be able to read the Identity Provider metadata file, which may be stored in one of two locations:
      • Locally, on your enterprise server's file system
      • On a web server in your LAN, or across the WAN
        • In this case, your enterprise server must be able to reach the web server hosting the Identity Provider metadata on the port and protocol you have chosen (http or https). Prefer https for a remote location: the metadata carries the certificate the master server uses to verify the Identity Provider's signatures, so anyone who can alter it in transit can substitute their own.


    Basic Ping One Configuration

    Before You Begin

    The basic configuration method utilizes the free or basic type of Ping One account, which does not provide the option of using an external identity provider, such as Google Apps or Active Directory.

    Step 1: Sign Into Ping One As An Administrator

    Step 2: Add The CrashPlan PROe Application To Your Ping One Application Library

    1. Go to Applications > My Applications, and click Add New Application.
    2. Choose Search Application Catalog.
      • Enter "PROe" in the search field. When CrashPlan PROe shows up in the search results, click the application logo, then choose Setup.
    3. Review the SSO Instructions page. You may want to print or save this page for future reference.
    4. Click Continue to Next Step.
    5. Configure your connection by filling in the necessary fields:
      1. In the ACS URL field enter: https://yourServer:4285/api/SsoAuthLoginResponse
      2. In the Entity ID field enter: https://yourServer:4285
      3. In the Target Resource field enter: https://yourServer:4285/console
        • In the examples above, replace "yourServer" with your actual server's fully qualified domain name (FQDN) or IP address.
        • If you do not want to use SSL, change the port from 4285 to 4280 and change "https" to "http". This is not recommended: with the HTTP-POST binding the browser submits the signed SAML response, which is the user's proof of authentication, to the ACS URL, and over plain http it travels in clear text.
        • Leave the rest of the settings unchanged. The Code42 environment does not support Single Logout at this time.
      4. Click Continue to Next Step.
    6. Enter details for attribute mapping.
      • Attribute mapping lets you map the CrashPlan PROe username to an attribute provided by Ping One. In this example, we map the uid attribute of the Code42 environment to the Ping One email address field, so each Code42 username must equal the user's Ping One email address.
      • After choosing the proper attribute mapping parameters for your Code42 environment, click Save and Publish.
    7. Review the configuration and download the SAML metadata file.
      • Click the Download link to the right of the SAML Metadata field. A copy of this file must later be placed on your master server in the installs directory, as described below.

    Step 3: Add A Test User To The Ping One Users Directory

    1. Go to the Users tab of your Ping One account.
    2. Click the Add New User button.
    3. Fill out the following fields, then click Save.
      • First Name
      • Last Name
      • E-mail


    Step 4: Install The SAML Metadata File In The Correct Location On the Master Server

    1. This directory varies according to OS platform:
      • Linux: /opt/proserver/installs
      • Windows 32-bit (x86): C:\Program Files (x86)\CrashPlan PROe Server\installs
      • Windows 64-bit: C:\Program Files\CrashPlan PROe Server\installs
      • Mac OS X: /Applications/PROServer.app/Contents/Resources/Java/installs
    2. Drag and drop the file to the destination folder, or use a tool such as scp or cp to copy the file to the destination directory.
    3. Set file permissions so that the SAML metadata file is readable by the CrashPlan service but not writable by other users: whoever can modify this file can replace the Identity Provider's signing certificate and endpoints that the master server trusts. On Linux, mode 644 is sufficient (the commonly suggested 755 also works, but a metadata file does not need the execute bit). The ideal settings for your environment might differ.

    Step 5: Configure Your Master Server's Single Sign-On Settings

    1. On your master server's administration console, go to Settings > Security > Single Sign-On.
    2. Click the Enable checkbox.
    3. Enter a name for the Identity Provider, e.g. "Ping".
    4. Enter the correct value for Identity provider metadata (URL). The master server fetches this URL itself; it points at the XML metadata file you installed in the previous step, which tells the master server how to connect to the identity provider (in this case, Ping One). Build the URL from your master server's hostname or IP address, its web port, the installs path and the actual file name of the metadata file. The following entry is an example. Replace the IP address with your master server's hostname or IP address, and the file name (saml2-metadata-idp.xml) with your actual file name: http://192.0.2.212:4280/installs/sam...tadata-idp.xml

    5. Click Save.
      • If the settings are successfully saved, you will see an alert box in the lower left of the console screen stating "Your changes have been saved."
      • If you receive a "System error" warning instead, verify the URL of the identity provider metadata file: the host, port and file name must match the file you placed in the installs directory, and the file must be readable by the CrashPlan service.

    6. The Service provider metadata URL is now generated and visible. You may click on the URL to view the XML file.
      • The entityID attribute in the service provider metadata file must match the Entity ID you entered in the Ping One application settings (https://yourServer:4285 in the example above); the identity provider identifies your server by this value.

    Step 6: Enable SSO For An Organization

    1. Go to Organizations in your administration console, then select an organization.
    2. Under Action Menu > Edit > Security, click the Use Ping for authentication checkbox.
    3. Save changes.

    Step 7: Add A Test User To The SSO-Enabled Organization

    The test user's username in the Code42 environment must match the Ping One attribute you mapped to uid in Step 2 (the email address in this example). You do not need to assign a password to the test user on the master server, since Ping One handles authentication.

    Step 8: Test The Ping One SSO Configuration

    1. Sign out of the administration console.
    2. Sign in using the Ping SSO option:
      1. Click the Sign in using Ping button.
      2. You will be redirected to Ping One for authentication. Enter the username (in this example, the email address) of the test user you configured above.
      3. After you successfully enter the credentials for the test user, you are redirected back to CrashPlan PROe and automatically signed in. The test user's authentication token will allow the test user to sign in for a default time period, configurable in Ping One.
        1. You can test this by signing out of CrashPlan PROe and signing back in using SSO.
        2. You should be automatically signed in without having to enter the test user's credentials.

    Step 9: Configure The CrashPlan App

    In order to enable SSO on the CrashPlan app, a custom installer must be used during installation. Complete instructions on the creation of a customized CrashPlan app can be found in the article Customizing The CrashPlan App. Read and understand the process of creating a customized CrashPlan app before proceeding with the steps outlined below, which are specific to SSO.

    Setting The SSO-Related Properties For The Custom Installer

    During the creation of a custom installer, the 'custom.sh' script is run, or the file 'custom.properties' is edited, in order to set the value of a number of customizable properties. The following properties pertain to SSO:

    Property Name       Values                               Notes
    ssoAuth.enabled     true or false                        SSO sign-in is not available unless this is true. Default: false.
    ssoAuth.required    true or false                        If true, SSO authentication is enforced and the standard login fields are hidden. Default: false.
    ssoAuth.provider    display name of your SSO provider    Name of the SSO identity provider shown to users. Only used if ssoAuth.enabled=true. Default: Shibboleth.

    Set the properties in the table above to the desired values:

    • ssoAuth.enabled must be set to 'true'.
    • ssoAuth.required may be set to either 'false' (the default) or 'true'. Set to 'true' if you want to force users to use SSO for authentication.
    • ssoAuth.provider should be set to the name you wish to display to users as the identity provider (for example, on the "Sign in using Ping" button).

    Once you have set these properties, and the other properties as described in Customizing The CrashPlan App​, continue with the standard process to create the custom installers.

    Ping One Using An Identity Bridge With CAS

    Before You Begin

    Using an identity bridge with Ping Identity or Ping One requires a non-free account. You are responsible for choosing and provisioning the correct level of services for your needs.

    Step 1: Sign Into Ping One As An Administrator

    Upon Initial Account Setup, You Will Need To:

    1. Choose an account type. Choose Cloud Access Services (CAS).
    2. Enter a registration key. This is provided by Ping Identity.

    Step 2: Configure Your Identity Bridge

    1. In the Ping One administration console, go to Setup > Identity Repository.
      This example uses Google Apps as an identity provider. Follow the guide and take equivalent actions if you choose a different identity provider.
      A properly configured Google Apps account is required in order to serve as an Identity Bridge for Ping One. The creation and setup of a Google Apps account for use with SSO and Ping One is beyond the scope of this article. Ping Identity has provided an article on configuring Google Apps to work with Ping Identity.
    3. Complete the configuration of the identity bridge using the Ping One wizard:
      1. Enter the value for Google Apps For Business Domain Name
      2. Click Save Configuration
    4. Once the identity bridge is successfully set up, the status field on Setup > Identity Repository will display "In use" instead of "In progress."

    Step 3: Add The CrashPlan PROe Application To My Applications On Ping One:

    1. Go to Applications > My Applications in the Ping One administration console, and click Add Application.
    2. Choose Search Application Catalog.
      • Enter "PROe" in the search field. When CrashPlan PROe shows up in the search results, click the application logo, then choose Setup.
    3. Review the SSO Instructions page. You may want to print or save this page for future reference.
    4. Click Continue to Next Step.
    5. Configure your connection by filling in the necessary fields:
      1. In the ACS URL field enter: https://yourServer:4285/api/SsoAuthLoginResponse
      2. In the Entity ID field enter: https://yourServer:4285
      3. In the Target Resource field enter: https://yourServer:4285/console
        • In the examples above, replace "yourServer" with your actual server's fully qualified domain name (FQDN) or IP address.
        • If you do not want to use SSL, change the port from 4285 to 4280 and change "https" to "http". This is not recommended: with the HTTP-POST binding the browser submits the signed SAML response, which is the user's proof of authentication, to the ACS URL, and over plain http it travels in clear text.
        • Leave the rest of the settings unchanged. The Code42 environment does not support Single Logout at this time.
      4. Click Continue to Next Step.
    6. Enter details for attribute mapping.
      • Attribute mapping lets you map the CrashPlan PROe username to an attribute provided by Ping One. In this example, we map the uid attribute of the Code42 environment to the Ping One email address field, so each Code42 username must equal the user's email address in the identity bridge.
      • After choosing the proper attribute mapping parameters for your Code42 environment, click Save and Publish.
    7. Review the configuration and download the SAML metadata file.
      • Click the Download link to the right of the SAML Metadata field. A copy of this file must later be placed on your master server in the installs directory, as described below.
    8. Click Finish.

    Step 4: Install The SAML Metadata File In The Correct Location On The Master Server

    1. This directory varies according to OS platform:
      • Linux: /opt/proserver/installs
      • Windows 32-bit (x86): C:\Program Files (x86)\CrashPlan PROe Server\installs
      • Windows 64-bit: C:\Program Files\CrashPlan PROe Server\installs
      • Mac OS X: /Applications/PROServer.app/Contents/Resources/Java/installs
    2. Drag and drop the file to the destination folder, or use a tool such as scp or cp to copy the file to the destination directory.
    3. Set file permissions so that the SAML metadata file is readable by the CrashPlan service but not writable by other users: whoever can modify this file can replace the Identity Provider's signing certificate and endpoints that the master server trusts. On Linux, mode 644 is sufficient (the commonly suggested 755 also works, but a metadata file does not need the execute bit). The ideal settings for your environment might differ.

    Step 5: Configure Your Master Server's Single Sign-On Settings

    1. On your master server's administration console, go to Settings > Security > Single Sign-On.
    2. Click the Enable checkbox.
    3. Enter a name for the Identity Provider, e.g. "Ping".
    4. Enter the correct value for Identity provider metadata (URL). The master server fetches this URL itself; it points at the XML metadata file you installed in the previous step, which tells the master server how to connect to the identity provider (in this case, Ping One). Build the URL from your master server's hostname or IP address, its web port, the installs path and the actual file name of the metadata file. The following entry is an example. Replace the IP address with your master server's hostname or IP address, and the file name (saml2-metadata-idp.xml) with your actual file name: http://192.0.2.212:4280/installs/sam...tadata-idp.xml
    5. Click Save.
      1. If the settings are successfully saved, you will see an alert box in the lower left of the console screen stating "Your changes have been saved."
      2. If you receive a "System error" warning instead, verify the URL of the identity provider metadata file: the host, port and file name must match the file you placed in the installs directory, and the file must be readable by the CrashPlan service.
    6. The Service provider metadata URL is now generated and visible. You may click on the URL to view the XML file.
      • The entityID attribute in the service provider metadata file must match the Entity ID you entered in the Ping One application settings (https://yourServer:4285 in the example above); the identity provider identifies your server by this value.

    Step 6: Enable SSO For An Organization:

    1. Go to Organizations, then select an organization.
    2. Under Action Menu > Edit > Security, click the Use Ping for authentication checkbox.
    3. Save changes.

    Step 7: Add A Test User To The SSO-enabled Organization

    1. Since you are using an identity bridge, the test user must have the same username as a valid user in your identity bridge. In this example, we are using Google Apps. Therefore, the test user must exist in Google Apps, and have the necessary permissions.
    2. You don't need to assign a password to the test user on the master server, since the identity bridge handles authentication.

    Step 8: Test The Ping One SSO Configuration

    1. Sign out of the administration console.
    2. Sign in using the Ping SSO option.
      1. Click the Sign in using Ping button.
      2. You will be redirected to your identity bridge/identity provider for authentication (e.g. Google Apps). Enter the username (in this example, the email address of the Google Apps user) of the test user you configured above.
      3. After you successfully enter the credentials for the test user, you are redirected back to CrashPlan PROe and automatically signed in. The test user's authentication token will allow the test user to sign in for a default time period, configurable in Ping One.
        1. You can test this by signing out of CrashPlan PROe and signing back in using SSO.
        2. You should be automatically signed in without having to enter the test user's credentials.

    Step 9: Configure The CrashPlan App

    In order to enable SSO on the CrashPlan app, a custom installer must be used during installation. Complete instructions on the creation of a customized CrashPlan app can be found in the article Customizing The CrashPlan App. Read and understand the process of creating a customized CrashPlan app before proceeding with the steps outlined below, which are specific to SSO.

    Setting The SSO-Related Properties For The Custom Installer

    During the creation of a custom installer, the 'custom.sh' script is run, or the file 'custom.properties' is edited, in order to set the value of a number of customizable properties. The following properties pertain to SSO:

    Property Name       Values                               Notes
    ssoAuth.enabled     true or false                        SSO sign-in is not available unless this is true. Default: false.
    ssoAuth.required    true or false                        If true, SSO authentication is enforced and the standard login fields are hidden. Default: false.
    ssoAuth.provider    display name of your SSO provider    Name of the SSO identity provider shown to users. Only used if ssoAuth.enabled=true. Default: Shibboleth.

    Set the properties in the table above to the desired values:

    • ssoAuth.enabled must be set to 'true'.
    • ssoAuth.required may be set to either 'false' (the default) or 'true'. Set to 'true' if you want to force users to use SSO for authentication.
    • ssoAuth.provider should be set to the name you wish to display to users as the identity provider (for example, on the "Sign in using Ping" button).

    Once you have set these properties, and the other properties as described in Customizing The CrashPlan App​, continue with the standard process to create the custom installers.

    Further Considerations

    • SSO currently does not handle logout (single logout). If a user signs out of the Code42 environment, the master server does not notify the identity provider or other service providers, and vice versa.
    • There is no control in the administration console or the CrashPlan app to sign out of the SSO system. To force a user to sign out of the SSO identity provider, clear the ldp.c42 cookie from the web browser used to sign in.
    • LDAP supports automated user management with the "Active Script", "Org Name Script" and "Role Name Script." SSO does not support custom scripts.
    • Multiple identity providers in the same environment are not supported.
    • SSO authentication may fail if the master server does not have a valid SSL certificate. If a self-signed certificate does not work, use a certificate issued by a Certificate Authority (CA) that the identity provider trusts.
    • Your master server validates the SSL certificate of your SSO identity provider. If the identity provider's certificate does not chain to a trusted CA, validation fails and sign-in does not complete. To resolve this, install a CA-signed certificate on the identity provider.
    • The CrashPlan mobile apps on all platforms do not support SSO at this time.
    • SSO supports the "auto register" option during CrashPlan app installation, by setting the password property in the custom installer to '${deferred}'. Unlike LDAP, the Code42 environment cannot verify the user at installation time: the new user's device starts backing up immediately, without authenticating, and the user cannot sign in to the CrashPlan app or restore until they authenticate with a valid SSO account. Bear in mind that a device registered this way is backing up data under a username that has not yet been proven to the identity provider. If the password property is not set to deferred, the user is prompted to sign in on first use, as with LDAP.
    • The following warning message in your master server's logs is normal: "Not syncing SSO metadata at this moment due to rate limiting." Rate limiting prevents syncing with your identity provider more than once per minute.
    • The Code42 environment supports SP (service provider)-initiated SSO only; IdP (identity provider)-initiated SSO is not supported at this time. The user agent (the CrashPlan app or the CrashPlan web app) starts a session by accessing the enterprise server (acting as the SP), which issues a SAML 2.0 AuthnRequest that the user agent delivers to the IdP.
    • In the IdP metadata file, the Code42 environment supports the HTTP-POST binding (but not HTTP-Redirect). You must enable the HTTP-POST binding in the IdP metadata.

    If any of the caveats above are not acceptable, we recommend using LDAP or RADIUS for authentication and authorization instead of SSO.
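    As an added illustration of the SP-initiated flow and the HTTP-POST binding described in the considerations above (this is example code, not the Code42 server's implementation), the exchange below builds the AuthnRequest a service provider sends and then applies the checks an assertion consumer service must make on the returned response: Destination, InResponseTo, status, issuer, validity window, audience restriction and subject confirmation, before reading the mapped uid attribute. The rejection of a response whose InResponseTo matches no outstanding request is exactly what rules out IdP-initiated sign-in. The identity provider's entityID and endpoint are assumed placeholders, the yourServer values are the ones from the configuration steps, and the response is constructed and unsigned, so signature verification against the certificate in the IdP metadata, which a real service provider must do before any of these checks, is not shown.

```python
# Added example (not Code42 code): SP-initiated SAML 2.0 exchange with the checks the
# ACS endpoint must perform. IdP values are placeholders; the response is constructed
# and unsigned, so signature verification (mandatory in production) is not shown.
import base64
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SP_ENTITY_ID = "https://yourServer:4285"                      # Entity ID entered in Ping One
ACS_URL = "https://yourServer:4285/api/SsoAuthLoginResponse"  # ACS URL entered in Ping One
IDP_ENTITY_ID = "https://idp.example.test/saml2"              # assumed: entityID from IdP metadata
IDP_SSO_URL = "https://idp.example.test/sso/post"             # assumed: HTTP-POST SSO endpoint

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def new_request_id():
    """SAML IDs must be XML NCNames, so they cannot start with a digit."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant):
    """SP side: the AuthnRequest the enterprise server hands the browser to deliver to the IdP."""
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL, "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": ACS_URL,
    })
    ET.SubElement(req, "{%s}Issuer" % SAML).text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def make_sample_response(in_response_to, not_before, not_on_or_after, email="testuser@example.test"):
    """IdP side (constructed): the reply, base64-encoded as the browser POSTs it in SAMLResponse."""
    xml = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" Version="2.0"
    InResponseTo="{in_response_to}" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_asrt1" Version="2.0">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{email}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{in_response_to}" Recipient="{ACS_URL}"
            NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def validate_response(saml_response_b64, outstanding_request_id, now):
    """SP side: checks made after signature verification. Returns (username, errors).
    `now` is a UTC timestamp string such as 2014-04-16T10:29:00Z (same lexical form as the assertion)."""
    errors = []
    resp = ET.fromstring(base64.b64decode(saml_response_b64))
    if resp.get("Destination") != ACS_URL:
        errors.append("Destination is not our ACS URL")
    if resp.get("InResponseTo") != outstanding_request_id:
        errors.append("InResponseTo does not match an outstanding AuthnRequest (unsolicited/IdP-initiated)")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        errors.append("status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        errors.append("response carries no assertion")
        return None, errors
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        errors.append("assertion issuer is not the configured identity provider")
    cond = assertion.find("saml:Conditions", NS)
    not_before = cond.get("NotBefore", "0000") if cond is not None else "9999"
    not_after = cond.get("NotOnOrAfter", "9999") if cond is not None else "0000"
    if not (not_before <= now < not_after):
        errors.append("assertion is outside its validity window")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        errors.append("audience restriction does not name our entityID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != outstanding_request_id:
        errors.append("SubjectConfirmationData does not bind the assertion to this request and endpoint")
    uid = assertion.findtext("saml:AttributeStatement/saml:Attribute[@Name='uid']/saml:AttributeValue", namespaces=NS)
    return uid, errors
```

    The uid returned at the end is the value the attribute mapping step ties to the Code42 username; a response that fails any check yields errors and must not sign the user in, and the outstanding request ID should be consumed after one use so a captured response cannot be replayed.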

    Last Modified
    10:29, 16 Apr 2014