
How to use single sign-on and LDAP together

Applies to:
  • CrashPlan PROe

Overview

This tutorial explains how to configure single sign-on (SSO) for authentication and LDAP for authorization and user management in the same organization. Using SSO and LDAP together combines the security and ease-of-use benefits of SSO with the advantages of leveraging your existing LDAP directory structure for user management.

Considerations

  • Your enterprise servers must be running version 4.1.6.3 or later.
  • Users in your Code42 environment must have matching LDAP and SSO usernames.
  • If users are moved to an organization that does not offer the same identity provider, their devices are automatically deauthorized by your master server. The users cannot sign in until an administrator adds them to the authentication service configured for the organization.

Test SSO and LDAP
As a best practice, we recommend configuring SSO and LDAP in a test organization first to verify the configuration works as expected. Then, implement the settings for existing organizations or within your top-level organization settings as described below.

Before you begin

Step 1: Modify the CrashPlan app to enable SSO

CrashPlan PROe only. SharePlan does not require modifications to enable SSO.

The CrashPlan app is not configured to allow SSO by default. To use SSO in your Code42 environment, create an SSO-enabled CrashPlan app installer for new devices, and modify existing CrashPlan devices to enable SSO.

Modify the CrashPlan app installer and deploy it to new users

Modify the CrashPlan app installer to enable SSO authentication. Use this installer to set up the CrashPlan app for users that authenticate with SSO.

  1. Follow the instructions in Preparing The CrashPlan app For Deployment to set SSO custom properties.
  2. During the modification process, modify the following custom properties to enable SSO:
    1. Set registrationKey to the registration key for the appropriate organization.
    2. (Optional) To allow new users to start backing up the default file selection immediately without authenticating, set password to ${deferred}.
    3. Set ssoAuth.enabled to true.
    4. (Optional) To require SSO authentication and disable other authentication methods, set ssoAuth.required to true.
      When SSO authentication is required, users cannot sign in unless their organization is configured to use SSO.
    5. (Optional) To customize the SSO message that is displayed to users, modify the ssoAuth.provider value.
      The default message is "Login with single sign-on".
  3. After you set the SSO properties, follow the instructions to generate the CrashPlan app installers.
  4. Distribute the modified CrashPlan app installer to users that sign in using SSO.

Modify existing CrashPlan devices to enable SSO

If users in your Code42 environment use CrashPlan apps that are not SSO-enabled, modify each existing CrashPlan app to enable SSO.

Desktop management software
We recommend using desktop management software to automate this process.

Option A: Uninstall and install the SSO-enabled CrashPlan app

  1. Uninstall the CrashPlan app.
  2. Use the SSO-enabled CrashPlan app installer to install CrashPlan.

Option B: Modify an installed CrashPlan app to enable SSO

  1. Download our custom content template.
  2. Extract the template and locate the custom.properties file.
  3. Open the custom.properties file in a plain text editor.
  4. Set the address to the hostname and port of your master server.
  5. Verify that ssoAuth.enabled is set to true.
  6. (Optional) To require SSO authentication and disable other authentication methods, set ssoAuth.required to true.
    You do not need to make any further modifications to the file. If you have chosen to use a custom.properties file that has already been modified, note that settings not related to SSO may affect CrashPlan app configuration settings.
  7. On the CrashPlan device, create the following directory and place the custom.properties file inside:
    • Windows: C:\Program Files\CrashPlan\custom
    • OS X: /Library/Application Support/CrashPlan/custom
    • Linux: /usr/local/crashplan/custom
    • Solaris: /opt/sfw/crashplan/custom
  8. Restart the CrashPlan service.
  9. To sign in with single sign-on, deauthorize the CrashPlan device using one of these methods:
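
Added example (not part of the original Code42 article): a pre-deployment check for the SSO settings in custom.properties, covering both the installer properties listed earlier in Step 1 and steps 4 to 6 of Option B. It assumes the file uses plain key=value lines; the function names and the sample hostname, port, registration key and password are constructed for illustration.

```python
import re

# Constructed sample: SSO is enabled but not required, and a literal password
# was left in the file. Hostname, port and key are placeholders.
SAMPLE = """\
# custom.properties (constructed sample)
address=master.example.com:4282
registrationKey=XXXX-XXXX-XXXX-XXXX
password=hunter2
ssoAuth.enabled=true
ssoAuth.provider=Login with single sign-on
"""

def parse_properties(text):
    """Parse simple key=value lines; skips blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_sso(props, installed_app=True):
    """Return a list of findings; an empty list means the SSO settings pass."""
    findings = []
    if props.get("ssoAuth.enabled", "").lower() != "true":
        findings.append("ERROR ssoAuth.enabled is not true: SSO sign-in stays off")
    if props.get("ssoAuth.required", "").lower() != "true":
        findings.append("WARN ssoAuth.required is not true: "
                        "other authentication methods remain available")
    # Option B (installed app) also needs the master server address.
    address = props.get("address", "")
    if installed_app and not re.fullmatch(r"[A-Za-z0-9.-]+:\d{1,5}", address):
        findings.append("ERROR address is not hostname:port of the master server")
    pw = props.get("password")
    if pw is not None and pw != "${deferred}":
        findings.append("WARN password is a literal value, not ${deferred}")
    return findings

if __name__ == "__main__":
    for finding in audit_sso(parse_properties(SAMPLE)):
        print(finding)
```

Run it against each custom.properties file before handing it to your desktop management software; pass installed_app=False when checking installer properties, where the address check does not apply.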

Step 2: Configure organizations to use SSO and LDAP

Enable SSO and LDAP by modifying a specific organization or by modifying the top-level organization settings.

Multiple identity providers
If two or more identity providers are offered in your Code42 environment, tell the users in each organization which identity provider they should choose when they sign in.

Option A: Enable SSO and LDAP for a specific organization

  1. Sign in to the administration console on your master server.
  2. Navigate to Organizations, then select the organization.
  3. From the Action menu, select Edit.
  4. Click Security.
  5. If necessary, deselect Inherit security settings from parent.
  6. Configure SSO as the authentication method:
    1. From Select an authentication method, choose SSO.
      The configured SSO identity providers appear.
    2. Select the identity providers that you want to offer for the organization.
  7. Configure LDAP as the directory service:
    1. From Select a directory service, select LDAP.
      The configured LDAP servers appear.
    2. Select an LDAP server.
  8. Click Save.

Option B: Enable SSO and LDAP for all organizations

Modify the top-level organization settings to enable SSO and LDAP for all organizations.

Disabling inheritance
If inheritance is disabled for an organization, that organization is not affected by changes to its parent organization.

  1. Sign in to the administration console on your master server.
  2. Navigate to Settings > Organization.
  3. Click Security.
  4. Configure SSO as the authentication method:
    1. From Select an authentication method, choose SSO.
      The configured SSO identity providers appear.
    2. Select the identity providers that you want to offer for the organization.
  5. Configure LDAP as the directory service:
    1. From Select a directory service, select LDAP.
      The configured LDAP servers appear.
    2. Select an LDAP server.
  6. Click Save.

Step 3: Add new users that sign in with SSO and LDAP

New users can create their own accounts when they first sign in to an SSO-enabled CrashPlan app. Alternatively, you can use the administration console to create user accounts.

Option A: Deploy the SSO-enabled CrashPlan app

Distribute the SSO-enabled CrashPlan app installer to new users.

  • New users can register accounts in your Code42 environment by signing in with SSO credentials.
  • New users begin backing up the default file selection immediately without authenticating if all of the following conditions are met:
    • The organization is configured to auto-start backups.
    • The CrashPlan app is modified to contain the correct organization registration key.
    • The CrashPlan app is modified to defer the user's password.
      Users are not able to sign in to the CrashPlan app or restore unless they have a valid SSO account.

SharePlan registration
The SharePlan app cannot be used to register SSO-enabled user accounts. If your Code42 environment uses SharePlan, deploy the CrashPlan app to create user accounts before deploying the SharePlan app.

Option B: Add users in the administration console

Use the administration console to add users to an organization that uses SSO.

  • Verify that the users in the organization exist in the SSO identity provider used by the organization.
  • Make sure that the Code42 environment usernames match the SSO usernames.