Code42 Support

Introduction to single sign-on

Applies to:
  • CrashPlan PROe

Overview

Implementing single sign-on (SSO) in your Code42 environment provides security benefits and simplifies the sign-in experience. This article provides:

  • An overview of SSO
  • A comparison of SSO functionality by Code42 platform version
  • A list of compatible Code42 platform components and third-party SAML 2.0 identity providers (IdPs)

For SSO configuration instructions, see our articles for each supported identity provider.

What is SSO?

SSO is an authentication method that allows a user to use the same credentials to sign in to multiple applications.

Definitions

The main components of an SSO system are:

identity provider
The system that performs the authentication. Often abbreviated as IdP.
service provider
A system acting as a gatekeeper for one or more resources (applications).
resource
A protected application, which may or may not be web-based. The resource and the service provider are often integrated.
user agent
A software application that acts on behalf of the user who wishes to access resources. The user agent is often a web browser, although it can also be a desktop application, mobile app, or another type of agent.

SSO authentication process

When a user attempts to access an SSO-enabled protected resource, such as a Code42 application or administration console, the user is redirected to the identity provider. If the user still has an active session with the identity provider, the user is automatically redirected to the desired resource. If the user does not have an active session, the user is prompted to enter credentials. Once authenticated, the user has access for a configurable period of time to all resources protected by the identity provider.

The following diagram describes how the Code42 platform components and the SSO identity provider interact.

  • Service provider: Code42 master server
  • User agent: Code42 applications or web browser
  • Identity provider: A SAML 2.0 identity provider that supports HTTP POST binding

Code42 SSO process diagram

| Item | Description |
|------|-------------|
| 1 | When a user attempts to sign in, the user agent sends a sign-in request to the service provider. |
| 2 | The service provider refers the user agent to the identity provider's SSO URL. |
| 3 | The user agent sends an authentication request to the identity provider. |
| 4 | The identity provider authenticates the user and provides the user agent with a SAML authentication token. |
| 5 | The user agent sends the authentication token to the service provider. |
| 6 | The service provider accepts the authentication token and grants the user access to the user agent. |
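The checks a service provider makes before it accepts the token in steps 5 and 6 can be sketched as follows. This is an added example, not Code42 code: the function names, the `example.com` entity IDs and URLs, and the trimmed, unsigned sample response are all assumptions, and verification of the XML signature against the identity provider's certificate (which must come first) is not shown.

```python
import base64
import xml.etree.ElementTree as ET  # production code should use a hardened XML parser
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _ts(value):
    # SAML instants are UTC xs:dateTime strings such as 2024-01-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(form_value, idp, sp, acs_url, request_id, now):
    """Return reasons to reject the POSTed SAMLResponse; an empty list means these checks passed.
    Signature verification against the IdP certificate must happen first and is not shown."""
    root = ET.fromstring(base64.b64decode(form_value))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination is not this service provider's endpoint")
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the pending sign-in request")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one assertion"]
    if assertions[0].findtext("saml:Issuer", "", NS).strip() != idp:
        problems.append("assertion was not issued by the configured identity provider")
    cond = assertions[0].find("saml:Conditions", NS)
    nb = cond.get("NotBefore") if cond is not None else None
    noa = cond.get("NotOnOrAfter") if cond is not None else None
    if not nb or not noa or not (_ts(nb) <= now < _ts(noa)):
        problems.append("validity window missing or does not include the current time")
    audiences = [] if cond is None else [
        (a.text or "").strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp not in audiences:
        problems.append("audience does not name this service provider")
    return problems

def sample_response(audience="https://sp.example.com"):
    # Constructed, trimmed and unsigned sample of the form value the user agent POSTs in step 5
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
      Destination="https://sp.example.com/acs" InResponseTo="_req1">
      <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
      <saml:Assertion><saml:Issuer>https://idp.example.com</saml:Issuer>
        <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
          <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
        </saml:Conditions></saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()
```

The `now` argument must be a timezone-aware UTC `datetime`; a token replayed after `NotOnOrAfter`, or one minted for a different service provider, comes back with the matching rejection reason.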

SSO advantages, disadvantages, and limitations

Advantages
  • Delegates all authentication to the identity provider; the Code42 environment never proxies user credentials
  • Allows for centralized authentication in organizations that do not implement Active Directory or LDAP (for example, computers that are not tied to a directory)
  • Minimizes phishing opportunities
  • Provides detailed reporting on user access
  • Reduces user password fatigue from different username and password combinations
  • Reduces time spent re-entering passwords
  • Reduces IT costs due to lower number of IT help desk calls about passwords
Disadvantages
  • Prevents access to service providers if the identity provider is unavailable
    For this reason, SSO can be undesirable for systems requiring guaranteed access at all times, such as security or plant-floor systems.
  • Allows an unauthorized user to gain access to all protected resources if a user's credentials are compromised
    To reduce risk, ensure that credentials are stored securely, and consider implementing strong authentication methods such as smart cards and one-time password tokens.
  • Provides user authentication but does not provide user management
    User management is provided by the local Code42 platform directory or LDAP (4.1.6 and later).
Code42 platform limitations
  • The Code42 platform does not handle single sign-off. If a user logs out of the Code42 environment, the master server does not notify other service providers, and vice versa.
  • When a user signs out of the SSO identity provider, he or she is not automatically signed out of the Code42 applications. There are two ways the user can be signed out of the Code42 applications:
    • An administrator can deauthorize the user's devices from the administration console.
    • The user can sign out of the Code42 applications.

Code42 platform SSO functionality by version

Code42 platform version 4.1.6 and later supports more SSO features than versions 4.1.4 and 4.1.5.

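| Feature | Version 4.1.6 & later | Version 4.1.4 & 4.1.5 |
|---------|-----------------------|-----------------------|
| SAML 2.0 | Yes | Yes |
| Single identity provider | Yes | Yes |
| Multiple identity providers | Yes | No |
| Identity federation | Yes | No |
| SSO and LDAP | Yes | No |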

SSO compatibility

Version 4.1.6 of the Code42 platform introduced additional SSO-compatible components and is compatible with more identity providers than versions 4.1.4 or 4.1.5.

Code42 platform version 4.1.6 and later

SAML 2.0 identity providers

The Code42 platform has been tested with the following identity providers in version 4.1.6 and later:

Other SAML 2.0 identity providers that support HTTP POST binding may be compatible.

Code42 platform components

For version 4.1.6 and later, the Code42 platform components bundled with the enterprise server support SSO.

Compatible with SSO
  • CrashPlan app for Windows, OS X, and Linux
  • SharePlan app for Windows and OS X
  • SharePlan app for iOS and Android
  • SharePlan web app
  • Administration console
Incompatible with SSO
  • CrashPlan apps for iOS, Android, and Windows Phone

Code42 platform versions 4.1.4 and 4.1.5

SAML 2.0 identity providers

Code42 platform versions 4.1.4 and 4.1.5 have been tested with the following identity providers:

Other SAML 2.0 identity providers that support HTTP POST binding may be compatible; however, Code42 tests only the above identity providers.

Code42 platform components

For versions 4.1.4 and 4.1.5 of the Code42 platform, some components support SSO.

Compatible with SSO
  • CrashPlan app for Windows, OS X, and Linux
  • Administration console
Incompatible with SSO
  • SharePlan app for Windows and OS X
  • SharePlan app for iOS and Android
  • SharePlan web app
  • CrashPlan apps for iOS, Android, and Windows Phone

External resources