Configure Centrify for SSO in your Code42 environment

Overview

This tutorial explains how to configure your Code42 environment with an on-premises authority server to use single sign-on (SSO) with Centrify. In this article, Centrify is also referred to as an identity provider.

This article assumes you are already familiar with SSO and the SAML standard. For more information about how the Code42 platform implements SSO, see our Introduction To Single Sign-On.

Compatible Code42 platform components

Compatible With SSO
  • Code42 app for Windows, Mac, and Linux
  • Administration console
Incompatible With SSO
  • Code42 apps for iOS, Android, and Windows Phone

Considerations

Code42 Authority server
  • The authority server's SSO entityID is generated based on the administration console Website protocol, host and port and Require SSL to access console fields. Do not modify these settings after configuring SSO.
  • Your authority server must be able to access the Identity Provider metadata file.
  • The Code42 platform supports service provider-initiated SSO but does not support identity provider-initiated SSO. This means that:
    • Users cannot log in to your Code42 environment from an identity provider website or application.
    • You cannot automatically provision Code42 platform user accounts from the identity provider.
Authentication And User Management
  • Users that sign in with SSO must exist in your Code42 environment, and their usernames must match SSO.
  • SSO provides user authentication but does not provide user management. One of the following directory services provides user management:
    • Local Code42 platform directory
    • LDAP
Code42 app
  • Version 6.0.x and later: You do not need to modify Code42 app versions 6.0.x and later to enable SSO. By default, users can sign in using SSO.
  • Version 5.4.x and earlier: To use SSO for CrashPlan, you must deploy a modified Code42 app installer to your users.
External authentication systems
Our Customer Champions can help with authentication issues caused by interaction with Code42 products. However, troubleshooting authentication issues outside your Code42 environment is beyond the scope of our Customer Champions.
For assistance with external authentication systems, contact your authentication vendor.

Before you begin

Verify identity provider configuration
  • Make sure the SSL certificate of your SSO identity provider has been signed by a trusted Certificate Authority (CA).
  • Make sure you have administrative access to the identity provider or have contact with an identity provider administrator.
Verify network configuration
  • An API call is made to your master server's Website protocol, host, and port, so that port must be reachable by the client that is signing in.
  • Configure your private network, Internet, and VPN settings to allow client devices to communicate with your identity provider on ports 80 and 443. Test client connectivity to the identity provider before you proceed.
  • If you want to use URL-based metadata exchange to configure your authority server and identity provider to work together, make sure two-way communication is available between them on TCP ports 80 and 443. If two-way communication is not available or not allowed, you must download the identity provider's metadata file and make it accessible to your authority server.
  • Confirm the required ports with your identity provider to determine if custom ports are being used.

Step 1: Prepare your Authority server

Configure SSO certificate settings

  1. If your SSO identity provider uses encryption keys longer than 128 bits, configure your authority server to accept longer encryption keys.
  2. If your security policy requires a CA-signed certificate for SSO, replace the SSO certificate on your authority server.

Configure Administration console security

  1. Install an SSL certificate that has been signed by a trusted Certificate Authority (CA).
  2. If your identity provider does not allow ports in SSO metadata, forward port 443 to port 4285 for inbound connections to the authority server.
  3. Update your authority server's default administration console address to use SSL:
    1. Go to Settings > Server.
    2. Change your authority server's Website protocol, host and port to use https and port 4285.
      If port 443 is mapped to 4285, exclude the port.
      • Example without port forwarding: https://master-server.example.com:4285
      • Example with port forwarding: https://master-server.example.com
    3. Click Save.
  4. Require SSL for administration console access to your authority server:
    1. Go to Settings > Security.
    2. Select Require SSL to access console.
    3. Click Save.
    4. Restart the authority server.
Port mapping
If you mapped port 443 to 4285, omit 4285 from the example URLs listed in this article.

Step 2: Prepare Centrify

Use the Centrify Cloud Manager to add the CrashPlan PROe SAML application. We recommend leaving the settings at the default values unless otherwise specified.

  1. Sign in to Centrify Cloud Manager.
  2. Add the CrashPlan PROe SAML web application from the Centrify catalog.
  3. In CrashPlan PROe URL, enter https://master-server.example.com:4285 and save your changes.
    Replace master-server.example.com with the fully qualified domain name (FQDN) or IP address of your Code42 authority server.
  4. Record the URL for the Centrify metadata file or download the metadata file.
    This file must be made accessible to your authority server.
    • If your authority server has two-way communication with Centrify, record the URL displayed in Identity Provider metadata URL.
    • If your authority server is behind a firewall, download the metadata file using the Identity Provider metadata URL.
  5. Modify the other application settings as needed. Click Application Help to view instructions.

Step 3: Add Centrify to your authority server

The Centrify metadata file must be accessible to your authority server to complete this step. If your network configuration prevents URL-based metadata exchange, or if you need to manually edit the identity provider's metadata file, see Making The Centrify Metadata File Accessible below.

  1. Sign in to the administration console on your authority server.
  2. Navigate to Settings > Security > Single Sign-On.
  3. Click Add Identity Provider or Federation.
  4. In Identity Provider metadata URL, enter the URL for the identity provider metadata XML file.
  5. Click Continue.
    Additional identity provider settings appear.
    Identity provider settings
  6. In Display name, enter an identity provider name to display to users that sign in with SSO.
    If more than one SSO identity provider is offered by your Code42 environment, users are presented with a list of identity providers to choose from. The list includes all identity providers offered throughout your Code42 environment because the users' organizations are not known until they sign in.
  7. (Optional) Customize mappings between Code42 platform user attributes and identity provider SSO assertion attributes.
    1. Deselect Use default mapping.
    2. Configure mapping settings for each Code42 platform user attribute:
      • Username: Specify the SSO identifier or attribute that maps to the Code42 platform username.
        • Select Use nameId to use the SSO name identifier.
        • Select Use Attribute tag to enter a custom SSO attribute.
      • Email: Enter the SSO attribute that contains user email addresses.
      • First name: Enter the SSO attribute that contains user first names.
      • Last name: Enter the SSO attribute that contains user last names.
  8. Click Save.

Step 4: Test SSO authentication

To avoid impacting your production environment, use a test organization to verify that SSO is working properly.

  1. If necessary, add a test user to the identity provider.
  2. Sign in to the administration console on your authority server.
  3. Create a test organization.
  4. Create a user in the test organization that matches the identity provider test user.
  5. Configure the test organization to use SSO.
    1. Navigate to Organizations, then select the organization.
    2. From the Action menu, select Edit.
    3. Click Security.
      Organization SSO configuration
    4. Deselect Inherit security settings from parent.
    5. From Select an authentication method, choose SSO.
      The configured SSO identity providers appear.
    6. Select the identity providers that you want to offer for the organization.
    7. From Select a directory service, select Local for testing purposes.
      Additional steps must be performed to use SSO with LDAP.
    8. Click Save.
  6. Sign in to the administration console as the test user to verify that SSO is working.

Step 5: Modify the Code42 app to enable SSO

Code42 app version 6.0.x and later

You do not need to modify Code42 app versions 6.0.x and later to enable SSO. By default, users can sign in using SSO. Learn how to upgrade your existing apps to version 6.0.x and later.

Code42 app version 5.4.x and earlier

The Code42 app is not configured to allow SSO by default. To use SSO in your Code42 environment, create an SSO-enabled Code42 app installer for new devices, and modify existing devices to enable SSO.

Modify the Code42 app installer and deploy it to new users

Modify the Code42 app installer to enable SSO authentication. Use this installer to set up the Code42 app for users that authenticate with SSO.

  1. Follow the instructions in Preparing The Code42 app For Deployment to set SSO custom properties using the following values:
    1. Set address to the hostname (or IP address) and port of your authority server.
      For example: master-server.example.com:4282
    2. Set registrationKey to the registration key for the appropriate organization.
    3. (Optional) To allow new users to start backing up the default file selection immediately without authenticating, set password to ${deferred}.
    4. Set ssoAuth.enabled to true.
    5. (Optional) To require SSO authentication and disable other authentication methods, set ssoAuth.required to true.
      When SSO authentication is required, users cannot sign in unless their organization is configured to use SSO.
    6. (Optional, Code42 app version 4.x only) To customize the SSO message that is displayed to users, modify the ssoAuth.provider value.
      • This option is not available in version 5.x of the Code42 app.
      • For Code42 app version 4.x, the default message is "Login with single sign-on".
  2. After the modified Code42 app installer is built, distribute it to users that sign in using SSO.
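Before building the installer, or before dropping a custom.properties file onto an existing device, it helps to check that the SSO properties above are consistent with each other and that nothing unrelated slipped into the file. The following checker is an added example, not Code42's own tooling; it assumes the plain key=value layout of the custom content template, and the sample file it contains is constructed with placeholder values.

```python
"""Check a custom.properties file for the SSO settings this article sets.
Added example, not Code42 tooling; assumes the plain key=value layout of
the custom content template. The sample file below is constructed."""
import re

SSO_KEYS = {"address", "registrationKey", "password",
            "ssoAuth.enabled", "ssoAuth.required", "ssoAuth.provider"}

# Constructed sample; the hostname and registration key are placeholders.
SAMPLE_PROPERTIES = """# custom.properties for an SSO-enabled Code42 app
address=master-server.example.com:4282
registrationKey=PLACEHOLDER-REGISTRATION-KEY
password=${deferred}
ssoAuth.enabled=true
ssoAuth.required=true
"""

def parse_properties(text):
    """Minimal key=value parser; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def check_sso_properties(text):
    """Return a list of problems; an empty list means the file is ready."""
    p = parse_properties(text)
    enabled = p.get("ssoAuth.enabled", "").lower() == "true"
    problems = []
    # address must carry the authority server's port, e.g. host:4282.
    if not re.fullmatch(r"[A-Za-z0-9.\-]+:\d{1,5}", p.get("address", "")):
        problems.append("address must be host:port, got %r" % p.get("address"))
    if not enabled:
        problems.append("ssoAuth.enabled must be true")
    if p.get("ssoAuth.required", "").lower() == "true" and not enabled:
        problems.append("ssoAuth.required=true does nothing without ssoAuth.enabled=true")
    # A deferred password only auto-starts backup when the org registration key is set.
    if p.get("password") == "${deferred}" and not p.get("registrationKey"):
        problems.append("password=${deferred} requires registrationKey")
    # Keys outside the SSO set change other app settings; flag them for review.
    extra = sorted(set(p) - SSO_KEYS)
    if extra:
        problems.append("non-SSO settings present: " + ", ".join(extra))
    return problems
```

The same check applies to the custom.properties file used in Option B below, since it sets the same keys.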

Modify existing Code42 apps to enable SSO

If users in your Code42 environment use Code42 apps that are not SSO-enabled, modify each existing Code42 app to enable SSO.

Desktop management software
We recommend using desktop management software to automate this process.
Option A: Uninstall and install the SSO-enabled Code42 app
  1. Uninstall the Code42 app.
  2. Use the SSO-enabled Code42 app installer to install the Code42 app.
Option B: Modify an installed Code42 app to enable SSO
  1. Download our custom content template.
  2. Extract the template and locate the custom.properties file.
  3. Open the custom.properties file in a plain text editor.
  4. Set the address to the hostname and port of your authority server.
  5. Verify that ssoAuth.enabled is set to true.
  6. (Optional) To require SSO authentication and disable other authentication methods, set ssoAuth.required to true.
    You do not need to make any further modifications to the file. If you have chosen to use a custom.properties file that has already been modified, note that settings not related to SSO may affect Code42 app configuration settings.
  7. On the device, create the following directory and place the custom.properties file inside:
    • Windows: C:\Program Files\CrashPlan\custom
    • Mac: /Library/Application Support/CrashPlan/custom
    • Linux: /usr/local/crashplan/custom
  8. Restart the Code42 service.
  9. To sign in with single sign-on, deauthorize the device using one of these methods:

Step 6: Configure organizations to use SSO

Enable SSO for one or more organizations to start using SSO in your Code42 environment. If two or more identity providers are offered in your Code42 environment, tell the users in each organization which identity provider they should choose when they sign in.

Disabled inheritance
If you disable inheritance for an organization, that organization is not affected by changes to its parent organization.

Option A: Enable SSO for a specific organization

  1. Sign in to the administration console on your authority server.
  2. Navigate to Organizations, then select the organization.
  3. From the Action menu, select Edit.
  4. Click Security.
    Organization SSO configuration
  5. Deselect Inherit security settings from parent.
  6. From Select an authentication method, choose SSO.
    The configured SSO identity providers appear.
  7. Select the identity providers that you want to offer for the organization.
  8. From Select a directory service, select Local.
    Additional steps must be performed to use SSO with LDAP.
  9. Click Save.

Option B: Enable SSO for all organizations

Modify the system-wide organization settings to enable SSO for all organizations.

  1. Sign in to the administration console on your authority server.
  2. Navigate to Settings > Organization.
  3. Click Security.
  4. From Select an authentication method, choose SSO.
    The configured SSO identity providers appear.
  5. Select the identity providers that you want to offer to your organizations.
  6. From Select a directory service, select Local.
    Additional steps must be performed to use SSO with LDAP.
  7. Click Save.

Step 7: Add new users that sign in with SSO

New users can create their own accounts when they first sign in to a SSO-enabled Code42 app. Alternatively, you can use the administration console to create user accounts.

Option A: Deploy the SSO-enabled Code42 app

Distribute the SSO-enabled Code42 app installer to new users.

  • New users can register accounts in your Code42 environment by signing in with SSO credentials.
  • New users begin backing up the default file selection immediately without authenticating if all of the following conditions are met:
    • The organization is configured to auto-start backups.
    • The Code42 app is modified to contain the correct organization registration key.
    • The Code42 app is modified to defer the user's password.
      Users are not able to sign in to the Code42 app or restore unless they have a valid SSO account.

Option B: Add users in the administration console

Use the administration console to add users to an organization that uses SSO.

  • Verify that the users in the organization exist in the SSO identity provider used by the organization.
  • Make sure that the Code42 environment usernames match the SSO usernames.

What to expect

Sign in with SSO

In version 5.4.x and earlier, users must select the SSO option when signing in to the Code42 app or the administration console.

Multiple identity providers

If more than one SSO identity provider is offered by your Code42 environment, users are presented with a list of identity providers to choose from. The list includes all identity providers offered throughout your Code42 environment because the users' organizations are not known until they sign in.

Reduced authentication prompts

When a user signs in with SSO, the user does not need to reenter credentials for subsequent authentication attempts until the SAML authentication token expires. A SAML token applies to an application rather than a device, which means that a user might need to enter credentials again when signing into a different app. For example, signing in to the Code42 app does not also authenticate the administration console because one is an app on the device and the other is accessed via a web browser.

Lost access to an identity provider

A user might lose access to an identity provider for the following reasons:

  • A user is moved to an organization that does not offer his or her identity provider
  • An identity provider is removed from an organization or federation

In either case, all user devices associated with that identity provider are automatically deauthorized by your authority server. Users cannot sign in until they are added to the authentication service configured for the organization.

Make the Centrify metadata file accessible

If your identity provider or network configuration prevents URL-based metadata exchange, or if you need to manually edit the identity provider's metadata file, you must make the identity provider metadata file accessible to your authority server. There are several ways to make the metadata file available:

  • Place the metadata file in the installs directory on your authority server.
  • Make the metadata file available on your corporate web server.

Option A: Place the metadata file on the authority server

  1. Add the identity provider metadata file to the installs directory on your authority server:
    • Linux: /opt/proserver/installs/
      Applies to Code42 servers installed as root on Ubuntu
    • Windows: C:\Program Files\CrashPlan PROe Server\installs\
  2. Set file permissions so that the SAML metadata file is readable by the Code42 server service. In Linux, the numeric file mode 755 should suffice, although the ideal settings for your environment might differ.
  3. Use a web browser to verify that you can access the metadata file.
    For example: https://master-server.example.com:4285/installs/<metadata_filename>
    • Replace master-server.example.com with the fully qualified hostname or IP address of your authority server.
    • Replace <metadata_filename> with the name of the metadata file.
    • If you mapped port 443 to 4285, do not include the port in the URL.

Option B: Place the metadata file on a corporate web server

  1. Add the identity provider metadata file to a web server that is accessible to your authority server.
  2. Record the URL for the metadata file.
  3. Use a web browser to verify that you can access the metadata file.
