
How to use single sign-on and LDAP together

Available in:

  • CrashPlan PRO
    • Standard
    • Premium
    • Enterprise

Overview

This tutorial explains how to configure single sign-on (SSO) for authentication and LDAP for authorization and user management in the same organization. Using SSO and LDAP together combines the security and ease-of-use benefits of SSO with the advantages of leveraging your existing LDAP directory structure for user management.

Considerations

  • This configuration is only available for Code42 environments with an on-premises authority server. 
  • Users in your Code42 environment must have matching LDAP and SSO usernames.
  • If users are moved to an organization that does not offer the same identity provider, their devices are automatically deauthorized by your authority server. The users cannot sign in until an administrator adds them to the authentication service configured for the organization.
Testing SSO and LDAP
As a best practice, we recommend configuring SSO and LDAP in a test organization first to verify the configuration works as expected. Then, implement the settings for existing organizations or within your system-wide organization settings as described below.

Before you begin

Step 1: Modify the Code42 app to enable SSO

The Code42 app is not configured to allow SSO by default. To use SSO in your Code42 environment, create an SSO-enabled Code42 app installer for new devices, and modify existing devices to enable SSO.

Modify the Code42 app installer and deploy it to new users

Modify the Code42 app installer to enable SSO authentication. Use this installer to set up the Code42 app for users that authenticate with SSO.

  1. Follow the instructions in Preparing The Code42 app For Deployment to set SSO custom properties using the following values:
    1. Set address to the hostname (or IP address) and port of your authority server.
      For example: master-server.example.com:4282
    2. Set registrationKey to the registration key for the appropriate organization.
    3. (Optional) To allow new users to start backing up the default file selection immediately without authenticating, set password to ${deferred}.
    4. Set ssoAuth.enabled to true.
    5. (Optional) To require SSO authentication and disable other authentication methods, set ssoAuth.required to true.
      When SSO authentication is required, users cannot sign in unless their organization is configured to use SSO.
    6. (Optional, Code42 app version 4.x only) To customize the SSO message that is displayed to users, modify the ssoAuth.provider value.
      • This option is not available in version 5.x of the Code42 app.
      • For Code42 app version 4.x, the default message is "Login with single sign-on".
  2. After the modified Code42 app installer is built, distribute it to users that sign in using SSO.
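
A way to check the SSO properties from the list above before an installer or custom.properties file is distributed, as an added example that is not Code42's own tooling. It assumes a plain key=value properties file; the function names, the sample files and the placeholder registration key are constructed for illustration.

```python
import re

# Property names are the ones this page sets; the rules are this example's reading of the page.
HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:(\d{1,5})$")

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_sso_properties(text):
    """Return a list of findings; an empty list means the SSO settings are consistent."""
    p = parse_properties(text)
    findings = []
    m = HOST_PORT.match(p.get("address", ""))
    if not m or not 0 < int(m.group(1)) <= 65535:
        findings.append("address: expected host:port of the authority server")
    if p.get("ssoAuth.enabled", "").lower() != "true":
        findings.append("ssoAuth.enabled: not true, SSO sign-in is off")
    elif p.get("ssoAuth.required", "").lower() != "true":
        findings.append("ssoAuth.required: not true, other authentication methods stay available")
    # A deferred password only makes sense with the organization's registration key.
    if p.get("password") == "${deferred}" and not p.get("registrationKey"):
        findings.append("password: deferred without a registrationKey")
    return findings

# Constructed sample files; the registration key is a placeholder, not a real key.
GOOD = """\
address=master-server.example.com:4282
registrationKey=PLACEHOLDER-REGISTRATION-KEY
password=${deferred}
ssoAuth.enabled=true
ssoAuth.required=true
"""
WEAK = """\
# constructed: port missing, SSO optional, deferred password with no key
address=master-server.example.com
password=${deferred}
ssoAuth.enabled=true
"""
if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, check_sso_properties(text) or "ok")
```

The same check applies to the custom.properties file placed on existing devices, since it carries the same address and ssoAuth settings.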

Modify existing Code42 apps to enable SSO

If users in your Code42 environment use Code42 apps that are not SSO-enabled, modify each existing Code42 app to enable SSO.

Desktop management software
We recommend using desktop management software to automate this process.
Option A: Uninstall and install the SSO-enabled Code42 app
  1. Uninstall the Code42 app.
  2. Use the SSO-enabled Code42 app installer to install the Code42 app.
Option B: Modify an installed Code42 app to enable SSO
  1. Download our custom content template.
  2. Extract the template and locate the custom.properties file.
  3. Open the custom.properties file in a plain text editor.
  4. Set the address to the hostname and port of your authority server.
  5. Verify that ssoAuth.enabled is set to true.
  6. (Optional) To require SSO authentication and disable other authentication methods, set ssoAuth.required to true.
    You do not need to make any further modifications to the file. If you have chosen to use a custom.properties file that has already been modified, note that settings not related to SSO may affect Code42 app configuration settings.
  7. On the device, create the following directory and place the custom.properties file inside:
    • Windows: C:\Program Files\CrashPlan\custom
    • OS X: /Library/Application Support/CrashPlan/custom
    • Linux: /usr/local/crashplan/custom
  8. Restart the Code42 service.
  9. To sign in with single sign-on, deauthorize the device using one of these methods:

Step 2: Configure organizations to use SSO and LDAP

Enable SSO and LDAP by modifying a specific organization or by modifying the system-wide organization settings.

Multiple identity providers
If two or more identity providers are offered in your Code42 environment, tell the users in each organization which identity provider they should choose when they sign in.

Option A: Enable SSO and LDAP for a specific organization

  1. Sign in to the administration console on your authority server.
  2. Navigate to Organizations, then select the organization.
  3. From the action menu, select Edit.
  4. Click Security.
    Configuring SSO and LDAP for an organization
  5. If necessary, deselect Inherit security settings from parent.
  6. Configure SSO as the authentication method:
    1. From Select an authentication method, choose SSO.
      The configured SSO identity providers appear.
    2. Select the identity providers that you want to offer for the organization.
  7. Configure LDAP as the directory service:
    1. From Select a directory service, select LDAP.
      The configured LDAP servers appear.
    2. Select an LDAP server.
  8. Click Save.

Option B: Enable SSO and LDAP for all organizations

Modify the system-wide organization settings to enable SSO and LDAP for all organizations.

Disabled inheritance
If you disable inheritance for an organization, that organization is not affected by changes to its parent organization.
  1. Sign in to the administration console on your authority server.
  2. Navigate to Settings > Organization.
  3. Click Security.
  4. Configure SSO as the authentication method:
    1. From Select an authentication method, choose SSO.
      The configured SSO identity providers appear.
    2. Select the identity providers that you want to offer for the organization.
  5. Configure LDAP as the directory service:
    1. From Select a directory service, select LDAP.
      The configured LDAP servers appear.
    2. Select an LDAP server.
  6. Click Save.

Step 3: Add new users that sign in with SSO and LDAP

New users can create their own accounts when they first sign in to an SSO-enabled Code42 app. Alternatively, you can use the administration console to create user accounts.

Option A: Deploy the SSO-enabled Code42 app

Distribute the SSO-enabled Code42 app installer to new users.

  • New users can register accounts in your Code42 environment by signing in with SSO credentials.
  • New users begin backing up the default file selection immediately without authenticating if all of the following conditions are met:
    • The organization is configured to auto-start backups.
    • The Code42 app is modified to contain the correct organization registration key.
    • The Code42 app is modified to defer the user's password.
      Users are not able to sign in to the Code42 app or restore unless they have a valid SSO account.

Option B: Add users in the administration console

Use the administration console to add users to an organization that uses SSO.

  • Verify that the users in the organization exist in the SSO identity provider used by the organization.
  • Make sure that the Code42 environment usernames match the SSO usernames.