Who is this article for?

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

This article applies to Cloud.

Code42 Support

Use the Code42 API to set SAML attributes

Overview

You can integrate any SAML 2.0-compliant identity provider with Code42. By default, you map an identity provider's username and email attributes to Code42.

For added security and flexibility, you can use Code42 APIs to set the SAML 2.0 context and class references in your identity provider's SSO requests, as well as the digest and signature algorithms to use. See the SAML attributes section below for the list of SAML authentication attributes whose mapping you can customize.

This article describes how to use the following Code42 API resources to customize the mapping of SAML authentication attributes:

  • View the current SAML settings: identity-provider-saml-settings/IdentityProviderSamlSettings_View
  • Update the SAML settings: identity-provider-saml-settings/IdentityProviderSamlSettings_Update

Considerations

  • To complete this process, you must have the Customer Cloud Admin role.
  • This process requires use of the Code42 API.

Test SAML settings changes
Changes you make to SAML settings using the procedures in this article are applied directly to the authentication provider settings in Code42. Verify that they work properly in a test organization before using them in production.

View current SAML settings

View the current SAML settings for an authentication provider in Code42 using the identity-provider-saml-settings/IdentityProviderSamlSettings_View API resource.

In the following example: 

  • Replace <AuthToken> with the authentication token you obtained in the Authentication section.
  • Replace www.crashplan.com with the URL of your Code42 cloud instance.
  • Replace <AuthProviderID> with the ID you obtained as described in Authentication provider ID.
curl -vvv -X GET -H "Authorization: v3_user_token <AuthToken>" 'https://www.crashplan.com/api/v6/identity-provider-saml-settings/view?uid=<AuthProviderID>'

An excerpt of an example successful response:

{"metadata":{"date":"2019-08-14T15:08:21.892-05:00","headers":[]},"data":{"uid":"913123517744122250","displayName":"Azure","authnContextComparison":"EXACT","authnContextClassRef":["urn:oasis:names:tc:SAML:2.0:ac:classes:Password"],"requestAuthnDigestMethod":"http://www.w3.org/2000/09/xmldsig#sha1","requestAuthnSignatureMethod":"http://www.w3.org/2000/09/xmldsig#rsa-sha1","modificationDate":"2019-08-14T10:21:27.826-05:00"}}

For information on the returned values, see the SAML attributes section.

Update the SAML settings

Update the SAML settings for an authentication provider in Code42 using the identity-provider-saml-settings/IdentityProviderSamlSettings_Update API resource.

In the following example: 

  • Replace <AuthToken> with the authentication token you obtained in the Authentication section.
  • Replace www.crashplan.com with the URL of your Code42 cloud instance.
  • Replace <AuthProviderID> with the ID you obtained as described in the Authentication provider ID section.
  • Provide values for these parameters as described in the SAML attributes section:
    • authnContextComparison
    • authnContextClassRef
    • requestAuthnDigestMethod
    • requestAuthnSignatureMethod
curl -vvv -X POST -H "Authorization: v3_user_token <AuthToken>" https://www.crashplan.com/api/v6/identity-provider-saml-settings/update -H 'Content-Type: application/json' -d '{
    "settings": {
        "uid": "<AuthProviderID>",
        "authnContextClassRef": [
            "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"
        ],
        "authnContextComparison": "MAXIMUM",
        "requestAuthnDigestMethod": "http://www.w3.org/2001/04/xmlenc#sha512",
        "requestAuthnSignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
    }
}'

Identity provider SAML settings API structure and syntax

Summary

For more information about the Code42 API documentation viewer, see Code42 API documentation viewers. For more information about Code42 API syntax, see Code42 API syntax and usage.

Authentication

The identity provider SAML settings API requires an authentication token in the header of all requests. To obtain an authentication token, use your Code42 administrator credentials to submit a GET request to:

  • United States: 
    • If you sign in to the Code42 administration console at https://www.crashplan.com/console, use: 
      https://www.crashplan.com/c42api/v3/auth/jwt?useBody=true
    • If you sign in to the Code42 administration console at https://console.us.code42.com/console, use: 
      https://console.us.code42.com/c42api/v3/auth/jwt?useBody=true
  • Ireland: If you sign in to the Code42 administration console at https://console.ie.code42.com/console, use: 
    https://console.ie.code42.com/c42api/v3/auth/jwt?useBody=true

For example:

curl -X GET -u "username" -H "Accept: application/json" "https://www.crashplan.com/c42api/v3/auth/jwt?useBody=true"

If your organization uses two-factor authentication for local users, you must also include a totp-auth header value containing the Time-based One-Time Password (TOTP) supplied by the Google Authenticator mobile app. The example below includes a TOTP value of 424242.

curl -X GET -u "username" -H "totp-auth: 424242" -H "Accept: application/json" "https://www.crashplan.com/c42api/v3/auth/jwt?useBody=true"

A successful request returns an authentication token. For example:

{
    "v3_user_token": "eyJjdHkiOiJKV1QiLCJlbmMiOiJBMTI4R0NNIiwiZXhwIjoiMjAxOC0wNC0zMFQyMTo0MDoyNy4xMDZaIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.0H-4bl43zA3cIE5D3o_8vZzJIUgtJt64mZbimNa2TNha761RgVBFaTfttMODXF1ntLUTHl-rD0JuHEAMrIxjpnaODictPizrDVeTA1PgkPrsKot9jp6D7uTEC1Y56qHS1qjP6WHQBpv6ADBfrAfePX3NnwkA5a1I8pB88kSWc1MXZ4uMt-rFcNtlLLPVfwtEXHyNG_bxYJOOn28y2ysJGSBD_Xx1-uK4zKvjWwXfVQG581TntFPy0LamJfJ7IM4wOIG-QrKeV796fJAaHBxNfOe4UWC8WeNcDEvgNZvOPchWTHY4l66OaOjHNeEkoKkxvc35j4V_QpYxe6GXRYK4NA.TJXe9M6goiZbw-tr.y0lUTHHkHU5tRS7bWI8jntMLcxv0HajXTXquV62IG4400i7wi0YSX-6vpsXVgivzztxnPaukgUsLavhZ8-wCiMdEkut4GfijTlDAM_tfmJyZG6Cn5GKIJgSCENrR1JTxvC6dhTvHc41p6T3jXqBWikoJwD9z9Ec3u-OhM3gotQZUfCq0rR8T043RZSN9-0TpxhpPUEUAS6rkAI07QP08l_nUqdQTsNF0Tafe1yfPTYJabkslHhYMlLRYuXwhWr_39h5BY89ud0cW_OyUtjzz83m9iGxv6sba9VBIb2Y95ipXLu6Ie-5wz8zivfjizX6ZQatp5Ep4UZxzsMdqD9j0BFXkXQZuITJLtKfmUX-FZYR8utNrbwtt8u2tvNUK8Ix4Fwa3bWPxlkwrhOdz70M-mxluxpR6EKSrf8xwHagMcahzVPcW5NVL2khr4MwMUKyRV69dAdGiaTKh2rd52znA0aE3OCtelnBrBn4rls0KX71_qZEAdPaLyyqZ4VaurWUfl35zSi2LW_a3-TebgIebHZxC-MxvFEH4DQq6gJDdoX92_YEYEn4tO_dhUTlD0CZ9HhT39XFrO9MBe4DoDzG-Iql_A-nhmCyOrRmQvUlR72XpHVFQQx3X6tqdPxFocgDh5z03-kLB4SjznQSlzJNbzl_knXTBGopoFLn3WHvjX8q327Vmwx1hjrQnO8Eg5rJMoXTJCMEEOkMyjkbFeEzEhTf2jcvvAlnNnxdtjb1Zo05RWwMsPwwHAgGr-0mm-ungNjIGW0MyMTZtK0StP1uRqfI1Q6ghqnGZxEZN_0fvsVlsz4u9A1eBYRE0xzg8p-0g62nAQ8GftpYaUoymgqbL2WCL15r38emLklXSruztosGU4Dtusg4JHEhYPxO4ieqeBu6FLX9fPSA_y3zmd_AEjW40-_6zC3quPYJwytaEIwVH6phtfa2phsOLLw-U-b2QY09-d27YirIjgNRZ7rO4GF3iX8hW3LfFIWj0WKA5HGtGHg.JzHVCE8zfy1qRBf__rhchA"
}
Token considerations
  • Use this authentication token in your requests.
  • Authentication tokens expire after one hour.
  • You must have credentials for a Code42 user with the Customer Cloud Admin role.
  • The authentication example above only applies to users who authenticate locally with Code42. Single sign-on (SSO) users must also complete SAML authentication with their SSO provider. If you need assistance with this process, contact your SSO provider.

Authentication provider ID

The identity provider SAML settings API requires that you provide the unique ID of the identity management authentication provider. To obtain the ID, select the authentication provider in the administration console and copy the ID from the address bar.

  1. Sign in to the Code42 administration console.
  2. Navigate to Administration > Settings > Identity Management.
  3. Select an authentication provider.
    The provider's unique ID displays at the end of the URL in the browser address bar.
  4. Copy the provider's ID to provide in commands to view or update the provider's SAML settings.

SAML attributes

Use the following parameters to update the SAML settings used by the Code42 authentication provider:

The following code example uses these parameters:

curl -vvv -X POST -H "Authorization: v3_user_token <AuthToken>" https://www.crashplan.com/api/v6/identity-provider-saml-settings/update -H 'Content-Type: application/json' -d '{
    "settings": {
        "uid": "<AuthProviderID>",
        "authnContextClassRef": [
            "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"
        ],
        "authnContextComparison": "MAXIMUM",
        "requestAuthnDigestMethod": "http://www.w3.org/2001/04/xmlenc#sha512",
        "requestAuthnSignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
    }
}'

authnContextClassRef

This parameter sets the context class reference to authenticate users. This parameter is optional and can be omitted from the command call.

You can use any of the SAML 2.0 authentication context classes to authenticate users. The table below lists the most commonly used Authentication Context Class Reference values from the SAML 2.0 specification. Some identity providers have created their own authentication classes that aren't listed in the SAML 2.0 specification, such as for multi-factor authentication; you can specify any such class reference as long as it is valid and has a correctly formatted URN.

The value supplied to the parameter should have one of the following prefixes:

  • urn:oasis:names:tc:SAML:2.0:ac:classes (SAML 2.0) or
  • urn:oasis:names:tc:SAML:1.2:ac:classes (SAML 1.2)

For more information about SAML 2.0 authentication context classes, see the SAML 2.0 specification.  

 

Valid values                 Description
InternetProtocol             Provide an IP address.
InternetProtocolPassword     Provide an IP address in addition to a username/password combination.
Kerberos                     Use a password to acquire a Kerberos ticket.
MobileOneFactorUnregistered  Authenticate mobile devices without requiring explicit end-user interaction.
MobileTwoFactorUnregistered  Authenticate mobile devices with two-factor based authentication.
MobileOneFactorContract      Authenticate mobile devices through contract customer registration and single factor authentication.
MobileTwoFactorContract      Authenticate mobile devices through contract customer registration and two-factor authentication.
Password                     Provide a password over an unprotected HTTP session.
PasswordProtectedTransport   Provide a password over a protected HTTPS session.
PreviousSession              Authenticate using a previously-used authentication context.
X509                         Use a digital signature where the key was validated as part of an X.509 PKI.
PGP                          Use a digital signature where the key was validated as part of a PGP PKI.
SPKI                         Use a digital signature where the key was validated via an SPKI.
XMLDSig                      Use a digital signature according to the XML Digital Signature specification.
Smartcard                    Authenticate using a smartcard.
SmartcardPKI                 Authenticate using a smartcard with enclosed private key and a PIN.
SoftwarePKI                  Authenticate with an X.509 certificate stored in software.
Telephony                    Authenticate using a telephone number.
NomadTelephony               Authenticate using a roaming telephone number such as a phone card.
PersonalTelephony            Authenticate using a telephone number and a user suffix.
AuthenticatedTelephony       Authenticate using a telephone number, a user suffix, and a password.
SecureRemotePassword         Provide a Secure Remote Password.
TLSClient                    Provide a client certificate secured with the SSL/TLS protocol.
TimeSyncToken                Provide a time synchronization token.
Unspecified                  Authenticate by using unspecified means. The server does not expect a particular authentication method. Instead the server will attempt to authenticate the user via its configured authn options.

authnContextComparison

This parameter specifies the comparison method used to evaluate the requested context class (AuthnContextClassRef). This parameter is required and must be populated with one of the supported values (EXACT, MINIMUM, MAXIMUM, BETTER).

For more information about the AuthnContextComparison method, see the SAML 2.0 specification.

Valid values     Description
EXACT (Default)  Must be the exact match of at least one of the authentication contexts specified.
MINIMUM          Must be at least as strong (as deemed by the responder) as one of the authentication contexts specified.
MAXIMUM          Must be as strong as possible (as deemed by the responder) without exceeding the strength of at least one of the authentication contexts specified.
BETTER           Must be stronger (as deemed by the responder) than any one of the authentication contexts specified.
Not Specified    Uses the default value EXACT.

requestAuthnDigestMethod

This parameter sets the digest algorithm used to compute a checksum of the contents of the SAML request, to ensure the request was not edited in transit.

For more information about digest algorithms, see the W3 XML Security Algorithm Cross-Reference.

Valid values                                   Description
http://www.w3.org/2000/09/xmldsig#sha1         SHA1 digest algorithm
http://www.w3.org/2001/04/xmlenc#sha256        SHA256 digest algorithm
http://www.w3.org/2001/04/xmldsig-more#sha384  SHA384 digest algorithm
http://www.w3.org/2001/04/xmlenc#sha512        SHA512 digest algorithm

requestAuthnSignatureMethod

This parameter sets the cryptographic signature algorithm applied to the checksum of the contents of the SAML request. The signature algorithm should match the digest algorithm, prefixed with an indicator of the private key type (for example, rsa-sha512 pairs with sha512).

For more information about signature algorithms, see the W3 XML Security Algorithm Cross-Reference.

Valid values                                       Description
http://www.w3.org/2000/09/xmldsig#rsa-sha1         RSA-SHA1 signature algorithm
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256  RSA-SHA256 signature algorithm
http://www.w3.org/2001/04/xmldsig-more#rsa-sha384  RSA-SHA384 signature algorithm
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512  RSA-SHA512 signature algorithm
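
An offline pre-flight check for these settings, added here as an example (it is not Code42 code): it validates the "data" object returned by the view call, or the "settings" object you intend to send to the update call, against the value tables above and confirms that the digest and signature algorithms use the same hash. The function and constant names are hypothetical, and flagging SHA-1 is this example's own policy rather than a Code42 requirement.

```python
import json

# Valid values copied from the tables in this article; each URI maps to its hash.
COMPARISONS = {"EXACT", "MINIMUM", "MAXIMUM", "BETTER"}
DIGESTS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}
SIGNATURES = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "sha512",
}
CLASS_PREFIXES = ("urn:oasis:names:tc:SAML:2.0:ac:classes",
                  "urn:oasis:names:tc:SAML:1.2:ac:classes")

def check_saml_settings(settings):
    """Return findings for a view 'data' object or an update 'settings' object."""
    findings = []
    if settings.get("authnContextComparison") not in COMPARISONS:
        findings.append("authnContextComparison is not EXACT, MINIMUM, MAXIMUM or BETTER")
    for ref in settings.get("authnContextClassRef") or []:  # optional parameter
        if not ref.startswith(CLASS_PREFIXES):
            findings.append(f"authnContextClassRef has a non-standard prefix: {ref}")
    digest = DIGESTS.get(settings.get("requestAuthnDigestMethod"))
    signature = SIGNATURES.get(settings.get("requestAuthnSignatureMethod"))
    if digest is None:
        findings.append("requestAuthnDigestMethod is not a listed value")
    if signature is None:
        findings.append("requestAuthnSignatureMethod is not a listed value")
    if digest and signature and digest != signature:
        findings.append(f"digest uses {digest} but signature uses {signature}")
    if "sha1" in (digest, signature):
        findings.append("SHA-1 is in use (flagged by this example's policy)")
    return findings

# The 'data' object from the view response excerpt in this article.
VIEWED = json.loads("""{"uid": "913123517744122250", "displayName": "Azure",
  "authnContextComparison": "EXACT",
  "authnContextClassRef": ["urn:oasis:names:tc:SAML:2.0:ac:classes:Password"],
  "requestAuthnDigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1",
  "requestAuthnSignatureMethod": "http://www.w3.org/2000/09/xmldsig#rsa-sha1"}""")

if __name__ == "__main__":
    print("\n".join(check_saml_settings(VIEWED) or ["no findings"]))
```

A vendor-specific class reference is reported as a non-standard prefix; the article allows such values, so treat that finding as a prompt to confirm the URN with your identity provider.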