Who is this article for?
CrashPlan for Small Business
CrashPlan On-Premises
Instructor, no.
Incydr Professional, Enterprise, Gov F2, and Horizon, no.
Incydr Basic, Advanced, and Gov F1, no.
CrashPlan Cloud, no.
Retired product plans, yes.
CrashPlan for Small Business, no.
Overview
This tutorial explains how to configure single sign-on (SSO) for authentication and LDAP for authorization and user management in the same organization. Using SSO and LDAP together combines the security and ease-of-use benefits of SSO with the advantages of leveraging your existing LDAP directory structure for user management.
Considerations
- Users in your Code42 environment must have matching LDAP and SSO usernames.
- If users are moved to an organization that does not offer the same identity provider, their devices are automatically deauthorized by your authority server. The users cannot sign in until an administrator adds them to the authentication service configured for the organization.
Test SSO and LDAP
As a best practice, we recommend configuring SSO and LDAP in a test organization first to verify the configuration works as expected. Then, implement the settings for existing organizations or within your system-wide organization settings as described below.
Step 1: Modify the Code42 app to enable SSO
The Code42 app is not configured to allow SSO by default. To use SSO in your Code42 environment, create an SSO-enabled Code42 app installer for new devices, and modify existing CrashPlan devices to enable SSO.
Modify the Code42 app installer and deploy it to new users
Modify the Code42 app installer to enable SSO authentication. Use this installer to set up the Code42 app for users that authenticate with SSO.
- Follow the instructions in Prepare the Code42 app for deployment to set SSO custom properties using the following values:
  - Set address to the hostname (or IP address) and port of your authority server. For example: master-server.example.com:4282
  - Set registrationKey to the registration key for the appropriate organization.
  - (Optional) To allow new users to start backing up the default file selection immediately without authenticating, set password to ${deferred}.
  - Set ssoAuth.enabled to true.
  - (Optional) To require SSO authentication and disable other authentication methods, set ssoAuth.required to true. When SSO authentication is required, users cannot sign in unless their organization is configured to use SSO.
  - (Optional, Code42 app version 4.x only) To customize the SSO message that is displayed to users, modify the ssoAuth.provider value.
    - This option is not available in version 5.x of the Code42 app.
    - For Code42 app version 4.x, the default message is "Login with single sign-on".
- After the modified Code42 app installer is built, distribute it to users that sign in using SSO.
Modify existing CrashPlan devices to enable SSO
If users in your Code42 environment use Code42 apps that are not SSO-enabled, modify each existing Code42 app to enable SSO.
Option A: Uninstall and install the SSO-enabled Code42 app
- Uninstall the Code42 app.
- Use the SSO-enabled Code42 app installer to install CrashPlan.
Option B: Modify an installed Code42 app to enable SSO
- Download our custom content template.
- Extract the template and locate the custom.properties file.
- Open the custom.properties file in a plain text editor.
- Set address to the hostname and port of your authority server.
- Verify that ssoAuth.enabled is set to true.
- (Optional) To require SSO authentication and disable other authentication methods, set ssoAuth.required to true.
You do not need to make any further modifications to the file. If you have chosen to use a custom.properties file that has already been modified, note that settings not related to SSO may affect Code42 app configuration settings.
- On the CrashPlan device, create the following directory and place the custom.properties file inside:
- Windows: C:\Program Files\CrashPlan\custom
- OS X: /Library/Application Support/CrashPlan/custom
- Linux: /usr/local/crashplan/custom
- Restart the Code42 service.
- To sign in with single sign-on, deauthorize the CrashPlan device using one of these methods:
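Added example (not from Code42's documentation): a Python check for the SSO properties set in Step 1, covering both the installer values and the custom.properties file from Option B. It assumes the file uses plain key=value .properties syntax; the sample content and registration key placeholder are constructed, and the function names are hypothetical.

```python
# Constructed sample content; the registration key is a placeholder.
SAMPLE = """\
address=master-server.example.com:4282
registrationKey=XXXX-XXXX-XXXX-XXXX
password=${deferred}
ssoAuth.enabled=true
"""


def parse_properties(text):
    """Parse key=value lines (assumed syntax); skip blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_sso(props):
    """Return findings for the SSO-related properties named in the article."""
    findings = []
    host, _, port = props.get("address", "").rpartition(":")
    if not host or not port.isdigit():
        findings.append("address: expected host:port of the authority server")
    if props.get("ssoAuth.enabled", "").lower() != "true":
        findings.append("ssoAuth.enabled: not true, SSO sign-in is not enabled")
    elif props.get("ssoAuth.required", "").lower() != "true":
        findings.append("ssoAuth.required: not true, other authentication methods stay available")
    if props.get("password") == "${deferred}":
        if props.get("registrationKey"):
            findings.append("password: deferred, backup can start before the user authenticates")
        else:
            findings.append("password: deferred but registrationKey is missing")
    return findings


def audit_file(path):
    """Audit a custom.properties file on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_sso(parse_properties(fh.read()))


if __name__ == "__main__":
    for finding in audit_sso(parse_properties(SAMPLE)):
        print(finding)
```

Run audit_file() against the custom.properties file in the platform directory listed above before restarting the Code42 service.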
Step 2: Configure organizations to use SSO and LDAP
Enable SSO and LDAP by modifying a specific organization or by modifying the system-wide organization settings.
Multiple identity providers
If two or more identity providers are offered in your Code42 environment, tell the users in each organization which identity provider they should choose when they sign in.
Option A: Enable SSO and LDAP for a specific organization
- Sign in to the administration console on your authority server.
- Navigate to Organizations, then select the organization.
- From the action menu, select Edit.
- Click Security.

- If necessary, deselect Inherit security settings from parent.
- Configure SSO as the authentication method:
- From Select an authentication method, choose SSO.
The configured SSO identity providers appear.
- Select the identity providers that you want to offer for the organization.
- Configure LDAP as the directory service:
- From Select a directory service, select LDAP.
The configured LDAP servers appear.
- Select an LDAP server.
- Click Save.
Option B: Enable SSO and LDAP for all organizations
Modify the system-wide organization settings to enable SSO and LDAP for all organizations.
Disabling inheritance
If inheritance is disabled for an organization, that organization is not affected by changes to its parent organization.
- Sign in to the administration console on your authority server.
- Navigate to Settings > Organization.
- Click Security.
- Configure SSO as the authentication method:
- From Select an authentication method, choose SSO.
The configured SSO identity providers appear.
- Select the identity providers that you want to offer for the organization.
- Configure LDAP as the directory service:
- From Select a directory service, select LDAP.
The configured LDAP servers appear.
- Select an LDAP server.
- Click Save.
Step 3: Add new users that sign in with SSO and LDAP
New users can create their own accounts when they first sign in to an SSO-enabled Code42 app. Alternatively, you can use the Code42 console to create user accounts.
Option A: Deploy the SSO-enabled Code42 app
Distribute the SSO-enabled Code42 app installer to new users.
- New users can register accounts in your Code42 environment by signing in with SSO credentials.
- New users begin backing up the default file selection immediately without authenticating if all of the following conditions are met:
- The organization is configured to auto-start backups.
- The Code42 app is modified to contain the correct organization registration key.
- The Code42 app is modified to defer the user's password.
Users are not able to sign in to the Code42 app or restore unless they have a valid SSO account.
Option B: Add users in the Code42 console
Use the Code42 console to add users to an organization that uses SSO.
- Verify that the users in the organization exist in the SSO identity provider used by the organization.
- Make sure that the Code42 environment usernames match the SSO usernames.