Using Azure Active Directory as Your Identity Provider

Azure Active Directory (Azure AD) is a third-party identity provider (IdP) that can act as the IdP when your users log on to Commvault. Commvault is the service provider (SP).

To integrate with Azure AD, add a SAML application in your Azure AD account and in Command Center. Metadata from the Azure application (IdP) and the Command Center application (SP) are shared during this process.

Before You Begin

You must have the Azure Active Directory Premium P1 or Premium P2 edition. For information, go to the Microsoft Azure Active Directory documentation.

Step 1: Creating an Application in the Azure Portal

  1. Go to the Microsoft Azure portal.
  2. From the navigation pane, go to Azure Active Directory > Enterprise applications, and then click New application ().
  3. Under Add an application, click the Non-gallery application tile.
  4. Enter a name for the application, and then click Add.
  5. Review the overview, and complete the following steps required by Microsoft: Assign a user for testing and Create your test user in test.
  6. From the navigation pane, click Single sign-on, and then click the SAML tile.

    The SAML-based Sign-on page appears.

  7. In the SAML Signing Certificate section, next to Federation Metadata XML, click the Download link.

    The federated metadata file that you download is the IdP metadata file that you will upload to Commvault.

  8. Remain on the SAML-based Sign-on page.

    The SP metadata file that you will create in Commvault must be uploaded to your Azure application from the SAML-based Sign-on page.

Step 2: Adding a SAML Application in Commvault

  1. From the navigation pane, go to Manage > Security > Identity server.

    The Identity servers page appears.

  2. In the upper-right corner of the page, click Add.

    The Add domain dialog box appears.

  3. Click SAML.
  4. In the Domain name box, enter a domain name to which you want users to associate with.

    Note: SAML application is created using the domain name.

  5. In the SMTP address box, enter the SMTP address of the users.

    For example, if the username is jdoe@gmail.com, enter gmail.com as the SMTP address.


    • You can enter multiple SMTP addresses separated by a comma.
    • Only users with specified SMTP addresses will be able to log in using this app.
  6. Upload the IdP metadata:
    1. Next to the Upload IDP metadata box, click Browse.
    2. Browse to the location of the XML file that contains the IdP metadata, select the file, and then click Open.
  7. Review the value in the Webconsole url box.

    This value is automatically generated and is used in the SP metadata file. The format of the value is https://mycompany:443/webconsole.

  8. To digitally sign the SAML message, move the Auto generate key for digital signing of SAML messages toggle key to the right.
  9. Click Save.

    The SP metadata file is generated, the IdP metadata is saved, and the identity server properties page appears.

  10. In the upper-right corner of the page, click Download SP metadata.

    The name of the file that is downloaded begins with SPMetadata. The SP metadata file must be uploaded to the Azure application.

  11. In the General section, copy the value in the SP Entity ID box and the Single sign on url box.

    These values are required in the Azure application.

Step 3: Uploading the Metadata to the Azure Portal

  1. In the Microsoft Azure portal, on the SAML-based Sign-on page, click Upload metadata file.
  2. Upload the SP metadata file created in Command Center.
  3. In the Basic SAML Configuration section, click Edit.
  4. In the Identifier (Entity ID) box, paste the entity ID that you copied from the SAML app in Command Center.

    This is the value from the SP Entity ID box.

  5. In the Reply URL (Assertion Consumer Service URL) box, paste the single sign-on URL that you copied from Command Center.

    This is the value from the Single sign on url box.

  6. In the Logout URL box, verify that the HTTP-Redirect URL was uploaded from the SP metadata file.

    If the Logout URL box is empty, open the SP metadata file, and then manually copy and paste the HTTP-Redirect URL into the Logout URL box.

    For example, in the following snippet from an SP metadata file, the HTTP-Redirect URL is https://chthai.prodcert.loc:443/webconsole/server/SAMLSingleLogout?samlAppKey=ODkzRTRCODk0OEY2NDk4:

    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

  7. Click Save.
  8. Under User Attributes & Claims, in unique User Identifier box, select user.userprincipalname.

Last modified: 12/16/2020 4:21:44 AM