Enabling Single Sign-On for Tenants at the CommCell Level

In a multi-tenant Commvault environment, service providers can configure SAML authentication for all tenants by configuring SAML authentication at the CommCell level. When set at the CommCell level, SAML authentication applies to all companies in the Commvault environment.

To configure SAML authentication at the CommCell level, you must map a company name attribute. The value sent in the company name attribute must match the value in the Company alias box on the company details page. If a matching company alias is not found, the user cannot log on. If a value is not sent in the company name attribute, a new user is created at the CommCell level and is not associated with a company.

Note

When you configure SAML authentication at the CommCell level, advise tenants not to configure SAML authentication at the company level.

Before You Begin

  • Add a SAML application. For instructions, see Adding Identity Servers.

  • In the identity provider (IdP) response, identify the attribute that is used for the company name. The attribute can be a standard attribute or a custom attribute.

Procedure

  1. From the navigation pane, go to Manage > Security.

    The Security page appears.

  2. Click the Identity servers tile.

    The Identity servers page appears.

  3. In the Name column, click the SAML application name.

    The SAML application details page appears.

  4. On the General tab, in the Attribute mappings section, click the Edit button.

    The Edit attributes dialog box appears.

  5. In the Custom attributes list, click Company name.

  6. In the SAML attributes box, enter the attribute that is used for the company name in the IdP response.

    For example, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/organization.

  7. Click Add.

  8. Click Save.

  9. On the Associations tab, identify the users who can log on using SAML:

    All users who have an associated email suffix or belong to an associated company, domain, or user group can log on using the SAML application.

    Tip

    You can add any combination of associations, and you can add multiple associations in each category.

    Identification method

    Steps

    Email suffixes

    1. In the Email suffixes section, click the Edit button.

      The Edit association dialog box appears.

    2. In the email suffixes box, enter an email suffix, and then click Add.

    Companies

    1. In the Companies section, click the Edit button.

      The Edit association dialog box appears.

    2. From the Select companies list, select a company, and then click Add.

    Domains

    1. In the Domains section, click the Edit button.

      The Edit association dialog box appears.

    2. From the Select domain list, select a domain, and then click Add.

    User groups

    1. In the User groups section, click the Edit button.

      The Edit association dialog box appears.

    2. From the Select user group list, select a user group, and then click Add.

  10. Click Save.

For information about mapping additional SAML attributes, see Mapping SAML Attributes.
