Security Assertion Markup Language (SAML) is an XML-based standard that can perform single sign-on (SSO) exchanges. Use SAML if users logging on to the Web Console, the Command Center, or the Edge Monitor application should be authenticated by an external Identity Provider (IdP). In this case, user names, but not user passwords, are stored in the CommServe database.
Note
-
When a user accesses the Command Center, the log on session is redirected to the Web Console and the authentication is performed from the Web Console.
-
To enable SAML users to log in to the CommCell console, add the showGuiConsoleOnSamlLogin additional setting with value True. When users log on the Web Console using SAML, the CommCell Console GUI is available for download in the My Applications page.
Support
Security Assertion Markup Language (SAML) v2.0 is supported. For SAML specifications, go to the OASIS website, Security Assertion Markup Language (SAML) v2.0.
The following identity providers (IdP) have been validated for use with the Commvault software: Active Directory Federation Services (AD FS), Auth0, Azure Active Directory, Okta, OneLogin, and Salesforce. You are not limited to these identity providers.
High-Level Process Flow for SAML Interactions
The process includes the following actors:
-
Service Provider (SP): The Web Console is the resource owned by the SP. The SP shares metadata with the IdP.
-
Identity Provider (IdP): The user credentials are maintained by the IdP. The IdP shares metadata with the SP.
-
Web Browser: The messages sent between the SP and IdP go through a web browser.
Service Provider Initiated Flow
-
A user who is not logged in clicks a link for the Web Console on the customer's portal.
-
The SP generates a digitally signed SAML request.
-
The SP redirects the user to the IdP URL and includes the SAML request.
-
The IdP processes the request and prompts the user to enter login credentials.
-
The IdP validates the user credentials.
-
The IdP redirects the user to the Web Console URL and includes the SAML response.
-
The SP validates the response and creates a login session for the user.
Identity Provider Initiated Flow
-
A user goes to the IdP URL and logs on.
-
The IdP validates the user credentials.
-
The IdP redirects the user to the Web Console URL and includes the SAML response.
-
The SP validates the response and creates a login session for the user.
High-Level View of the SAML Request and Response
SAML Request Contents
-
Issuer ID: the Entity ID in the SP metadata
-
Request ID: a randomly generated ID number
-
Assertion Consumer Service URL (ACS URL): the same ACS URL as in the SP metadata
-
Date and time the request is created
SAML Response Contents
-
Issuer ID: the Entity ID in the IdP metadata
-
Response ID: a randomly generated ID number
-
Date and time the response is created
-
Status of the response, for example, success or failure
-
saml:AuthnStatement assertion: confirms the user is authenticated
-
saml:AttributeStatement assertion: contains user attributes, for example, the user name and email address
For information on adding the user name and email address to the response, see Building the SAML Response Contents.