Using Okta as Your Identity Provider

Updated

To integrate with Okta, add a SAML application in your Okta account and in the Command Center. Metadata from the Okta application is shared with the Command Center application during this process.

Okta is a third-party identity provider (IdP) that can act as the IdP when your users log on to Commvault. Commvault is the service provider (SP).

Before You Begin

If you need to create a SAML app for a specific company, in the upper-right corner of the page, from the Select a company list, select the company that you want to create the SAML app for.

Create an Application in Okta

Create a new application using SAML 2.0 as the sign-on method.

  1. Log on to your Okta account.

  2. From the navigation pane, click Applications.

  3. Click Create App Integration, and then select SAML 2.0.

  4. Click Next.

    The Create SAML Integration page appears.

  5. On the General Settings tab, in the App name box, type a name for the application.

  6. Click Next.

  7. Under Configure SAML > SAML Settings, in the Single sign on URL box and the Audience URI (SP Entity ID) box, enter the URL for the Web Console.

    For example, if you use Metallic, enter the URL as https://mnnn.metallic.io:443/webconsole where nnn is your ring number.

  8. From the Name ID format list, select Email Address.

  9. Continue to follow the prompts, accepting the default values.

  10. Click Finish.

  11. Open the application, and then click Sign On.

  12. Under the View Setup Instructions button, click Identity Provider metadata, and then save the IdP metadata file as an XML file.

    The identity provider metadata file that you save is the IdP metadata file that you will upload to Commvault.

  13. Keep your Okta account open.

    The value in the Single sign on URL box in Okta must be updated after a new URL is created in Commvault.

Add a SAML Application in Commvault

  1. From the navigation pane, go to Manage > Security.

    The Security page appears.

  2. Click the Identity servers tile.

    The Identity servers page appears.

  3. In the upper-right corner of the page, click Add > SAML.

    The Add SAML app page appears.

  4. On the General tab, in the Name box, enter the domain name that you want to associate users with.

    Note

    • The SAML application is created using the domain name.

    • For SAML user groups mapping to function correctly, the name that you enter here must be the same as your Metallic Tenant Name.

    • If you want to add a SAML application for the users of the Active Directory (AD) that is configured in the CommCell environment, then enter the AD NetBIOS name. During the SAML authentication, AD is contacted to collect the user details such as email address, UPN, Full Name, User Group, and so on.

  5. Click Next.

  6. On the Identity provider metadata tab, in the Upload IDP metadata box, browse to the XML file that contains the IdP metadata, and then click Open.

    The Entity ID and the Redirect URL from the file are displayed.

  7. Click Next.

  8. On the Service provider metadata tab, review the value in the Service provider endpoint box.

    This value is automatically generated and is used in the SP metadata file. The format of the value is https://mycompany:443/webconsole.

  9. To digitally sign the SAML message, move the Auto generate key for digital signing of SAML messages toggle key to the right.

  10. Click Next.

  11. On the Associations tab, identify the users who can log on using SAML:

    • To identify users by their email addresses, in the Email suffixes box enter an email suffix, and then click Add.

    • To identify users by the companies they are associated with, from the Companies list, select a company, and then click Add.

    • To identify users by the domains they are associated with, from the Domains list, select a domain, and then click Add.

    • To identify users by the user groups they are in, from the User groups list, select a user group, and then click Add.

      Note:

      • If you migrate from an Exchange On-premises server to an Exchange Online server, you must add the appropriate domain and user group.

      • You can add any combination of associations, and you can add multiple associations in each category.

  12. Click Submit.

    The SP metadata file is generated, the IdP metadata is saved, and the SAML app properties page appears.

  13. In the upper-right corner of the page, click Download SP metadata.

    The name of the file that is downloaded begins with SPMetadata.

  14. On the General tab, in the General section, next to NameID attribute, click the Edit button .

  15. From the NameID attribute list, based on what is in the IdP response, select either Email or User Principal Name.

  16. Click Submit.

  17. On the Service provider metadata tab, copy the value in the Single sign on url box.

Update the Single Sign-On URL in Okta

  1. In your Okta account, select the SAML application.

  2. On the General tab, in the SAML Settings tile, click Edit.

  3. Follow the prompts to specify the general settings.

  4. Under Configure SAML > SAML Settings, in the Single sign on URL box, paste the URL that you copied from the Single sign on URL box in the Command Center.

Optional Okta Configurations

Configure Single Log Out in Okta

  1. From the generated SP metadata XML file, copy the following information:

    • SP EntityId

    • SingleLogoutService location with POST binding

  2. To download the signature certificate, log on to the Command Center, and then in your web browser, enter the SAML App URL in the following format:

    https://webconsole_hostname/commandcenter/downloadSPCertificate.do?appName=URL encoded SAML app name

    For example, enter https://company.com/commandcenter/downloadSPCertificate.do?appName=app%20Name.

  3. Press Enter.

  4. In your Okta account, under General > Advanced Settings, select the Enable Single Logout box.

  5. In the Single Logout URL box, enter the SingleLogoutService location that you copied from the SP metadata XML file.

  6. In the SPIssuer box, enter the entityID that you copied from the SP metadata XML file.

  7. In the Signature Certificate box, upload the certificate that you downloaded from the SAML app URL.

  8. Click Next, and then click Finish.

  9. On the Sign On tab, under the View Setup Instructions button, click Identity Provider metadata, and then save the new IdP metadata file as an XML file.

  10. Go to the SAML application created in the Commvault.

  11. On the Identity Provider Metadata tab, click the Edit button .

  12. Upload the new IDP metadata file.

  13. Click Save.

Give Other Okta Users Access to the SAML Application

  1. In your Okta account, under Assignments, click Assign, and then select one of the following options:

    • To give access to individual Okta users, click Assign to People.

    • To give access to a user group, click Assign to Groups.

  2. Select the user or user group that you want to give access to, and then click Add.

Add User Group Attribute Statements to the SAML Application

  1. In your Okta account, under Group Attribute Statements, click Add.

  2. In the Name box, enter user_groups.

  3. In the Filter box, assign filters as required.

    For example, to assign users from a user group name that starts with "domain users", select Starts With, and then enter domain users.

  4. Preview the SAML assertion, and verify that your IdP response XML includes the user group attribute.

    For example:

    <saml2:Attribute Name="user_groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">  <saml2:AttributeValue

    xmlns:xs="http://www.w3.org/2001/XMLSchema"

    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">GroupName Match Starts with "domain users" (ignores case)

    </saml2:AttributeValue>

    </saml2:Attribute>
  5. In the Command Center, map the Okta user_group SAML attribute with the user group user attribute.

    For information about mapping attributes, see Mapping SAML Attributes.