Using Azure Active Directory as Your Identity Provider

Updated

To integrate with Azure AD, add a SAML application in your Azure AD account and in the Command Center. Metadata from the Azure application (IdP) and the Command Center application (SP) are shared during this process.

Azure Active Directory is a third-party identity provider (IdP) that can act as the IdP when your users log on to Commvault. Commvault is the service provider (SP).

Before You Begin

You must have the Azure Active Directory Premium P1 or Premium P2 edition. For information, go to the Microsoft Azure Active Directory documentation.

Create an Application in the Azure Portal

  1. Go to the Microsoft Azure portal.

  2. From the navigation pane, go to Azure Active Directory > Enterprise applications, and then click New application ().

  3. Under Browse Azure AD Gallery, click Create your own application.

  4. Enter a name for the application, select Integrate any other application you don't find in the gallery (Non-gallery), and then click Create.

  5. Review the overview, and under the Getting Started section, complete the following steps required by Microsoft: Assign users and groups and Add user/group.

    Note: Only the users and groups that are assigned in the steps can access the application.

  6. From the navigation pane, go to Single sign-on, and then click the SAML tile.

    The SAML-based Sign-on page appears.

  7. In the upper-right corner of the Basic SAML Configuration section, click Edit.

  8. In the Identifier (Entity ID) box and the Reply URL (Assertion Consumer Service URL) box, enter the Web Console URL, and then click Save.

    Enter the URL in the following format: https://hostname:443/webconsole. For example, if you use Metallic, enter https://mnnn.metallic.io:443/webconsole where nnn is your ring number.

  9. In the upper-right corner of the User Attributes & Claims section, click Edit.

  10. In the Unique User Identifier box, specify user.userprincipalname.

  11. In the SAML Signing Certificate section, beside Federation Metadata XML, click Download.

    The federated metadata file that you download is the IdP metadata file that you will upload to Commvault.

  12. Remain on the SAML-based Sign-on page.

    You must upload the SP metadata file created in Commvault to your Azure application from the SAML-based Sign-on page.

Add a SAML Application in Commvault

  1. From the navigation pane, go to Manage > Security > Identity server.

    The Identity servers page appears.

  2. In the upper-right corner of the page, click Add.

    The Add domain dialog box appears.

  3. Click SAML.

  4. In the Name box, enter the domain name that you want to associate users with.

    Note

    • The SAML application is created using the domain name.

    • If you want to add a SAML application for the users of the Active Directory (AD) that is configured in the CommCell environment, then enter the AD NetBIOS name. During the SAML authentication, AD is contacted to collect the user details such as email address, UPN, Full Name, User Group, and so on.

  5. In the Email Suffix box, enter the email suffix of the users.

    For example, if the username is jpadilla@gmail.com, then the email suffix is gmail.com.

    Note

    • You can enter multiple email suffixes separated by a comma.

    • Only users that have specified email suffix can log on using this app.

  6. In the Upload IDP metadata box, browse to the XML file that contains the IdP metadata, and then click Open.

  7. Review the value in the Webconsole url box.

    This value is automatically generated and is used in the SP metadata file. The format of the value is https://mycompany:443/webconsole.

  8. If you are an MSP administrator creating the SAML app for a company, in the Created for company box, select the company.

    If you are creating the SAML app for the entire CommCell environment or if you are a tenant administrator, a company is not needed.

  9. To digitally sign the SAML message, move the Auto generate key for digital signing of SAML messages toggle key to the right.

  10. Click Save.

    The SP metadata file is generated, the IdP metadata is saved, and the identity server properties page appears.

  11. In the upper-right corner of the page, click Download SP metadata.

    The name of the file that is downloaded begins with SPMetadata. The SP metadata file must be uploaded to the Azure application.

Upload the Metadata to the Azure Portal

  1. In the Microsoft Azure portal, on the Single sign-on page, click Upload metadata file.

  2. Upload the SP metadata file.

  3. Click Add.

    The Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and Logout URL values are pre-filled using the SP metadata file.

  4. Click Save.