Single Sign On (SSO)

    Enabling Single Sign On

    OwnBackup supports single sign-on using SAML 2.0 and a supporting third-party Identity Provider (IdP) that works in tandem with its internal user management system. This means that instead of relying on OwnBackup’s local authentication for password and security policies, you may enforce your own authentication policy through your managed Identity Provider. OwnBackup users also benefit by not having to remember and manage yet another password for this service; instead they use a single service to sign on to OwnBackup.

    Set Up at the IdP (Identity Provider)

    OwnBackup uses SAML 2.0 and supports IdP-initiated flows only (not SP-initiated flows). Therefore, in order to authenticate, users must start the login at the IdP, which then sends the SAML assertion to OwnBackup. You will need to add OwnBackup as a new Service Provider (sometimes referred to as an SP) that has the following attributes:

    1. Identifier (Entity ID) - can be obtained from the SSO XML file from the SSO feature setup page in OwnBackup.
      (e.g. https://sso-app1.ownbackup.com, https://sso-emea1.ownbackup.com, etc.)
    2. Reply URL (Assertion Consumer Service) - set to https://XXXX.ownbackup.com/saml/consume according to your region.
      (e.g. https://app1.ownbackup.com/saml/consume, https://emea1.ownbackup.com/saml/consume, etc.)
    3. Ensure the User/Subject Type is set to Username, and that it is also a valid email address that already exists as an active OwnBackup user.
    4. Set the Name ID Format to urn:oasis:names:tc:SAML:nameid-format:emailAddress
    • You can obtain the SSO XML file from the SSO feature setup page in OwnBackup, if it is needed for a specific IdP setup.

    Setting Up with the OwnBackup UI

    To set up single sign-on integration between your IdP and OwnBackup, enter into the UI the following information in the Account Settings --> Security page:

    1. Identity Provider Name - A friendly display name for the integration (e.g. Okta OwnBackup).
    2. Identity Provider’s SAML issuer name - A unique identifier of the IdP (usually an https:// URL). The SAML issuer is typically the Entity ID, which can be verified in the IdP’s metadata XML.
    3. Identity Provider’s certificate SHA-2 fingerprint, in uppercase, with : marks between the hex bytes
      (e.g. 7C:C4:22:66:15:E1:7B:34:C0:AB:2A:81:E6:11:56:09:92:C5:51:49),
      or upload the public certificate itself in .pem format.
    4. Logout URL - The link to where you wish to direct users when they click the OwnBackup logout button.
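    The IdP-side and UI-side values above have to agree with each other: the issuer you enter must match what the IdP puts in its assertions, the certificate fingerprint must be rendered in the uppercase colon-separated form, and each assertion's Audience and NameID must match the Entity ID and the emailAddress format. The script below is an added example, not OwnBackup code: it reads the issuer and signing certificate out of a constructed IdP metadata document, renders the fingerprint in that form, and reports where a (constructed) assertion disagrees with the configured values. The metadata, assertion and "certificate" bytes are all constructed placeholders; https://idp.example.com/saml is an assumed IdP.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:nameid-format:emailAddress"
ENTITY_ID = "https://sso-app1.ownbackup.com"  # Entity ID example from the SSO XML file

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hash the DER-encoded certificate and render it as 7C:C4:... (uppercase, colon-separated)."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())

def idp_settings(metadata_xml: str, algo: str = "sha256") -> dict:
    """Pull the issuer (entityID) and the signing-certificate fingerprint out of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    cert_b64 = root.find(".//ds:X509Certificate", NS).text
    der = base64.b64decode("".join(cert_b64.split()))  # metadata usually line-wraps the base64
    return {"issuer": root.get("entityID"), "fingerprint": fingerprint(der, algo)}

def check_assertion(assertion_xml: str, expected_issuer: str, entity_id: str) -> list:
    """Return the mismatches between an assertion and the SP settings; [] means it fits."""
    a = ET.fromstring(assertion_xml)
    problems = []
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} is not the configured issuer {expected_issuer!r}")
    if entity_id not in [e.text for e in a.findall(".//saml:Audience", NS)]:
        problems.append(f"Audience does not include the Entity ID {entity_id!r}")
    name_id = a.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not " + EMAIL_FORMAT)
    elif not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id.text or ""):
        problems.append(f"NameID {name_id.text!r} is not an email address")
    return problems

# Constructed samples: the "certificate" is placeholder bytes, not a real X.509 certificate.
FAKE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
  entityID="https://idp.example.com/saml"><md:IDPSSODescriptor><md:KeyDescriptor use="signing">
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jane@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""
```

Running `idp_settings(SAMPLE_METADATA)` gives the issuer and fingerprint to paste into the Security page, and `check_assertion(SAMPLE_ASSERTION, issuer, ENTITY_ID)` returns an empty list when the assertion matches; pass `algo="sha1"` to get the 20-byte form shown in the example above.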

    Provider Specific Configurations

    Behaviors when Enabling Single Sign On

    Most password policies and security measures at OwnBackup change when you enable single sign-on via SAML:  

    • Only the Master Admin can enable/disable SSO.
    • The user can no longer set their password in OwnBackup, and the password length complexity rules are those set by the identity provider.
    • OwnBackup cannot enforce password expirations and cannot prevent reuse of old passwords.
    • Two-factor authentication to OwnBackup is disabled, but you may enable it through your Identity Provider, if it’s available there.
    • Users cannot use the Forgot/Reset Password mechanism and will be referred to their Identity Provider if they try to do so.
    • If you would like to enable an API user after implementing Single Sign-On, please submit a case to our Support team. This user will have API access only and will not have access to the UI.
    • If you are completely locked out and cannot manage authentication via the IdP, please submit a case to our Support team who can assist.


    Adding a new User


    Master Admin Steps

    1. As a Master Admin, log in using Single Sign On (SSO).
    2. Create a new user assigned to a Business Unit.

    A verification email from OwnBackup is sent to the new user. (The email states that the user has been created as a Read Only user).

    NOTE: After enabling SSO, the user must wait 60 minutes before logging in again.

    New User Steps

    1. In the verification email received from OwnBackup, click the "Confirm" link. An OwnBackup confirmation page opens.
    2. Click Accept Invitation. The OwnBackup login page opens.
    NOTE: You cannot use this page to log in.
    3. Navigate to the URL for the “IdP-Initiated Login” used by your Identity Provider.
    4. Enter your login credentials. You will then be redirected to the OwnBackup application as a valid SSO user.
