How to enable Single Sign On (SSO)

OwnBackup supports single sign-on using SAML 2.0 and a supporting third-party Identity Provider (IdP) that works in tandem with its internal user management system. This means that instead of relying on OwnBackup’s local authentication for password and security policies, you may set your own authentication using your managed Identity Provider. The users in OwnBackup also benefit by not having to remember and manage yet another password for this service, and instead use a single service to sign-on into OwnBackup.

Set Up at the IdP (Identity Provider)

OwnBackup uses SAML 2.0 and supports IdP-initiated flows only (not SP-initiated flows). Therefore, in order to authenticate, the IdP must allow the SAML Assertion to be used. You will need to add OwnBackup as a new Service Provider (sometimes referred to as an SP), that has the following attributes:

1. Identifier (Entity ID) - can be obtained from the SSO XML file from the SSO feature setup page in OwnBackup.
   (e.g. https://sso-app1.ownbackup.com, https://sso-emea1.ownbackup.com etc.)
2. Reply URL (Assertion Consumer Service) -  Set to https://XXXX.ownbackup.com/saml/consume according to your region. 
   (e.g. https://app1.ownbackup.com/saml/consume, https://emea1.ownbackup.com/saml/consume, etc.)
3. Ensure the User/Subject Type is set to Username, and that it is also a valid email address already existing as an OwnBackup active user.
4. Set the Name ID Format to urn:oasis:names:tc:SAML:nameid-format:emailAddress

• You can obtain the SSO XML file from the SSO feature setup page in OwnBackup, if that is needed for a specific IdP setup.

Set Up at the OwnBackup UI

To set up single sign-on integration between your IdP and OwnBackup, enter into the UI the following information in the Account Settings --> Security page:

1. Identity Provider Name: A friendly display name for the integration (e.g. Okta OwnBackup).
2. Identity Provider’s SAML issuer name - A unique identifier of the IdP (Usually an https:// URL). The SAML issuer is typically the Entity ID, which can be verified in the IdP’s metadata xml.
3. Identity Provider’s certificate SHA-2 fingerprint, in uppercase, with : marks between the hex code.  
   (e.g. 7C:C4:22:66:15:E1:7B:34:C0:AB:2A:81:E6:11:56:09:92:C5:51:49,
   or upload the public certificate itself in .pem format).
4. Logout URL - The link to where you wish to direct users, when clicking the OwnBackup logout button.

Provider Specific Configurations

• Okta - How to Configure SAML 2.0 for OwnBackup

Behaviors when Enabling Single Sign-On

Most password policies and security measures at OwnBackup change when you enable single sign-on via SAML:  

• Only the Master Admin can enable/disable SSO.
• The user can no longer set their password in OwnBackup, and the password length complexity rules are those set by the identity provider.
• OwnBackup cannot enforce password expirations and cannot prevent reuse of old passwords.
• Two-factor authentication to OwnBackup is disabled, but you may enable it through your Identity Provider, if it’s available there.
• Users cannot use the Forgot/Reset Password mechanism and will be referred to their Identity Provider if they try to do so.
• If you would like to enable an API user after implementing Single Sign-On, please submit a case to our Support team, this user will have API access only and will not have access to the UI.
• If you are completely locked out and cannot manage authentication via the IdP, please submit a case to our Support team who can assist.