How to enable SAML Single Sign On (SSO)

OwnBackup supports single sign-on using SAML 2.0 and a supporting third-party Identity Provider (IdP) that works in tandem with its internal user management system. This means that instead of relying on OwnBackup’s local authentication for password and security policies, you may set your own using your managed Identity Provider. The users in OwnBackup also benefit by not having to remember and manage yet another password for this service and instead use a single service to sign-on with into OwnBackup.

Setup at the IdP (Identity Provider)

OwnBackup indeed uses SAML 2.0 and supports IdP-Initiated flows only (Not SP-Initiated Flows), therefore the IDP  must provide the SAML Assertion to be used in order to authenticate. You will need to add OwnBackup as a new Service Provider (sometimes referred to as SP), with the following attributes:

1. Identifier (Entity ID) - can be obtained from the SSO XML file from the SSO feature setup page in OwnBackup (e.g. https://sso-app1.ownbackup.com, https://sso-emea1.ownbackup.com etc.)
2. Reply URL (Assertion Consumer Service) -  Set to https://XXXX.ownbackup.com/saml/consume according to your region. (e.g: https://app1.ownbackup.com/saml/consume, https://emea1.ownbackup.com/saml/consume, etc.)
3. Ensure the User/Subject Type is set to Username and that it is also a valid email address already existing as an OwnBackup active User
4. Set the Name ID Format to urn:oasis:names:tc:SAML:nameid-format:emailAddress

• You can obtain the SSO XML file from the SSO feature setup page in OwnBackup if that is needed for a specific IdP setup.

Setup at OwnBackup UI

In order to set up single sign-on integration between you Idp and OwnBackup, please input to the UI the following information on the Account Settings-->Security page:

1. Identity Provider Name: A friendly display name for the integration (e.g. Okta OwnBackup)
2. Identity Provider’s SAML issuer name - Unique Identifier of the IdP (Usually an https:// URL), the SAML issuer is typically the Entity Id which can be verified in the IDP’s Metadata xml
3. Identity Provider’s certificate SHA-2 fingerprint in uppercase with : marks between the hex code - (e.g. 7C:C4:22:66:15:E1:7B:34:C0:AB:2A:81:E6:11:56:09:92:C5:51:49, or upload the public certificate itself in .pem format)
4. Logout URL - The link to where you wish the OwnBackup logout button will direct users to

Behaviors when Enabling Single Sign-On

Most password policies and security measures at OwnBackup change when you enable single sign-on via SAML:  

• Only the Master Admin can enable/disable SSO.
• For troubleshooting purposes, local authentication will still be active for 60 minutes after activating SSO, after that, if successful, all users will be under SSO.
• The user can no longer set their password in OwnBackup, and the password length complexity rules are those set by the identity provider.
• OwnBackup cannot enforce password expirations and prevent reuse of old passwords.
• Two-factor authentication to OwnBackup is disabled, but you may enable it through your Identity Provider if it’s available there.
• Users cannot use the Forgot/Reset Password mechanism and will be referred to their Identity Provider if they try to do so.
• If you would like to enable an API user after implementing Single Sign-On, please submit a case to our Support team, this user will have API access only and will not have access to the UI.
• If you are completely locked out and cannot manage authentication via the IdP, please submit a case to our Support team who can assist.