Veritas NetBackup™ Self Service Configuration Guide
- Configuring a Self Service solution
- Configuring a NetBackup master server
- Configuring Self Service
- Customizing Self Service
- User authentication methods
- Appendix A. NetBackup policy types
- Appendix B. Dashboard traffic light status and usage
- Appendix C. Synchronizing data from NetBackup
- Appendix D. NetBackup Self Service data caching process
- Appendix E. Integration settings
- Appendix F. REST API
- Appendix G. Glossary
Configuring Self Service to use Federated Single Sign-On
Self Service supports Federated Single Sign on through the WS-Federation Passive Protocol. It is implemented with Microsoft Windows Identity Foundation (WIF), and uses Security Assertion Markup Language (SAML) tokens for claims transfer. It does not, however, support the SAML2 Protocol, SAML-P.
When Self Service is installed, it is configured with Forms Authentication that requires first logon to use the admin account.
To authenticate through the identity provider:
- Create users in the Self Service database, who correspond to users in the identity provider.
- Edit the Self Service
web.configfile to enable federated single sign-on.
The User ID is used to identify users in Self Service. Claims are used to identify users in the identity provider. For authentication to succeed, users in Self Service must have a User ID that matches the value in one of the claims from the identity provider.
Self Service looks at the following claims when it attempts to find the Self Service user: Name, Email, Windows Account Name, and UPN. Typically Name and Windows Account Name have the format
domain\username, and typically Email and UPN have the format
You can enter Users through the portal or import in bulk, either directly from Active Directory or by a
To change the
web.config file to enable federated single sign-on:
- Navigate to
web.configwith Notepad as Administrator.
- Find the <modules> section and uncomment the two IdentityModel modules.
- Find the <authentication> section and change the mode to None.
- Enter the URL of the WS-Federation website in the issuer attribute of the <wsFederation> element
- Find the <trustedIssuers> section and enter the token-signing certificate thumbprint of the WS-Federation server.
You should not use cut and paste for the thumbprint as it can insert hidden characters into the file which interfere with the thumbprint matching.
- If these changes are on a test system that uses self-sign SSL certificates, uncomment the <certificateValidation> element.
- Save the
If you have to switch back to Forms Authentication, the
web.config file can be edited and the authentication mode set to forms: <authentication mode="Forms">. One instance where you would switch back to Forms Authentication is to recover from a problem.
To confirm that the system is fully configured for Federated logon:
- Close and re-open Internet Explorer
- Enter the URL of Self Service
- If your environment uses test certificates, accept the two certificate errors
- Enter the credentials for the previously created user. The user should successfully log on.