NetBackup support for Multi-Factor Authentication

Article: 100043814
Last Published: 2021-08-10
Product(s): NetBackup & Alta Data Protection

NetBackup 8.2 and later revisions offer support for Multi-Factor Authentication (MFA) or its subset, Two-Factor Authentication (2FA). Our support also extends to the usage of the Common Access Card (CAC) and Personal Identity Verification (PIV) cards used in sensitive environments.

Release History and Functionality 

Veritas continually enhances NetBackup's ability to integrate with Security Assertion Markup Language (SAML) compliant identity providers (IDP) to enable Single Sign-On (SSO) functionality. This allows a variety of applications to be accessible using a single set of login credentials. Please review the linked video for an overview.

NetBackup 8.2 and later versions enable Web UI users to sign in with a Common Access Card (CAC), personal identity verification (PIV) card, or a digital certificate.

NetBackup 8.3 and later versions leverage Single Sign-On (SSO) for authenticating into the NetBackup Web UI. To use SSO, you must have a SAML 2.0 compliant identity provider configured in your environment. Only one AD or LDAP domain is supported for each primary (master) server domain. Configuration of the IDP is achieved using NetBackup APIs or the NetBackup command nbidpcmd.

NetBackup 9.0 and subsequent versions allow a SAML user to create and delete their own API key. Note that in this release the administrator cannot add a key for a SAML user or change the validity period (expiration) of the key.

NetBackup 9.1 and later revisions provide MFA support for the Java NetBackup Administration Console through SAML-based Identity Provider or CAC/PIV smart cards or digital user certificates. This release of NetBackup allows both non-SAML and SAML users to create and delete their own keys and reissue expired keys. The administrator can also add a key for a SAML user and change the expiration date of the key.

Depending on which IDP you are using, see the following articles for steps on downloading the IDP metadata XML file and enrolling the NetBackup primary server with the IDP:

While the above listed providers were qualified as part of the release, other SAML 2.0-compliant identity providers are also expected to work if the expected userPrincipalName and memberOf attributes are received in the SAML Auth Response. While adding the IDP configuration to the NetBackup primary (master) server, the values entered for the user (-u) and user group (-g) options must match the SAML attribute names that map to the userPrincipalName and the memberOf attributes in the AD or LDAP.
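
The attribute-name requirement above can be checked against a captured SAML response before troubleshooting further. The following is an added example, not Veritas code: it lists the attribute names an assertion actually carries and compares them with the values intended for the -u and -g options. The sample assertion, the function names, and the exact (case-sensitive) comparison are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a decoded, unencrypted assertion fragment (not real IdP output).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="userPrincipalName">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=BackupAdmins,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=Operators,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def assertion_attributes(xml_text):
    """Return {Name: [non-empty values]} for every saml:Attribute element."""
    # Diagnostic only: no signature or condition checks happen here, so use it
    # on responses you captured yourself, never as an authentication step.
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("{%s}AttributeValue" % SAML_NS)]
        found.setdefault(attr.get("Name", ""), []).extend(v for v in values if v)
    return found


def check_mapping(xml_text, user_attr, group_attr):
    """List mismatches between the -u / -g values and the assertion's attributes."""
    found = assertion_attributes(xml_text)
    problems = []
    for option, name in (("-u", user_attr), ("-g", group_attr)):
        if not found.get(name):  # absent, or present with no usable value
            near = [n for n in found if n.lower() == name.lower()]
            hint = (("case differs from %r" % near[0]) if near
                    else ("IdP sent: %s" % ", ".join(sorted(found))))
            problems.append("%s %r not in assertion (%s)" % (option, name, hint))
    return problems


if __name__ == "__main__":
    for line in check_mapping(SAMPLE_ASSERTION, "upn", "memberOf") or ["mapping OK"]:
        print(line)
```

An empty result means both configured names appear in the assertion with at least one value; each reported line names the option whose value needs to change or the attribute the IDP needs to release.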

If you run into integration issues with other SAML compliant identity providers, kindly request the vendor to contact the Veritas Technology Ecosystem (VTE) program at VTE@veritas.com to request formal product certification. Customers may also reach out to their Veritas Sales Engineer, Account Manager or request a follow-up from the Sales Team.
