How to enroll NetBackup master server as a service provider to ADFS

Article: 100047744
Last Published: 2020-05-22
Product(s): NetBackup


To enroll NetBackup master server as a service provider to ADFS

  1. Log on to the ADFS server and start the ADFS Management Console from the Windows Administrative tools.

  2. Click Add Relying Party Trust to open the Add Relying Party Trust Wizard. Use the Add Relying Party Trust Wizard to configure NetBackup as a service provider.
  3. On the Welcome screen, select the Claims aware option. This enables the ADFS application to consume security tokens to make authentication and authorization decisions.
  4. Use the Import data about the relying party from a file option to import the SP metadata XML file previously downloaded from the NetBackup master server.

  5. Select the Access Control Policy based on the requirement of your organization.
  6. Add a rule to enable ADFS to access attribute values of authenticated users from the Active Directory. Select the Configure claims issuance policy for this application option, before exiting the Add Relying Party Trust wizard.
  7. In the Edit Claim Issuance Policy window, click Add Rule. The Add Transform Claim Rule Wizard opens.

  8. Ensure that you select the Send LDAP Attributes as Claims template in the Choose Rule Type screen.

  9. In the Configure Claim Rule screen, provide any name to identify the claim rule.
  10. Ensure that you select the Attribute store as Active Directory.
  11. Define SAML attributes (Outgoing Claim Types field) that map to the userPrincipalName and the memberOf attributes in the AD or LDAP directory.

      Note: While adding the IDP configuration to the NetBackup master server, the values entered for the user (-u) and user group (-g) options must match the SAML attribute names (Outgoing Claim Types field) that are mapped to the userPrincipalName and the memberOf attributes in the AD or LDAP.
  12. Attribute mappings map the SAML attributes used in the SSO to their corresponding attributes in the AD or LDAP directory. The SAML attribute mappings are used for generating the SAML responses that are sent to the NetBackup master server.
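The claim rule that steps 7 to 11 build in the wizard can also be applied and checked from PowerShell. The following script is an added example, not part of this article: it assumes the ADFS PowerShell module is available, uses the relying party identifier https://<Master Server>/netbackup/sso/callback/SAML2Client as a placeholder, and treats the outgoing claim type names userPrincipalName and memberOf as assumed choices; whatever names you emit are the values the -u and -g options must match.

```powershell
# Added example (not from the Veritas article): applies a "Send LDAP Attributes as
# Claims" rule to the NetBackup relying party trust and reads back the outgoing claim
# type names so they can be matched against the -u and -g values of the IDP configuration.
# Assumptions: ADFS module present; trust identifier below is a placeholder.
Import-Module ADFS

$spIdentifier = 'https://<Master Server>/netbackup/sso/callback/SAML2Client'   # placeholder

# Outgoing claim type names (assumed choices). NetBackup must be told these via -u and -g.
$userClaim  = 'userPrincipalName'
$groupClaim = 'memberOf'

# Claim rule language equivalent of the wizard template: attribute store = Active
# Directory, LDAP attributes userPrincipalName/memberOf -> the outgoing claim types above.
$rule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "NetBackup SAML attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$userClaim", "$groupClaim"), query = ";userPrincipalName,memberOf;{0}", param = c.Value);
"@

$trust = Get-AdfsRelyingPartyTrust -Identifier $spIdentifier
if (-not $trust) { throw "No relying party trust found for $spIdentifier" }

# Replace the trust's issuance transform rules with the rule above.
Set-AdfsRelyingPartyTrust -TargetIdentifier $spIdentifier -IssuanceTransformRules $rule

# Read the trust back and extract the outgoing claim types from the stored rule text.
$trust  = Get-AdfsRelyingPartyTrust -Identifier $spIdentifier
$issued = [regex]::Matches($trust.IssuanceTransformRules, 'types\s*=\s*\(([^)]*)\)') |
    ForEach-Object { $_.Groups[1].Value -split ',' } |
    ForEach-Object { $_.Trim().Trim('"') }

"Outgoing claim types issued to NetBackup: $($issued -join ', ')"
if ($issued -notcontains $userClaim -or $issued -notcontains $groupClaim) {
    Write-Warning "Rule does not issue $userClaim and $groupClaim; the -u/-g values will not match."
}

# Also report the revocation-check settings referred to later in this article.
"Signing cert revocation check:    $($trust.SigningCertificateRevocationCheck)"
"Encryption cert revocation check: $($trust.EncryptionCertificateRevocationCheck)"
```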


Downloading the IDP metadata XML file

You can access the IDP metadata XML file from the ADFS server by entering the following URL in your browser:

https://<ADFS host name>/FederationMetadata/2007-06/FederationMetadata.xml

where <ADFS host name> is the IP address or host name of the ADFS server.


Installing an external CA certificate to ADFS

If you want to use an external KeyStore for Single Sign-On, you must install the external CA certificate on the ADFS server. Perform the following steps:


Note: If you are using NetBackup CA certificates, the following procedure is not applicable. Instead, disable the certificate revocation check by running the following command:

Get-AdfsRelyingPartyTrust -Identifier https://<Master Server>/netbackup/sso/callback/SAML2Client | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None

  1. Right-click the relying party trust configured for the NetBackup master server and click Properties.
  2. Click the Encryption tab.
  3. Click View Certificate and then Install Certificate.
  4. In the Certificate Import Wizard, select the Local Machine option.
  5. Choose to place all certificates in the Trusted Root Certification Authorities store.
  6. Click Finish.
