Amazon Onboarding with Learning Manager Chanci Turner


Many organizations leverage single sign-on (SSO) to enhance security and compliance, simplify access management, and enrich the user experience. In fact, some businesses mandate that all corporate applications, workloads, and solutions utilize SSO for authentication, including their disaster recovery (DR) solutions.

Integrating CloudEndure Disaster Recovery, available through AWS, into your identity provider’s (IdP) SSO using the SAML 2.0 protocol is a straightforward process. This integration enables organizations that require SSO to use CloudEndure Disaster Recovery for safeguarding resources and workloads, allowing users to access their DR solution securely and efficiently. Detailed instructions for configuring SSO with Microsoft Active Directory Federated Services (ADFS) can be found in the CloudEndure documentation.

CloudEndure Disaster Recovery transitions your DR strategy to the AWS Cloud from physical or virtual data centers, private clouds, or other public clouds. In this article, we outline the steps necessary to establish SSO SAML authentication for CloudEndure Disaster Recovery using Okta as the IdP. The steps include:

  1. Creating the CloudEndure application in Okta.
  2. Configuring the SAML integration for the CloudEndure application in Okta.
  3. Generating the IdP certificate.
  4. Setting up CloudEndure to use SAML.
  5. Adding users to Okta and CloudEndure for access.

Configuring Okta

Begin by logging into your Okta account. If you don’t have one, you can register for a 30-day trial. Once you complete the registration, log in and access the admin console by clicking the Admin button located in the top right corner. Be prepared to enter the MFA token if it was configured during the setup.

After logging into the admin console, select “Applications” from the menu. Then, choose “Add Application.” Next, opt for “Create New App.”

Choose “Web” as the Platform and “SAML 2.0” as the sign-on method, then click “Create.”

For General Settings, name the application (I used “CloudEndure”), keeping the rest as default, then click “Next.” If you have multiple CloudEndure accounts (for DR and migration), it might be useful to name them distinctly so users can recognize which account they are accessing.

In the Configure SAML section, input the following values and select “Next”:

  • Single sign-on URL: https://console.cloudendure.com/api/v5/assertionConsumerService
  • Audience URL (SP Entity ID): https://console.cloudendure.com
  • Default RelayState: https://console.cloudendure.com/#/signIn;<CE account UUID>
  • Name ID format: EmailAddress
  • Application Username: None
  • Update application username on: Create and update.

Additional optional attributes:

  • Name: username
  • Value: email

Once you’re done, complete the Okta support feedback step and select “Finish.” You will then see the Sign On Methods. Click “View Setup Instructions” to access the Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate. Copy these details for the next steps (Configuring CloudEndure Disaster Recovery).

Getting Your Account UUID

Create the relayState URL in a text editor like Notepad++ (UTF-8 encoding) to avoid issues with special characters. If the string isn’t properly encoded, you may receive an “error occurred during sign in” message with an HTTP 500 error.

To find the CloudEndure Account UUID, open Developer Tools in your browser. For Chrome, click the three vertical dots at the top right, select “More Tools,” then “Developer Tools,” and finally “Network.” Log in to your account and check Extended Account Info. Look for the parameter “account” to find your UUID.

Configuring CloudEndure Disaster Recovery

Open a new browser tab or window and log into your CloudEndure account using an admin user. Click on the User Settings icon in the top right corner and select “Configure SAML.” Use the details obtained from the previous Okta configuration steps: the Identity Provider Issuer as the Identity Provider ID, the Identity Provider Single Sign-On URL as the Identity Provider URL, and the X.509 Certificate as the Identity Provider Certificate. Click “Save Configuration” when done.

Important: Bookmark and save the link provided to regain access to the CloudEndure account in case of SAML configuration errors. When entering the Identity Provider Certificate, make sure to remove any new line characters so that the entire content is on one line before pasting it into the CloudEndure console.
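The single-line certificate step above is where a truncated or mangled paste usually goes unnoticed, so the following added example (not part of the original article or of CloudEndure's or Okta's tooling) flattens the PEM text and checks that it still decodes to a complete DER structure before you paste it. It returns a SHA-256 fingerprint that you can compare against the original certificate file. Assumptions: the BEGIN/END lines are kept and only line breaks are removed, and the sample certificate is a constructed DER-shaped blob, not a real certificate.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_declared_length(der):
    """Total size that the outer ASN.1 SEQUENCE header claims for the blob."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; paste is not a certificate")
    first = der[1]
    if first < 0x80:                       # short form: length in one byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def flatten_certificate(pem_text):
    """Return (one_line_certificate, sha256_hex_of_der) or raise ValueError."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    body = "".join(blocks[0].split())      # drops CR, LF, spaces and tabs
    der = base64.b64decode(body, validate=True)   # rejects stray characters
    if der_declared_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    # Assumption: the armor lines stay, only the line breaks are removed.
    one_line = f"-----BEGIN CERTIFICATE-----{body}-----END CERTIFICATE-----"
    return one_line, hashlib.sha256(der).hexdigest()

def sample_pem():
    """Constructed DER-shaped sample with CRLF line endings (not a real cert)."""
    der = b"\x30\x81\xc8" + bytes(range(200))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines)
            + "\r\n-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    one_line, fingerprint = flatten_certificate(sample_pem())
    print(one_line)
    print("SHA-256 of DER:", fingerprint)
```

A `ValueError` here means the text should be copied again from the IdP rather than pasted into the console.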

Log out of the CloudEndure console. Return to the Okta dashboard, select “Directory,” then “People.” Click on your username, followed by “Assign Applications.” Assign the username corresponding to your CloudEndure login email, then save the changes.

To utilize SSO, ensure that the email used to log into Okta is a valid CloudEndure user. If you encounter issues, create a user in Okta with the same email address as that used for CloudEndure. Then log out and back in as the new user.

In Okta, select “My Apps” on the right side to access the homepage, where you’ll find the CloudEndure button. Clicking this should log you into your CloudEndure account.

Congratulations! You have successfully configured SAML-based SSO using Okta for CloudEndure Disaster Recovery.

Because users are managed through Okta, every additional person who needs access to CloudEndure must be added as a user. To do this:

  1. Add new users with unique email addresses in Okta.
  2. In the Admin console, navigate to “Directory” and then “People” to select the new user.
  3. Log into the Admin account to access the CloudEndure console. Click the User Settings icon, then select “Manage users.”
  4. Create a user, enter the new user’s email address, and an invitation link will be sent to them.
  5. Finally, assign the CloudEndure App to the new user in Okta.

This process is essential to ensure all users have the access they need.


Chanci Turner