Add a Single Sign-on Provider

20 May 2024

You can now configure Cohesity DataProtect as a Service to use an Identity Provider (IdP), such as Okta, for single sign-on (SSO) access. Cohesity DataProtect as a Service must first be added as an application to your IdP (Okta, for example). SSO is then configured in Cohesity DataProtect as a Service with the SSO URL and the certificate file obtained from the IdP. After the integration, users can sign in to Cohesity DataProtect as a Service either from the IdP sign-in page or with the Sign in with SSO link on the Cohesity DataProtect as a Service login page.

The following identity providers are supported:

  • Active Directory Federation Services (AD FS): Configure SSO with Active Directory Federation Services (AD FS)
  • Azure: Configure SSO with Azure
  • Duo Single Sign-on: Integration with Duo for SSO
  • Ping Identity: Integration with Ping Identity for SSO
  • Okta Single Sign-on: Configure SSO with Okta

Configure SSO

To configure SSO:

  1. In DataProtect as a Service, navigate to Settings > Access Management > Single Sign-On.
  2. Click Configure SSO.
  3. Select one of the following options:

    • SAML: Security Assertion Markup Language (SAML) is an XML-based protocol used for SSO login.

    • OpenID Connect: OpenID Connect (OIDC) is an open authentication protocol built on the OAuth 2.0 framework.

  4. If you select SAML, enter the following details:

    • SSO Domain: Unique domain name that differentiates this IdP from others. Because Cohesity DataProtect as a Service supports multiple IdPs, this must be a unique string (usually the company domain). To be redirected to this IdP, a user logs in via SSO as username@SSO_DOMAIN.

      When a user logs in to Cohesity DataProtect as a Service using SSO and enters the email address foo@bar.com, Cohesity DataProtect as a Service looks for the IdP whose SSO Domain is configured as bar.com and redirects the user foo to that IdP. This is how Cohesity DataProtect as a Service determines which IdP a user is forwarded to.

    • SSO Provider: From the drop-down, select the SSO provider name of your choice, then select the I have read the SSO documentation provided by <SSO provider name> check box. Cohesity recommends reading the SSO documentation before proceeding to the next step.

    • Assign to Organization: Optional. In a multitenant-enabled cluster, you can configure SSO for an organization that has been added to the Cohesity cluster. Select an organization from the drop-down.

    • Single Sign-on URL: Paste the URL that you copied from your IdP.

    • Provider Issuer ID: Paste the issuer ID that you copied from your IdP.

    • X.509 Certificate: Click Select File and browse to the location of the file that you downloaded and renamed previously.
  5. If you select OpenID Connect (OIDC), perform the following prerequisite steps and then refer to the table that follows:

    Prerequisites:

    1. Create the OIDC app within your Identity Provider (IdP). For more information, see Create OIDC app integrations.

      OIDC is an open standard, and single sign-on with Cohesity DataProtect as a Service is intended to work with any Identity Provider that supports OpenID Connect. For setup details, refer to your Identity Provider's documentation.

    2. Map the following OIDC configuration details from your Okta IdP to the Cohesity DataProtect as a Service configuration:

      1. To get the Issuer ID:

        1. Navigate to Security > API.

        2. On the API page, click Authorization Servers.

          You can find the issuer ID in the Issuer URI section.

      2. To get the Client ID:

        1. Navigate to Applications.

        2. On the Helios Test OIDC App page, click General.

          You can find the Client ID in the Client Credentials window.

      3. To generate the JSON Web Key Set (JWKS) URL:

        1. Construct the URL as follows:

          Format: <issuer ID>/.well-known/openid-configuration

          For example: https://***-00000000.okta.com/oauth2/default/.well-known/openid-configuration.

        2. Enter the constructed URL in the address bar of the browser. The JSON output that is displayed includes the JWKS URL as the jwks_uri value.

    Then enter the following details:

    • OpenID Server Domain: Enter a unique domain name.
    • OpenID Server URL for the public key (JWKS): Enter the JSON Web Key Set (JWKS) URL. You can get this URL from your identity provider.
    • Client ID: Enter the ID of the application created in the identity provider.
    • Issuer ID: Enter the Issuer ID URL. You can get the URL from your identity provider.
    • Public Key Expiration (Seconds): Time in seconds after which Cohesity fetches fresh public keys from the identity provider. The default value is 86400 seconds (24 hours).
    • Public Key Refresh Interval (Seconds): Cache refresh interval in seconds. It limits requests to the OIDC server and also governs how soon the public key is refreshed after a token signature validation failure. The default value is 600 seconds (10 minutes).
    • Token Validity (Seconds): Validity time in seconds for the token. The validity check is performed only if the token has not expired; if it has expired, a 401 Unauthorized or invalid token error is displayed. The default value is 15 minutes.
  6. Enter the following details:

    • Default Role for all SSO Users: Select a role to use as the default role for users signing on with SSO. Typically, you select this option only during the initial SSO configuration. You can change it later.

    • Access to All Clusters or Limited Clusters: Select whether the identity provider's users can access all clusters or only a limited set of clusters.

    • Sign Auth Request: Optional. Enable this option if you want authorization requests to be signed with the Cohesity DataProtect as a Service public key. The Cohesity DataProtect as a Service public key must be uploaded to the IdP site.

      This option is not available if you select the OpenID Connect protocol.

      Perform the following steps to obtain the Cohesity DataProtect as a Service public certificate:

    1. Log in to Cohesity DataProtect as a Service.

    2. Start a browser and enter https://helios.cohesity.com/v2/mcm/sslCertificate in the browser address bar.

    3. Copy and paste the certificate into Notepad or a word processor.

    4. In the copied certificate, replace each literal \n with a new line.

    5. Save the file in .pem or .crt format.

    6. The Cohesity DataProtect as a Service public key must be uploaded to the IdP site.

  7. Click Save.

    Cohesity DataProtect as a Service validates the connection to the IdP. If the connection succeeds, the SSO provider is added to the provider list, where you can edit, delete, or deactivate it. Users can then access Cohesity DataProtect as a Service from their IdP home page or from the Cohesity DataProtect as a Service sign-in page by clicking the Sign in with SSO link.
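Step 5's three timing fields (Public Key Expiration, Public Key Refresh Interval, Token Validity) describe how the relying party caches the IdP's signing keys. The following Python is an added example, not Cohesity's code: it builds the discovery URL from step 5's format and models a JWKS cache that honours those settings, including the throttled refetch after an unknown key id. The fetcher, key ids and token claims are constructed, and reading Token Validity as a limit on token age (iat) is an assumption.

```python
import time

def discovery_url(issuer_id):
    """Build the discovery URL from the page's format: <issuer ID>/.well-known/openid-configuration."""
    return issuer_id.rstrip("/") + "/.well-known/openid-configuration"

class JwksCache:
    """Caches the IdP's public keys (JWKS) under the page's expiration and refresh-interval settings."""

    def __init__(self, fetch_jwks, expiration=86400, refresh_interval=600, clock=time.time):
        self.fetch_jwks = fetch_jwks                # callable returning the JWKS document as a dict
        self.expiration = expiration                # Public Key Expiration, page default 86400 s
        self.refresh_interval = refresh_interval    # Public Key Refresh Interval, page default 600 s
        self.clock = clock                          # injectable so the behaviour can be tested offline
        self.keys, self.fetched_at, self.fetch_count = {}, None, 0

    def _refresh(self):
        self.keys = {k["kid"]: k for k in self.fetch_jwks()["keys"]}
        self.fetched_at = self.clock()
        self.fetch_count += 1

    def get_key(self, kid):
        """Return the JWK matching a token's 'kid', refetching only when the settings permit."""
        now = self.clock()
        if self.fetched_at is None or now - self.fetched_at >= self.expiration:
            self._refresh()                          # cache empty or older than Public Key Expiration
        key = self.keys.get(kid)
        if key is None and now - self.fetched_at >= self.refresh_interval:
            self._refresh()                          # unknown kid (IdP rotated keys): throttled refetch
            key = self.keys.get(kid)
        return key                                   # None: reject the token; no new fetch until the interval passes

def check_token_age(claims, token_validity=900, now=None):
    """Assumed reading of Token Validity: 'iat' must lie within token_validity seconds of now.
    'exp' is checked first, so an expired token is reported as expired (the page's 401 case)."""
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return "expired"
    if now - claims["iat"] > token_validity:
        return "too_old"
    return "ok"

# Constructed JWKS documents: the IdP rotates its signing key from "k1" to "k2" between fetches.
JWKS_BEFORE = {"keys": [{"kid": "k1", "kty": "RSA", "e": "AQAB", "n": "constructed"}]}
JWKS_AFTER = {"keys": [{"kid": "k2", "kty": "RSA", "e": "AQAB", "n": "constructed"}]}
```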
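The certificate fetched in step 6 arrives with its line breaks written as literal \n sequences, and a file that still contains them, or that a word processor has reformatted, is not a valid PEM. The following Python is an added example, not Cohesity's code: it performs step 4's replacement and then checks that the result is a well-formed PEM before saving it as step 5 asks. The input is constructed; the exact JSON layout of the real response is not shown on the page and is not assumed.

```python
import base64
import json
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def escaped_cert_to_pem(raw):
    """Turn the copied certificate text (with literal \\n sequences) into PEM text.
    Accepts either the bare certificate string or a JSON string literal wrapping it."""
    text = raw.strip()
    if text.startswith('"'):                       # JSON string literal: let json unescape it
        text = json.loads(text)
    text = text.replace("\\n", "\n")               # step 4: literal backslash-n becomes a newline
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").split("\n") if ln.strip()]
    if not lines or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("missing PEM BEGIN/END CERTIFICATE lines")
    pem = "\n".join(lines) + "\n"
    ssl.PEM_cert_to_DER_cert(pem)                  # raises ValueError if the body is not valid base64
    return pem

def write_pem(raw, path):
    """Save the converted certificate as the .pem/.crt file step 5 asks for."""
    pem = escaped_cert_to_pem(raw)
    with open(path, "w", newline="\n") as fh:      # plain text with LF line endings, no editor formatting
        fh.write(pem)
    return pem

# Constructed input: a fake certificate body, escaped the way the page describes (literal \n).
CONSTRUCTED_BODY = base64.b64encode(b"constructed, not a real certificate").decode()
CONSTRUCTED_RAW = PEM_HEADER + "\\n" + CONSTRUCTED_BODY + "\\n" + PEM_FOOTER + "\\n"
CONSTRUCTED_JSON = '"' + CONSTRUCTED_RAW + '"'     # the same value as it appears inside a JSON document
```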

Considerations

  • If you have logged in to Cohesity DataProtect as a Service using Okta credentials (or any other IdP), you cannot directly access some of the portals in the Help Center, such as Claim a Cluster, Get Support, and Read the Docs, because these portals require Cohesity Support portal credentials.

  • If no default role is assigned in the IdP entry, users are rejected unless they have an explicit user entry.
  • If the SAML assertions are to be signed and encrypted, the Cohesity DataProtect as a Service certificate must be used.
