NetBackup™ Self Service Configuration Guide

Product(s): NetBackup (10.0)

Configuring Self Service to use Federated Single Sign-On

Self Service supports Federated Single Sign-On through the WS-Federation Passive Protocol. It is implemented with Microsoft Windows Identity Foundation (WIF), and uses Security Assertion Markup Language (SAML) tokens for claims transfer. It does not, however, support the SAML2 Protocol (SAML-P).

When Self Service is installed, it is configured with Forms Authentication, and the first logon must use the admin account.

To authenticate through the identity provider:

  1. Create users in the Self Service database that correspond to users in the identity provider.
  2. Edit the Self Service web.config file to enable federated single sign-on.

Create a user in Self Service

The User ID is used to identify users in Self Service. Claims are used to identify users in the identity provider. For authentication to succeed, users in Self Service must have a User ID that matches the value in one of the claims from the identity provider.

Self Service looks at the following claims when it attempts to find the Self Service user: Name, Email, Windows Account Name, and UPN. Typically Name and Windows Account Name have the format domain\username, and typically Email and UPN have the format username@domain.

You can enter users through the portal or import them in bulk, either directly from Active Directory or from a .CSV file.

Edit web.config to enable Federated Single Sign-On

To change the web.config file to enable federated single sign-on:

  1. Navigate to install_path\WebSite.
  2. Open web.config with Notepad as Administrator.
  3. Find the <modules> section and uncomment the two IdentityModel modules.
  4. Find the <authentication> section and change the mode to None.
  5. Enter the URL of the WS-Federation website in the issuer attribute of the <wsFederation> element.
  6. Find the <trustedIssuers> section and enter the token-signing certificate thumbprint of the WS-Federation server.

    Note:

    Do not cut and paste the thumbprint, because doing so can insert hidden characters into the file that interfere with thumbprint matching.

  7. If these changes are on a test system that uses self-signed SSL certificates, uncomment the <certificateValidation> element.
  8. Save the web.config file.
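
A post-edit check for steps 3 to 7, as an added example that is not part of the original guide or Veritas code. The function name Test-FederationConfig, the sample layout, the issuer URL and the thumbprint are constructed for illustration; elements are matched by name only, so the check does not depend on where they sit in the real file.

```powershell
# Added example (not Veritas code): checks the web.config edits from steps 3-7.
function Test-FederationConfig {
    param([Parameter(Mandatory)][xml]$Config)
    $findings = New-Object System.Collections.Generic.List[string]
    # Step 3: both IdentityModel modules must be live elements, not XML comments.
    $mods = @($Config.SelectNodes("//*[local-name()='modules']/*[contains(@type,'IdentityModel')]"))
    if ($mods.Count -ne 2) { $findings.Add("modules: $($mods.Count) IdentityModel module(s) active, expected 2") }

    # Step 4: authentication mode must be None.
    $auth = $Config.SelectSingleNode("//*[local-name()='system.web']/*[local-name()='authentication']")
    if ($null -eq $auth -or $auth.GetAttribute('mode') -ne 'None') { $findings.Add('authentication: mode is not "None"') }

    # Step 5: the issuer attribute must hold an absolute URL.
    $ws = $Config.SelectSingleNode("//*[local-name()='wsFederation']")
    $uri = $null
    if ($null -eq $ws -or -not [Uri]::TryCreate($ws.GetAttribute('issuer'), [UriKind]::Absolute, [ref]$uri)) {
        $findings.Add('wsFederation: issuer is missing or not an absolute URL')
    }

    # Step 6: a certificate thumbprint is a SHA-1 hash, i.e. exactly 40 hex digits.
    $issuers = @($Config.SelectNodes("//*[local-name()='trustedIssuers']/*[local-name()='add']"))
    if ($issuers.Count -eq 0) { $findings.Add('trustedIssuers: no entry found') }
    foreach ($i in $issuers) {
        $tp = $i.GetAttribute('thumbprint')
        $bad = @($tp.ToCharArray() | Where-Object { $_ -notmatch '^[0-9A-Fa-f]$' } |
                 ForEach-Object { 'U+{0:X4}' -f [int]$_ })
        if ($bad.Count) { $findings.Add("thumbprint: non-hex characters $($bad -join ', ')") }
        elseif ($tp.Length -ne 40) { $findings.Add("thumbprint: $($tp.Length) hex digits, expected 40") }
    }

    # Step 7: certificateValidation should be active on test systems only.
    if ($null -ne $Config.SelectSingleNode("//*[local-name()='certificateValidation']")) {
        $findings.Add('certificateValidation: uncommented (expected only with self-signed test certificates)')
    }
    $findings
}
# Constructed sample, not the shipped file: the thumbprint starts with a hidden U+200E.
[xml]$sample = @"
<configuration>
  <system.web><authentication mode="None" /></system.web>
  <modules>
    <add name="A" type="System.IdentityModel.Services.WSFederationAuthenticationModule" />
    <add name="B" type="System.IdentityModel.Services.SessionAuthenticationModule" />
  </modules>
  <wsFederation issuer="https://sts.example.test/adfs/ls/" />
  <trustedIssuers><add thumbprint="$([char]0x200E)0123456789ABCDEF0123456789ABCDEF01234567" /></trustedIssuers>
</configuration>
"@
Test-FederationConfig -Config $sample
```

To check the real file, load it into an XmlDocument with its Load method, which honours the file's declared encoding, and pass that object as -Config. An empty result means none of the five checks raised a finding.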

If you have to switch back to Forms Authentication, for example to recover from a problem, edit the web.config file and set the authentication mode to Forms: <authentication mode="Forms">.

Log on to Self Service

To confirm that the system is fully configured for Federated logon:

  1. Close and re-open Internet Explorer.
  2. Enter the URL of Self Service.
  3. If your environment uses test certificates, accept the two certificate errors.
  4. Enter the credentials for the previously created user. The user should successfully log on.