NetBackup IT Analytics Security and Encryption Reference
User authentication via single sign-on (SSO)
NetBackup IT Analytics supports Single Sign-On (SSO) for a standard unified login. User authentication is performed through an external Identity Management Server, which raises the level of protection for user passwords and identity details. SSO therefore requires an SSL-enabled NetBackup IT Analytics Portal, an external Identity Provider (IDP), and an external LDAP directory.
- The NetBackup IT Analytics Portal must be SSL enabled (https protocol) using SSL certificates with the following properties:
  - Signature algorithm name: SHA256 with RSA
  - Subject public key algorithm: 2048-bit RSA key
- An external Identity Provider (IDP) that supports SAML 2.0
- The SSL certificate must be added to the Portal Keystore using the Keystore Utility (deployCert)
For the IDP to communicate with the NetBackup IT Analytics Portal, an LDAP directory is configured on the external server for user management. Certain attributes must be populated for each user who will log in to the Portal, and each user must also belong to at least one group.
Set the following attributes for each user in the external LDAP directory. For each attribute, the properties name and friendlyName must be present and have values populated. These attributes must be exposed by both the external LDAP directory and the IDP server. The attribute names are as follows:
- displayName: <first_name> <last_name>, for example Jane Smith
- email: email address
- mobile: cell phone or mobile number
- telephoneNumber: work phone or home phone number
- sAMAccountName: the unique user name that is used as the login
- memberOf: list of group names to which the user belongs
Note: The memberOf attribute requires customization for a Microsoft Azure IDP. It is recommended to set Groups assigned to the application instead of All groups or Security groups for the memberOf attribute.
Before using SSO to log into the Portal, an external user must belong to one external directory group that also exists as a User Group in the NetBackup IT Analytics Portal. If the setup criteria are met, the user's profile is synchronized from the external directory when the user logs into the Portal for the first time. The user also inherits all privileges assigned to the User Group.
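The attribute list above and the group-membership rule just stated can be checked before SSO is switched on. The following added example is not part of this guide: it parses a constructed LDIF export (plain `attr: value` lines, no base64 values) and reports, for each user, any required attribute that is missing or empty and whether at least one memberOf group matches a Portal User Group. All names, numbers, groups and the DC= suffix in the sample are placeholders.

```python
from collections import defaultdict

# Attributes the Portal expects the directory and the IDP to expose for each user.
REQUIRED_ATTRS = ("displayName", "email", "mobile", "telephoneNumber",
                  "sAMAccountName", "memberOf")
# Constructed: User Groups that exist in the Portal, matched on the group CN.
PORTAL_USER_GROUPS = {"ITA-Admins", "ITA-Readers"}
# Constructed sample LDIF export; every value below is a placeholder.
SAMPLE_LDIF = """\
dn: CN=Jane Smith,OU=Users,DC=example,DC=test
displayName: Jane Smith
email: jane.smith@example.test
mobile: +1 555 0100
telephoneNumber: +1 555 0101
sAMAccountName: jsmith
memberOf: CN=ITA-Admins,OU=Groups,DC=example,DC=test
memberOf: CN=Backup-Operators,OU=Groups,DC=example,DC=test

dn: CN=Bob Lee,OU=Users,DC=example,DC=test
displayName: Bob Lee
email: bob.lee@example.test
sAMAccountName: blee
memberOf: CN=Finance,OU=Groups,DC=example,DC=test
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)       # attributes such as memberOf are multi-valued
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr].append(value.strip())
        entries.append(entry)
    return entries

def group_cn(dn):
    # 'CN=ITA-Admins,OU=Groups,...' -> 'ita-admins' (lower-cased for matching)
    rdn = dn.split(",", 1)[0]
    return rdn.partition("=")[2].lower() if "=" in rdn else rdn.lower()

def check_user(entry, portal_groups=PORTAL_USER_GROUPS):
    """Return (login, problems); an empty problems list means the user is SSO-ready."""
    problems = [f"missing or empty attribute: {a}" for a in REQUIRED_ATTRS
                if not any(entry.get(a, []))]
    if not {group_cn(g) for g in entry.get("memberOf", [])} & {g.lower() for g in portal_groups}:
        problems.append("no memberOf group matches a Portal User Group")
    return entry.get("sAMAccountName", entry["dn"])[0], problems

def check_all(ldif_text=SAMPLE_LDIF):
    """Map each user's login (or DN when sAMAccountName is absent) to its problems."""
    return dict(check_user(e) for e in parse_ldif(ldif_text))
```

Run against a real `ldapsearch -LLL` export, the report lists exactly the users who would fail first login despite a working IDP exchange.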
The registration process occurs by exchanging metadata XML files between the NetBackup IT Analytics Portal and the IDP server. On the Portal side, once SSO is configured and the Portal Tomcat service has been restarted, you can download the metadata XML file and provide it to the IDP server. This file contains the SSL certificate and identifies NetBackup IT Analytics as the service provider for SSO. A similar metadata XML file must be downloaded from the IDP server and provided to the Portal.
See "Configure single sign-on (SSO) using security assertion markup language (SAML)" in the NetBackup IT Analytics System Administration Guide.