Does anyone have a blog/step-by-step guide for setting up VSPC with SSO Azure AD?
VSPC - SSO with Azure AD
+13Of course, official documentation: https://helpcenter.veeam.com/docs/vac/provider_admin/sso.html?ver=60
Backups are like pizza, I love them. | Linkedin: @marco-fabbri-it
Yeah, I already showed that to the customer, but he was wondering if there was a simpler guide, and specific documented with screenshot for the Azure AD.
I guess if there is no such blog I can create the documentation too him (but it’s a cheap customer…...)
Microsoft 365 Certified: Enterprise Administrator Expert // @frankiversen
+13I don’t think there’s somewhere a simpler guide than that, idk.
Backups are like pizza, I love them. | Linkedin: @marco-fabbri-it
+13But there’s a deep dive fresh video!
Backups are like pizza, I love them. | Linkedin: @marco-fabbri-it
I found a Veeam Service Provider Console Easily Configure SSO with Azure AD but one of the steps has you download the SAML Signing Certificate but the VSPC wants a PKCS#12 format which Azure AD doesn’t provide an option. Just raw and cer formats. Has anyone got VSPC working with Azure AD as the iDP?
https://www.veeam.com/wp-veeam-service-provider-console-configure-sso-with-azure-ad.html?wpty
Nope, I ended up using our wildcard third-party cert from Godaddy. I installed in Azure and used the same cert for VCSP.
You can get Veeam’s official guide from https://www.veeam.com/wp-veeam-service-provider-console-configure-sso-with-azure-ad.html but there are a few things worth noting.
- If your server hostname does not match your FQDN, set the Portal Web Address (under Configuration > Company Info > Portal Branding) to match your externally accessible FQDN. Otherwise, the generated URLs for 'SP Entity ID URL' and 'Assertion Consumer URL’ end up with the NETBIOS name which is not publicly accessible.
- Under ‘security configuration’ you can use a self-signed certificate even though the PDF states to download the Azure AD Enterprise App cert. You can’t use the Azure AD Enterprise App cert as the wizard requires a PFX file, which needs a private key.
- Users who will SSO must have the ‘company’ attribute populated in Azure AD (or in AD if using AD Connect). The ‘company’ attribute must match your company name as configured in the Veeam Service Provider console.
- The PDF guides you through using various attributes (ie. department) to configure permissions in the Provider Console. This is fine, but you can also do this using AD Groups and group claims.
I know this is a really old thread but I'm having difficulty using group claims. Other claims work fine. It seems that only the first group claim is evaluated. So when I have an authorization rule that uses a group id that is not the first in the list, it doesn't work...
Comment
Rich Text Editor, editor1
Editor toolbars
Press ALT 0 for help
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.