VSPC - SSO with Azure AD

  • 10 December 2021
  • 8 comments
  • 1525 views

Userlevel 5
Badge

Does anyone have a blog/step-by-step guide for setting up VSPC with SSO Azure AD?


8 comments

Userlevel 7
Badge +13

Of course, official documentation: https://helpcenter.veeam.com/docs/vac/provider_admin/sso.html?ver=60

Userlevel 5
Badge

Yeah, I already showed that to the customer, but he was wondering if there was a simpler guide, and specific documented with screenshot for the Azure AD.

 

I guess if there is no such blog I can create the documentation too him (but it’s a cheap customer…...)

Userlevel 7
Badge +13

I don’t think there’s somewhere a simpler guide than that, idk.

Userlevel 7
Badge +13

But there’s a deep dive fresh video!
 

 

I found a Veeam Service Provider Console Easily Configure SSO with Azure AD but one of the steps has you download the SAML Signing Certificate but the VSPC wants a PKCS#12 format which Azure AD doesn’t provide an option.  Just raw and cer formats.  Has anyone got VSPC working with Azure AD as the iDP?

 

https://www.veeam.com/wp-veeam-service-provider-console-configure-sso-with-azure-ad.html?wpty

Have you find a solution to export good certificat in AzureAD for import in VCSP  ? 

Thank you 

Nope, I ended up using our wildcard third-party cert from Godaddy.  I installed in Azure and used the same cert for VCSP.

You can get Veeam’s official guide from https://www.veeam.com/wp-veeam-service-provider-console-configure-sso-with-azure-ad.html but there are a few things worth noting.

  1. If your server hostname does not match your FQDN, set the Portal Web Address (under Configuration > Company Info > Portal Branding) to match your externally accessible FQDN. Otherwise, the generated URLs for 'SP Entity ID URL' and 'Assertion Consumer URL’ end up with the NETBIOS name which is not publicly accessible.
  2. Under ‘security configuration’ you can use a self-signed certificate even though the PDF states to download the Azure AD Enterprise App cert. You can’t use the Azure AD Enterprise App cert as the wizard requires a PFX file, which needs a private key.
  3. Users who will SSO must have the ‘company’ attribute populated in Azure AD (or in AD if using AD Connect). The ‘company’ attribute must match your company name as configured in the Veeam Service Provider console.
  4. The PDF guides you through using various attributes (ie. department) to configure permissions in the Provider Console. This is fine, but you can also do this using AD Groups and group claims.

Comment