Using Single Sign-on (SSO)

Skytap supports federated authentication via SAML 2.0 single sign-on (SSO). When SSO is enabled for your account, users are signed in to Skytap automatically after authenticating with your Identity Provider (IdP), such as Active Directory Federation Services (ADFS) or another SAML 2.0 IdP backed by Active Directory or LDAP.

This document describes how to enable SSO for your account, how to create SSO users, and the sign-in and authentication process.

You must be an account administrator to perform most of these actions.

Managing account-wide SSO settings

One-time setup: Enabling SSO for your customer account

To enable SSO for your Skytap Cloud account
  1. Email support@skytap.com with the following information:

    Setting or file
      Description

    Entity ID
      The unique string that identifies your IdP to Skytap. Provided by your Identity Provider.
    Signing Certificate
      The public certificate that lets Skytap verify that SAML responses were signed by, and therefore originated from, your IdP.
    SAML Metadata
      Your IdP's SSO configuration details. Send this as a file, or as a URL that links to the metadata file.
    IdP Login URL
      The URL that users are redirected to for authentication.
    IdP Logout URL
      The URL that users are redirected to when they click Sign Out.
    IdP Error URL
      The URL that users are redirected to if authentication fails after Skytap has identified the IdP.
    Claim Rule
      If you are using Windows Active Directory, you must configure a claim rule in Microsoft Active Directory Federation Services (ADFS) that maps the user-principal-name to the outgoing NameID claim type. For instructions, see Configuring an ADFS claim rule for SSO.
  2. Skytap Support enables SSO for your account and gives you Skytap's service provider Entity ID, signing certificate, and SAML metadata to enter in your IdP. Configure your IdP with these so that Skytap Cloud is recognized as a service provider (a relying party, in ADFS terms). The same files can be downloaded later from the Sign-on policy tab (see Editing SSO settings below).
  3. Work with Skytap Support to test and verify the SSO configuration. During this testing, we recommend that you:
    • Create and use a separate user account that is enabled for SSO, rather than enable SSO on your primary administrative account. This way, if the SSO test fails, you will not be locked out of your administrative account.
    • Test the account sign in from a new incognito browser session to eliminate issues caused by browser cookies or the browser cache.

    Troubleshooting tip

    For help troubleshooting the negotiation between the Skytap SSO service provider and your identity provider:

    • Use a browser-based tool to trace the network requests associated with the SSO connection. For example, use a tool like SSO Tracer or SAML Tracer.
    • Check the logs from your Identity Provider for errors or other messages.
  4. After SSO is properly configured, enable your Skytap Cloud user accounts to use SSO authentication rather than password-based authentication.
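As an added pre-flight check (example code written for this page, not Skytap's or Microsoft's own tooling), the following script parses an IdP's SAML 2.0 metadata and pulls out the values the table in step 1 asks for: Entity ID, signing certificate, and the login and logout URLs. It fingerprints the certificate so it can be confirmed with Support over another channel, checks that the IdP advertises the emailAddress NameID format the claim rule is expected to emit, and shows the check an SP performs on the NameID the claim rule produces. The sample metadata, hostname and certificate bytes are constructed; the function names are chosen here.

```python
"""Pre-flight check of IdP SAML 2.0 metadata before emailing it to Skytap Support.
Extracts the setup-table values, fingerprints the signing cert, and checks the
NameID format the ADFS claim rule must produce."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: the hostname is made up and the certificate body is a
# placeholder byte string, not real DER. Real ADFS metadata has the same shape.
PLACEHOLDER_CERT_DER = b"placeholder bytes standing in for a DER-encoded certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(PLACEHOLDER_CERT_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://adfs.example.test/adfs/ls/"/>
    <md:NameIDFormat>{EMAIL_NAMEID}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://adfs.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://adfs.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract the setup-table values from an IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # Service-provider metadata (Skytap's own) carries SPSSODescriptor instead.
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no 'use' attribute means both uses
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join(c.text.split()))  # drop the wrapping whitespace

    def endpoints(tag):
        return {e.get("Binding"): e.get("Location") for e in idp.findall(tag, NS)}

    sso, slo = endpoints("md:SingleSignOnService"), endpoints("md:SingleLogoutService")
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "login_url": sso.get(REDIRECT) or sso.get(POST),
        "logout_url": slo.get(REDIRECT) or slo.get(POST),
        "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
    }


def cert_fingerprint(der):
    """SHA-256 over the DER bytes: the value to read back to Support over another channel."""
    return hashlib.sha256(der).hexdigest()


def check_idp_metadata(info):
    """Return the problems found; an empty list means every table row is covered."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["signing_certs"]:
        problems.append("no signing certificate: Skytap could not verify assertions")
    for key in ("login_url", "logout_url"):
        if not info[key]:
            problems.append("missing " + key)
        elif not info[key].startswith("https://"):
            problems.append(key + " is not HTTPS: " + info[key])
    if EMAIL_NAMEID not in info["nameid_formats"]:
        problems.append("IdP does not advertise the emailAddress NameID format")
    return problems


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def nameid_matches_login(nameid, nameid_format, login_name):
    """What the claim rule must produce: an emailAddress-format NameID equal to the
    user's Skytap login name. Case-insensitive comparison is an assumption here."""
    return (nameid_format == EMAIL_NAMEID
            and bool(EMAIL_RE.match(nameid))
            and nameid.casefold() == login_name.casefold())


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    for key in ("entity_id", "login_url", "logout_url"):
        print(key, "=", info[key])
    for b64 in info["signing_certs"]:
        print("signing cert sha256 =", cert_fingerprint(base64.b64decode(b64)))
    print("problems:", check_idp_metadata(info) or "none")
    print("claim check:", nameid_matches_login("JDoe@example.test", EMAIL_NAMEID, "jdoe@example.test"))
```

Two things the script deliberately does not do: it rejects metadata without an IDPSSODescriptor, which catches the common mistake of sending Skytap's own service provider metadata back to Support, and it treats the advertised NameIDFormat only as a hint. What the IdP actually puts in the NameID is decided by the claim rule, so the SAML tracer check in step 3 remains the real confirmation that the NameID arriving at Skytap is the user's email address.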

Editing SSO settings or disabling SSO for the customer account

To edit your account SSO settings
  1. Navigate to Admin > Security Policies.
  2. Click the Sign-on policy tab.


    From this tab, administrators can:

    • Disable Single Sign-on for the entire account. This prevents SSO-enabled users from signing in, and it deactivates sharing portals that use single sign-on. Before disabling SSO, make sure at least one administrator can sign in with a Skytap password, because SSO-enabled users have no password to fall back on.
    • Edit the Login path, Logout redirect URL, and Error redirect URL set up during the initial account configuration. See Enabling SSO for your customer account above.
    • Download Skytap Cloud service provider metadata and signing certificates.

Managing SSO-enabled user accounts

Users who are enabled for SSO don’t have Skytap passwords; their authentication is handled entirely by your IdP.

Enabling SSO on an existing user account

To switch an existing user’s account from password-based authentication to SSO authentication
  1. Navigate to the Edit User page for the user.


  2. In the user details, select Enable Single Sign-on.
  3. Verify that the user’s login name is a valid email address.
  4. Click Save.
  5. The user must validate the account change:
    1. Skytap Cloud sends a user activation email to the user. The user must click the activation button to activate the account.
    2. Skytap sends a second email to the user, with the Skytap sign in link for your account. The user clicks this link to initiate an SSO connection and sign into Skytap Cloud with his or her SSO credentials. Users can bookmark this URL for future access. For more information, see Signing into Skytap Cloud with SSO.

Creating new SSO-enabled user accounts

To create an SSO-enabled user

Create a user, following the instructions at Creating user accounts. During the account configuration step, select Enable Single Sign-on, and verify that the user’s login name is a valid email address.


The user must validate the account during a two-step process:

  1. Skytap Cloud sends a user activation email to the user. The user must click the activation button to activate the account.
  2. Skytap sends a second email to the user, with the Skytap sign in link for your account. The user clicks this link to initiate an SSO connection and sign into Skytap Cloud with his or her SSO credentials. Users can bookmark this URL for future access. For more information, see Signing into Skytap Cloud with SSO.

Disabling SSO on a user account

To disable SSO for a user account
  1. Navigate to the Edit User page for the user.


  2. In the user details, clear Enable Single Sign-on.
  3. Click Save.
  4. The user must validate the account change. Skytap Cloud sends the user a new activation email. The user must click the activation button to activate the account. After this, the user can use the sign-in page at https://cloud.skytap.com.

Signing into Skytap Cloud with SSO

After your account is enabled for SSO, Skytap Cloud generates a custom login path for your organization’s SSO-enabled users (for example: https://cloud.skytap.com/sso/yourcompanyname). The first time an SSO-enabled user signs in to Skytap Cloud, he or she must use this custom path.

This URL can be bookmarked or placed on an internal company portal for future access. The path itself can be changed on the Sign-on policy tab; see Editing SSO settings or disabling SSO for the customer account above.

When a user signs in through the custom path, Skytap Cloud sets a browser cookie that records which IdP the user belongs to. On later visits the user can start from the standard login page at https://cloud.skytap.com: Skytap Cloud reads the cookie to select the correct IdP and then validates the user’s credentials through that IdP. The cookie only identifies the IdP; it does not sign the user in, so authentication is still performed by the IdP on every sign-in.

If the user clears the browser cookies or uses a different browser or device, the cookie is gone and he or she must sign in through the custom login path again (example: https://cloud.skytap.com/sso/companyname).

Accessing sharing portals with SSO

After your account is enabled for SSO, sharing portals can be configured to be accessible via SSO sign in (in the Security section of the sharing portal configuration options).