You can integrate any SAML 2.0-compliant identity provider with CrashPlan. By default, you map an identity provider's username and email attributes to CrashPlan. For added security and flexibility, you can use SAML attributes in the Authentication tab of Identity Management to set the SAML 2.0 context and class references in your identity provider's SSO requests, as well as the digest and signature algorithms to use.
For valid values to enter, see Valid values for SAML attributes below.
Test SAML settings changes
Changes you make to SAML settings using the procedures in this article are made directly to the authentication provider settings in CrashPlan. Verify that they work properly in a test organization before using the SAML settings in production.
Default SAML settings
When you create a new authentication provider in CrashPlan, the default SAML request configuration settings are:
- Authentication context class reference: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
- Authentication context comparison: EXACT
- Authentication digest method: http://www.w3.org/2001/04/xmlenc#sha256
- Authentication signature method: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
For information on these settings, see Valid values for SAML attributes.
Edit SAML attributes
- Sign in to the CrashPlan console.
- Navigate to Administration > Integrations > Identity Management.
- Select an authentication provider in the Authentication tab.
- Click the Edit icon to the right of SAML attributes.
The Edit SAML attributes drawer appears.
- Enter values as described in the Valid values for SAML attributes section below, or as used by your identity provider.
Valid values for SAML attributes
Use the following fields in the Edit SAML attributes drawer to update SAML settings used by the CrashPlan authentication provider:
- Authentication context class reference
- Authentication context comparison
- Authentication digest method
- Authentication signature method
Authentication context class reference
This field maps to the authnContextClassRef attribute. It sets the context class reference to authenticate users. If this parameter is omitted, the AuthN Request will have no Context tag.
You can use any of the SAML 2.0 authentication context classes to authenticate users. The values listed in the table below are the most commonly used classes from the SAML 2.0 specification. Some identity providers define their own authentication classes that are not listed in the SAML 2.0 specification (for example, for multi-factor authentication); you can specify any such class reference as long as it is a correctly formatted URN.
The value supplied should have one of the following prefixes:
- urn:oasis:names:tc:SAML:2.0:ac:classes (SAML 2.0)
- urn:oasis:names:tc:SAML:1.2:ac:classes (SAML 1.2)
For example, to use the Password value for SAML 2.0, enter: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
For more information about SAML 2.0 authentication context classes, see the SAML 2.0 specification.
Valid values | Description |
---|---|
InternetProtocol | Provide an IP address. |
InternetProtocolPassword | Provide an IP address in addition to a username/password combination. |
Kerberos | Use a password to acquire a Kerberos ticket. |
MobileOneFactorUnregistered | Authenticate mobile devices without requiring explicit end-user interaction. |
MobileTwoFactorUnregistered | Authenticate mobile devices with two-factor based authentication. |
MobileOneFactorContract | Authenticate mobile devices through contract customer registration and single factor authentication. |
MobileTwoFactorContract | Authenticate mobile devices through contract customer registration and two-factor authentication. |
Password | (Default) Provide a password over an unprotected HTTP session. |
PasswordProtectedTransport | Provide a password over a protected HTTPS session. |
PreviousSession | Authenticate using a previously-used authentication context. |
X509 | Use a digital signature where the key was validated as part of an X.509 PKI. |
PGP | Use a digital signature where the key was validated as part of a PGP PKI. |
SPKI | Use a digital signature where the key was validated via an SPKI. |
XMLDSig | Use a digital signature according to the XML Digital Signature specification. |
Smartcard | Authenticate using a smartcard. |
SmartcardPKI | Authenticate using a smartcard with enclosed private key and a PIN. |
SoftwarePKI | Authenticate with an X.509 certificate stored in software. |
Telephony | Authenticate using a telephone number. |
NomadTelephony | Authenticate using a roaming telephone number such as a phone card. |
PersonalTelephony | Authenticate using a telephone number and a user suffix. |
AuthenticatedTelephony | Authenticate using a telephone number, a user suffix, and a password. |
SecureRemotePassword | Provide a Secure Remote Password. |
TLSClient | Provide a client certificate secured with the SSL/TLS protocol. |
TimeSyncToken | Provide a time synchronization token. |
Unspecified | Authenticate by using unspecified means. The server does not expect a particular authentication method. Instead the server will attempt to authenticate the user via its configured authn options. |
Authentication context comparison
This field maps to the authnContextComparison attribute. It specifies the comparison method used to evaluate the requested context class (AuthnContextClassRef). If this parameter is omitted, its value defaults to EXACT. When the parameter is specified, it must be populated with one of the Valid values listed in the table below.
For more information about the AuthnContextComparison method, see the SAML 2.0 specification.
Valid values | Description |
---|---|
EXACT | (Default) Must be the exact match of at least one of the authentication contexts specified. |
MINIMUM | Must be at least as strong (as deemed by the responder) as one of the authentication contexts specified. |
MAXIMUM | Must be as strong as possible (as deemed by the responder) without exceeding the strength of at least one of the authentication contexts specified. |
BETTER | Must be stronger (as deemed by the responder) than any one of the authentication contexts specified. |
Not Specified | Uses the default value EXACT. |
Authentication digest method
This field maps to the requestAuthnDigestMethod attribute. It specifies the hash algorithm used to compute the digest (checksum) of the SAML request contents, so that any modification of the request in transit can be detected. If this parameter is omitted, its value defaults to http://www.w3.org/2001/04/xmlenc#sha256. When the parameter is specified, it must be populated with one of the Valid values listed in the table below.
For more information about digest algorithms, see the W3 XML Security Algorithm Cross-Reference.
Valid values | Description |
---|---|
http://www.w3.org/2000/09/xmldsig#sha1 | SHA-1 digest algorithm |
http://www.w3.org/2001/04/xmlenc#sha256 | (Default) SHA-256 digest algorithm |
http://www.w3.org/2001/04/xmldsig-more#sha384 | SHA-384 digest algorithm |
http://www.w3.org/2001/04/xmlenc#sha512 | SHA-512 digest algorithm |
Authentication signature method
This field maps to the requestAuthnSignatureMethod attribute. It specifies the cryptographic signature algorithm applied to the digest of the SAML request contents. The signature algorithm should use the same hash as the digest algorithm; the signature method identifiers are the digest method names with a key-algorithm indicator (rsa-) prepended. If this parameter is omitted, its value defaults to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. When the parameter is specified, it must be populated with one of the Valid values listed in the table below.
For more information about signature algorithms, see the W3 XML Security Algorithm Cross-Reference.
Valid values | Description |
---|---|
http://www.w3.org/2000/09/xmldsig#rsa-sha1 | RSA-SHA1 signature algorithm |
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | (Default) RSA-SHA256 signature algorithm |
http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 | RSA-SHA384 signature algorithm |
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 | RSA-SHA512 signature algorithm |
Troubleshooting
AADSTS75011 error in Azure
When signing in to CrashPlan using Azure for SSO, you may receive the following error message:
Error - AADSTS75011 Authentication method by which the user authenticated with the service doesn't match requested authentication method AuthnContextClassRef.
This error occurs when the authentication method by which the user authenticated with the Azure instance doesn't match the requested authentication method set in CrashPlan in the authentication context class reference field (AuthnContextClassRef). For example, this can occur when the "Password" value is set in CrashPlan, and the Azure instance uses the "Multifactor" value. For more information about the error, see the Microsoft documentation.
To resolve the issue, edit the SAML attributes to delete the value in the Authentication context class reference field. A blank string in the field allows Azure to use the authentication method it is already configured to use.
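As an added example (not CrashPlan's code; the article shows none), the following Python checks a set of the four attribute values from the Valid values sections for the consistency the article describes (URN prefix, comparison keyword, digest and signature methods built on the same hash), renders the RequestedAuthnContext fragment an AuthnRequest built from them would carry, and models the EXACT-comparison mismatch behind the AADSTS75011 error above. The function names and the sample "Multifactor" URN in the usage are the example's own.

```python
"""Added example, not CrashPlan's code: check the four SAML attribute values and render RequestedAuthnContext."""
import xml.etree.ElementTree as ET

CLASS_PREFIXES = ("urn:oasis:names:tc:SAML:2.0:ac:classes:",
                  "urn:oasis:names:tc:SAML:1.2:ac:classes:")
# Console value -> lower-case form used by the SAML 2.0 Comparison attribute.
COMPARISONS = {"EXACT": "exact", "MINIMUM": "minimum",
               "MAXIMUM": "maximum", "BETTER": "better"}
# Digest URI -> the signature URI built on the same hash (article tables; rsa- prefix added).
DIGEST_TO_SIGNATURE = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"

def validate(class_ref, comparison, digest, signature):
    """Return the list of problems found; an empty list means the settings are consistent."""
    problems = []
    if class_ref and not class_ref.startswith(CLASS_PREFIXES):
        problems.append("class reference must start with a SAML 2.0 or 1.2 ac:classes URN")
    if comparison not in COMPARISONS:
        problems.append("comparison must be EXACT, MINIMUM, MAXIMUM or BETTER")
    if digest not in DIGEST_TO_SIGNATURE:
        problems.append("unknown digest method")
    elif DIGEST_TO_SIGNATURE[digest] != signature:
        problems.append("signature method hash does not match digest method")
    if digest.endswith("#sha1"):
        problems.append("SHA-1 is deprecated for XML signatures; use SHA-256 or stronger")
    return problems

def requested_authn_context(class_ref, comparison="EXACT"):
    """Render <samlp:RequestedAuthnContext>; None for a blank class_ref (request has no Context tag)."""
    if not class_ref:
        return None
    ET.register_namespace("samlp", NS_P)
    ET.register_namespace("saml", NS_A)
    rac = ET.Element(f"{{{NS_P}}}RequestedAuthnContext", Comparison=COMPARISONS[comparison])
    ET.SubElement(rac, f"{{{NS_A}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(rac, encoding="unicode")

def exact_context_mismatch(requested_class_ref, asserted_class_ref):
    """Model the AADSTS75011 condition: under EXACT comparison the IdP must authenticate with
    exactly the requested class; a blank request (the article's fix) never mismatches."""
    return bool(requested_class_ref) and requested_class_ref != asserted_class_ref
```

Passing the console's default values (Password, EXACT, sha256, rsa-sha256) to validate() returns no problems; swapping in a rsa-sha512 signature with a sha256 digest reports the hash mismatch.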
External resources
- Wikipedia: SAML 2.0
- OASIS (official home of SAML)
- W3 XML Security Algorithm Cross-Reference