Set SAML attributes for SSO in CrashPlan

This article applies to CrashPlan Professional, Enterprise, and MSPs.

You can integrate any SAML 2.0-compliant identity provider with CrashPlan. By default, you map an identity provider's username and email attributes to CrashPlan. For added security and flexibility, you can use SAML attributes in the Authentication tab of Identity Management to set the SAML 2.0 context and class references in your identity provider's SSO requests, as well as the digest and signature algorithms to use. 

For valid values to enter, see Valid values for SAML attributes below.

Test SAML settings changes

Changes you make to SAML settings using the procedures in this article are made directly to the authentication provider settings in CrashPlan. Ensure you verify that they work properly in a test organization first before using the SAML settings in production.

Default SAML settings

When you create a new authentication provider in CrashPlan, the default SAML request configuration settings are:

  • Authentication context class reference: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
  • Authentication context comparison: EXACT
  • Authentication digest method: http://www.w3.org/2001/04/xmlenc#sha256
  • Authentication signature method: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 

For information on these settings, see Valid values for SAML attributes below.

Edit SAML attributes

  1. Sign in to the CrashPlan console.
  2. Navigate to Administration > Integrations > Identity Management.
  3. Select an authentication provider in the Authentication tab.
  4. Click the Edit icon to the right of SAML attributes.
    The Edit SAML attributes drawer appears.
  5. Enter values as described in the Valid values for SAML attributes section below, or as used by your identity provider. 

Valid values for SAML attributes

Use the following fields in the Edit SAML attributes drawer to update SAML settings used by the CrashPlan authentication provider:

Authentication context class reference

This field maps to the authnContextClassRef attribute. It sets the authentication context class reference that CrashPlan requests when authenticating users. If this parameter is omitted, the AuthnRequest carries no authentication context element.

You can use any of the SAML 2.0 authentication context classes to authenticate users. The values listed below are the ones most commonly used from the SAML 2.0 specification. Some identity providers define their own authentication context classes that are not in the SAML 2.0 specification (for example, for multi-factor authentication); you can specify any such class reference as long as it is a correctly formatted URN.

The value supplied should have one of the following prefixes:

  • urn:oasis:names:tc:SAML:2.0:ac:classes (SAML 2.0) or
  • urn:oasis:names:tc:SAML:1.2:ac:classes (SAML 1.2)

For example, to use the Password value for SAML 2.0, enter: urn:oasis:names:tc:SAML:2.0:ac:classes:Password

For more information about SAML 2.0 authentication context classes, see the SAML 2.0 specification.  

Valid values:

  • InternetProtocol: Provide an IP address.
  • InternetProtocolPassword: Provide an IP address in addition to a username/password combination.
  • Kerberos: Use a password to acquire a Kerberos ticket.
  • MobileOneFactorUnregistered: Authenticate mobile devices without requiring explicit end-user interaction.
  • MobileTwoFactorUnregistered: Authenticate mobile devices with two-factor authentication.
  • MobileOneFactorContract: Authenticate mobile devices through contract customer registration and single-factor authentication.
  • MobileTwoFactorContract: Authenticate mobile devices through contract customer registration and two-factor authentication.
  • Password (Default): Provide a password over an unprotected HTTP session.
  • PasswordProtectedTransport: Provide a password over a protected HTTPS session.
  • PreviousSession: Authenticate using a previously used authentication context.
  • X509: Use a digital signature where the key was validated as part of an X.509 PKI.
  • PGP: Use a digital signature where the key was validated as part of a PGP PKI.
  • SPKI: Use a digital signature where the key was validated via an SPKI.
  • XMLDSig: Use a digital signature according to the XML Digital Signature specification.
  • Smartcard: Authenticate using a smartcard.
  • SmartcardPKI: Authenticate using a smartcard with an enclosed private key and a PIN.
  • SoftwarePKI: Authenticate with an X.509 certificate stored in software.
  • Telephony: Authenticate using a telephone number.
  • NomadTelephony: Authenticate using a roaming telephone number such as a phone card.
  • PersonalTelephony: Authenticate using a telephone number and a user suffix.
  • AuthenticatedTelephony: Authenticate using a telephone number, a user suffix, and a password.
  • SecureRemotePassword: Provide a Secure Remote Password.
  • TLSClient: Provide a client certificate secured with the SSL/TLS protocol.
  • TimeSyncToken: Provide a time synchronization token.
  • Unspecified: Authenticate by unspecified means. The server does not expect a particular authentication method; instead it attempts to authenticate the user via its configured authn options.


Authentication context comparison

This field maps to the authnContextComparison attribute. It specifies the comparison method used to evaluate the requested context class (AuthnContextClassRef). If this parameter is omitted, its value defaults to EXACT. When the parameter is specified, it must be populated with one of the valid values listed below.

For more information about the AuthnContextComparison method, see the SAML 2.0 specification.

Valid values:

  • EXACT (Default): Must be the exact match of at least one of the authentication contexts specified.
  • MINIMUM: Must be at least as strong (as deemed by the responder) as one of the authentication contexts specified.
  • MAXIMUM: Must be as strong as possible (as deemed by the responder) without exceeding the strength of at least one of the authentication contexts specified.
  • BETTER: Must be stronger (as deemed by the responder) than any one of the authentication contexts specified.
  • Not specified: Uses the default value EXACT.


Authentication digest method

This field maps to the requestAuthnDigestMethod attribute. It selects the digest algorithm used to compute a checksum of the SAML request contents, so that any edit in transit can be detected. If this parameter is omitted, its value defaults to http://www.w3.org/2001/04/xmlenc#sha256. When the parameter is specified, it must be populated with one of the valid values listed below.

For more information about digest algorithms, see the W3 XML Security Algorithm Cross-Reference.

Valid values:

  • http://www.w3.org/2000/09/xmldsig#sha1: SHA-1 digest algorithm
  • http://www.w3.org/2001/04/xmlenc#sha256 (Default): SHA-256 digest algorithm
  • http://www.w3.org/2001/04/xmldsig-more#sha384: SHA-384 digest algorithm
  • http://www.w3.org/2001/04/xmlenc#sha512: SHA-512 digest algorithm


Authentication signature method

This field maps to the requestAuthnSignatureMethod attribute. It selects the cryptographic signature algorithm applied to the checksum of the SAML request contents. The signature algorithm should use the same hash as the digest algorithm; the valid values are the RSA variants of the digest algorithms above (rsa-sha256 with sha256, and so on). If this parameter is omitted, its value defaults to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. When the parameter is specified, it must be populated with one of the valid values listed below.

For more information about signature algorithms, see the W3 XML Security Algorithm Cross-Reference.

Valid values:

  • http://www.w3.org/2000/09/xmldsig#rsa-sha1: RSA-SHA1 signature algorithm
  • http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 (Default): RSA-SHA256 signature algorithm
  • http://www.w3.org/2001/04/xmldsig-more#rsa-sha384: RSA-SHA384 signature algorithm
  • http://www.w3.org/2001/04/xmldsig-more#rsa-sha512: RSA-SHA512 signature algorithm
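The four settings above (context class reference, context comparison, digest method and signature method) follow a few simple rules that are easy to get wrong when typed by hand. The Python example below is added here and is not CrashPlan code: it validates a set of values before they are saved, flags a SHA-1 choice, renders the RequestedAuthnContext element that an AuthnRequest built from those settings carries, and computes the request digest under the chosen digest method. The setting names are the attributes this article documents; DEFAULTS mirrors the article's default values, and the helper functions are assumptions written for this demonstration.

```python
"""Check CrashPlan-style SAML attributes for consistency and show what
they put into the AuthnRequest.

Added example, not CrashPlan code. The four setting names are the
attributes this article documents; validate_saml_attributes(),
render_requested_authn_context() and digest_request() are hypothetical
helpers written for this demonstration.
"""
import hashlib
from xml.sax.saxutils import escape

CLASS_REF_PREFIXES = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:",  # SAML 2.0
    "urn:oasis:names:tc:SAML:1.2:ac:classes:",  # SAML 1.2, as listed in the article
)
COMPARISONS = ("EXACT", "MINIMUM", "MAXIMUM", "BETTER")

# Digest method URI -> hashlib algorithm name
DIGEST_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}
# Signature method URI -> hash the RSA signature is computed over
SIGNATURE_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "sha512",
}
# The article's defaults for a new authentication provider
DEFAULTS = {
    "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "authnContextComparison": "EXACT",
    "requestAuthnDigestMethod": "http://www.w3.org/2001/04/xmlenc#sha256",
    "requestAuthnSignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
}


def validate_saml_attributes(settings):
    """Return (errors, warnings); empty errors means the values are acceptable.
    Unset fields take the article's defaults."""
    s = {**DEFAULTS, **settings}
    errors, warnings = [], []

    ref = s["authnContextClassRef"]
    # Blank is legal: the AuthnRequest then carries no RequestedAuthnContext
    # (the article's fix for the Azure AADSTS75011 mismatch).
    if ref and any(ch.isspace() for ch in ref):
        errors.append("authnContextClassRef must be a single URN without whitespace")
    elif ref and not ref.startswith(CLASS_REF_PREFIXES):
        warnings.append(f"authnContextClassRef {ref!r} is outside the SAML ac:classes "
                        "namespace; valid only if your identity provider defines it")
    elif ref and ref.endswith(":"):
        errors.append("authnContextClassRef has a prefix but no class name")

    if s["authnContextComparison"].upper() not in COMPARISONS:
        errors.append(f"authnContextComparison must be one of {COMPARISONS}, "
                      f"got {s['authnContextComparison']!r}")

    digest_uri, sig_uri = s["requestAuthnDigestMethod"], s["requestAuthnSignatureMethod"]
    if digest_uri not in DIGEST_METHODS:
        errors.append(f"unsupported digest method: {digest_uri}")
    if sig_uri not in SIGNATURE_METHODS:
        errors.append(f"unsupported signature method: {sig_uri}")
    if digest_uri in DIGEST_METHODS and sig_uri in SIGNATURE_METHODS:
        d, g = DIGEST_METHODS[digest_uri], SIGNATURE_METHODS[sig_uri]
        if d != g:  # the article: signature method should match the digest method
            errors.append(f"signature method uses {g} but digest method is {d}; "
                          "choose the RSA variant of the same hash")
        if "sha1" in (d, g):
            warnings.append("SHA-1 is accepted but deprecated for XML signatures; "
                            "prefer SHA-256 or stronger")
    return errors, warnings


def render_requested_authn_context(settings):
    """The RequestedAuthnContext element as it appears in the AuthnRequest,
    or "" when the class reference is blank. SAML 2.0 spells the
    Comparison attribute in lowercase."""
    s = {**DEFAULTS, **settings}
    ref = s["authnContextClassRef"]
    if not ref:
        return ""
    comparison = s["authnContextComparison"].lower()
    return (f'<samlp:RequestedAuthnContext Comparison="{comparison}">'
            f"<saml:AuthnContextClassRef>{escape(ref)}</saml:AuthnContextClassRef>"
            "</samlp:RequestedAuthnContext>")


def digest_request(request_bytes, digest_method_uri):
    """Hex digest of the request body under the configured digest method."""
    return hashlib.new(DIGEST_METHODS[digest_method_uri], request_bytes).hexdigest()


if __name__ == "__main__":
    # Constructed settings: SHA-512 signature against the default SHA-256 digest.
    proposed = {"requestAuthnSignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"}
    errors, warnings = validate_saml_attributes(proposed)
    print("errors:", errors)
    print("warnings:", warnings)
    print(render_requested_authn_context({}))
```

The blank class reference is deliberately treated as valid rather than as a missing field, because the Troubleshooting section relies on it to let the identity provider pick its own authentication method.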


Troubleshooting

AADSTS75011 error in Azure

When signing in to CrashPlan using Azure for SSO, you may receive the following error message:

Error - AADSTS75011 Authentication method by which the user authenticated with the service doesn't match requested authentication method AuthnContextClassRef. 

This error occurs when the authentication method by which the user authenticated with the Azure instance doesn't match the requested authentication method set in CrashPlan in the authentication context class reference field (AuthnContextClassRef). For example, this can occur when the "Password" value is set in CrashPlan, and the Azure instance uses the "Multifactor" value. For more information about the error, see the Microsoft documentation.

To resolve the issue, edit the SAML attributes to delete the value in the Authentication context class reference field. A blank string in the field allows Azure to use the authentication method it is already configured to use.
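To see why the mismatch arises, it helps to compare the class reference CrashPlan requests with the one the identity provider actually asserts in its SAML Response. The Python example below is added here and is not CrashPlan or Microsoft code: it parses a constructed SAML Response, extracts the asserted AuthnContextClassRef, and reports a mismatch when the configured value is Password but the provider authenticated with a multi-factor class, and "not-requested" once the field is blank, which is the fix this section describes. SAMPLE_RESPONSE and its multi-factor class URN are constructed stand-ins, not values a real provider sends.

```python
"""Diagnose an AuthnContextClassRef mismatch of the kind behind Azure's
AADSTS75011 error by comparing the configured request value with what
the identity provider's SAML Response asserts.

Added example, not CrashPlan or Microsoft code. SAMPLE_RESPONSE is a
constructed, unsigned SAML Response; SAMPLE_MFA_CLASS is a made-up
stand-in for an IdP-specific multi-factor context class.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
# Constructed stand-in for an IdP-specific MFA context class (not a real URN).
SAMPLE_MFA_CLASS = "urn:example:idp:ac:classes:Multifactor"

# Constructed response: the IdP authenticated the user with MFA, not a password.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed-response" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_constructed-assertion" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{SAMPLE_MFA_CLASS}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def asserted_class_refs(response_xml):
    """Every AuthnContextClassRef carried by the response's assertions."""
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [el.text.strip() for el in root.iterfind(path, NS) if el.text]


def diagnose_authn_context(response_xml, requested_class_ref, comparison="EXACT"):
    """Classify the response against the configured request settings.

    Returns one of:
      "not-requested"  blank class reference: no RequestedAuthnContext is sent,
                       so the IdP's own method is accepted (the article's fix);
      "missing"        the response asserts no AuthnContextClassRef at all;
      "idp-evaluated"  MINIMUM/MAXIMUM/BETTER rank strength as the responder
                       sees it, which cannot be reproduced locally;
      "match" / "mismatch"  for an EXACT comparison.
    """
    if not requested_class_ref:
        return "not-requested"
    asserted = asserted_class_refs(response_xml)
    if not asserted:
        return "missing"
    if comparison.upper() != "EXACT":
        return "idp-evaluated"
    return "match" if requested_class_ref in asserted else "mismatch"


if __name__ == "__main__":
    asserted = asserted_class_refs(SAMPLE_RESPONSE)
    for configured in (PASSWORD_CLASS, ""):
        verdict = diagnose_authn_context(SAMPLE_RESPONSE, configured)
        print(f"configured={configured or '<blank>'}  asserted={asserted}  -> {verdict}")
```

Run as-is, the script reports "mismatch" for the default Password value and "not-requested" once the field is blank; in production the same check belongs after signature validation of the response, not before it.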
