How to provision users to CrashPlan from Okta

This article applies to CrashPlan Enterprise and MSPs.

Overview

Provisioning automatically adds and deactivates users in your CrashPlan environment as well as assigns users roles and permissions. This article explains how to connect Okta provisioning and CrashPlan. Once configured, CrashPlan automatically adds, updates, and removes users based on syncs from Okta to CrashPlan.

This article assumes you are familiar with the concept of provisioning. To learn more, see our introduction to provisioning. If you want to add Okta as an authentication provider, see Configure Okta for SSO in your CrashPlan cloud environment.

Considerations

  • You must have a role with Identity Management Administrator permissions or greater to configure this setting for an organization.

  • To enable Okta's provisioning in CrashPlan, your Okta environment must be licensed for the Lifecycle Management feature. If you are not licensed for the feature, you can still use Okta for authentication.  
  • Configure your private network, Internet, and VPN settings to allow client devices to communicate with your provisioning provider on port 443. Test client connectivity to the provisioning provider before you proceed.
  • Local users cannot be created, updated, or deleted from the provisioning provider. These users can only be managed in the CrashPlan console. 

User Provisioning 

The following user provisioning features are available in the CrashPlan Okta application in the cloud. For more information on these provisioning features, see Okta's documentation.

Supported 

  • Create Users: New users created in Okta are also created in CrashPlan
  • Deactivate users: Deactivating the user in Okta deactivates the user in CrashPlan
    Note: For the CrashPlan application, deactivating a user means removing the user's account and placing the user's data into cold storage. Learn more about deactivating a user. By default, there is a 15-minute delay before CrashPlan deactivates a user.
  • Push groups: Adds groups and users from Okta to CrashPlan
  • Update user attributes: Okta updates users' profiles. Okta profile values overwrite any changes made in CrashPlan.

Not Supported 

  • Import users from CrashPlan to Okta
  • Password sync

Deactivate users

There are a few special considerations when deactivating users. 

Deactivation delay

When a provisioning provider sends an update to deactivate a user, CrashPlan waits 15 minutes before deactivating the user. This helps protect against moving users' backup archives into cold storage if the users are accidentally deactivated in the provisioning provider. You can adjust the delay time in the CrashPlan console. Note that the delay only applies when deactivating users using provisioning. When you manually deactivate users in the CrashPlan console, there is no delay.

Okta suspended state

You can suspend users via Okta. Suspended users cannot sign in to the CrashPlan console or CrashPlan apps on their devices. However, suspending users does not deauthorize them (sign them out of the CrashPlan app) if they are currently signed in.

When you suspend users in Okta, you must go to the CrashPlan console and manually block those users. Blocking users signs them out, and prevents them from signing back in to the CrashPlan apps on their devices. 

Users on legal hold cannot be deactivated

If you place users under legal hold, the provisioning provider cannot deactivate them. Their data is retained for the legal hold process. Users are blocked instead of deactivated. Once you release users from legal hold, they are automatically deactivated.

Before you begin

Determine how you want to map users from the provisioning provider to CrashPlan organizations. To learn more, see our introduction to provisioning article. There are several ways to map users to a CrashPlan organization: 

Create new users in a CrashPlan organization

Assigns all users to the same CrashPlan organization. New users are moved to this organization. Users that are subsequently moved outside of this organization remain in their new organization. 

 Example use case

Use this option if you use a single organization to manage users in the CrashPlan console.

Map users to organizations based on the provider's "c42OrgName" attribute  

Creates new organizations or assigns users to existing organizations based on the value for the user attribute c42OrgName. This value becomes the name for the CrashPlan org. This attribute is managed on the provisioning provider. 

 Example use case

Use this method if you wish to manage users in the provisioning provider (and not in the CrashPlan console). Whatever is the value for this attribute becomes the name for the CrashPlan org. CrashPlan creates new organizations or assigns users to existing organizations based on the value. 

Map users to organizations using SCIM groups

Assigns users to CrashPlan organizations based on their SCIM group. If you choose this option, create organizations in the CrashPlan console before you begin.

 Example use case

Use this mapping if your users are already assigned to SCIM groups. For example, a user is part of two different SCIM groups: an executive group and a UK group. You want this user's backup policies to match the other executives in your company, so this user should be assigned to the same CrashPlan organization as the other executives. In the CrashPlan console, you can choose the executive group to take priority over the UK group. This way you can place all of the executives in your company in the same organization and ensure they have the same backup policies.

Compare methods

| Method | Automatically creates organizations in CrashPlan | Requires you to create CrashPlan organizations before you begin | Requires your provider to send SCIM groups to CrashPlan |
|---|---|---|---|
| Create new users in a CrashPlan organization | | x | |
| Map all users to organizations based on the provider's "c42OrgName" attribute | x | | |
| Map users to organizations using SCIM groups | | x | x |


Step 1: Create CrashPlan organizations

This step is only required if you choose to use the Single Organization or Custom SCIM mapping methods. The "c42OrgName" attribute and Custom attribute methods create CrashPlan organizations automatically. 

  1. Sign in to the CrashPlan console
  2. Click Administration > Environment > Organizations. 
  3. Select the Add an organization icon and enter a name. 
    This method adds the organization under the default organization.
  4. To add a child organization
    1. Select the organization. 
    2. Click the action menu in the upper-right corner. 
    3. Choose Add a child organization
  5. Repeat until you have added all of your organizations.

Step 2: Add a provisioning provider in the CrashPlan console

  1. In the CrashPlan console, navigate to Administration > Integrations > Identity Management.
  2. Select the Provisioning tab.
  3. Click Add Provisioning Provider and select Add SCIM Provider from the menu.
    The Add SCIM provisioning provider dialog is displayed.
  4. Enter a display name, and for Authentication credential type select API credentials (default).
    You must select API credentials for use with Okta provisioning.
  5. Click Next
  6. The SCIM Provider Created message appears. Leave this message open. You need this information for the next step in the provisioning provider setup.
    After you have used the information here for provisioning provider setup, click Done.

Step 3: Add the Okta application for CrashPlan

  1. Sign in to your Okta dashboard.
  2. Add the CrashPlan application.
    Note: There are two CrashPlan apps on Okta's website. Add the CrashPlan app, which is used for cloud CrashPlan environments. The CrashPlan Single Tenant app is used in single-tenant cloud environments.
  3. Configure the general settings, and click Next

 Wait to assign people or groups to Okta’s CrashPlan application

Do not assign people to Okta's CrashPlan application yet. First complete the organization mapping (Step 7) and role mapping (Step 8). If you assign people to the CrashPlan application before you configure mapping, Okta cannot automatically map users to CrashPlan organizations and roles, and you must manually provision the unprovisioned users later.


Step 4: Configure Okta's provisioning tab

  1. In the Okta dashboard, select the Provisioning tab of the CrashPlan app. 
  2. Click Configure API Integration
  3. Select Enable API Integration.
  4. Enter the Base URL, Username, and Password generated from the CrashPlan console (Step 2). 
  5. Click Test API Credentials.
    A success message appears. 
  6. Click Save
  7. Under Settings, click To App. 
  8. Select Edit
  9. Enable the following settings: 
    • Create Users
    • Update User Attributes
    • Deactivate User
  10. Click Save.
  11. Add additional attributes if needed in the CrashPlan Attribute Mappings section. 
    For example, if you would like to display user information for employees, you must first add the attributes to the CrashPlan app in Okta. For reference information about attribute mapping, see Okta's documentation.
    1. In the Provisioning tab of the CrashPlan app, scroll to the CrashPlan Attribute Mappings section. 
    2. Click Go to Profile Editor.
    3. Click Add Attribute
    4. Add the following supported attributes. After adding each one, click Save and Add Another.
      • Country

        • Data type: country code
          Country codes mapped to CrashPlan must be valid 2-character codes. To convert non-2 character codes to 2-character codes, see Okta's documentation.
        • Display name: Country
        • Variable name: country
        • External name: addresses.^[primary==true].country
        • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
      • Department

        • Display name: Department
        • Variable name: department
        • External name: department
        • External namespace: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
      • Division

        • Display name: Division
        • Variable name: division
        • External name: division
        • External namespace: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
      • Locality

        • Display name: Locality
        • Variable name: locality
        • External name:  addresses.^[primary==true].locality
        • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
      • Region

        • Display name: Region
        • Variable name: region
        • External name: addresses.^[primary==true].region
        • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
      • Title

        • Display name: Title
        • Variable name: title
        • External name: title
        • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
      • UserType

        • Display name: UserType
        • Variable name: usertype
        • External name: usertype
        • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
    5. When finished adding the last attribute, click Save.
    6. While still in the Profile Editor, map an Okta value to each CrashPlan attribute by clicking Mappings and selecting Okta User to CrashPlan. When done, click Save Mappings.
      Note the following:
        • Username should be a syntactically valid email address value. Primary email should be a syntactically valid value identical to Username.
        • Some Okta values may not have the same name as the CrashPlan attributes:
          • Map the city value in Okta to the Locality attribute in CrashPlan.
          • Map the state value in Okta to the Region attribute in CrashPlan.
  12. Push attributes for existing users to CrashPlan.
    1. Return to the Provisioning tab of the CrashPlan app.
    2. In the navigation pane on the left, select Settings > To App. 
    3. Under CrashPlan Attribute Mappings, click Force Sync
    4. Check the Identity Management Sync Log for the attributes pushed to CrashPlan.
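
The Step 4 attribute mappings resolved against a SCIM 2.0 User payload, with the Username, primary email and country rules checked before a push. This is an added example, not CrashPlan's or Okta's code; it assumes the `^[primary==true]` selector picks the first list element whose primary flag is true, and the sample payload is constructed.

```python
import re

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# (variable name, external name, external namespace) as listed in Step 4.
MAPPINGS = [
    ("country", "addresses.^[primary==true].country", CORE),
    ("department", "department", ENTERPRISE),
    ("division", "division", ENTERPRISE),
    ("locality", "addresses.^[primary==true].locality", CORE),
    ("region", "addresses.^[primary==true].region", CORE),
    ("title", "title", CORE),
    ("usertype", "usertype", CORE),
]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # syntax check only
SELECTOR_RE = re.compile(r"^(\w+)\.\^\[(\w+)==true\]\.(\w+)$")

def _get(obj, name):
    """Case-insensitive key lookup; SCIM attribute names are case-insensitive."""
    items = obj.items() if isinstance(obj, dict) else ()
    return next((v for k, v in items if k.lower() == name.lower()), None)

def resolve(user, external_name, namespace):
    """Return the value an external name points at in a SCIM User, or None."""
    # Core attributes sit at the top level of the resource; extension
    # attributes are nested under a key equal to the extension schema URN.
    root = user if namespace == CORE else _get(user, namespace)
    m = SELECTOR_RE.match(external_name)
    if not m:
        return _get(root, external_name)
    list_attr, flag, leaf = m.groups()
    # Assumption: the selector means "first list element whose flag is true".
    for item in _get(root, list_attr) or []:
        if _get(item, flag) is True:
            return _get(item, leaf)
    return None

def check_user(user):
    """Return (resolved attributes, problems) for one SCIM User payload."""
    attrs = {var: resolve(user, ext, ns) for var, ext, ns in MAPPINGS}
    problems = []
    username = str(_get(user, "userName") or "")
    if not EMAIL_RE.match(username):
        problems.append("userName is not a syntactically valid email address")
    if resolve(user, "emails.^[primary==true].value", CORE) != username:
        problems.append("primary email is not identical to userName")
    country = attrs["country"]
    if country is not None and not re.fullmatch(r"[A-Za-z]{2}", str(country)):
        problems.append("country is not a 2-character code")
    return attrs, problems

SAMPLE = {  # constructed payload, not captured from Okta or CrashPlan
    "schemas": [CORE, ENTERPRISE],
    "userName": "john_doe@example.com",
    "emails": [{"value": "john_doe@example.com", "primary": True}],
    "title": "Analyst", "userType": "Employee",
    "addresses": [
        {"primary": False, "country": "DE", "locality": "Berlin"},
        {"primary": True, "country": "USA", "locality": "Minneapolis", "region": "MN"}],
    ENTERPRISE: {"department": "Finance", "division": "EMEA"},
}

if __name__ == "__main__":
    print(check_user(SAMPLE))
```

The sample's three-letter country value is flagged, which is the case the Country data type note in Step 4 describes.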

 Add the Manager attribute

Use of the Manager attribute from Okta requires additional setup. To add the Manager attribute, contact your Customer Success Manager (CSM) to engage our Professional Services team.

(Optional) Step 5: Edit deactivation delay

In the CrashPlan console, view the provisioning provider details and select Deactivation Delay

The deactivation delay determines how long CrashPlan waits to deactivate a user after syncing with the provisioning provider. To learn more about user deactivation, see Deactivate and reactivate users and devices.

Although CrashPlan may be configured to wait, CrashPlan does immediately block a user once it receives a deactivation update from the provisioning provider. Blocking a user means they can no longer sign in to CrashPlan apps, but their devices continue to back up. The delay helps prevent accidentally deactivating a user and removing their backup archive. If you need to cancel a pending user deactivation during the delay period, unblock the user.

Step 6: Push SCIM groups from Okta to CrashPlan

SCIM groups pushed to CrashPlan are used to map users to organizations and roles. If you are not using groups, continue to the next step.

To push SCIM groups from Okta:

  1. From the Okta dashboard, go to Applications.
  2. Open the CrashPlan application.
  3. Click the Push Groups tab.
  4. Select Push Groups.
    See Okta's documentation for more details.

 Apply changes after mapping SCIM groups

If you want to map SCIM groups to CrashPlan organizations in Step 7 or roles in Step 8, you must first push or provision SCIM groups and their users to CrashPlan so they are available in the CrashPlan console. 

However, this means that initially the users are provisioned in the default organization and are assigned default roles rather than the ones you want to map them to. To move these users to the desired organizations and roles, ensure that you map SCIM groups to organizations (Step 7) and roles (Step 8) and then apply the mappings using the Apply Org and Role Settings action. 

Step 7: Choose an organization mapping method

The mapping method determines how CrashPlan assigns users to organizations. Organizations are used to set backup policies and permissions for users in your CrashPlan environment. To change the method, go to Organization Mapping, and click Add Organization Mapping or the edit icon. 

The Edit Organization Mapping Method dialog is displayed.

In the Edit Organization Mapping Method dialog, choose one of the following mapping methods:

Create new users in an organization

Assigns all users to the same CrashPlan organization.

  1. In Edit Organization Mapping Method, choose Create new users in the organization below
  2. Select an existing organization to map all users to. 

Map users to organizations based on the provider's "c42OrgName" attribute

Creates new organizations or assigns users to existing organizations based on the value for the user attribute c42OrgName.

  1. In Edit Organization Mapping Method, choose Map users to organization based on the provider's "c42OrgName" attribute
  2. Choose an organization where unmapped users will be assigned. Unmapped users are users who do not have the c42OrgName attribute.  

Map users to organizations using SCIM groups

Assigns users to CrashPlan organizations based on their SCIM group. You can also choose the priority of which organization a user is mapped to if they belong to two or more groups.

  1. In Edit Organization Mapping Method, choose Map users to organizations using SCIM groups.
  2. Choose an organization where unmapped users will be assigned. Unmapped users are users who either do not belong to a group or their group is not mapped. 
  3. Click Save
    The group mapping appears. 
  4. Click Add Mapping.
  5. Select one or more SCIM groups.
  6. From Select a CrashPlan organization, choose an organization from the menu. 
  7. Click Save
    The mapping appears on the Provisioning Provider details page. 
  8. Repeat until all of your SCIM groups have been mapped to CrashPlan organizations. 
    The message All SCIM groups are mapped appears.
  9. (Optional) Adjust the priority of each mapping. This is useful for users who belong to more than one SCIM group. 

There are no SCIM groups available

This message appears if SCIM groups have not been synced with the CrashPlan console. Push groups to the CrashPlan console to begin organization mapping. 

 Wait to assign people or groups to the CrashPlan application in the provisioning provider

Do not assign people to the CrashPlan application in the provisioning provider yet. Wait until after you have completed the organization mapping and role mapping. If you assign people to the CrashPlan application before you configure mapping, the users are not automatically mapped to CrashPlan organizations and roles.  

 If you assigned people to the app before you configured mapping, you must manually provision the unprovisioned users later.

Step 8: Configure role mapping

Role mapping allows you to automatically assign CrashPlan roles and permissions to provisioned users based on their SCIM group. Learn more about CrashPlan roles and permissions. Users who are not mapped inherit the default roles for their organization. 

 SCIM Groups

Role Mapping is only available if you are using SCIM groups

  1. Click the Edit icon to the right of Role Mapping.
    The Edit Role Mapping dialog appears.
  2. To map SCIM groups, select Map SCIM groups to CrashPlan roles.
    If you do not want to manage roles with SCIM groups, select Manually to manage roles in CrashPlan.
  3. Click Save.
    An Add Mapping button appears under Role Mapping.
  4. Click Add Mapping
    The Add Role Mapping dialog appears.
  5. Select a SCIM group from the dropdown. 
    Only groups that have not been mapped appear in the dropdown.
  6. Choose one or more roles from the list to apply to this SCIM group. Learn more about CrashPlan roles and permissions.

 Basic Roles

Include the roles Desktop User and PROe User for all users who are backing up their computers to CrashPlan. These roles allow users to sign in to CrashPlan apps and the CrashPlan console. If you are giving external groups access to your CrashPlan environment (for example, outside legal counsel) they do not need these roles.

  7. Click Add
    The role mapping appears under the provisioning provider detail. 
  8. Repeat until all of your SCIM groups have been mapped to CrashPlan organizations. 
    The message All SCIM groups are mapped appears. 

There are no SCIM groups available

This message appears if SCIM groups have not been synced with the CrashPlan console. Push groups to the CrashPlan console to begin role mapping. 

Step 9: Assign the CrashPlan application to users or groups in Okta

Users will not appear in CrashPlan until you assign them the CrashPlan app in Okta. Create a test user in Okta and assign the CrashPlan app to the test user before assigning the app to all users or groups. Once you assign the CrashPlan app to a user or group, Okta immediately syncs with CrashPlan and provisions the users. 

See Okta's documentation for more information on assigning users and groups to applications. 

Troubleshooting

User details in Okta and CrashPlan are out-of-sync

Once provisioning is configured in CrashPlan, you should make all user changes in Okta. CrashPlan does not sync changes back to Okta, so any changes you make on the CrashPlan side cause the two apps to become out-of-sync. Updating the CrashPlan console does not start a sync between Okta and CrashPlan. Only changes made in Okta can start a sync. 

To view information about provisioning changes, see the Sync Log in the CrashPlan console. It gives details of all of the users that have been created, updated, or deleted due to provisioning. 

Attributes do not appear as expected on users in CrashPlan

If you assigned people to the CrashPlan application before you configured attribute mapping, Okta could not automatically map users to CrashPlan organizations and roles, which can result in user attributes not being updated as expected in CrashPlan. To correct the problem, verify the attributes are correctly defined in the Profile Editor and the attribute mapping, then manually provision the unprovisioned users, or perform a Force Sync to update user attributes for all the users assigned to the CrashPlan application.

Synchronization results in a server error

If custom user attributes are not configured correctly, it may result in a server error message similar to the following when Okta attempts to synchronize: 

Automatic profile push of user John Doe to app CrashPlan failed: Error while trying to push profile update for John_Doe@example.com: Server Error. 

To resolve the problem, configure the user attributes to match the documentation in Step 4 and then perform a Force Sync or manually provision users that have failed to provision.

 Need more help?

Contact our Technical Support Engineers for CrashPlan Enterprise support.
