Overview
This article explains how to provision users from PingOne to CrashPlan. Once configured, CrashPlan automatically adds, updates, and removes users when PingOne syncs to CrashPlan.
This article assumes you are familiar with the concept of provisioning. To learn more, see our Introduction to SCIM provisioning.
The CrashPlan application in Ping is intended for single sign-on (SSO) as well as provisioning. This article describes only how to set up provisioning. To learn how to set up SSO, see Configure PingOne for SSO in your CrashPlan cloud environment.
Considerations
- To use this functionality, you must be assigned the Identity Management Administrator role.
- Before you begin, configure your private network, Internet, and VPN settings to allow client devices to communicate with PingOne on port 443. Test client connectivity to PingOne before you proceed.
- To provision existing users to CrashPlan, don't add existing users to a provisioning group until after you have assigned the group in the Group Access page during configuration.
- Local users in CrashPlan cannot be created, updated, or deleted from PingOne. These users can only be managed in the CrashPlan console.
Deactivate users
Deactivation delay
When PingOne sends an update to deactivate a user, CrashPlan waits 15 minutes before deactivating that user. This delay applies only when you use provisioning to deactivate users. When you manually deactivate users in the CrashPlan console, there is no delay.
The deactivation delay helps protect against moving users' backup archives into cold storage if users are accidentally deactivated in PingOne. Although CrashPlan waits before deactivating users, CrashPlan immediately blocks users once they receive a deactivation update from PingOne. Blocked users can no longer sign in to the CrashPlan app, but their devices continue to back up.
To learn more about user deactivation, see Deactivate and reactivate users and devices in CrashPlan.
Users on legal hold cannot be deactivated
If you place users on legal hold, PingOne can't deactivate them. Their data is retained for the legal hold process. Users are blocked instead of deactivated. Once you release users from legal hold, they are automatically deactivated.
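The deactivation timeline described above can be modeled as follows. This is an added example, not CrashPlan or PingOne code: the `Offboarding` class, its field names, and the rule that releasing a legal hold before the delay has elapsed does not shorten the delay are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DEFAULT_DELAY = timedelta(minutes=15)  # deactivation delay stated in this article


@dataclass
class Offboarding:
    update_at: datetime                          # deactivation update received from PingOne
    on_legal_hold: bool = False                  # user was on legal hold at that moment
    hold_released_at: Optional[datetime] = None  # None means the hold is still in place


def deactivation_time(ob: Offboarding, delay: timedelta = DEFAULT_DELAY) -> Optional[datetime]:
    """When the user becomes deactivated, or None if legal hold keeps them blocked."""
    due = ob.update_at + delay
    if not ob.on_legal_hold:
        return due
    if ob.hold_released_at is None:
        return None
    # Assumption: a release before the delay has elapsed does not shorten the delay.
    return max(due, ob.hold_released_at)


def state_at(ob: Offboarding, now: datetime, delay: timedelta = DEFAULT_DELAY) -> dict:
    """Model of the user's state at `now`; the returned field names are hypothetical."""
    when = deactivation_time(ob, delay)
    if now < ob.update_at:
        state = "active"
    elif when is not None and now >= when:
        state = "deactivated"
    else:
        state = "blocked"  # sign-in refused, devices still back up
    return {"state": state,
            "can_sign_in": state == "active",
            "pending_deactivation": when if state == "blocked" else None}


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamps
    cases = {"regular": Offboarding(t0),
             "held": Offboarding(t0, on_legal_hold=True),
             "released": Offboarding(t0, True, t0 + timedelta(days=30))}
    for name, ob in cases.items():
        for minutes in (5, 20):
            print(name, minutes, state_at(ob, t0 + timedelta(minutes=minutes))["state"])
```

Passing `delay=timedelta(0)` models a manual deactivation in the CrashPlan console, which has no delay.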
Supported products, attributes, and features
Supported PingOne products
The CrashPlan application for PingOne supports PingOne Directory and PingOne AD Connect.
If you're not sure whether you use PingOne Directory or PingOne AD Connect, in the PingOne cloud dashboard, check Settings > Identity Repository.
Supported attributes
The following PingOne attributes are automatically updated in CrashPlan:
PingOne Directory
- First name
- Last name
- Job title
PingOne AD Connect
- First name
- Last name
- Job title
- Division
- Department
- Employee type
- City, state, and country code
Supported user provisioning features
Supported
The following user provisioning features are available in the CrashPlan PingOne application:
- Create users: New users created in PingOne are also created in CrashPlan.
- Deactivate users: Deactivating a user in PingOne deactivates the user in CrashPlan.
- Update user attributes: PingOne updates users' attributes. These updates overwrite any changes made in CrashPlan.
Not supported
- Import users from CrashPlan to PingOne
- Password sync
- Role mapping
- SCIM groups
Because the CrashPlan application for PingOne does not support group provisioning, you must manage roles and organizations for provisioned users manually in CrashPlan.
Step 1: Create CrashPlan organizations
Create the CrashPlan organization where users from PingOne are added during provisioning. (You will set the organization that receives provisioned users in Step 3 below.) If you want to move users to other CrashPlan organizations after they've been provisioned to CrashPlan, create those organizations, too.
- Sign in to the CrashPlan console.
- Click Administration > Environment > Organizations.
- Select the Add an organization icon and enter a name.
  This method adds the organization under the default organization.
- To add a child organization:
  - Select the organization.
  - Click the action menu in the upper-right corner.
  - Choose Add a child organization.
- Repeat until you have added all of your organizations.
Step 2: Add a provisioning provider in the CrashPlan console
Create the provisioning provider configuration that PingOne uses to connect to CrashPlan.
- In the CrashPlan console, navigate to Administration > Integrations > Identity Management.
- Select the Provisioning tab.
- Click Add Provisioning Provider > Add SCIM Provider.
- Enter a display name and select the Authentication Credential Type:
- API credentials (default): Generates a password.
- OAuth token: Generates a token for use with SCIM providers who accept OAuth tokens for credentials.
- Click Next.
- The SCIM Provider Created message appears. Leave this message open. You'll need this information for Step 5 in the provisioning provider setup.
After you have used the information here for provisioning provider setup, click Done.
Step 3: Edit the provisioning provider settings
- In the CrashPlan console, view the provisioning provider details.
- (Optional) Edit the Deactivation Delay to adjust how long CrashPlan waits to deactivate a user after syncing with the provisioning provider.
- Edit Organization Mapping to select the organization in CrashPlan to which new users are provisioned from PingOne.
  - Click Edit next to Organization Mapping.
    The Edit Organization Mapping Method dialog appears.
  - Select Create new users in the organization below.
    Do not select the other options. PingOne does not support them.
  - Under Select an organization, choose the organization where users from PingOne are provisioned.
    After users are added to this organization by PingOne provisioning, you can move these users to different organizations in CrashPlan.
  - Click Save.
- Edit Role Mapping to specify that role assignment is done manually in CrashPlan.
  - Click Edit next to Role Mapping.
    The Edit Role Mapping dialog appears.
  - Choose Manually.
    Do not select the other option. PingOne does not send group membership information to CrashPlan.
  - Click Save.
Step 4: Add the PingOne application for CrashPlan
- Sign in to the PingOne cloud dashboard.
- Navigate to Applications > Application Catalog.
- Search for CrashPlan.
- Select the CrashPlan application whose Type is SAML with Provisioning (API).
Do not select the CrashPlan application whose Type is simply SAML. This is an older application that does not support provisioning.
Step 5: Configure PingOne provisioning
Use the PingOne console to configure provisioning for the CrashPlan application. For more information, see the PingOne documentation.
- In the PingOne cloud dashboard, navigate to Applications > My Applications.
- Select the CrashPlan application whose Type is SAML with Provisioning (API).
- Click Setup.
  The configuration screen appears.
- Click Edit at the bottom of the configuration screen.
  Use the default configuration values unless otherwise specified below.
- In SSO Instructions, click Continue to Next Step.
- In Connection Configuration, perform the following steps:
  - In the provided connection fields, replace ${yourserver} with the domain name of your CrashPlan console (console.us1.crashplan.com, console.us2.crashplan.com, or console.eu5.cpg.crashplan.com).
    For example:
    - ACS URL: https://console.us1.crashplan.com/api/SsoAuthLoginResponse
    - Entity ID: https://console.us1.crashplan.com
    - Target Resource: https://console.us1.crashplan.com
  - Ensure that the Set Up Provisioning box is checked.
    Leave the rest of the settings on the page unchanged.
  - Click Continue to Next Step.
- In Provisioning Instructions, review the directions and click Continue to Next Step.
- In Application Configuration, perform the following steps using the information from the SCIM Provider Created dialog in CrashPlan in Step 2.
- In SCIM_URL, enter the Base URL.
- In AUTHENTICATION METHOD, select whether the method is basic authentication (the default) or an OAuth 2.0 bearer token.
- In BASIC_AUTH_USER, enter the Username.
- If you used basic authentication, enter the password in BASIC_AUTH_PASSWORD.
  If you used a token, enter it in OAUTH_ACCESS_TOKEN.
- Click Continue to Next Step.
- In Attribute Mapping, map attributes from PingOne to CrashPlan. Click Continue to Next Step when you finish.
  Following are suggested values. Change the mapping as needed for your situation.

  | Application Attribute | Identity Bridge Attribute or Literal Value | Notes |
  | --- | --- | --- |
  | uid | Email, mail, or userPrincipalName (when using PingOne Directory); SAML_SUBJECT (when using PingOne AD Connect) | SSO |
  | mail | Email, mail, or userPrincipalName | SSO |
  | givenName | First Name | SSO |
  | sn | Last Name | SSO |
  | userName | Username | Provisioning (PingOne Directory or AD Connect) |
  | givenName | First Name | Provisioning (PingOne Directory or AD Connect) |
  | familyName | Last Name | Provisioning (PingOne Directory or AD Connect) |
  | workEmail | Email (Work) | Provisioning (PingOne Directory or AD Connect) |
  | title | Job Title | Provisioning (PingOne Directory or AD Connect) |
  | externalId | externalId | Provisioning (AD Connect only) |
  | userType | User Type | Provisioning (AD Connect only) |
  | roles | — | Leave the value empty. You cannot map roles to CrashPlan using PingOne. |
  | workCity | Locality (Work) | Provisioning (AD Connect only) |
  | workState | Region (Work) | Provisioning (AD Connect only) |
  | workCountry | Country (Work) | Provisioning (AD Connect only) |
  | division | Division | Provisioning (AD Connect only) |
  | department | Department | Provisioning (AD Connect only) |
  | manager | — | Leave the value empty. The manager attribute is not currently supported for mapping from PingOne to CrashPlan. |

- In PingOne App Customization, customize your app display and click Continue to Next Step.
- In Group Access, select the groups that have access to the CrashPlan application.
  Users added to these groups are provisioned to CrashPlan. Users removed from these groups are deactivated in CrashPlan. First add a group with no members and add a test user to that group as described in Step 6. After verifying that the test user is successfully provisioned, edit the configuration to add additional groups.
  - Click Add by the groups to have access.
- Click Continue to Next Step.
- In Review Setup, ensure the settings are correct.
- If you need to change any settings, click Back at the bottom of the page.
- When you're sure the settings are correct, click Finish.
After configuration is complete, the CrashPlan application appears on the My Applications tab with its status shown as Active.
Step 6: Add users to groups in PingOne
Once you add users to the groups you enabled in the Group Access panel, PingOne syncs and provisions the users to CrashPlan. Users removed from the groups are automatically deactivated in CrashPlan.
Create a test user in PingOne and add that user to a group before adding all users to groups. Once you've verified that the user is automatically provisioned into the expected organization in CrashPlan (as set in Step 3 above), add the rest of the users to groups.
For more information on adding users to groups, see PingOne's documentation.
Syncing
- To view information about provisioning changes and logs, see the Sync Log in the CrashPlan console. It contains details of all of the users that have been created, updated, or deleted due to provisioning.
- Once provisioning is configured in CrashPlan, make all user changes in Ping. CrashPlan does not sync changes back to Ping, so any changes you make to user values on the CrashPlan side cause the two apps to become out of sync.
- Updating the CrashPlan console does not start a sync between PingOne and CrashPlan. Only adding or removing a user from a group in PingOne starts a sync.
Troubleshooting
- To troubleshoot why users or attributes aren't being sent to CrashPlan, run a "Provisioning" report in PingOne to review provisioning errors.
- If everything is configured properly but users aren't being provisioned, assign an empty group to the CrashPlan application in Ping, then add users to that group. This initiates new provisioning calls for those users.
External resources
- PingOne documentation
- SCIM: Core schema