Overview
This article describes identity management settings. You can use identity management to control authentication and authorization in your CrashPlan environment. These settings are only available in CrashPlan cloud environments.
Considerations
- To use this functionality, you must be assigned the Identity Management Administrator role.
Definitions
authentication: The process of identifying and verifying users in a system. Methods for authentication include:
- Local CrashPlan directory
- Single sign-on (SSO)
- Multi-factor authentication (MFA)
authentication provider: Allows access to CrashPlan. When enabled, users sign in using the authentication provider instead of CrashPlan. Examples of authentication providers include Okta, Google SSO, Ping, Entra ID, OneLogin, and Microsoft AD FS.
CrashPlan User Directory Sync Tool: Uses LDAP to automate user management between your directory service and your CrashPlan environment. This differs from other provisioning providers because it uses LDAP rather than SCIM.
identity management: An IT administrative area or market that deals with users in an IT system and gives them access to the right resources within the system.
identity provider (IdP): A general term to refer to a system that contains user identities. Identity provider can refer to a system performing authentication, provisioning, or both. Examples of identity providers include Okta, Google SSO, Ping, Entra ID, and OneLogin.
SCIM provisioning: An open standard protocol for automating user management.
provisioning provider: Automates user management. Applications like CrashPlan sync with a provisioning provider and then create, update, or deactivate users based on the provisioning provider's user profile. Examples of provisioning providers include Okta, Ping, and Entra ID.
single sign-on (SSO): SSO is one type of authentication method. It allows a user to use the same credentials to sign in to multiple applications.
Authentication
Authentication provider settings enable you to use a third-party application to authenticate users in the CrashPlan environment. For example, use these settings to configure a provider for single sign-on authentication.
To view the authentication provider settings:
- Sign in to the CrashPlan console.
- Go to Administration > Integrations > Identity Management.
- Select Authentication.
Add authentication provider
From the Authentication tab, click Add authentication provider.
Item | Description | |
---|---|---|
a | Display Name | Sets the name of your organization's authentication provider. This is a descriptive label and the text entered here is displayed to the user on the sign-in screen of the CrashPlan app and CrashPlan console. |
b | Provider's Metadata | Sets the format for the authentication provider's metadata. Choose either to enter a URL or upload an XML file. |
c | Enter URL or Upload XML File | Enter URL: Sets the URL for the standalone identity provider or identity federation metadata file. The CrashPlan cloud must be able to access this URL. Upload XML File: Uploads the XML file. Use metadata URL for federations: CrashPlan cloud environments do not support uploading an XML file for federations. Use the metadata URL to configure the federation instead. Custom domains are not supported: When entering the URL for the XML metadata file, custom domains are not supported. You must use the standard domain of your identity provider. |
Authentication provider
The following screen appears when you configure a standalone identity provider.
Item | Description | |
---|---|---|
a | Display name | Displays the name of your authentication provider. |
b | Actions |
Menu with the following actions:
|
c | CrashPlan Service Provider Metadata URL |
Displays the URL for the SAML 2.0 metadata file. This file is used by the authentication provider(s).
To view the contents of the metadata XML file, open the link in a web browser. The file contains CrashPlan URLs needed by your service provider to connect to CrashPlan, including URLs to the server, entity ID, and Assertion Consumer Service (ACS). |
d | Attribute mapping |
Maps CrashPlan usernames to the provider's name identifier or a custom attribute.
|
e | Organizations in Use |
Displays the number of organizations that use this provider as the authentication method.
You can also manage the organizations that use this authentication provider from organization settings. |
f | SAML attributes | Displays the SAML context and class references in your identity provider's SSO requests, as well as the digest and signature algorithms to use. |
g | Local users |
Displays users who are set to use local authentication only. These users are meant for troubleshooting issues with your authentication provider.
Local users cannot be managed with provisioning. |
Federation
A federation is a group of organizations that have formed trusts. With federations, the identity provider simply shares a token with the service provider to authenticate a user instead of supplying the user's credentials. When you enter the metadata URL, CrashPlan automatically detects if the metadata belongs to a federation or a single provider. If it is a federation, you are automatically directed to the federation details configuration page.
Item | Description | |
---|---|---|
a | Display name | Displays the name of your authentication provider. |
b | Actions |
Menu with the following actions:
|
c | Attribute mapping |
Maps CrashPlan usernames to the provider's name identifier or a custom attribute.
|
d | Edit |
Edits the attribute mappings.
In the resulting Attribute Mapping dialog, select the Use default mapping check box to use the default attribute mappings. Deselect the check box to enter your own values. |
e | Federated Identity Providers | Lists all of the Federated Identity Providers that have been added for this federation. Click the name of the provider to view the details. |
f | Add | Adds a new federated identity provider. |
g | Local users |
Displays users who are set to use local authentication only. These users are meant for troubleshooting issues with your authentication provider.
Local users cannot be managed with provisioning. |
Add an identity provider to this federation
Item | Description | |
---|---|---|
a | Select a Provider URL | Selects an identity provider from the list of available providers. Begin typing to search for the correct provider. |
b | Display Name | Sets the display name for the identity provider |
Federated identity provider details
To view the identity provider details, click the identity provider's name under the Federation details.
Item | Description | |
---|---|---|
a | Display name | Displays the name of your authentication provider. |
b | Actions |
Menu with the following actions:
|
c | CrashPlan Service Provider Metadata URL | Displays the URL for the SAML 2.0 metadata file. This file is used by the authentication provider(s). |
d | Attribute Mapping |
Maps CrashPlan usernames to the provider's name identifier or a custom attribute.
|
e | Edit |
Edits attribute mappings.
In the resulting Attribute Mapping dialog, select the Inherit from federation check box to inherit the attribute mappings from the federated authentication provider. Deselect the check box to enter your own values. |
f | Organizations in Use | Displays the number of organizations that use this provider as the authentication method. |
g | SAML attributes | Displays the SAML context and class references in your identity provider's SSO requests, as well as the digest and signature algorithms to use. Click the edit button to set the SAML attributes. |
h | Local Users |
Displays users who are set to use local authentication only. These users are meant for troubleshooting issues with your authentication provider.
Local users cannot be managed with provisioning. |
Provisioning
Provisioning provider settings allow you to connect to a third-party application where your users are stored, and automatically add them to CrashPlan. To view the provisioning provider settings:
- Sign in to the CrashPlan console.
- Select Administration > Integrations > Identity Management.
- Select Provisioning.
Add Provisioning Provider
To view, go to Provisioning, then click Add Provisioning Provider. Choose either Add SCIM Provider or Add CrashPlan User Directory Sync.
The following dialog appears when you select Add SCIM Provider.
Item | Description | |
---|---|---|
a | Display Name | Sets the name for the SCIM provider or CrashPlan User Directory Sync. |
b | Authentication Credential Type |
Sets the type of credential authentication to use:
|
Credentials
After you enter a username for the provisioning provider, the credentials appear. Your provider may require some or all of these credentials to create a service account for syncing between your directory and CrashPlan.
Item | Description | |
---|---|---|
a | Base URL | The URL for interacting with the CrashPlan provisioning API. |
b | Username | Username for the service account. |
c | Password or Token | Password or token for the service account. Which one appears depends on whether you selected API Credentials or OAuth token in the Add SCIM Provisioning Provider dialog box. This password or token appears only once, so save it in a secure location. |
SCIM provisioning provider
Appears when configuring a SCIM provisioning provider.
Item | Description | |
---|---|---|
a | Name | Displays the name of your provisioning provider. |
b | Actions |
Menu with the following actions:
|
c | Provider Credentials |
Displays user credentials. This user performs directory sync between your provider and CrashPlan. These credentials are used by the provisioning provider.
|
d | Regenerate Credentials |
Regenerates credentials, either API credentials or an OAuth token. The regenerated password or token appears on the SCIM Provider Updated dialog. Copy the newly-generated password or token to the SCIM provisioning provider.
Credentials were originally generated when you added the SCIM provisioning provider. You may need to regenerate credentials in certain circumstances, such as when a new administrator takes over management of the SCIM provisioning provider in CrashPlan. |
e | Deactivation Delay |
Displays the amount of time CrashPlan waits to deactivate a user once the provider has sent the update. The maximum deactivation delay is 90 days. Deactivation of users on legal hold: If users who are custodians under a legal hold are subsequently selected for deactivation (for example, from the CrashPlan console, a provisioning provider, or API), they are not deactivated immediately because their data must be retained for legal hold purposes. Instead, they are blocked. Once these blocked users are released from legal hold, they are deactivated automatically. |
f |
Edit |
Edits the deactivation delay setting. |
g |
Organization Mapping
|
Displays how CrashPlan assigns organizations to users who are added from the provisioning provider.
Only configurable for SCIM provisioning providers. |
h |
Edit |
Change how CrashPlan maps provisioned users. Choose between the following mapping methods:
|
i |
Organization name |
Displays a CrashPlan organization or the Add Mapping button. |
j | Role Mapping | Displays how roles are mapped from the provisioning provider to CrashPlan. |
k | Edit |
Change how roles are mapped from the provisioning provider to CrashPlan. Choose:
|
l |
Edit mapped roles
or
Add Role Mapping SCIM provisioning providers only |
Maps CrashPlan roles and permissions to groups.
|
Select Roles
CrashPlan User Directory Sync only |
Select roles to be managed by the CrashPlan User Directory Sync Tool. This means only roles checked in this list will be automatically updated by the tool. Roles that aren't checked here must be manually updated in the CrashPlan console.
See the Roles reference for more information on each role. |
View a list of roles within your CrashPlan environment |
Edit Organization Mapping Method for SCIM provider
To view organization mapping methods, select the edit icon next to Organization Mapping.
Single organization
Assigns all users to the same CrashPlan organization. If you choose this option, create organizations in the CrashPlan console before you begin.
Example use case
Use this option if you manage users in the CrashPlan console. For example, all users that are provisioned from the provisioning provider are added to the same organization. You can then move the users from that single organization to additional organizations in the CrashPlan console.
Item | Description | |
---|---|---|
a | Create new users in the organization below | CrashPlan assigns new users to the selected organization. |
b | Select an organization | Select the organization where you want to place new users. |
"C42OrgName" attribute
The "c42OrgName" attribute creates new organizations or assigns users to existing organizations based on the value for the user attribute c42OrgName. This value becomes the name for the CrashPlan organization. This attribute is managed on the provisioning provider.
Example use case
Use this method if you want to manage users in the provisioning provider (and not in the CrashPlan console). The value for this attribute becomes the name for the CrashPlan organization. CrashPlan creates new organizations or assigns users to existing organizations based on the value.
Item | Description | |
---|---|---|
a | Map users to organizations based on the provider's "c42OrgName" attribute | CrashPlan assigns users to the selected organization using the "c42OrgName" attribute. |
b | Select an organization | Select the organization where you want to place unmapped users. |
SCIM group
Assigns users to CrashPlan organizations based on their SCIM group. If you choose this option, create organizations in the CrashPlan console before you begin.
Example use case
Use this mapping method if your users are already assigned to SCIM groups. For example, a user is part of two different SCIM groups: an executive group and a UK group. You want this user's backup policies to match the other executives in your company, so this user should be assigned to the same CrashPlan organization as the other executives. In the CrashPlan console, you can choose the executive group to take priority over the UK group. This way you can place all of the executives in your company in the same organization and ensure they have the same backup policies.
Item | Description | |
---|---|---|
a | Map users to organizations using SCIM groups. |
CrashPlan assigns users to the selected organization based on SCIM groups. To use this option, SCIM groups must first be sent to CrashPlan (for example, using the
After you click Save, click Add Mapping to map roles to CrashPlan groups. |
b | Select an organization | Select the organization where you want to place unmapped users. |
Add Mapping
To view, click Add Mapping. Use Add Organization Mapping to map SCIM groups to CrashPlan organizations. To use this option, SCIM groups must first be sent to CrashPlan (for example, using the /Groups API resource in the SCIM protocol).
Item | Description | |
---|---|---|
a | Select a SCIM group | Displays all the SCIM groups that your provider has sent to the CrashPlan console. Only groups that have not been mapped appear in this list. |
b | Select a CrashPlan organization | Displays the organization tree for your CrashPlan console. |
Edit Role Mapping
To view, select the edit icon next to Role Mapping.
Item | Description | |
---|---|---|
a | Manually | Assign roles manually in CrashPlan. Roles are not mapped from the provisioning provider. |
b | Map SCIM groups to CrashPlan roles |
Map the SCIM groups in the provisioning provider to roles in CrashPlan. To use this option, you must first send SCIM groups to CrashPlan (for example, using the If SCIM groups are not sent to CrashPlan, the "There are no SCIM groups available" message displays. After sending the SCIM groups, an Add Role Mapping button displays. |
Add Role Mapping
To view, click Add Role Mapping.
Item | Description | |
---|---|---|
a | Select a SCIM group | Displays all the SCIM groups that have been pushed to your CrashPlan console (for example, using the /Groups API resource in the SCIM protocol). Only groups that have not been mapped appear in this list. |
b | Select a CrashPlan role | Displays a list of all the CrashPlan roles. Learn more about CrashPlan roles and permissions below. |
CrashPlan User Directory Sync
Appears when configuring CrashPlan User Directory Sync.
Item | Description | |
---|---|---|
a | Name | Display name for this User Directory Sync instance |
b | Actions |
Menu with the following actions:
|
c | Provider Credentials |
Displays user credentials. This user performs directory sync between your provider and CrashPlan.
Click Regenerate password to create a new password if needed for the user. If you generate a new password for the user, you must also run the |
d | Deactivation Delay |
Displays the amount of time CrashPlan waits to deactivate a user after a synchronization is run. The maximum deactivation delay is 90 days. Click the edit icon
Deactivation of users on legal hold: If users who are custodians under a legal hold are subsequently selected for deactivation (for example, from the CrashPlan console, a provisioning provider, or API), they are not deactivated immediately because their data must be retained for legal hold purposes. Instead, they are blocked. Once these blocked users are released from legal hold, they are deactivated automatically. |
e |
Organization Mapping
|
Disabled within the CrashPlan console. To configure how users are mapped to CrashPlan organizations, use the Org script in the CrashPlan User Directory Sync Tool. |
f | Edit | Change how CrashPlan maps provisioned users to organizations. |
g |
Role Mapping |
Displays which roles the User Directory Sync automatically updates. |
h | Edit |
Enable a method for mapping roles to users. Choose either Manually or Select roles from the CrashPlan User Directory Sync.
|
i | Select Roles |
Select roles to be managed by the CrashPlan User Directory Sync Tool. This means only roles checked in this list will be automatically updated by the tool. Roles that aren't checked here must be manually updated in the CrashPlan console. See the Roles reference for more information on each role. |
Edit Organization Mapping Method for User Directory Sync
To view organization mapping methods, select the edit icon next to Organization Mapping.
Create new users in an existing CrashPlan organization
Assigns new users to the same CrashPlan organization and does not map new users based on the User Directory Sync org script. If you choose this option, create organizations in the CrashPlan console before you begin.
Example use case
Use this option if you want to manage new users in the CrashPlan console. All users that are provisioned from User Directory Sync are added to the same organization. You can then move the users from that single organization to additional organizations in the CrashPlan console.
Item | Description | |
---|---|---|
a | Create new users in the organization below and do not map users based on the User Directory Sync's org script | CrashPlan assigns new users to the selected organization. |
b | Select an organization | Select the organization where to place new users. |
User Directory Sync org script
Assigns users to organizations based on the User Directory Sync org script.
Example use case
Use this method if you want to manage users in the User Directory Sync (and not in the CrashPlan console). CrashPlan creates new organizations or assigns users to existing organizations based on the org script.
Item | Description | |
---|---|---|
a | Map users to organizations based on the User Directory Sync's org script | CrashPlan assigns users to the selected organization using the User Directory Sync org script. |
b | Select an organization | Select the organization where you want to place unmapped users. |
Select roles
To view, go to Provisioning and click Select Roles. This is a security measure to prevent users from elevating their privilege within the CrashPlan environment.
Item | Description | |
---|---|---|
a | Choose Roles | Displays all of the roles available in your CrashPlan environment. To learn more about the permissions, limitations, and example use cases for each role, see the |
b | Enable or disable role |
Enable or disable roles from automatic provisioning.
|
Apply organization and role settings
Should you need to change organization and role settings and want them to be applied to all provisioned users in CrashPlan immediately, use the Apply Org and Role Settings option in the action menu of the target provisioning provider.
Use with caution
Applying the organization and role settings to all provisioned users with the Apply Org and Role Settings option could be a destructive action because organization assignment changes may impact your currently provisioned users' archive configurations. Both organization and role settings are applied simultaneously and complete asynchronously.
Steps
To apply organization and role changes to either a SCIM provisioning provider or a CrashPlan User Directory Sync provisioning provider, complete the following:
- Sign in to the CrashPlan console.
- Go to Administration > Integrations > Identity Management > Provisioning.
- Select a provisioning provider.
- Choose Actions > Apply Org and Role Settings.
- Click Apply.
It may take up to one hour for the changes to be applied to all affected users.
Apply settings for organizations and roles mapped with SCIM groups
In order to map SCIM groups to CrashPlan organizations or roles, you must first push those SCIM groups to CrashPlan so they are available for mapping. You can do this by provisioning the users in their groups (or by using a push method such as the /Groups API resource in the SCIM protocol). However, this means that initially the users are placed in the default organizations and roles rather than the ones you want to map them to.
To move users to the correct organizations and roles, map your organizations and roles and then apply the mappings:
- Provision users with their groups. Although this places the users in default organizations and assigns default roles, it also pushes the SCIM groups to CrashPlan so they appear in the CrashPlan console.
- Now that the SCIM groups appear in the CrashPlan console, you can use them to configure organization mapping and configure role mapping.
- Run Apply Org and Role Settings to apply the newly configured organizations and role assignments to the already-provisioned users. Users are moved to the correct organizations and roles.
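Because Apply Org and Role Settings moves every provisioned user at once, it helps to preview the outcome first. The following added example (not CrashPlan code and not a CrashPlan API) models SCIM-group organization mapping locally and lists which users would move; the priority-ordered, first-match-wins mapping list, the unmapped-user organization, and all group, user and organization names are constructed assumptions.

```python
"""Dry-run preview of SCIM-group organization mapping (added example)."""
import json

GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed SCIM 2.0 Group resources (RFC 7643), shaped like what a
# provisioning provider sends to the /Groups resource.
SCIM_GROUPS = json.loads("""
[
  {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
   "displayName": "Executives",
   "members": [{"value": "u-100", "display": "ava@example.com"}]},
  {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
   "displayName": "UK",
   "members": [{"value": "u-100", "display": "ava@example.com"},
               {"value": "u-101", "display": "ben@example.com"}]},
  {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
   "displayName": "Contractors",
   "members": [{"value": "u-102", "display": "cy@example.com"}]}
]
""")

# Assumed local model of the console settings: mappings listed in priority
# order (first match wins) plus the organization chosen for unmapped users.
ORG_MAPPINGS = [("Executives", "Exec Org"), ("UK", "UK Org")]
UNMAPPED_ORG = "Default Org"

# Constructed current state: the organization each provisioned user is in today.
CURRENT_ORG = {
    "ava@example.com": "Default Org",
    "ben@example.com": "UK Org",
    "cy@example.com": "Legal Org",  # moved manually by an administrator
}


def memberships(groups):
    """Return {username: set of group displayNames} from SCIM Group resources."""
    result = {}
    for group in groups:
        if GROUP_SCHEMA not in group.get("schemas", []):
            continue  # skip anything that is not a core Group resource
        for member in group.get("members", []):
            user = member.get("display") or member["value"]
            result.setdefault(user, set()).add(group["displayName"])
    return result


def resolve_org(user_groups, mappings, unmapped_org):
    """Pick the organization of the highest-priority mapped group, else the fallback."""
    for group_name, org in mappings:
        if group_name in user_groups:
            return org
    return unmapped_org


def preview_moves(groups, mappings, unmapped_org, current_org):
    """List (user, from_org, to_org) for users whose organization would change."""
    member_of = memberships(groups)
    moves = []
    for user in sorted(current_org):
        target = resolve_org(member_of.get(user, set()), mappings, unmapped_org)
        if target != current_org[user]:
            moves.append((user, current_org[user], target))
    return moves


if __name__ == "__main__":
    for user, src, dst in preview_moves(SCIM_GROUPS, ORG_MAPPINGS,
                                        UNMAPPED_ORG, CURRENT_ORG):
        print(f"{user}: {src} -> {dst}")
```

In this sample the manually placed user is pulled back to the unmapped-user organization, which is the kind of change worth reviewing before clicking Apply.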
Use cases
See the following sections for situations where applying mappings may be useful.
SCIM provisioning provider
Configure mappings first
Ensure you've configured the organization and role mappings in the provisioning provider details page before applying mappings with the Apply organization and role settings dialog.
Organization mapping
You have configured your identity provider to provision the "c42OrgName" user attribute. Apply mappings when:
- You have recently configured the CrashPlan mapping method to use "C42OrgName" and would like to move all existing provisioned users to their "c42OrgName" organization.
- You have manually moved users into other organizations and would like them moved back to their "c42OrgName" organization.
You have configured your identity provider to provision user group information. Apply mappings when:
- You have recently configured the CrashPlan mapping method to use SCIM groups and would like to move all existing provisioned users in manually assigned organizations to their mapped organization.
- You have manually moved provisioned users into other organizations and would like them moved back to their mapped organization.
- You have updated the SCIM group mappings and would like existing provisioned users to be moved into their newly mapped organizations immediately.
Role mapping
You have configured your identity provider to provision user group information. Apply mappings when:
- You have recently configured the CrashPlan mapping method to use SCIM groups and would like to move all existing provisioned users in manually assigned roles into newly mapped roles.
- You have manually assigned roles to provisioned users and would like them re-assigned to their mapped roles.
- You have updated the SCIM group mappings and would like existing provisioned users to be assigned into their newly mapped roles immediately.
CrashPlan User Directory Sync
Full sync
You should run a full sync to reprovision all users to CrashPlan using the CrashPlan User Directory Sync rather than applying organization and role mappings. However, in some cases, accessing the CrashPlan User Directory Sync or running a full sync may not be an option. In those cases you can apply mappings with the Apply organization and role settings dialog.
Organization mappings
- You had previously configured mapping to use the org script, but recently updated the CrashPlan mapping method to use the "User Directory Sync Org Script". Apply mappings when you would like to move all existing provisioned users in their manually assigned organizations to the scripted organization.
- You have mapping configured to use the "User Directory Sync Org Script", but later manually moved provisioned users into other organizations. Apply mapping changes to move users back to their scripted organization.
Role mappings
You have configured the User Directory Sync role script to provision users' role information. Apply mappings when you have updated the role allowlist and would like to update provisioned users accordingly.
Sync Log
The sync log displays all of the updates made to your CrashPlan environment from the provisioning provider.
To view the Sync Log:
- Sign in to the CrashPlan console.
- Select Administration > Integrations > Identity Management.
- Click Sync Log.
Data in the Sync Log is retained for 90 days
As of September 22, 2021, the Sync Log retains data for only 90 days. If you want to retain Sync Log data older than the last 90 days, you must export the data before September 22, 2021. After that date, to retain Sync Log data older than 90 days, export the data on a regular basis and keep it in your own storage systems. For more information, see Export Sync Log data from CrashPlan.
Item | Description | Click to view | |
---|---|---|---|
a | Date selector | Selects the timeframe for which logs to display. | Click to view a calendar date picker. |
b | Refresh Table | Retrieves the most recent synchronization changes. | Click to view the latest log entries. |
c | Export CSV | Exports all of the sync logs to a .CSV file. Use this option to filter the logs further. | Click to start downloading a CSV file. |
d | Provider | Displays the provider that made the update. | Click to sort. |
e | User Impacted | Displays the CrashPlan username. | Click to sort. |
f | Change type |
Displays how the user was changed. Change types are:
|
Click to sort. |
g | Attribute changed |
Displays what part of the user changed. Attribute changes can be to:
|
Click to sort. |
h | New Value |
Displays the new value for the attribute that was changed.
Note: Organization attribute values include the orgId, and Manager attribute values include the userId. |
Click to sort. |
i | Old value | Displays the old value for the attribute that was changed. | Click to sort. |
j | Date changed | Displays the date the change occurred. | Click to sort. |
Provisioning updates also appear in the Audit Log
In addition to appearing in the Sync Log, updates resulting from provisioning also appear in the Audit Log. For example, newly-provisioned users appear in the Add user event type, users deactivated by provisioning appear in the Deactivate user event type, and provisioned user attribute changes appear in the External attributes change event type.
Whenever the acting user in an Audit Log event is a SCIM provisioning system, the username of the acting user in the event appears as the provisioning provider Username credentials from CrashPlan (for example, "entra_1234@cloud.crashplan.com").
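Since the Sync Log keeps only 90 days of data, regular CSV exports are the long-term record of what provisioning changed. The following added example (not CrashPlan code) merges overlapping exports into one de-duplicated archive and flags role grants outside an expected set as well as changes made by an unexpected provider; the CSV header text, cell formats, provider names and the "Desktop User" role name are constructed assumptions based on the column labels in the table above.

```python
"""Archive and review Sync Log CSV exports (added example)."""
import csv
import io

# Assumption: the export's header row uses the column labels shown in the table.
COLUMNS = ["Provider", "User Impacted", "Change type", "Attribute changed",
           "New Value", "Old value", "Date changed"]
HEADER = ",".join(COLUMNS) + "\n"

# Constructed sample exports from two consecutive weeks; one row overlaps.
EXPORT_WEEK_1 = HEADER + (
    'Okta SCIM,ava@example.com,Update,Role,'
    '"Desktop User, Identity Management Administrator",Desktop User,'
    '2024-05-02T09:14:00Z\n'
    'Okta SCIM,ben@example.com,Update,Organization,UK Org,Default Org,'
    '2024-05-02T09:15:00Z\n'
)
EXPORT_WEEK_2 = HEADER + (
    'Okta SCIM,ben@example.com,Update,Organization,UK Org,Default Org,'
    '2024-05-02T09:15:00Z\n'
    'Legacy Sync,cy@example.com,Update,Role,Desktop User,,2024-05-09T11:00:00Z\n'
)


def read_export(text):
    """Parse one exported CSV into a list of row dictionaries."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]


def merge_exports(*exports):
    """Combine overlapping exports into one archive with no duplicate rows."""
    seen, archive = set(), []
    for rows in exports:
        for row in rows:
            key = tuple(row[column] for column in COLUMNS)
            if key not in seen:
                seen.add(key)
                archive.append(row)
    # Assumption: ISO 8601 UTC timestamps, which sort correctly as strings.
    return sorted(archive, key=lambda row: row["Date changed"])


def split_roles(value):
    """Assumption: multiple roles appear as a comma-separated list."""
    return {role.strip() for role in value.split(",") if role.strip()}


def review(rows, allowed_roles, expected_providers):
    """Return (user, finding) pairs that deserve a closer look."""
    findings = []
    for row in rows:
        user = row["User Impacted"]
        if row["Provider"] not in expected_providers:
            findings.append((user, "unexpected provider: " + row["Provider"]))
        if row["Attribute changed"].strip().lower() == "role":
            granted = split_roles(row["New Value"]) - split_roles(row["Old value"])
            for role in sorted(granted - allowed_roles):
                findings.append((user, "role outside allowlist granted: " + role))
    return findings


if __name__ == "__main__":
    archive = merge_exports(read_export(EXPORT_WEEK_1), read_export(EXPORT_WEEK_2))
    for user, finding in review(archive, {"Desktop User"}, {"Okta SCIM"}):
        print(user, "-", finding)
```

Set `allowed_roles` to the roles you expect provisioning to assign and `expected_providers` to the display names of your configured provisioning providers.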
External resources
- Gartner: Federated Identity Management