[V13] SAML Configuration quirks

[ashleyw]

hi, I've just set up the VSA to be dialed into our Entra organisation and its working!
I've noticed the following quirks;
- There is no SAML SSO on the VSA console (port 10443). Is it expected that this should only be used for break glass access? I assume that the same for all the JeOS instances (like the JeOS appliances we've deployed as proxies).
- The SAML configuration with Entra was straight forward, but within the configuration we configured the IdP information via a meta file, but it wouldn't let me move past this screen until I specified a certifcate service provider. I wasn't sure what to do here so the only cert I was able to select was by hitting on the install button and selecting the "select an existing certificate form the certificate store" ,then selecting the cert with he name "Veeam Backup Server Certificate" . Is this correct? Im not sure I understand why this needs to be selected if we aren't using verification certificates in the Entra configuration. - I might be misunderstanding things here though as I don't work with SSO very often.
- Are we able to configure the security officer role to use SAML? Reason why its hard in a large organisation to use local accounts for anything- especially when it requires MFA which generally isn't shared - and especially as everyone is operating within the context of a role rather than as an individual. Perhaps a simple guide for configuring VSA with an Entra app might help noobs like me.
- To make things more straightforward in out environment and to utilise our Lets encrypt architecture, I've reverse proxied the veeamsa appliance as veeamsa.<domain-name> and veeamsa-console.<domainname> with the later going to port 10443. This appears to work fine for the web based clients, but the windows client now fails to connect see image below. I see from our haproxy configuration that we are proxing using the http 1.1 protocol over http2 for backwards compatibility with other sites. Is there a setting on the windows client to use http1.1 instead of http2 otherwise our topology becomes more complex or could this be exposed as a configuration option on the appliance (ie. HTTP Protocol: 1.1 or 2). I don't appear to easily be able to change haproxy as this requires the protocol to be tied to a unique IP (in the haproxy frontend) and I don't have access to any addition IPs without having to beg the security teams for permission. Alterntively How do we progratically change certs so that we can remotely push cert to the appliance and restart the webservices on the appliance to be able to change them when the rest of our cert automation happens about once every 60 days?
- Once SAML was set up though, All I needed to do was to add the user to the the enterprise app, and then also add that user as an "external" user to the Veeam users - easy as.

[tm67]

Hi Ashley

I also tried a few things with SAML and also Entra ID as one of my test IDP. I had the same question as you about this certificate I had to choose.
In my understanding, this certificate is only relevant if you want to verify incoming requests from SP (in this case: Veeam)
I tried this and uploaded the public key of my selected SP certificate into Entra ID. Login was possible. (btw you can extract the public certificate from the "Download" button in Veeam Console -> Identity Provider -> Service Provider (SP) Information, the cert is in there: X509Certificate)



I am not sure if this is true, but maybe someone with a little more SAML experience or someone from Veeam can verify this?
Does Veeam support SAML request verification by certificate? And what needs to be configured on Veeam?

I have also a different IDP set up as a test-idp and there I am not able to get it to work yet with signing verification enabled on IDP side.

In enterprise manager, we also have a SAML implementation, and this has a few more options to configure. (In EM we have the option advanced -> "Sign AuthnRequests to IdP")
In the screenshot above (in VBR) there is an option "AuthnRequestsSigned=false". Maybe this would be the one to set to true?

In general, I think this UI could get some improvements, like adjusting the certificate manually and not uploading the entire xml file.
Or downloading the SP certificate if we need to upload it to the IDP. (like it is already possible in EM)

Timo

[ashleyw]

Hi Timo, thanks for the clarification, Hopefully Veeam will be able to provide better example documentation around SSO over the next few weeks as more us go through similar pains!

In terms of the HTTP1.1 issue around the Windows client, I found the issue.
We were running haproxy on Rocky8 for our reverse publishing. Rocky8 includes haproxy 1.8x which has a bunch of know issues with HTTP2, so I checked the package libraries for Rocky9 and that includes haproxy 2.x.
So the solution for me was to do an in-place upgrade of our haproxy architecture from Rocky8 to Rocky9 and then just tweaked the haproxy frontend binds to be "h2,http/1.1" and then everything worked as expected and I was able to reverse publish the windows Veeam client and all windows client functionality seems to work fine on HTTP2.

thanks
Ashley

[Egor Yakovlev]

Hi all,
Great feedback—thank you for sharing your experiences!

Let me address some of the points mentioned above:
- Host Management (:10443) is a completely isolated component, running alongside other Veeam services present on the machine. Currently, it does not support SAML authentication, nor does it share the configuration set in Veeam Backup & Replication settings. This is definitely a possibility for future enhancement.
- The Service Provider (SP) Certificate is required to validate connections from the backup server to the identity provider. Selecting the Veeam backup server certificate should be sufficient to establish trust, and we could likely simplify the user experience here by selecting it by default for you.
- Certificate validation is considered a general best practice today, and I strongly suggest considering it for the future. It is a mandatory option when configuring in the settings, however it can be ignored by the identity provider.
- The certificate option "AuthnRequestsSigned" is currently under investigation; it may have an incorrect value set. Thank you for pointing this out!
- Certificate [and only it] change UX — this is definitely an area for improvement, and we already have it on track.
- Certificate management is also a tracked feature request that we are paying close attention to.

Hope that clears things up, and please keep the feedback coming!