Enterprise Manager SAML - FQDN issue

[JonJR]

Just setup SAML (using a Duo DAG) for Veeam Enterprise manager. When it was installed Veeam EM has decided that it's URL is the "domainless" version eg https://veeam-em:9433 rather than https://veeam-em.company.com:9443. This has no effect on normal use of the EM website, except when logging on using SAML as it is a lot more sensitive to this.

The login flow is:
https://veeam-em.company.com:9443 - enter the email/upn of the remote account
Get forwarded to the SAML SSO page
https://duodag.company.com - enter username and password
Get redirect back to Veeam EM
https://veeam-em:9443
Veeam EM doesn't log you in as it wasn't expecting the incoming SAML request.

Logging in using https://veeam-em:9443 works fine.

I didn't have the domain suffix set for it's NIC when I installed Veeam EM, which may have given the result I'm after. But can you change the name of Veeam EM without installing?

[HannesK]

Hello,

When it was installed Veeam EM has decided that it's URL is the "domainless"

hmm, where did you do that? I just manually clicked through the installation wizard and had no chance to do it.

Just to clarify... you don't have the domain name in settings -> SAML authentication -> Enterprise manager configuration (screenshot below)?


Best regards,
Hannes

[JonJR]

Hi Hannes,

Thanks for you reply.

hmm, where did you do that? I just manually clicked through the installation wizard and had no chance to do it.

Sorry I just meant I didn't get choose what the name was - I had the same experience as you



As you can see it's got the non FQDN path.

[HannesK]

ah sorry, I did not read properly...

as you mention that you did not set the DNS suffix... does that mean that your enterprise manager machine is not joined to a Windows active directory domain?

[JonJR]

as you mention that you did not set the DNS suffix... does that mean that your enterprise manager machine is not joined to a Windows active directory domain?

The machine isn't domain joined, but actually the DNS suffix is set on its NIC - either Puppet or Foreman does that for us.

[HannesK]

Hello,
ok, I reproduced it without domain and even with configured DNS suffix I have the same result like you. So re-installing will not help.

But there is a configuration option for that... C:\Program Files\Veeam\Backup and Replication\Enterprise Manager\WebApp\Web.config

In block <appSettings> you can add key:

Code: Select all

	<add key="applicationUrl" value="https://hk-em-no-domain.lab.intern:9443" />

The value must be the fqdn

Best regards,
Hannes

[vipthomps]

I just wanted to add that this fixed our SAML issue when authenticating externally without being able to resolve and access the internal name of the server