Guide: Configure Azure Group Based SSO to VBEM

[quinnvanorder_cariad]

This was a hoot to figure out, there are multiple articles floating around that indicate such a thing is possible, but it took quite some time working with support to get this nailed down. Documenting here for posterity.

In short, we have non domain joined Veeam servers, and want to allow administrative users to SSO via Azure Entra identities into VBEM without needing to setup each admin within VBEM prior. The goal here is to simply assign a user a group membership in Azure, and have SSO work into VBEM.

Create Enterprise Application

• Within the Azure Portal, search for 'Enterprise Applications'

• Search for Veeam to make sure you are not creating something that already exists

• Click 'New Application' > 'Create your own application'

• Name your application, and leave it on the default value of 'Integrate any other application you don't find in the gallery (Non-gallery)'

• Within 'Properties', add an icon file if you wish, leave all other values as default. Click 'Save'

• Within 'Users and groups' click 'Add user/group' and assign to your SSO control group

Configure VBEM for SAML

• Log into the VBEM console with the local admin user

• Navigate to 'Configuration' > 'Settings' > 'SAML Authentication'

• At the bottom of this page, take note of the 'SP Entity ID / Issuer' field. It MUST contain the FQDN of your server or this will fail. The next section covers how to address this

• Navigate to 'Configuration' > 'Roles' and add your SSO control group as an account type of 'External Group' and a role of 'Portal Administrator'. The name must match the Azure group exactly.

Fix FQDN

• If the 'SP Entity ID / Issuer' field does not contain your FQDN, Make a copy of the file C:\Program Files\Veeam\Backup and Replication\Enterprise Manager\WebApp\Web.config

• Then edit the original, remove the comments from the line: <!--<add key="applicationUrl" value=https://localhost:9443//>--> And replace with your FQDN

• Save the file, go to IIS and restart 'VeeamBackup'

Configure Metadata

• Within the VBEM console in 'Configuration' > 'Settings' > 'SAML Authentication', having confirmed your FQDN is present in the 'SP Entity ID / Issuer', click 'Download' next to the 'Veeam Backup Enterprise Manager' value midway down.

• Within the Azure 'Enterprise Application' window, navigate to 'Single sign-on' and select 'SAML'

• At the top of the SAML page, click 'Upload metadata file' and provide the file that was just downloaded from VBEM and click 'Save'. Note how this fills in the FQDN for VBEM in the 'Identifier (Entity ID) field.

• Within the Azure 'Enterprise Applications' page on the SAML configuration page, click 'Download' for the 'Federation Metadata XML'

• Within the VBEM Console on the 'SAML Authentication' page, click 'Import from File' and load this metadata file pulled from Azure. Click 'Save'.

Configure Claims

• In the Azure 'Enterprise Applications' SAML configuration page, click edit on the 'Attributes & Claims' section and click on the 'Unique User Identifier (Name ID)'. Change the 'Name identifier format' to 'Persistent'

• In the Azure 'Enterprise Applications' SAML configuration page, click edit on the 'Attributes & Claims' section and click 'Add a group claim'. Select 'Groups assigned to the application' and set the 'Source attribute' to 'Cloud-only group display name'. Click 'Save'.

• Once saved, copy the URL for 'Claim name' associated with the 'user.groups' claim.

• Switching back to the VBEM SAML configuration page, click 'Advanced Settings', and replace the default URL value for 'Group claim type' with the URL copied from Azure. Click 'Apply'. Click 'Save'.

Stumbling Blocks

• Every time you update Veeam, it will flatten the contents of C:\Program Files\Veeam\Backup and Replication\Enterprise Manager\WebApp\Web.config, requiring that to be fixed per update or the FQDN will be incorrect

• Every time you update Veeam, it will drop cert bindings in IIS for VBEM if you arent running their self signed certs.

@VeeamDevs, please look into the 2 above stumbling blocks, they are super annoying.

[dgyarr]

I will 2nd that this was a HOOT to figure out. I opened a support case but have not received a response yet. Oddly enough, I just got my configuration working but slightly different than what you have here/I pieced together multiple forum articles to get it working. I'm not trying to muddy the waters of your post (believe me, I wish I had found it days ago/it would have saved me a lot of time) but I do want to point out the difference in our configs.


My configuration differs on your "Configure Claims" 2nd bullet:
Instead of "Add a group claim" I used "Add new claim" with the claim name "Group" (i.e. the default http://schemas.xmlsoap.org/claims/Group) / source=Attribute / attribute value "user.assignedroles".
*I did not need to change the default URL in VBEM > SAML Configuration>Advanced settings.

On the VBEM 'App Registration' in Entra, I created a new role under 'App Roles' with an 'Allowed member types' of 'Users/Groups' and the 'Value' matching my exact 'External Group/SSO control group' name. I then assigned that new 'App Role' to my 'SSO control group' on the 'Enterprise application' 'Users and groups' page.


Prior to making the 'App registration/App role' change, my group claim was not being passed in the SAML token. After this change I observed the group claim in the 'Veeam.WebApp.log' and my group members are now able to SSO/Auth from both the VBEM web portal as well as the M365 published app.

I'm curious, did your support case ever have you looking at the 'App registration/App Roles' config as I've mentioned here?