-
- Novice
- Posts: 3
- Liked: 1 time
- Joined: Feb 28, 2025 3:18 pm
- Full Name: Sascha Manzo
- Contact:
Setting up Veeam Enterprise Manager with SSO
Hi everyone,
I'm trying to configure our Veeam Backup Enterprise Manager with SAML Authentication and SSO capabilities.
With the help of the SAML Authentication documentation (https://helpcenter.veeam.com/docs/backu ... ml?ver=120), I was able to set up AD FS and VBEM so that users can successfully log on to the VBEM console.
However, since we have a slightly more special environment, the SSO capabilities won't work. Our environment has the following setup:
ADFS domain joined (mydomain.local)
Veeam Components in local workgroup (mydomain.secure)
UPN name standard: firstname.lastname@mydomain.ch
My question now, are there any custom transform/claim rules for AD FS, so that Single Sign-On works successfully?
Thanks in advance
I'm trying to configure our Veeam Backup Enterprise Manager with SAML Authentication and SSO capabilities.
With the help of the SAML Authentication documentation (https://helpcenter.veeam.com/docs/backu ... ml?ver=120), I was able to set up AD FS and VBEM so that users can successfully log on to the VBEM console.
However, since we have a slightly more special environment, the SSO capabilities won't work. Our environment has the following setup:
ADFS domain joined (mydomain.local)
Veeam Components in local workgroup (mydomain.secure)
UPN name standard: firstname.lastname@mydomain.ch
My question now, are there any custom transform/claim rules for AD FS, so that Single Sign-On works successfully?
Thanks in advance
-
- Veeam Software
- Posts: 2813
- Liked: 641 times
- Joined: Jun 28, 2016 12:12 pm
- Contact:
Re: Setting up Veeam Enterprise Manager with SSO
Hi Sascha, welcome to the forums.
Can you elaborate a bit more on what doesn't work specifically with SSO? Have you already opened a Support Case for the issue? If so, please share the case number.
There are some changes to the config addressing a lot of SSO configurations, but I think starting with what's not working and the specific errors in a Support case are the best first step.
Can you elaborate a bit more on what doesn't work specifically with SSO? Have you already opened a Support Case for the issue? If so, please share the case number.
There are some changes to the config addressing a lot of SSO configurations, but I think starting with what's not working and the specific errors in a Support case are the best first step.
David Domask | Product Management: Principal Analyst
-
- Novice
- Posts: 3
- Liked: 1 time
- Joined: Feb 28, 2025 3:18 pm
- Full Name: Sascha Manzo
- Contact:
Re: Setting up Veeam Enterprise Manager with SSO
Hi David,
Thanks for the response. Sorry for the late reply.
As of now, no Case was opened about that issue.
We are not getting any error messages, neither on the Veeam Enterprise Manager nor on the AD FS server.
When I start the login process by clicking the "Use Single Sign-On" button, I get the login page of our AD FS. After entering the correct login information, I am successfully redirected to the Enterprise Manager.
So the basic configuration on both the Enterprise Manager and the AD FS side should be correct.
The problem is that our domain does not match the domain in the UPN. Our UPN is as follows: firstname.lastname@mydomain.ch. Our domain, however, is mydomain.local.
Is there a way to adjust the rules on the AD FS so that the email address is used as the login attribute instead of the UPN?
Cheers,
Sascha
Thanks for the response. Sorry for the late reply.
As of now, no Case was opened about that issue.
We are not getting any error messages, neither on the Veeam Enterprise Manager nor on the AD FS server.
When I start the login process by clicking the "Use Single Sign-On" button, I get the login page of our AD FS. After entering the correct login information, I am successfully redirected to the Enterprise Manager.
So the basic configuration on both the Enterprise Manager and the AD FS side should be correct.
The problem is that our domain does not match the domain in the UPN. Our UPN is as follows: firstname.lastname@mydomain.ch. Our domain, however, is mydomain.local.
Is there a way to adjust the rules on the AD FS so that the email address is used as the login attribute instead of the UPN?
Cheers,
Sascha
-
- Lurker
- Posts: 2
- Liked: 2 times
- Joined: Mar 06, 2025 5:06 pm
- Full Name: Quinn Van Order
- Contact:
Re: Setting up Veeam Enterprise Manager with SSO
The domain mismatch will break SAML, however you can change what VBEM passes as its domain to resolve this.
Note: Every time you update Veeam, it will flatten this, and you will need to remember to fix this! @Veeam Devs, please make it so updates dont blast this!
- Make a copy of the file C:\Program Files\Veeam\Backup and Replication\Enterprise Manager\WebApp\Web.config
- Then edit the original, remove the comments from the line: <!--<add key="applicationUrl" value=https://localhost:9443//>-->
- Replace with your FQDN, making sure to keep the relevant port at the end
- Save the file, go to IIS and restart “VeeamBackup”
Note: Every time you update Veeam, it will flatten this, and you will need to remember to fix this! @Veeam Devs, please make it so updates dont blast this!
-
- Novice
- Posts: 3
- Liked: 1 time
- Joined: Feb 28, 2025 3:18 pm
- Full Name: Sascha Manzo
- Contact:
Re: Setting up Veeam Enterprise Manager with SSO
Hi Quinn
Thank you for the instructions.
I have already made this setting and tested it. Generally, the SAML authentication works, but not the Single Sign-On.
As I understand SSO correctly, my Windows login data is used and forwarded to VBEM / AD FS.
However, our UPN contains a different domain suffix than our domain, so the authentication cannot be performed with SSO and I am redirected to the AD FS login page.
Cheers,
Sascha
Thank you for the instructions.
I have already made this setting and tested it. Generally, the SAML authentication works, but not the Single Sign-On.
As I understand SSO correctly, my Windows login data is used and forwarded to VBEM / AD FS.
However, our UPN contains a different domain suffix than our domain, so the authentication cannot be performed with SSO and I am redirected to the AD FS login page.
Cheers,
Sascha
Who is online
Users browsing this forum: Bing [Bot], Google [Bot], pybfr and 54 guests