Setting up Veeam Enterprise Manager with SSO

[ManS]

Hi everyone,

I'm trying to configure our Veeam Backup Enterprise Manager with SAML Authentication and SSO capabilities.
With the help of the SAML Authentication documentation (https://helpcenter.veeam.com/docs/backu ... ml?ver=120), I was able to set up AD FS and VBEM so that users can successfully log on to the VBEM console.

However, since we have a slightly more special environment, the SSO capabilities won't work. Our environment has the following setup:

ADFS domain joined (mydomain.local)
Veeam Components in local workgroup (mydomain.secure)
UPN name standard: firstname.lastname@mydomain.ch

My question now, are there any custom transform/claim rules for AD FS, so that Single Sign-On works successfully?

Thanks in advance

[david.domask]

Hi Sascha, welcome to the forums.

Can you elaborate a bit more on what doesn't work specifically with SSO? Have you already opened a Support Case for the issue? If so, please share the case number.

There are some changes to the config addressing a lot of SSO configurations, but I think starting with what's not working and the specific errors in a Support case are the best first step.

[ManS]

Hi David,

Thanks for the response. Sorry for the late reply.
As of now, no Case was opened about that issue.


We are not getting any error messages, neither on the Veeam Enterprise Manager nor on the AD FS server.
When I start the login process by clicking the "Use Single Sign-On" button, I get the login page of our AD FS. After entering the correct login information, I am successfully redirected to the Enterprise Manager.
So the basic configuration on both the Enterprise Manager and the AD FS side should be correct.

The problem is that our domain does not match the domain in the UPN. Our UPN is as follows: firstname.lastname@mydomain.ch. Our domain, however, is mydomain.local.
Is there a way to adjust the rules on the AD FS so that the email address is used as the login attribute instead of the UPN?

Cheers,
Sascha

[quinnvanorder_cariad]

The domain mismatch will break SAML, however you can change what VBEM passes as its domain to resolve this.

• Make a copy of the file C:\Program Files\Veeam\Backup and Replication\Enterprise Manager\WebApp\Web.config

• Then edit the original, remove the comments from the line: <!--<add key="applicationUrl" value=https://localhost:9443//>-->

• Replace with your FQDN, making sure to keep the relevant port at the end

• Save the file, go to IIS and restart “VeeamBackup”

After having done so, within the VBEM Configuration > Settings > SAML Authentication page, you should see the domain reflect at the bottom in the 'SP Entity ID / Issuer' section.

Note: Every time you update Veeam, it will flatten this, and you will need to remember to fix this! @Veeam Devs, please make it so updates dont blast this!

[ManS]

Hi Quinn

Thank you for the instructions.

I have already made this setting and tested it. Generally, the SAML authentication works, but not the Single Sign-On.

As I understand SSO correctly, my Windows login data is used and forwarded to VBEM / AD FS.
However, our UPN contains a different domain suffix than our domain, so the authentication cannot be performed with SSO and I am redirected to the AD FS login page.

Cheers,
Sascha