v10 SAML2 Groups configuration

[BrianBuchanan]

I'm struggling to get Veeam 10 EM to do External Group authentication via SAML2.

I've gotten to the point where I can add individual users to Veeam EM Roles and then they can login, but not if I just specify the Role they've been assigned in Azure AD Enterprise Applications.

My App Registration, Manifest includes

Code: Select all

"appRoles": [
	{
		"allowedMemberTypes": [
			"User"
		],
		"description": "Portal Administrator",
		"displayName": "Portal Administrator",
		"id": "c8332f62-684a-4a6f-96f6-0a9dc7dc402b",
		"isEnabled": true,
		"lang": null,
		"origin": "Application",
		"value": "PortalAdministrator"
	},

The User has been assigned that role and I've added the External Group PortalAdministrator (the value field in the manifest) with no success. I've also tried PortalAdministrator@{domain alias} (not the .onmicrosoft.com tenant name)

my Svc.VeeamBES.log includes:

Code: Select all

[06.03.2020 12:16:50] <48> Info     [Web] Opening session with id [03cb211e-c3be-4b84-xxxx-xxxxxxxxxxxx]
[06.03.2020 12:16:50] <48> Info     Opening session with id [03cb211e-c3be-4b84-xxxx-68550b99039d]
[06.03.2020 12:16:50] <48> Info     Application url: https://veeam.{fqdn}/
[06.03.2020 12:16:50] <48> Info     [SAML] EntityId: https://veeam.{fqdn}/Saml2, Return url: https://veeam.{fqdn}/
[06.03.2020 12:16:50] <48> Info     Validating SAML token
[06.03.2020 12:16:50] <48> Info     Token is valid
[06.03.2020 12:16:50] <48> Info     Logon as new user {my-email}. Session [s22]
[06.03.2020 12:16:50] <48> Info     No associated user accounts found. User: {my-email}
[06.03.2020 12:16:50] <48> Error    User '{my-email}' does not have any roles assigned (System.UnauthorizedAccessException)
[06.03.2020 12:16:50] <48> Error       at Veeam.Backup.Enterprise.Core.CAuthorizationManager.CreateUserContextForExternalSession(CSecurityConfig securityHive, CExternalUserInfo externalUser)
[06.03.2020 12:16:50] <48> Error       at Veeam.Backup.EnterpriseService.CExternalClientSession..ctor(Guid sessionId, CSessionName sessionName, CEnterpriseRegistryOptions options, CEnterpriseSvcManagers svcMngrs, CExternalUserInfo externalUserInfo)
[06.03.2020 12:16:50] <48> Error       at Veeam.Backup.EnterpriseServices.CReportingService.OpenExternalSession(CExternalUserInfo userInfo, CSessionReConnectInfo sessionInfo)
[06.03.2020 12:16:50] <48> Error    Error opening session. SessionId: [03cb211e-c3be-4b84-xxxx-xxxxxxxxxxxx]
[06.03.2020 12:16:50] <48> Error    User '{my-email}' does not have any roles assigned (System.UnauthorizedAccessException)
[06.03.2020 12:16:50] <48> Error       at Veeam.Backup.Enterprise.Core.CAuthorizationManager.CreateUserContextForExternalSession(CSecurityConfig securityHive, CExternalUserInfo externalUser)
[06.03.2020 12:16:50] <48> Error       at Veeam.Backup.EnterpriseService.CExternalClientSession..ctor(Guid sessionId, CSessionName sessionName, CEnterpriseRegistryOptions options, CEnterpriseSvcManagers svcMngrs, CExternalUserInfo externalUserInfo)
[06.03.2020 12:16:50] <48> Error       at Veeam.Backup.EnterpriseServices.CReportingService.OpenExternalSession(CExternalUserInfo userInfo, CSessionReConnectInfo sessionInfo)
[06.03.2020 12:16:50] <48> Error       at Veeam.Backup.EnterpriseServices.CEnterpriseWebService.OpenExternalSession(CExternalUserInfo userInfo, CSessionReConnectInfo sessionInfo)

From the above it looks like it's only checking the name and not checking my SAML2 roles?

[Gostev]

That is correct. Their role is defined in the Veeam Enteprise Manager configuration. I'm not sure I understand how would we use their role that is specified in Azure AD Enterprise Applications?

[BrianBuchanan]

Just going to change the names just a little bit for clarification.

I would like to allow access to EM for all users who are a member of the Azure AD group "M-IT Enterprise System Engineers". Members of that group should be assigned the Role "Portal Administrators".

I added the Group in Enterprise Applications, giving it the Manifest role "Veeam Admin"


I have added this stanza to "appRoles" in the App Manifest to create "Veeam Admin"

Code: Select all

		{
			"allowedMemberTypes": [
				"User"
			],
			"description": "Veeam Admin",
			"displayName": "Veeam Admin",
			"id": "b84bc4ad-b9bb-4b44-a8b6-b12e173b5be2",
			"isEnabled": true,
			"lang": null,
			"origin": "Application",
			"value": "VeeamAdmin"
		},

Then I added both "M-IT Enterprise System Engineers" and "VeeamAdmin" as External Groups in enterprise Manager (In other apps we've had to specify the "value" field from the Manifest.


My thinking is that any member of the Azure AD Group "M-IT Enterprise System Engineers" will be able to log into Enterprise Manager, as they are assigned the role "Veeam Admin" (with the value VeeamAdmin in the manifest) and VeeamAdmin is granted Portal Administrator in EM. However, I'm getting "Access is denied."

Obviously I'm mixed up somewhere. I'm hoping I don't have to add each individual user to EM.

[BrianBuchanan]

Tech Support (Case #04048777) pointed me to https://helpcenter.veeam.com/docs/backu ... ml?ver=100 where I found this statement under "How it works"

The user accesses Veeam Backup Enterprise Manager web UI under an account of the External type. The account must be registered in advance in Enterprise Manager by the Enterprise Manager administrator.

"...account must be registered in advance...". I was really hoping to grant access by group without registering each admin in advance, but that does match the behaviour I'm seeing. I suppose I could make a feature request?

[Gostev]

You need to configure Azure AD to make "Veeam Admin" role land in the Group claim of SAML token. I don't know how it's done in Azure AD Enterprise Applications, but devs say normally there is a way to create attribute transformation rule for SAML tokens. Here are the Veeam requirements for external groups to work > Step 4. Thanks!

[EDIT] Just saw your other post... this quote is about external accounts, not about external groups. So, it's not relevant to what you're trying to do.

[BrianBuchanan]

Quick follow-up with a new caveat. If I launch Veeam Enterprise Manager via the icon on https://myapps.microsoft.com/ everything works great.

However If I enter my e-mail address to the EM login prompt, which triggers the SSO, it fails with this:

AADSTS75011: Authentication method 'MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password'. Contact the Veeam Enterprise Manager application owner.

Could Veeam support "MultiFactor" SAML authentication method? (perhaps in addition to 'Password'?)

[Gostev]

Veeam merely consumes the user authentication result from an identity provider (IdP). Actual authentication happens on the IdP side, where I assume you can implement as many additional factors as required... heck, you can even require at least 10000 daily steps on your Fitbit as one of the factors

[Gostev]

Oh, I think I misunderstood you. Let me check with the devs, as it's not expected for me that we require certain specific authentication type.

[Gostev]

Looks like this is the default setting for the SAML library we're using. Perhaps we should make it an option. As a workaround, please try switching the "Authentication context comparison" setting to "Minimum" in the SAML Advanced Settings dialog in Veeam, and see if that helps. Thanks!

[BrianBuchanan]

Group Login is working! The AD FS docs you linked, and my coworker pointing me to the Single sign-on configuration in Azure Enterprise Applications got me going in the right direction.

Enterprise Application, Single sign-on, "User Attributes & Claims", edit.
1. Add new claim
a. Name: http://schemas.xmlsoap.org/claims/Group
b. Source: Attribute
c. Source attribute: user.assignedroles

This works with "VeeamAdmin" setup as an external group, with that value set in the role defined in the Manifest for the App Registration.

The login still only works when launched from https://myApps.microsoft.com/ with the "Multifactor" authentication method error when entering my e-mail address into the EM login.

[BrianBuchanan]

I changed the Authentication Context Comparison to Minimum (and maximum and better) and I immediately get this error, before even seeing the login prompt.

AADSTS900235: SAML authentication request's RequestedAuthenticationContext Comparison value must be 'exact'. Received value: 'Minimum'.

[Gostev]

I've checked with the QC folks behind this feature. Apparently, they did test our SAML integration with standard Azure MFA (Password + Authenticator), and this was working fine for them. By the way, this is what we're using internally here at Veeam anyway

So at this point, your issue will need to follow the usual support process. If necessary, support will escalate it to R&D for the hotfix.

Thanks!

[olafurh]

Did someone manage to get this fixed or has a case number to refer to?

Testing MFA from a logged-in console (AzureAD Enterprise application test function) works 100% but signing in with a username (user@azureaddomain.biz+mfa) in EA results in Access denied just as @BrianBuchanan describes. I see the groups claim is being passed correctly via Veeam.WebApp.log and the groups is defined as an External Group...

[S_Matasic]

This helped me resolve an issue we were having with Group SAML authentication with our IdP. We are a CSP with our own IdP solution, so it was a little tricky to get it to work. What I found was under the VEM SAML settings, under Advanced Settings, you can change the Group claim type. By default it is "http://schemas.xmlsoap.org/claims/Group" as indicated by Brian.

I changed it to just "Group". Then, in our IdP App Connector config set the following:
ValueID: The users UPN / Email

Then created a new Attribute called "Group" and had to set a filter rule that basically ran a check to see if the user is a member of an AD group, for example "VEM-Admins". If they were a member of the AD group "VEM-Admins" then it returned the value "VEM-Admins". I looked at the WebApp log on the VEM Server and could see that value getting returned as an addition attribute. Once we added an external group called "VEM-Admins" we were able to log in via SAML, both SP and IdP initiated.

This thread was a life saver, thanks!

Group Login is working! The AD FS docs you linked, and my coworker pointing me to the Single sign-on configuration in Azure Enterprise Applications got me going in the right direction.

Enterprise Application, Single sign-on, "User Attributes & Claims", edit.
1. Add new claim
a. Name: http://schemas.xmlsoap.org/claims/Group
b. Source: Attribute
c. Source attribute: user.assignedroles

This works with "VeeamAdmin" setup as an external group, with that value set in the role defined in the Manifest for the App Registration.

The login still only works when launched from https://myApps.microsoft.com/ with the "Multifactor" authentication method error when entering my e-mail address into the EM login.

[krayzenvy]

@S_Matasic

Currently working on getting this to work and everything you mentioned makes sense but no go so far.
I must be missing something.

I have configured Group in the Enterprise application with claim condition to bring back the value of the name of the group.

Where can i find the WebApp logs to confirm the value is coming back on the VEM server? I checked in IIS log but nothing like the value is mentioned so must be looking in the wrong place.
I also noticed you mentioned configuring ValueID? Is that the same as Name ID for required claims?

Im missing something and just dont immediately see it. In the VEM portal the groups used match the value set and under advanced setting I have "Group" which matched what is in the claim: Group as name and namespace blank. I also am using external group in VEM roles pane.

SSO logs me in but the role is not getting assigned essentially.

Any help would be appreciated, thank you.