This documentation will help you integrate your identity services with CrashPlan, offered by Code42 through Internet2's NET+ program. The relevant sections of the NET+ Identity Guidance for Services are cited in parentheses where they apply.
Discovery and Authentication
The CrashPlan client is configured to communicate with a backup server according to a configuration file, and the backup server is in turn configured to point to the IdP. An organization can distribute this configuration file to its users by including it in a deployment package. Session initiation is performed by accessing the SP, which issues a SAML 2.0 AuthnRequest that the user's client delivers to the IdP (1.1.2).
On first launch, users must select "Existing Account", then check the box labeled "Login with Single-Sign-On" and enter their credentials. The client acts as a web browser and performs the actual authentication transaction, delivering the resulting assertion to the organization's CrashPlan server.
Each CrashPlan PROe server can only use a single identity provider at this time.
CrashPlan expects to receive a username similar to uid. The default mappings of SAML attribute names to the attributes CrashPlan understands are listed below.
Recommended SAML Attribute Name
The server administrator can customize the mappings of SAML attribute name to CrashPlan attribute.
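The exchange described above, reduced to what the server does with the attributes it receives, as an added example that is not part of this page or of Code42's SP code: it builds the AuthnRequest the SP hands to the client, then takes a constructed, unsigned Response and applies the attribute mapping, rejecting a login whose assertion carries no usable username, and shows the administrator remapping the username to a different attribute. The entityID, URLs and attribute OIDs are assumed placeholders, and XML signature verification is deliberately left out because it is the step a real SP must perform before any of these checks.

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Assumed placeholders; the real values come from the PROe server and the IdP.
SP_ENTITY_ID = "https://crashplan.example.edu/sp"
ACS_URL = "https://crashplan.example.edu/saml/acs"
IDP_SSO_URL = "https://idp.example.edu/idp/profile/SAML2/POST/SSO"

# Assumed default mapping (CrashPlan field -> SAML attribute name). The page
# only says the username is uid-like and that the administrator can remap it.
DEFAULT_MAPPING = {
    "username": "urn:oid:0.9.2342.19200300.100.1.1",  # uid
    "email": "urn:oid:0.9.2342.19200300.100.1.3",     # mail
    "lastName": "urn:oid:2.5.4.4",                     # sn
}

def build_authn_request(sp_entity_id, acs_url, idp_sso_url):
    """SP side of step 1: the AuthnRequest the client carries to the IdP. The SP
    must keep request_id so it can check InResponseTo on the Response."""
    request_id = "_" + uuid.uuid4().hex
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(req, encoding="unicode")

def map_attributes(response_xml, sp_entity_id, request_id, mapping=DEFAULT_MAPPING):
    """SP side of step 2: confirm the Response answers our request and is meant
    for us, then rename the released attributes to the mapped CrashPlan fields.
    Signature verification is NOT shown: a real SP verifies the assertion against
    the IdP metadata first, otherwise none of the checks below mean anything."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != request_id:
        raise ValueError("Response does not answer our AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions not handled here)")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("Assertion was issued for a different SP")
    received = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        received[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    user = {}
    for field, saml_name in mapping.items():
        values = received.get(saml_name, [])
        if field == "username" and len(values) != 1:
            # Without exactly one username the server cannot identify the account.
            raise ValueError(f"username attribute {saml_name} missing or multi-valued")
        if values:
            user[field] = values[0]
    return user

def sample_response(request_id, sp_entity_id, attrs):
    """Constructed, unsigned IdP Response for this example (not a real message)."""
    parts = []
    for name, values in attrs.items():
        vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        parts.append(f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>')
    attr_xml = "".join(parts)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" InResponseTo="{request_id}">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{sp_entity_id}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def login_attempt(attrs, mapping=DEFAULT_MAPPING):
    """One SP-initiated login against a constructed Response: returns the mapped
    user dict, or the rejection reason as a string."""
    req_id, _ = build_authn_request(SP_ENTITY_ID, ACS_URL, IDP_SSO_URL)
    try:
        return map_attributes(sample_response(req_id, SP_ENTITY_ID, attrs),
                              SP_ENTITY_ID, req_id, mapping)
    except ValueError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    uid, mail = DEFAULT_MAPPING["username"], DEFAULT_MAPPING["email"]
    print(login_attempt({uid: ["jdoe"], mail: ["jdoe@example.edu"]}))   # mapped user
    print(login_attempt({mail: ["jdoe@example.edu"]}))                  # rejected: no uid
    # Administrator remapped username to eduPersonPrincipalName (assumed OID).
    eppn = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
    print(login_attempt({eppn: ["jdoe@example.edu"]}, dict(DEFAULT_MAPPING, username=eppn)))
```

The username check is the one that matters operationally: whatever attribute the administrator maps to username, the IdP must release exactly one value of it to this SP, or the client's login cannot be tied to an account. The InResponseTo and Audience checks are what stop a Response captured from another SP, or replayed out of context, from being accepted.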
Any user who can authenticate to the IdP is considered eligible for backup service through CrashPlan; the server does not filter on attributes, so restricting eligibility has to be done at the IdP (for example, by releasing the attribute mapped to the username only to entitled users). Organizational membership within CrashPlan can be configured in the administrative interface but cannot be mapped from a user attribute.
Authentication to the administrative portions of the CrashPlan server and its web interface can use single sign-on or direct authentication, and this is configured independently of the authentication used by backup clients.
Users can be provisioned to the CrashPlan server dynamically in the front channel when the CrashPlan client software is installed, or in bulk through the administrative interface or by importing bulk formats such as CSV files.
Users are not deprovisioned automatically; administrators must deprovision them manually in the CrashPlan application.
Because the CrashPlan client is a continuously running backup agent, it does not support logout. The CrashPlan web interface does allow users to log out of the web interface itself.
The PROe server has a native SAML SP implementation. Shibboleth was the reference implementation used for the development of this SP.
The PROe server publishes automatically generated metadata about itself at a URL that the identity provider can use, though manual editing of that metadata file may be required in some instances. The SP will load identity provider metadata from a URL configured by the PROe server administrator.
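A pre-flight check an operator can run on the SP metadata the PROe server publishes before handing its URL to the IdP, added here as an example and not part of this page or of Code42's tooling. The metadata below is constructed with a placeholder entityID, URLs and a truncated certificate; the checks are generic SAML 2.0 metadata requirements that an IdP will trip over, not a list of edits CrashPlan specifically needs.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def check_sp_metadata(xml_text, now=None):
    """Return a list of problems an IdP operator would hit loading this
    descriptor; an empty list means it is usable as published."""
    now = now or dt.datetime.now(dt.timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("entityID attribute is missing")
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = dt.datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            problems.append(f"metadata expired at {valid_until}; the IdP will refuse to load it")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no SPSSODescriptor; this is not SP metadata"]
    if SAML2 not in sp.get("protocolSupportEnumeration", "").split():
        problems.append("SPSSODescriptor does not declare SAML 2.0 support")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not any(a.get("Binding") == HTTP_POST for a in acs):
        problems.append("no AssertionConsumerService with the HTTP-POST binding")
    for a in acs:
        loc = a.get("Location", "")
        if not loc.startswith("https://"):
            # The IdP would POST the assertion to this URL in the clear.
            problems.append(f"AssertionConsumerService Location is not https: {loc}")
    certs = sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        problems.append("no X509Certificate in any KeyDescriptor; the IdP cannot "
                        "encrypt assertions to this SP or verify signed requests")
    return problems

# Constructed sample of what an SP might publish (placeholders, truncated cert).
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://crashplan.example.edu/sp"
  validUntil="2099-01-01T00:00:00Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...truncated...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://crashplan.example.edu/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The same descriptor with an http ACS endpoint and an already-past validUntil.
BAD_METADATA = (GOOD_METADATA
                .replace("https://crashplan.example.edu/saml/acs", "http://crashplan.example.edu/saml/acs")
                .replace("2099-01-01T00:00:00Z", "2020-01-01T00:00:00Z"))

def good_report():
    return check_sp_metadata(GOOD_METADATA)

def bad_report():
    return check_sp_metadata(BAD_METADATA)

if __name__ == "__main__":
    print(good_report())   # []
    print(bad_report())    # expired metadata, non-https ACS
```

Run it against the live URL by fetching the document first; the same function applies to the IdP metadata the PROe server is configured to load, except that the descriptor to look for is md:IDPSSODescriptor and the endpoint is md:SingleSignOnService.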
Most of the CrashPlan service is a native application running on users' machines; it authenticates by emulating a web browser for the login flow.
Example Configuration for SAML Implementations
Interoperability has been demonstrated against Shibboleth, PingFederate, and Okta.