Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup and NetBackup Appliances Hardening Guide
  3. Steps to protect NetBackup Flex Scale
  4. About single sign-on (SSO) configuration
  5. Configuring SSO on a NetBackup Flex Scale cluster on which both primary and media servers are deployed
NetBackup and NetBackup Appliances Hardening Guide

Configuring SSO on a NetBackup Flex Scale cluster on which both primary and media servers are deployed

Configuring SSO on NetBackup Flex Scale cluster on which both primary and media servers are deployed involves the following steps:

Table:

Task

Description

Configuring SSO on an NetBackup Flex Scale cluster

See To configure SSO on a cluster on which both primary and media servers are deployed

Adding users/group

See To add users/group in RBAC

Configuring an identity provider

See To configure an identity provider

Logging into NetBackup Flex Scale with SSO

See Login with SSO

Configuring SSO on an NetBackup Flex Scale cluster

To configure SSO on a cluster on which both primary and media servers are deployed

  1. Go to Settings > Security management > Single sign-on (SSO). Click Add.
  2. Give the IDP name and upload the IDP metadata xml and optionally provide the custom user field and group field values. The user field and group field values should be same as configured on the IDP. Click Save.

    The UI displays a message that confirms that the add identity provider task is triggered. You can click View Details to see the progress of the task. Alternatively, you can also click the Recent Activity icon from the top right of the UI to see the status of the most recent operations.

  3. Once the configuration is complete, the SSO identify provider details are displayed on the screen. Click Download service provider xml to download the details and upload it on IDP server, if required.
Adding users/group in RBAC

To add users/group in RBAC

  1. Login to the NetBackup web UI. Go to Security > RBAC.
  2. Select the Appliance Administrator role and select the Users tab.
  3. Add the user/group name with domain and select the user as SAML user or SAML group. Click Add to list.
Configuring an identity provider

To configure an identity provider

  • Login with SSO works only if the configuration on the IDP side is done. Each IDP has different steps for configuration.

    Refer to the following links for the configuration steps for each identity provider.

    • ADFS: Enrolling NetBackup Flex Scale primary server as a service provider to ADFS

    • Azure: Enrolling NetBackup Flex Scale primary server as a service provider to Azure

    • Okta: Enrolling NetBackup Flex Scale primary server as a service provider to Okta

    • PingFederate: Enrolling NetBackup Flex Scale primary server as a service provider to PingFederate

Logging into NetBackup Flex Scale with SSO

Login with SSO

  1. Navigate to infrastructure GUI login page. Click Sign-in with single sign-on (SSO).
  2. Enter SSO credentials and click Sign in.
Limitations

There are some limitations when you configure SSO on a NetBackup Flex Scale cluster on which both primary and media servers are deployed.

  • Identity provider cannot be edited. It can be removed and added again.

  • If the same identity provider is removed and added again with a different name, then all the existing SAML users for that IDP will not be able to login. In such cases, either the admin has to remove and add the SAML users and groups in RBAC again or keep the same name when adding the identity provider.

  • Single logout is not implemented. If SAML users log out of the application, and try to login with SSO again, the user is not asked for their login credentials unless the SSO session has expired. This applies to any other application using the same IDP.

  • If after identity provider configuration, External certificate authority (ECA) is configured, then login with SSO does not work until the identity provider is updated with the latest service provider metadata xml from the NetBackup Flex Scale. This can be done by downloading the service provider metadata xml from Settings > Security > Single-Sign on > Download service provider metadata. This metadata needs to be updated on the IDP side.

  • AD/IDP server date, time, and time zone should be the same as the NetBackup Flex Scale cluster. Else, the SSO login fails.

  • SAML users or the SAML group users cannot login using the NetBackup Flex Scale login screen for a cluster on which both primary and media servers are deployed.

  • SAML users or SAML group users cannot configure multifactor authentication option available in the Security > Multifactor authentication section.

  • If disaster recovery or primary service replication is configured after the SSO is configured on both the primary and secondary clusters, then the identity provider configured on the secondary cluster ceases to exist and the SAML users in its RBAC cannot login using SSO. Only the primary cluster SAML users can login using SSO on both the clusters.

  • If disaster recovery or primary service replication is configured after the SSO is configured on only the secondary cluster, then SSO is unconfigured as its NetBackup primary cluster points to the primary cluster.

  • If SSO is configured after disaster recovery configuration from either the primary or secondary cluster, then it is configured for both the clusters and users can login with SSO for both clusters.

Log location

The logs can be found by logging into the NetBackup Flex Scale CLISH, elevating to root and accessing the logs at:

  • /log/VRTSnas/ nbu_sso_config.log

  • /log/VRTSnas/ isagui_webserver.log

  • /log/VRTSnas/ isagui_sso_config.log

The Table: Common error messages lists the common error messages.

Table: Common error messages

Error message

Description

You are not authorized to access 
this application

User is a valid AD/LDAP and IDP user but does not have the Appliance administrator role in NBU RBAC or the Identity provider was deleted and added again with a different name after adding the SAML users in NetBackup RBAC.

Authentication failed, 
userPrincipalName field not found 
in response

SAML response from the IDP does not contain the user field. This can be due to userPrincipalName field attribute mapping not being created on the IDP side or the custom attribute name is different on the IDP side as provided in the NetBackup Flex Scale.

Unable to get response from 
identity provider

Date and time of Identity provider does not match with NetBackup Flex Scale cluster, Identity provider certificate is not updated with latest NetBackup primary certificate, or the certificate revocation check is not disabled on the identity provider.

Feedback

Was this page helpful?
Previous

About single sign-on (SSO) configuration

Next

Configuring SSO on a NetBackup Flex Scale cluster on which only media servers are deployed

Feedback

Was this page helpful?