Solved

How to enforce SAML login for CommCell Console

  • 27 September 2022
  • 6 replies
  • 795 views


I have a customer who has configured SAML within their environment that’s currently on 11.28 (2022E). If they login via the Web Console/Command Center, the SAML authentication is required. Local users are unable to access the environment. However, when logging in via the CommCell Console, users are able to authenticate using either local accounts or SAML and access the environment.

Is there anyway to enforce the use of only SAML on the CommCell Console and not allow local users to authenticate successfully?


Best answer by Amey Karandikar 28 September 2022, 23:51


6 replies


@DMCVault 


@BSircy - Please take a look at the following additional setting.


https://documentation.commvault.com/additionalsetting/details?name=forceSAMLLogin


You can try this setting


@BSircy - Please take a look at the following additional setting.

https://documentation.commvault.com/additionalsetting/details?name=forceSAMLLogin

This setting is only for Command Center and Web Console, not the Java GUI. The correct answer is from Amey above. We will look to document the correct key for this use case.


@Amey Karandikar that key worked. The only potential issue there is if SAML or AD is broken, there is no way to access the environment. Is there a way to either remove the additional setting outside of the GUI or allow a local admin account (not domain accounts) access?


@Amey Karandikar that key worked. The only potential issue there is if SAML or AD is broken, there is no way to access the environment. Is there a way to either remove the additional setting outside of the GUI or allow a local admin account (not domain accounts) access?

This key can be applied at multiple entities: it can be set at the user, user group, company, or CommCell level.

My suggested approach would be to apply this at a group level, and have a secured local "break glass" account that is not a part of the group. So in your scenario you would always have a backup account you can log in with.
