
Hello, we recently ran through a Security Health Review with a third party, and it was advised that we turn on MFA for Commvault. I worked with our Infosec team and got Okta set up on our Commvault Command Center.

However, I was wondering how do I get the Commcell to automatically redirect to Okta when someone is logging into the Commcell, while inside the server, or using the Jar file?

I know there is the ‘Login with Command Center’ link; however, I can put my username and password in, and I get in fine (without an Okta prompt). Is there a way to force the ‘Login’ link?

We are on version 11.32.63.

Thanks!

Not sure if this is the documentation you have followed, but you will need to add Okta as an IdP.

 

https://documentation.commvault.com/2023e/essential/using_okta_as_your_identity_provider_03.html

 

Login requests should be handled by Okta for any user based on that IdP.


Hello @Brent Atwood,

 

Commvault has never supported identity providers (SAML or others) that need a redirect in the Java GUI. As it is going away, this will never be implemented.

 

We disabled Java GUI access for anyone except Commcell admins, and they have two-factor enabled (Google Auth).


Thank you @Javier, that was the documentation that we used when setting up Okta.

@mikevg, is it possible to have two-factor enabled on specific accounts and still have Okta enabled for those accounts when they use the Command Center?

 

Thanks!


I am not sure, maybe try it out on a test account?

 

Our Commcell (platform) admins require TFA and all other (regular/tenant) users come from an identity provider. So we do not have that scenario you mention.


Actually, the CommCell console does support SAML, so Okta should work as well. You should of course take into account implementing a break-glass procedure to make sure you can still access the environment in case the SAML provider is not reachable.

Some links: https://documentation.commvault.com/2024e/expert/configuring_provider_metadata_for_saml_integration.html

Also on the community: 

Unfortunately, the mentioned setting appears to be a hidden setting: forcemodernauthentication


Thank you @Onno van den Berg. That worked perfectly!

For those in need, here is the Additional Setting:

Name: forceModernAuthentication

Category: CommServDB.Console

Type: Boolean

Value: true

I applied this setting to user groups; that way I could keep my break glass account separate from this setting.

 

