Solved

Okta and Commcell Access

  • 23 September 2024
  • 6 replies
  • 70 views


Hello, we recently ran through a Security Health Review with a third party, and it was advised that we turn on MFA for Commvault. I worked with our Infosec team and got Okta set up on our Commvault Command Center.

However, I was wondering how do I get the Commcell to automatically redirect to Okta when someone is logging into the Commcell, while inside the server, or using the Jar file?

I know there is the ‘Login with Command Center’ link, however, I can put my username and password in, and I get in fine (without an Okta prompt).  Is there a way to force the ‘Login’ link?

We are on version 11.32.63.

Thanks!


  • Vaulter
  • 232 replies
  • September 25, 2024

Not sure if this is the documentation you have followed, but you will need to add OKTA as an IdP

 

https://documentation.commvault.com/2023e/essential/using_okta_as_your_identity_provider_03.html

 

Login request should be handled by OKTA for any user based on that IdP


  • Byte
  • 55 replies
  • September 27, 2024

Hello @Brent Atwood,

 

Commvault has never supported identity providers (SAML or others) that need a redirect in the Java GUI. As it is going away, this will never be implemented.

We disabled Java GUI access for anyone except Commcell admins, and they have two-factor enabled (Google Auth).


  • Author
  • Byte
  • 7 replies
  • September 27, 2024

Thank you @Javier, that was the documentation that we used when setting up Okta.

@mikevg, is it possible to have two-factor enabled on specific accounts and still have Okta enabled for those accounts when they use the Command Center?

 

Thanks!


  • Byte
  • 55 replies
  • September 27, 2024

I am not sure, maybe try it out on a test account?

 

Our Commcell (platform) admins require TFA and all other (regular/tenant) users come from an identity provider. So we do not have that scenario you mention.


Onno van den Berg
  • Commvault Certified Expert
  • 1193 replies
  • Answer
  • September 28, 2024

Actually, the CommCell console does support SAML, so OKTA should work as well. You should of course take into account implementing a break-glass procedure to make sure you can still access the environment in case the SAML provider is not reachable.

Some links: https://documentation.commvault.com/2024e/expert/configuring_provider_metadata_for_saml_integration.html

Also on the community: 

Unfortunately, the mentioned setting appears to be a hidden setting: forcemodernauthentication


  • Author
  • Byte
  • 7 replies
  • September 30, 2024

Thank you @Onno van den Berg. That worked perfectly!

For those in need, here is the Additional Setting:

Name: forceModernAuthentication

Category: CommServDB.Console

Type: Boolean

Value: true

I applied this setting to user groups; that way I could keep my break-glass account separate from this setting.

 

