Enable and Disable Single Sign-On (SSO) for a Group
Single sign-on (SSO) is a popular solution to maintain security for Admins while providing ease-of-use to end users. SSO allows a user to log in once and access services without re-entering authentication factors.
Backblaze Support for SSO
Backblaze currently allows SSO for the following authentication domains:
- Google GSuite
- Microsoft Office 365
- OpenID (Enterprise Control only)
These providers can in turn accept a credential from another trusted identity provider; popular options include Okta and OneLogin. An SSO credential that works with one of the providers above can therefore also grant access to Backblaze.
As an example, GSuite can accept SSO credentials from third parties. A GSuite SSO domain accepts credentials from Okta or OneLogin. Although Backblaze does not accept Okta or OneLogin's credentials directly, Backblaze SSO does accept GSuite’s credentials. When a user signs in to Backblaze, Backblaze requests a credential from GSuite, and then GSuite (because it accepts Okta or OneLogin's credentials) sends the requested authorization. The user has an SSO from Okta or OneLogin indirectly.
Limitations
Be aware of the following limitations:
- Third-party authentication works directly only with the authentication domains listed above.
- All users in the SSO-enabled group must use SSO to sign on.
- All of the users in the group must have an email address from the same provider that works with SSO. For example, if a group uses GSuite, all of the users within the group must authenticate with GSuite (although multiple GSuite domains are acceptable).
- SSO should be turned on only if all existing users in the group have an account in the authentication domain. If an existing user has an email address that is unable to provide the correct credential, that user will be unable to sign in.
- After SSO is turned on, user emails that are not in the authentication domain cannot be added to the group because they would be unable to sign in.
Backblaze invites administrators to begin with a small test group to ensure that everything goes smoothly.
Enable SSO for a Group
- Sign in to the Backblaze web console.
- In the left navigation menu under Business Groups, click Group Management.
- For the appropriate group, click Edit Group.
- In the dialog, scroll to the Group Single Sign-On field and select a provider.
- In the Domains text field, enter the provider’s domain(s) that the group should support and click Add Domain.
- Click Update Group.
Enable OpenID SSO for Enterprise Control Groups
You must complete the following steps to configure OIDC for your Enterprise Control-enabled Group.
Configure Okta
- Sign in to Okta.
- In the left navigation pane under Applications, select Applications.
- Click Create App Integration.
- Select OIDC - OpenID Connect, select Web Application, and click Next.
This option creates an application for the Backblaze web console and the Backblaze Backup Client.
- Enter and select web app integration details.
  - Enter an App integration name.
  - In the Sign-in redirect URIs section, click x to clear the default value.
  - Click Add URI, and enter each of the following URIs:
    - https://secure.backblaze.com/api/bz_oauth_sso_callback (standard login route)
    - https://secure.backblaze.com/api/bz_oauth_sso_verifier (non-login SSO verification)
  - If you are a Backblaze Computer Backup customer, you must also add the following URIs:
    - urn:ietf:wg:oauth:2.0:oob (handles "unknown" values to avoid unintended errors)
    - http://localhost
    - http://localhost:63631
    - http://localhost:63632
    - http://localhost:63633
    - http://localhost:63634
    - http://localhost:63635
    - http://localhost:63636
    - http://localhost:63637
    - http://localhost:63638
    - http://localhost:63639
    - http://localhost:63640
    - http://localhost:63641
    - http://localhost:63642
    - http://localhost:63643
    - http://localhost:63644
    - http://localhost:63645
    - http://localhost:63646
    - http://localhost:63647
    - http://localhost:63648
    - http://localhost:63649
    - http://localhost:63650
  - In the Sign-out redirect URIs section, click x to clear the default value.
  - Optionally, in the Assignments section, select Allow everyone in your organization to access.
- Click Save.
- In the General tab, copy the values Client ID and Client Secret and paste them into a text file for use in another step.
If you do not use the Mobile App, you do not have to complete the rest of this procedure.
- In the left navigation pane under Applications, select Applications.
- Click Create App Integration.
- Select OIDC - OpenID Connect, select Native Application, and click Next.
- Enter and select native app integration details.
  - Enter an App integration name.
  - In the Sign-in redirect URIs section, click x to clear the default value.
  - Click Add URI, and enter each of the following URIs:
    - com.backblaze.ios://oauth/redirect (iOS configuration)
    - com.backblaze.android://oauth2redirect (Android configuration)
    - urn:ietf:wg:oauth:2.0:oob (handles "unknown" values)
  - In the Sign-out redirect URIs section, click x to clear the default value.
  - Optionally, in the Assignments section, select Allow everyone in your organization to access.
- Click Save.
- In the General tab, copy the Client ID value and paste it into a text file for use in another step.
Configure OpenID SSO in the Backblaze web console
- In the left navigation menu under Business Groups, select Group Management.
- On the Group Management page, locate the group that you want to edit and click Edit Group.
- Under Group Single Sign-On, select OpenID Connect as the Provider.
- Enter the URL of the OpenID Connect issuer or the metadata document (for example, https://{tenant-id}.okta.com).
- Click Auto-discover Endpoints.
- Enter the following SSO IDs that you copied in a previous step:
  - Web Client ID
  - Web Client Secret
  - Native Client ID (If you do not use the Mobile App, you can provide a dummy value.)
- Click Add Domain, and enter all of your organization's SSO domains.
- Click Update Group.
All of the members of the Group can now sign in using OIDC after they enter their email address in the Backblaze web console.
If the admin who configured the Group is already a member, they must verify their ability to sign in using the OIDC provider. They may be redirected to the OIDC sign-in process before they can make updates to the Group.
If the admin is not a member of the Group, they continue to sign in with their original password.
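The two pieces of the OpenID procedure that an admin should understand are what Auto-discover Endpoints fetches from the issuer URL and why every redirect URI (each localhost port included) is registered individually. The following Python is an added example, not Backblaze's or Okta's code: it shows the well-known discovery location, validates a discovery document before trusting its endpoints, and mirrors the exact-match redirect URI check an identity provider performs. The tenant name and the discovery document are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Redirect URIs the procedure above registers for the Okta web application: the callback,
# the verifier, the out-of-band URN and the localhost ports used by the Backup Client.
WEB_REDIRECT_URIS = {
    "https://secure.backblaze.com/api/bz_oauth_sso_callback",
    "https://secure.backblaze.com/api/bz_oauth_sso_verifier",
    "urn:ietf:wg:oauth:2.0:oob",
    "http://localhost",
    *(f"http://localhost:{port}" for port in range(63631, 63651)),
}

# Constructed stand-in for a discovery document; the tenant name is a placeholder and a
# real document is fetched from the issuer's well-known location instead.
ISSUER = "https://example-tenant.okta.com"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth2/v1/authorize",
    "token_endpoint": ISSUER + "/oauth2/v1/token",
    "jwks_uri": ISSUER + "/oauth2/v1/keys",
})


def discovery_url(issuer: str) -> str:
    """Location that endpoint auto-discovery reads for a given issuer URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer: str, raw_document: str) -> dict:
    """Parse a discovery document and return its endpoints only if it is safe to trust."""
    doc = json.loads(raw_document)
    # The issuer inside the document must be the issuer that was configured; a mismatch
    # means the metadata describes some other authorization server.
    if doc.get("issuer", "").rstrip("/") != issuer.rstrip("/"):
        raise ValueError(f"issuer mismatch: configured {issuer!r}, got {doc.get('issuer')!r}")
    endpoints = {}
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        # Authorization codes, tokens and signing keys must only travel over HTTPS.
        if not url or urlsplit(url).scheme != "https":
            raise ValueError(f"{key} missing or not HTTPS: {url!r}")
        endpoints[key] = url
    return endpoints


def redirect_uri_allowed(uri: str, registered: set = WEB_REDIRECT_URIS) -> bool:
    """Mirror the identity provider's exact-string match on redirect URIs: no prefix or
    wildcard logic, which is why every localhost port is registered as its own entry."""
    return uri in registered
```

A trailing slash or an unlisted port fails the redirect URI check, which is the usual cause of a "redirect_uri mismatch" error after a partial Okta configuration.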
Disable SSO for a Group
- Sign in to the Backblaze web console.
- In the left navigation menu under Business Groups, click Group Management.
- For the appropriate group, click Edit Group.
- In the dialog, scroll to the Group Single Sign-On field and disable the SSO provider.
- Click Update Group.
Members of the group are reverted to their previous credentials. Users who had enabled two-factor authentication are returned to two-factor authentication. Members who were added after SSO was enabled may not have an account password, and must reset their password using the Forgot Password? link on the sign-on screen before they can log in.
Change an Email Address in an SSO Group
- Remove the email address from the group using one of the following options:
  - Sign in to your Backblaze administrator account, and remove the member from the group.
  - Ask the member to leave the group.
- Ask the member to sign in to their Backblaze account and change their email address.
  - In the user menu in the upper-right corner of the page, select My Settings.
  - Click Change Email Address.
  - Enter the current password, enter and confirm the new email address, and click Change Email.
- Re-invite the user to the group using the new email address.