SEAGATE Lyve Cloud Service User Guide

September 20, 2024
Seagate

Lyve Cloud Service

Specifications:

  • Model: Federated Login
  • Authentication Protocol: SAML 2.0

Product Information:

Federated Login provides authentication without revealing user
login credentials to the Lyve Cloud service. It enables users to
use a single authentication method through their organization’s
Identity Provider (IdP) for Lyve Cloud access. Users who sign in
with access to the organization’s domain can directly access the
Lyve Cloud console without a separate login process.

Usage Instructions:

Configuring Federated Login:

To configure Federated Login, follow these steps:

  1. Ensure your organization has an authentication system using the
    SAML 2.0 protocol.

  2. Access the settings within your Lyve Cloud account.

  3. Locate the Federated Login section and enter the required
    information from your organization’s Identity Provider.

  4. Save the settings and test the Federated Login functionality by
    signing in with a user account associated with your
    organization.

Troubleshooting:

If you encounter any issues with the Federated Login
configuration, refer to the Troubleshooting section in the user
manual for guidance on resolving common problems.

FAQ:

Q: What if my organization does not use the SAML 2.0 protocol for authentication?

A: Federated Login requires an authentication system that
supports the SAML 2.0 protocol. If your organization does not
currently use this protocol, you may need to implement a compatible
system or consider alternative authentication methods for Lyve
Cloud access.

Q: Can multiple Identity Providers be configured for Federated Login?

A: The Federated Login feature is designed to work with a single
Identity Provider per organization. If you require multiple
Identity Providers, additional configurations may be needed to
support this setup.

Configuring Federated Login

Contents
1 Overview
2 Security Assertion Markup Language (SAML) Protocol
3 Configuring Lyve Cloud as a SAML Service Provider
    Obtain metadata and certificate from your IdP Administrator
    Configure Lyve Cloud as a service provider
    Add service provider metadata to the identity provider
    Configure the identity provider to send email attribute
        Okta
    Update the metadata file
    Delete an existing IdP configuration
4 Troubleshooting Federated Login
5 Generating XML metadata files for IdP
    Okta
        Prerequisites
        Generate an XML file for Okta
        Retrieve the XML metadata file
6 Logging In to Lyve Cloud as an Okta User
    Add users to Okta
    Log in to Lyve Cloud
        Okta home page
        Embedded link

Overview
Federated Login provides authentication without revealing user login credentials to the Lyve Cloud service. Federated Login enables your users to use a single authentication method with the help of your organization’s Identity Provider (or IdP) for Lyve Cloud.
Once a Lyve Cloud user signs in and has access to your organization’s domain, they have direct access to the Lyve Cloud console without a separate login process. To use the Federated Login feature, your organization must have an authentication system that uses the SAML 2.0 protocol.
To configure Federated Login, contact your organization’s IdP administrator to obtain the metadata file in XML format. Upload this file to configure Federated Login.

Overview

8/13/24

3

Security Assertion Markup Language (SAML) Protocol
The Security Assertion Markup Language (SAML) protocol is an open-standard, XML-based framework for exchanging authentication and authorization data between two parties. The user’s password is never sent to the service: it is presented only to the identity provider, which vouches for the user with a digitally signed assertion.
A Service Provider (SP) agrees to trust the identity provider to authenticate users. An Identity Provider (IdP) authenticates users and sends the service provider an authentication assertion that indicates a user has been authenticated.
In this scenario, Lyve Cloud is the Service Provider that connects to your organization’s Identity Provider to provide Single Sign-On (SSO) access for your users.


Configuring Lyve Cloud as a SAML Service Provider
To configure Lyve Cloud as a SAML service provider:
1. Obtain metadata from your IdP administrator.
2. Configure Lyve Cloud as a service provider.
3. Add service provider metadata to the identity provider.
4. Configure the identity provider to send the email attribute.
5. Update the metadata file.
Obtain metadata and certificate from your IdP Administrator
Contact your organization’s IdP administrator and obtain the IdP metadata file in XML format. The file carries the IdP’s entity ID, its sign-on URL and the X.509 certificate Lyve Cloud uses to verify the IdP’s signatures; you upload it to configure Federated Login.
For more information on generating a metadata file for Okta, see Generating XML Metadata files for IdP.
Configure Lyve Cloud as a service provider
1. Log in to the Lyve Console either as Root or an Admin user. From the top menu, select the Federated Login tab.
2. On the Federated Login page, select Configure.


3. Select Update Metadata file.
4. Navigate to the location of the XML file, select it, and then select Open.
5. After the metadata file is uploaded successfully, the configuration data is displayed with its status (‘Configured’), the name of the identity provider, and the metadata file expiry date. Example:


In addition, the identity provider configuration details are provided. The following attributes are used to configure the IdP:
  • Provider URL
  • Entity ID
Add service provider metadata to the identity provider
1. Add the information to the IdP that allows it to receive and respond to SAML-based authentication requests from the Lyve Cloud service provider. The following instructions are generic; you will need to find the appropriate screens and fields on your identity provider.
2. Locate the screens on the identity provider that allow you to configure SAML.
The IdP must know where to send the SAML assertions after it has authenticated a user. This is the Provider URL in Lyve Cloud; the IdP might call it the Assertion Consumer Service URL or Application Callback URL. The value in front of -saml is the connection name derived from your reseller and tenant names, exactly as displayed on the Federated Login page:
https://authenticate.lyve.seagate.com/login/callback?connection=-saml
The connection URL parameter is required for the identity provider-initiated flow. Copy the value exactly as displayed: if it differs from what the IdP is configured with, the IdP delivers the assertion to the wrong place and the login fails.


Note: If you have custom domains set up, use the custom domain-based URL rather than your Lyve Cloud domain in the following format:
https://authenticate.lyve.seagate.com/login/callback?connection=-saml
3. Enter the entity ID from Lyve Cloud in the Audience or Entity ID field: urn:lyvecloud:--saml
4. If the IdP provides a choice of bindings, select HTTP-Redirect from the Authentication Requests dropdown.
5. The Single Logout Service URL field contains the destination for SAML logout requests and/or responses from the identity provider. Enter https://LYVECLOUD_CONSOLE_URL/signout
Signing Logout Requests: When configuring the IdP, make sure that SAML Logout Requests sent to the service provider are signed. An unsigned logout request carries nothing that proves it came from the IdP, so it could be forged to sign users out; the signature is what lets the service provider act on it safely.
Configure the identity provider to send the email attribute
Lyve Cloud reads an “email” attribute from the identity profile to identify the user. Some IdPs send “email” by default, while others require you to configure it.
Okta
Okta must be configured to send an email attribute.
1. Select Applications from the sidebar, and then select Applications.
2. Select the application to edit, and then select General.
3. Select Edit in ‘SAML settings’.
4. Leave the ‘General Settings’ as they are and select Next.
5. In the ‘Attribute Statements (optional)’ section, select Add Another and set the attribute as follows:
Name = email
Value = user.email


Update the metadata file
You will need to update the metadata file before the certificate it contains expires; the expiry date is shown on the Federated Login page next to the configuration. Contact your IdP administrator to get the updated XML file. If you make any updates and regenerate metadata.xml, you must delete the old metadata file before uploading the updated file. If you upload the file without first deleting the old file, it may not replace the old configuration.
1. From the top menu, select the Federated Login tab.
2. On the Federated Login page, select Update Metadata file.
3. Navigate to the location of the updated XML file. Select the file, and then select Open.
After the metadata file is uploaded successfully, the configuration data is displayed along with its status (‘Configured’), the name of the identity provider, and the metadata file expiry date.
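The expiry that this step and the metadata obtained in the first step are about can be checked before upload. The following Python script is an added example, not part of the Lyve Cloud documentation or product: it parses an IdP metadata file, lists the SingleSignOnService bindings (to confirm HTTP-Redirect is offered), reads the optional validUntil attribute, and extracts the notAfter date of the signing certificate with a minimal DER walker so it can warn when a new metadata file is due. The embedded metadata, its Okta-style entity ID and URLs, and the certificate skeleton are constructed for the example (the skeleton has no key or signature, only the fields the walker visits); the 30-day warning threshold is an assumption.

```python
"""Inspect a SAML IdP metadata file: SSO bindings, validUntil and signing-certificate expiry."""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _der_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = value.decode()
    if tag == 0x17:                                 # RFC 5280: two-digit years pivot at 1950
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (RFC 5280 section 4.1)."""
    _, cert, _ = _tlv(der, 0)                       # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                       # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, after_version = _tlv(tbs, 0)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        pos = after_version
    for _ in range(3):                              # serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)                 # Validity ::= SEQUENCE { notBefore, notAfter }
    _, _, pos = _tlv(validity, 0)
    tag, value, _ = _tlv(validity, pos)
    return _der_time(tag, value)


def _iso(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def inspect_idp_metadata(xml_text, now=None, warn_days=30):
    """Summarise an IdP metadata file and warn when it is within warn_days of expiry."""
    now = _iso(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    report = {"entity_id": root.get("entityID"), "sso": {}, "warnings": []}
    for svc in idp.findall("md:SingleSignOnService", NS):
        report["sso"][svc.get("Binding")] = svc.get("Location")
    if REDIRECT not in report["sso"]:
        report["warnings"].append("IdP offers no HTTP-Redirect SingleSignOnService binding")
    deadlines = []
    if root.get("validUntil"):
        report["valid_until"] = _iso(root.get("validUntil"))
        deadlines.append(("metadata validUntil", report["valid_until"]))
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            report["cert_not_after"] = cert_not_after(base64.b64decode("".join(cert.text.split())))
            deadlines.append(("signing certificate notAfter", report["cert_not_after"]))
    if "cert_not_after" not in report:
        report["warnings"].append("no signing certificate in metadata")
    if deadlines:
        what, when = min(deadlines, key=lambda d: d[1])
        report["days_left"] = (when - now).days
        if report["days_left"] < warn_days:
            report["warnings"].append(f"{what} {when:%Y-%m-%d} is within {warn_days} days: "
                                      "request a new metadata file from the IdP administrator")
    return report


# ---- constructed sample input (not a real tenant, not a real certificate) ----
def _der(tag, content):
    """Minimal DER encoder, used only to build the sample certificate below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Skeleton with only the fields the walker visits: version, serial, empty signature
# algorithm and issuer, and a validity of 2024-08-13 to 2025-08-13.
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
            + _der(0x30, b"") + _der(0x30, _der(0x17, b"240813000000Z") + _der(0x17, b"250813000000Z")))
_CERT_B64 = base64.b64encode(_der(0x30, _TBS + _der(0x30, b"") + _der(0x03, b"\x00"))).decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://www.okta.com/exk0example" validUntil="2026-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://example.okta.com/app/example/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example.okta.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run it against a real metadata file by reading the file into `inspect_idp_metadata`; the earliest of validUntil and the certificate’s notAfter is what drives the warning, which is the date to put in the calendar for the next upload. Okta metadata normally has no validUntil, so the certificate date is the one that matters there.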
Delete an existing IdP configuration
To delete an IdP configuration:
1. From the top menu, select the Federated Login tab.
2. On the Federated Login page, select Delete IdP.
3. In the Delete IdP dialog, select Delete.


Troubleshooting Federated Login
If your application doesn’t work the first time, clear your browser history and cookies before you test again. Otherwise the browser may not pick up the latest version of the page, or it may hold outdated cookies that affect the login sequence.
To troubleshoot Federated Login:
  • Capture an HTTP trace of the interaction. Use any available tool to capture the HTTP traffic from your browser for analysis (search for “HTTP trace” if you need one). Capture the login sequence from start to finish, and analyze the sequence of requests to determine how much of it succeeded. You should see: a redirect from your original site to the service provider and then to the identity provider; a POST of credentials, if you had to log in; a redirect back to the callback URL of the service provider; and finally a redirect to the callback URL specified in your application.
  • Ensure that cookies and JavaScript are enabled in your browser.
  • Check that the callback URL specified by your application in its authentication request is listed in the Allowed Callback URLs field.
  • The http://samltool.io tool can decode a SAML assertion and is a useful debugging tool. Note that an assertion contains the user’s identity (the NameID and the email attribute) and, once pasted there, is in the hands of a third party; decode it locally instead if your organization treats that data as sensitive.
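The values this guide asks you to enter at the IdP (Provider URL, Entity ID, HTTP-Redirect binding, email attribute) are exactly the fields that appear in the trace. The following Python script is an added example, not part of the Lyve Cloud documentation or of the samltool.io tool: it encodes and decodes the HTTP-Redirect binding (DEFLATE, base64, URL-encoding) and the HTTP-POST binding (plain base64) so a captured SAMLRequest or SAMLResponse can be read offline, then compares the fields a service provider enforces (AssertionConsumerServiceURL and Destination against the Provider URL, Audience against the Entity ID, the Conditions time window, the presence of the email attribute) with the configured values. The SP settings reuse the guide’s example reseller and tenant names; the AuthnRequest and Response are constructed and the Response is unsigned. The script does not verify XML signatures, which a SAML library (or Lyve Cloud itself) must do before any of these fields is trusted, so treat its output as a configuration check, not a security decision.

```python
"""Decode captured SAML messages and compare the fields an SP enforces with the configured values."""
import base64
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Service-provider values as shown on the Federated Login page; these use the guide's
# example reseller/tenant names and stand in for your own.
SP = {"entity_id": "urn:lyvecloud:myreseller-mytenant-saml",
      "acs_url": "https://authenticate.lyve.seagate.com/login/callback?connection=myresellermytenant-saml"}


def encode_redirect(xml_text, param="SAMLRequest"):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as a query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # -15: raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return urlencode({param: base64.b64encode(deflated).decode()})


def decode_redirect(url_or_query):
    """Reverse of encode_redirect for a captured redirect URL or its bare query string."""
    query = urlsplit(url_or_query).query if "://" in url_or_query else url_or_query
    params = parse_qs(query)
    for name in ("SAMLRequest", "SAMLResponse"):
        if name in params:
            return zlib.decompress(base64.b64decode(params[name][0]), -15).decode()
    raise ValueError("no SAMLRequest or SAMLResponse parameter in query")


def encode_post(xml_text):          # HTTP-POST binding: plain base64 of the XML, no compression
    return base64.b64encode(xml_text.encode()).decode()


def decode_post(b64):
    return base64.b64decode(b64).decode()


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_message(xml_text, sp=SP, now=None):
    """Return a list of findings (empty = consistent with the SP settings).
    XML signatures are NOT verified here; a SAML library must do that before any field is trusted."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    root = ET.fromstring(xml_text)
    kind = root.tag.split("}")[-1]
    findings = []
    if kind == "AuthnRequest":
        if root.get("AssertionConsumerServiceURL") != sp["acs_url"]:
            findings.append("AssertionConsumerServiceURL differs from the Provider URL in the console")
        if root.findtext("saml:Issuer", namespaces=NS) != sp["entity_id"]:
            findings.append("Issuer differs from the Entity ID in the console")
        return findings
    if kind != "Response":
        return [f"unexpected root element {kind}"]
    if root.get("Destination") != sp["acs_url"]:
        findings.append("Destination differs from the Provider URL (ACS) configured at the IdP")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        findings.append("StatusCode is not Success: the IdP rejected the request or the user")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion (missing, or EncryptedAssertion)")
        return findings
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            findings.append("assertion not yet valid (NotBefore): check IdP/client clock skew")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            findings.append("assertion expired (NotOnOrAfter)")
        if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != sp["entity_id"]:
            findings.append("Audience differs from the Entity ID entered in the IdP's Audience URI field")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, sp["acs_url"]):
        findings.append("SubjectConfirmationData Recipient differs from the ACS URL")
    emails = [v.text for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == "email" for v in a.findall("saml:AttributeValue", NS)]
    if not emails:
        findings.append("no 'email' attribute: configure the IdP to send Name=email, Value=user.email")
    return findings


# ---- constructed sample messages (not captured from a real tenant; the Response is unsigned) ----
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_req1" Version="2.0" '
    'IssueInstant="2024-09-20T10:00:00Z" Destination="https://example.okta.com/app/example/sso/saml" '
    f'AssertionConsumerServiceURL="{SP["acs_url"]}"><saml:Issuer>{SP["entity_id"]}</saml:Issuer>'
    '</samlp:AuthnRequest>')

SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_resp1" Version="2.0" '
    f'IssueInstant="2024-09-20T10:00:05Z" InResponseTo="_req1" Destination="{SP["acs_url"]}">'
    '<saml:Issuer>http://www.okta.com/exk0example</saml:Issuer><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-09-20T10:00:05Z">'
    '<saml:Issuer>http://www.okta.com/exk0example</saml:Issuer><saml:Subject>'
    '<saml:NameID>alice@example.com</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    f'<saml:SubjectConfirmationData Recipient="{SP["acs_url"]}" InResponseTo="_req1" '
    'NotOnOrAfter="2024-09-20T10:05:05Z"/></saml:SubjectConfirmation></saml:Subject>'
    '<saml:Conditions NotBefore="2024-09-20T09:59:05Z" NotOnOrAfter="2024-09-20T10:05:05Z">'
    f'<saml:AudienceRestriction><saml:Audience>{SP["entity_id"]}</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>'
    '<saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')
```

To use it on a real capture, paste the redirect URL from the trace into `decode_redirect` (or the SAMLResponse form field into `decode_post`), put the Provider URL and Entity ID from the Federated Login page into `SP`, and read the findings; an empty list means the IdP is sending what Lyve Cloud expects, and a non-empty one names the field to correct at the IdP. Keeping the decode local also avoids sending the user’s email and NameID to a third-party decoder.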


Generating XML metadata files for IdP
Different types of IdP products have their own way of generating XML metadata files.
Okta
Prerequisites
  • An Okta account, with a user added as an administrator for the configuration.
  • Your Lyve Cloud reseller name, account name (tenant name), and an administrator account in the console.
The reseller name can be found in the console URL, which has the form console.RESELLER.lyve.seagate.com. The account or tenant name is the name of the account you typically enter on the Login screen.
Generate an XML file for Okta
1. In Okta, log in as an administrator and create an application for Lyve Cloud.
2. In the sidebar, select the Applications dropdown, and then select Applications.
3. Select Create App Integration.
4. In the dialog, select SAML 2.0, and then select Next.


5. In the ‘General Settings’ section, enter the app name.
6. In the ‘Configure SAML’ section, enter a URL in the Single sign on URL field using the following format, where the value in front of -saml is the connection name built from your reseller and tenant names:
https://authenticate.lyve.seagate.com/login/callback?connection=-saml
For example, if your Lyve Cloud account (tenant) is mytenant and your reseller is myreseller, your single sign on URL would be:
https://authenticate.lyve.seagate.com/login/callback?connection=myresellermytenant-saml
7. In the Audience URI (SP Entity ID) field, enter the SP Entity ID in the following format:
urn:lyvecloud:--saml
For example, with reseller myreseller and tenant mytenant, the SP Entity ID is urn:lyvecloud:myreseller-mytenant-saml.


8. In the ‘Attribute Statements’ section, set the following values:
Name: email
Value: user.email
Select Next.
9. In the ‘Feedback’ section, provide feedback to help Okta Support understand how the application was configured. Select the appropriate option, and then select Finish.


Retrieve the XML metadata file
After the application is generated, you must retrieve the XML metadata file.
1. Select the Sign On tab.
2. In the ‘Settings’ section under ‘View SAML setup instructions’, extract the IdP metadata and save it to a file with the .xml extension.
This is the XML file that is used to configure Lyve Cloud federation.


Logging In to Lyve Cloud as an Okta User
Add users to Okta
1. In Lyve Cloud, ensure that the user has a federated authentication type.
2. In Okta, add the user to your Okta account.
3. Assign the Lyve Cloud application to the user.

Log in to Lyve Cloud
There are two ways for an Okta user to log in to Lyve Cloud.
Okta home page
Select the Lyve Cloud tile on the Okta Home page. You will be redirected to the Lyve Cloud console and logged in automatically using Federated Login.


Embedded link
1. Copy the App Embed Link from the General tab of the Okta application.
2. Paste the link into a browser.

