Summary
A large majority of Rubrik implementations have Active Directory configured for authentication via LDAP. This is a simple and easy way to configure Single Sign On (SSO) into Rubrik, allows for Role Based Access (RBAC), and leverages Active Directory which pretty much every org on the planet has deployed.
But all is not perfect in AD-land. It relies on Kerberos for authentication and can be difficult to add MFA for additional security during the login process. The modern way to authenticate users across modern (read- web based) apps like Rubrik is to instead configure authentication to an external Identity Provider (IdP) that support SAML 2.0. As more orgs move to cloud IdP as part of their IAM strategy it makes sense to start using the cloud IdP for application access. It also is much simpler and cleaner to enable MFA using cloud IdPs and we all know how important it is to secure access to the Rubrik cluster.
The purpose of the article is to document the process of configuring single sign on into Rubrik using Microsoft’s Azure Active Directory. Once configured, organizations can use Conditional Access policies in AAD to enable MFA for Rubrik authentication, thus securing login attempts and keeping out bad actors.
These steps are not currently documented by Rubrik as their CDM User Guide only covers Okta and ADFS integration. So, we decided to create this guide and share it for others to use. Please send over any comments and let us know if this was helpful!
Requirements
- Functioning Rubrik cluster running 5.x code
- Azure Active Directory
- This guide!
Pre Steps
- Make sure you have admin login access to Rubrik via a different account. This can either be a local account or an Active Directory account. Please note, you CAN have both Active Directory and Azure AD configured as functioning IdP’s in Rubrik simultaneously. Really just make sure you have a way to login in case this all blows up on us.
- Create a Security Group in Azure AD for role-based access to Rubrik. We’ll start with an Administrators group. You can create the group in AD and synch to Azure AD or (my preference) create the account natively in Azure AD and manage assignment there. Everyone has a different naming convention but our recommended approach would look something like this- “SG-Users-Rubrik Administrators”. Add a few users to test with
Steps
Rubrik UI
- Login to Rubrik and click the Gear Icon and choose Users.
- Select Identity Providers and choose Add Identity Provider
- Provide a name such as “Azure AD” or “My Company’s Azure AD”. The default Service Provider address will be a floating IP in Rubrik. This is the IP address used to communicate with Azure AD. You have the option, if you untick “Use default service provider” to change the address used. I see very few reasons to not use the default but the option is there.
- Download the Rubrik Metadata. Only download once you have completed the items in the previous step as this info