**Server Settings**.
2. In the left panel, select the **Identity Provider** tab and then select the **Settings** tab.
3. Select **Identity Provider**. The configuration parameters appear.
4. Complete the following parameters.
5. Once all the parameters have been entered, select **Save.**
6. Optionally, you can **Download CPM’s Certificate** and **Metadata.**
7. Select **Test Connection** to test the connection between N2W and the IdP.
* **CPM IP or DNS** – The IP Address or DNS name of the N2W server.
{% hint style="info" %}
N2W accepts either the IP address or DNS name in many fields. However, some IdPs require that N2W be configured using the format used when configuring N2W as an application in the IdP system. If the IdP uses DNS names, use DNS names in N2W, and if the IdP uses IP address, use IP addresses in N2W.
{% endhint %}
* **Entity ID** – The Identity Provider Identifier’s URI provided by the IdP system. Consult the IdP system’s documentation.
* **Sign In UR**L – **The authentication request target** is the URL, provided by the IdP system, to which N2W will redirect users after entering their IdP credentials. Consult the IdP system’s documentation.
* **Sign Out URL** – The logout request target is the URL, provided by the IdP system, to which N2W will redirect users once they logout of N2W. Consult the IdP system’s documentation.
* **NameID format** – The format of the SAML **NameID** element.
* **X509 Certificate** – Select **Choose file** to upload the IdP’s X509 certificate. Consult the IdP system’s documentation about obtaining their x509 certificate.
## 19.2 Configuring Groups and Group Permissions on the N2W Side
Groups and the permissions assigned to groups are configured in N2W. When an IdP user logs into N2W, the information about the user’s group membership is received from the IdP and that group’s permissions are assigned to the user.
{% hint style="info" %}
Every IdP user must belong to an N2W group. IdP users who do not belong to a group, even if they have user-specific permissions as detailed below, cannot log on to N2W. Logon by IdP users who do not belong to a group will be failed with an appropriate error message.
Default groups do not appear until **Identity Provider** is enabled in the **Settings** tab.
{% endhint %}
N2W comes with pre-defined groups named with the prefix **`default`**:
* `default_managed_users`
* `default_independent_users`
* `default_root_delegates`
* `default_root_delegates_readonly`
{% hint style="info" %}
The default groups cannot be modified or deleted. To see the permission settings assigned to the default groups, select the group name.
{% endhint %}
Additional groups can be created and removed easily in the **Identity Provider** tab of the N2W **Server Settings** screen.
**To add a group:**
{% hint style="info" %}
The group permission settings essentially mirror the user permissions detailed in section [18](https://docs.n2ws.com/user-guide/18-user-management).
{% endhint %}
1. In the **Identity Provider** tab, select the **Groups** tab and then select  **New**. The New IDP Group screen will appear.
2. Complete the fields as needed, and then select **Save**.
* **Name** – Name of the group.
* **User Type** – For details, see section [18](https://docs.n2ws.com/user-guide/18-user-management). Parameters depend on the **User Type** selected.
* Managed
* Independent
* Delegate
* **Enabled** – When disabled, group users will not be able to log on to N2W.
* For User Type **Managed:**
* **File Level Recovery** **Allowed**– When selected**,** members of the group can use the file-level recovery feature.
* **Allow Cost Explorer** – When selected, members of the group can see cost data. For Cost Explorer information, see section [25](https://docs.n2ws.com/user-guide/25-monitoring-costs-and-savings).
* **Max Number of Accounts** – The maximum number of AWS accounts users belonging to this group can manage.
* **Max Number of Instances** – The maximum number of instances users belonging to this group can manage.
* **Max Non-Instance EBS** **(GiB)** – The maximum number of Gigabytes of EBS storage that is not attached to EC2 instances that users belonging to this group can manage.
* **Max RDS (GiB**) – The maximum number of Gigabytes of RDS databases that users belonging to this group can manage.
* **Max Redshift Clusters** **(GiB)** – The maximum number of Gigabytes of Redshift clusters that users belonging to this group can manage.
* **Max DynamoDB Tables (GiB)** – The maximum number of Gigabytes of DynamoDB tables that users belonging to this group can manage.
* **Max Controlled Entities** – The maximum number of allowed entities for Resource Control.
* For User Type **Delegate**:
* **Original Username** – Username of delegate. The **Original Username** to which this group is a delegate is required although the **Original Username** does not yet need to exist in N2W. After creation, the **Original Username** *cannot* be modified.
* **Allow to Perform Recovery** – Whether the delegate can initiate a recovery.
* **Allow to Change Accounts** – Whether the delegate can make changes to an account.
* **Allow to Change Backup** – Whether the delegate can make changes to a backup.
## 19.3 Configuring Groups on the IdP Side
IdPs indicate a user’s group membership to N2W using IdP claims. Specifically, the IdP must configure an **Outgoing Claim Type** of `cpm_user_groups` whose value is set to all the groups the user is a member of, both N2W related groups and non-N2W related groups.
{% hint style="info" %}
Group names on the IdP side no longer need the ‘`cpm`’ prefix. In cases where the names of the group users are assigned to in the IdP is of the form `cpm_| Attribute Name | Mandatory | Meaning | Valid Values |
|---|---|---|---|
| Attribute Name | Mandatory | Meaning | Valid Values |
user_type | N | Type of user. |
|
user_name | N | Username in N2W. | Alphanumeric string |
user_email | N | User’s email address. | Valid email address |
| Attribute Name | Mandatory | Valid Values | |
|---|---|---|---|
| Attribute Name | Mandatory | Meaning | Valid Values |
allow_file_level_ recovery | N | Whether the user is allowed to use the N2W file-level restore feature. | yes, no |
max_accounts | N | Number of AWS accounts the user can manage in N2W. Varies by N2W license type. | Number between 1 and max licensed |
max_instances | N | Number of instances the user can backup. Varies by N2W license type. | Number between 1 and max licensed |
max_independent_ebs_gib | N | Total size of EBS independent volumes being backed up in GiB (i.e., volumes not attached to a backed-up instance). | Number between 1 and max licensed |
max_rds_gib | N | Total size of AWS RDS data being backed up in GiB | Number between 1 and max licensed |
max_redshift_gib | N | Total size of AWS Redshift data being backed up in GiB | Number between 1 and max licensed |
max_dynamodb_gib | N | Total size of AWS DynamoDB data being backed up in GiB. | Number between 1 and max licensed |
max_controlled_entities | N | Total number of AWS resources under N2W Resource Control. | Number between 1 and max licensed. |
| Attribute Name | Mandatory | Meaning | Valid Values |
|---|---|---|---|
| Attribute Name | Mandatory | Meaning | Valid Values |
original_username | Y | Name of the user for whom user_name is a delegate. | Alphanumeric string |
allow_recovery_changes | N | Whether the user can perform N2W restore operations. | yes, no |
allow_account_changes | N | Whether the user can manage N2W user accounts. | yes, no |
allow_backup_changes | N | Whether the user can modify backup policies. | yes, no |
allow_settings | N | Whether the user can modify S3 Repository settings. | yes, no |
**Server Settings**.
2. Select the **Identity Provider** tab.
3. In the **Groups** tab, select an Identity Provider.
4. In the **Settings** tab, select **Test Connection.**
5. Type a valid AD username and password on the logon page.
6. Select **Sign in**.
## **19.5 Configuring N2W to Work with Active Directory/AD FS**
**To configure N2W to work with the organization’s AD server:**
1. Go to the N2W **Server Settings**.
2. Select the **Identity Provider** tab.
3. In the Identity Provider list, select a **Group.**
4. To enable the group, select the **Settings** tab, and then select **Identity Provider.** Several IdP related parameters are presented.
5. In the **Entity ID** box, type the AD FS **Federation Service Identifier**, as configured in AD FS. See section [19.5.1](#19-5-1-federation-service-properties) to locate this parameter in AD FS.
6. In the **Sign in URL** box, type the URL to which N2W will redirect users for entering their AD credentials. This parameter is configured as part of AD FS. The AD FS server’s DNS name, or IP address, must be prepended to the URL Path listed in AD FS. See the AD FS Endpoints screen ([19.5.2](#19-5-2-ad-fs-endpoints)) to locate this information.
7. In the **NameID Format** list, select the format of the SAML **NameID** element.
8. In the **x509 cert** box, upload the X509 certificate of the AD FS server. The certificate file can be retrieved from the AD FS management console under **Service -> Certificates**, as shown in section [19.5.3](#19-5-3-exporting-the-idp-certificate).
9. Once all the parameters for N2W have been entered, select **Save** and then select **Test Connection** to verify the connection between N2W and the IdP.
### 19.5.1 Federation Service Properties
### 19.5.2 AD FS Endpoints
### 19.5.3 Exporting the IdP Certificate
The certificate file can be retrieved from the AD FS management console under **Service -> Certificates**:
**To export the IdP’s certificate:**
1. Double select the **Token signing** field to open the **Certificate** screen.
2. Select the **Details** tab and then select **Copy to File . . .** on the bottom right.
3. Select **Next** to continue with the Certificate Export Wizard.
4. Select the Base-64 Encoded X.509 (`.crt`) option and then select **Next**.
5. Type a name for the exported file and select **Next**.
6. Select **Finish**.
## 19.6 Configuring an AD FS User Claim
Once a user attribute has been configured with the correct permissions, an ADFS claim rule with **Outgoing Claim Type** `cpm_user_permissions` must be created before the user-level permissions can take effect.
**To create the claim rule:**
1. Open the AD FS management console.
2. In the main page of the management console, in the left pane, select **Relying Party Trusts.**
3. Select the N2W party (e.g., N2W) in the middle pane, and in the right pane, select **Edit Claim Rules**.
4. In the **Edit Claim Rules** screen, select **Add Rule.**
5. In the **Add Transform Claim Rule Wizard** screen (section [19.6.1](#19-6-1-add-transform-claim-rule-wizard)), select **Send LDAP Attributes as Claims** in the **Claim rule template** list, and then select **Next**.
6. The **Claim Rule Wizard** opens the **Edit Rule** screen (section [19.6.2](#19-6-2-edit-rule)). Complete as follows:
1. In the **Claim rule name** box, type a name for the rule you are creating.
2. In the **Attribute store** list, select **Active Directory**.
3. In the **Mapping of LDAP attributes to outgoing claim types** table:
1. In the left column (**LDAP Attribute**), type the name of the user attribute containing the user permissions (e.g., `msDS-cloudExtensionAttribute1`).
2. In the right column (**Outgoing Claim Type**), type `cpm_user_permissions`.
7. Select **OK** to create the rule.
Once the user-level claim is enabled, the user will be able to log on to N2W with permissions that are different from the group’s permissions.
### **19.6.1 Add Transform Claim Rule Wizard**
### 19.6.2 Edit Rule
## 19.7 Configuring Azure AD and N2W IdP Settings
This section describes how to configure Microsoft Azure Active Directory and N2W IdP settings to communicate and enable logging.
### 19.7.1 Azure AD Configuration
For complete details on how to configure the Azure AD, see 
**To configure the N2W Azure AD IdP settings:**
1. In the N2W UI, go to **Server Settings** > **Identity Provider**.
2. Select the provider, and then select 
**Edit**.
3. In the **Settings** tab, complete the following:
1. **Entity ID -** Copy Azure AD Identifier.
2. **Sign In URL** - Copy Login URL.
3. **Sign out URL** - Copy Logout URL.
4. **NameID Format** - Select **Unspecified.**
5. **x509 cert** - Upload the certificate exported in section [19.5](#19-5-configuring-n-2-ws-to-work-with-active-directory-ad-fs)**.**
4. Add a new group with the name of the group you added in the Azure Active Directory, *without* the **`cpm`** prefix. Select the **Groups** tab and then select 
**New** and add a name for the group.
5. Select **Save**.
6. Return to the **Settings** tab and select **Test Connection.**
