Data Control Tower (DCT) SaaS - Migration to Engine-based Management

By Nicholas Mathison posted 05-10-2023 11:18:31 AM


The following post outlines how Data Control Tower (DCT) SaaS customers can migrate off DCT SaaS to an engine-managed model. This is in preparation for DCT SaaS's end-of-life on May 23rd, 2023. Read the full announcement here.

Initial state

The customer’s Delphix engines are connected to DCT SaaS, which provides monitoring, reporting, and access management. In addition, the customer has configured an “application” in their identity provider (IdP) that integrates with DCT SaaS (i.e., DCT SaaS configures each engine with a DCT SaaS-managed SSO configuration, providing seamless integration across DCT and engines).

End state

All Delphix engines are disconnected from DCT SaaS. This means DCT SaaS's monitoring, reporting, and access management are no longer available. Each engine is reconfigured with its own IdP authentication method and managed individually without Access Group or Permission synchronization. 

Migration process

  1. Disconnect DCT Agent and remove the engines from DCT SaaS (Directions) (If the link fails, see the shorthand directions below.)

    1. If engines are connected to DCT SaaS, customers cannot modify the engine’s authentication configuration. Therefore, you must first disconnect each agent and engine from DCT SaaS. 

    2. All existing Users, Access Groups, and Permissions that exist within the engine at the time of disconnect will be maintained.

    3. Once disconnected, only the sysadmin can authenticate because this action breaks the authentication mechanism.

  2. Configure engine-based SSO (Directions) or LDAP (Directions)

    1. Configure one application in the SSO’s IdP for each engine.

  3. [Recommended] Disable the Data Control Tower SaaS Agent (Directions)


If the customer migrates to the new DCT (multi-cloud), they can optionally configure the new DCT instance with SSO following a similar procedure. (Directions)

Frequently Asked Questions

  • Who can configure SSO/LDAP on an engine?

    • System (sysadmin) users. 

  • What happens if the DCT SaaS-connected engine is not disconnected before its end of life?

    • Initially, users can still log in via SSO into their engines. However, once Delphix’s Okta account is deactivated, the engine’s SSO login will fail. Sysadmin (username/password) logins will keep working.

  • How long does it take to configure an engine’s IdP?

    • Typically, the configuration takes a few minutes with the correct details available. However, multiple IT requests might be required beforehand.

  • Can you configure more than one SSO provider on an engine?

    • No

  • Can you share an IdP configuration with more than one engine?

    • No

  • Does the engine support managing permissions based on IdP attributes, like DCT SaaS and DCT (multi-cloud)?

    • No. SSO on the engine only provides authentication; user creation and permission management are separate from SSO. In particular, an admin must create a user account on the engine before the user can log in via SSO.

  • After configuring our SSO/SAML, we are receiving the following error: 

    SAML protocol response cannot be sent via bindings other than HTTP POST. Requested binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
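
The error text above names the binding that was requested for the SAML response. As an added example (not part of the original post and not Delphix code), the following decodes a SAMLRequest captured from your own login flow and reports the ProtocolBinding and AssertionConsumerServiceURL it carries. It assumes an SP-initiated login where an AuthnRequest is present; the sample request, its ACS URL, and the function names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed AuthnRequest; the ID and ACS URL are placeholders, not Delphix values.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed1" Version="2.0" '
    'IssueInstant="2023-05-10T00:00:00Z" ProtocolBinding="%s" '
    'AssertionConsumerServiceURL="https://engine.example.com/acs"/>'
) % (SAMLP_NS, REDIRECT)


def encode_saml_request(xml_text, deflate=True):
    """Encode as on the wire: raw DEFLATE + base64 (HTTP-Redirect) or base64 only (HTTP-POST)."""
    data = xml_text.encode()
    if deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode()


def decode_saml_request(value):
    """Decode a URL-decoded SAMLRequest value to XML bytes, with or without DEFLATE."""
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return raw  # HTTP-POST form: not compressed


def check_response_binding(value):
    """Return the binding the AuthnRequest asks the IdP to respond on."""
    # Only feed this requests captured from your own login flow; the stdlib
    # ElementTree parser is not hardened against hostile XML.
    root = ET.fromstring(decode_saml_request(value))
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a SAML 2.0 AuthnRequest: %s" % root.tag)
    binding = root.get("ProtocolBinding")  # optional; None lets the IdP choose
    return {
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "requested_binding": binding,
        "conflicts_with_post_only_idp": binding not in (None, POST),
    }


if __name__ == "__main__":
    print(check_response_binding(encode_saml_request(SAMPLE_XML)))
```
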

Disconnecting an Engine from DCT SaaS

To disconnect the Delphix Engine version 6.0.5 and greater, perform the following steps:

  1. Navigate to https://<enginename>/agent/login and log in to Delphix Connect.

  2. In Delphix Connect, provide your Delphix system administrator credentials. 

  3. Click Disconnect Engine. This will disconnect your Delphix Engine from Data Control Tower. 

To disconnect the Delphix Engine versions 6.0.4 and below, perform the following steps:

  1. Log in to the Delphix Setup on the Delphix Engine as a system administrator.

  2. In the Data Control Tower Dashboard panel, click Modify. This will open the Delphix Connect panel. 

  3. Click Disconnect Engine. This will disconnect your Delphix Engine from Data Control Tower.