Configure SAML Authentication


Security Assertion Markup Language (SAML) is a sign-in method that lets users log in without entering a separate password for the application: authentication happens at the organization's identity provider, which then vouches for the user to the application. ServiceDesk Plus MSP Cloud supports SAML 2.0 and can therefore integrate with federated identity management solutions. For example, you can allow your users to log in to ServiceDesk Plus MSP Cloud with their Active Directory credentials.
SAML authentication involves two entities: a Service Provider (SP), here ServiceDesk Plus MSP Cloud, and an Identity Provider (IdP), such as AD FS or Okta.
Info
Use Case: Users often forget their login passwords, which increases the workload on technicians because they have to reset them. Users also sometimes store passwords in insecure locations, which is a security risk. SAML removes the application password altogether: users authenticate once at the identity provider, and the application never sees or stores a password for them.
How does SAML for ServiceDesk Plus MSP Cloud help you?
  1. Facilitate easy and secure access for users to their IT help desk using Active Directory integration/LDAP Authentication
  2. Enable IT teams to authenticate users and control application access centrally.
  3. Reduce password maintenance and security overheads for managing help desk users.
 

Enable SAML Authentication
SAML configured in the ESM directory is intended for default customer users only.
Role Required: Organization Admin
Step 1: Domain Verification
Verify domains used by your organization.
Step 2: Subdomain or Custom Domain Configuration
Set up a custom domain URL or subdomains. Ensure you add a CNAME record for the custom domain that points to customer-sdpondemand.manageengine.com.
Step 3: Identity Provider Installation
Install a SAML 2.0 compliant identity provider on your network. All authentication requests will be forwarded to this Identity Provider. The Identity Provider can perform Active Directory/LDAP/custom authentication to validate users.
We have tested SAML Authentication with AD FS 2.0 and AD FS 3.0 as Identity Provider.
If you are using another SAML 2.0 compliant Identity Provider:
  1. The authentication request sent from Zoho is shown under SAML Authentication Request below.
  2. The expected assertion response is shown under Expected SAML Response below.
Step 4: SAML Configuration
  1. Specify the identity provider's login URL and logout URL so that login and logout requests are redirected to them.
  2. Provide the Identity Provider's signing certificate. ManageEngine uses it to verify the XML signature on the SAML responses sent by the identity provider; responses that are unsigned or signed with a different key are rejected. Upload the new certificate here whenever the identity provider's signing certificate is rotated, or logins will fail.
  3. Click Save.
Info
SDAdmin/SDAccountManager can configure SAML for MSP customer users under the Directory tab in the customer details page. 
When organization users access ServiceDesk Plus MSP Cloud using the configured subdomain or a custom domain, they will be redirected to the Identity provider installed inside your network for authentication. After the authentication succeeds, users will be redirected to ServiceDesk Plus MSP Cloud and logged in.


SAML Authentication Request   

Assuming zylker.com is the verified domain and idp-w2k8 is the system where the Identity Provider is installed.

Info
<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_abe4735eceae4bd49afdb3f254dc5ea01359616"
    Version="2.0"
    IssueInstant="2013-01-31T07:18:15.281Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="Zoho"
    IsPassive="false"
    Destination="https://idp-w2k8/adfs/ls"
    AssertionConsumerServiceURL="https://accounts.zoho.com/signin/samlsp/<orgid>">
  <saml:Issuer>zoho.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" />
</samlp:AuthnRequest>
 

Expected SAML Response   

Assuming zylker.com is the verified domain, the Assertion Consumer Service (ACS) URL is https://accounts.zoho.com/signin/samlsp/<orgid>, for example https://accounts.zoho.com/signin/samlsp/90000000000. The identity provider must post the response to this URL, and the Destination attribute of the Response and the Recipient attribute of the SubjectConfirmationData must both be exactly this URL.


Info
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response ID="_38563ef5-2341-4826-94f2-290fca589a51"
    Version="2.0"
    IssueInstant="2013-01-31T07:19:18.219Z"
    Destination="https://accounts.zoho.com/signin/samlsp/<orgid>"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    InResponseTo="_abe4735eceae4bd49afdb3f254dc5ea01359616"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp-w2k8/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_c42ed101-0051-48ad-a678-8cb58dee03f6"
      IssueInstant="2013-01-31T07:19:18.219Z"
      Version="2.0"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://idp-w2k8/adfs/services/trust</Issuer>
    <!-- enveloped signature over the Assertion (Reference URI is the Assertion ID) -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#_c42ed101-0051-48ad-a678-8cb58dee03f6">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>wlE4Jf0Z8Z+2OyWE69RRH81atZ8=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>Y3izuExs6/EDebT9Q4U3qbL6Q==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC7jCCAdagAwIBAgIQVsvKLeIHJYVEYQONFS3p3zANBgkqhkiG9w0BAQUFADAgMR4+zaLeWShiGw==</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user1@zylker.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_abe4735eceae4bd49afdb3f254dc5ea01359616"
            NotOnOrAfter="2013-01-31T07:24:18.219Z"
            Recipient="https://accounts.zoho.com/signin/samlsp/<orgid>" />
      </SubjectConfirmation>
    </Subject>
    <!-- validity window; it must include the time at which the SP validates the response -->
    <Conditions NotBefore="2013-01-31T07:17:18.203Z"
        NotOnOrAfter="2013-01-31T08:17:19.203Z">
      <AudienceRestriction>
        <Audience>zoho.com</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2013-01-31T07:19:18.110Z"
        SessionIndex="_c42ed101-0051-48ad-a678-8cb58dee03f6">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>

Note: this AD FS 2.0-era sample signs with rsa-sha1 and a SHA-1 digest. SHA-1 is deprecated for signatures, and current identity providers should be configured to sign with RSA-SHA256. Whatever the algorithm, the service provider verifies the signature with the certificate uploaded in Step 4, not with the certificate embedded in KeyInfo, and the InResponseTo, Destination, Recipient, Audience and time-window values must all match the original request and the configured ACS URL.
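The two messages above, handled from the service provider's side, as an added example that is not part of ServiceDesk Plus MSP Cloud or Zoho code: it builds an AuthnRequest like the one shown (fresh xsd:ID, HTTP-POST binding, base64 for the SAMLRequest form field) and then applies the non-cryptographic checks an SP must make on the Response before trusting the NameID: Destination and Recipient equal the ACS URL, InResponseTo equals the stored request ID, Status is Success, there is exactly one signed Assertion, its Issuer is the expected IdP, the Audience matches, and both time windows cover the current time (with a small clock-skew allowance). The ACS URL, IdP issuer and audience are taken from the samples on this page; the embedded response is a constructed copy of the sample with a placeholder signature and an hour-long Conditions window. XML signature verification is deliberately left to an XML-DSig library, and must be done against the certificate configured in Step 4 rather than the KeyInfo in the message.

```python
# Added example (not ServiceDesk Plus / Zoho code): SP-side handling of the
# SAML exchange shown on this page. Constants are taken from the page's samples.
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS_URL = "https://accounts.zoho.com/signin/samlsp/90000000000"  # the page's example orgid
IDP_ISSUER = "http://idp-w2k8/adfs/services/trust"               # AD FS default issuer
AUDIENCE = "zoho.com"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def _parse(ts):
    """SAML UTC timestamps with or without fractional seconds (datetimes pass through)."""
    if not isinstance(ts, str):
        return ts
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)

def build_authn_request(idp_login_url, acs_url=ACS_URL, issuer="zoho.com", now=None):
    """Return (request_id, xml, base64 value for the SAMLRequest form field).
    The SP stores request_id and later matches it against InResponseTo.
    An xsd:ID may not start with a digit, hence the leading underscore."""
    now = _parse(now) if now else datetime.now(timezone.utc)
    req_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{_iso(now)}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
           f'ProviderName="Zoho" IsPassive="false" Destination="{idp_login_url}" '
           f'AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{issuer}</saml:Issuer><samlp:NameIDPolicy AllowCreate="true"/>'
           f'</samlp:AuthnRequest>')
    return req_id, xml, base64.b64encode(xml.encode()).decode()

def validate_response(xml_text, expected_request_id, now, skew=timedelta(seconds=60)):
    """Every check an SP must make on a bearer assertion except the XML signature
    itself: verify that first, with an XML-DSig library, against the IdP certificate
    configured in Step 4 (never the embedded KeyInfo). Returns (True, NameID) or (False, reason)."""
    now = _parse(now)
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        return False, "Destination mismatch"
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo mismatch"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success"
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # a second, unsigned assertion is a classic bypass attempt
        return False, "expected exactly one Assertion"
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ISSUER:
        return False, "Assertion Issuer mismatch"
    if a.find("ds:Signature", NS) is None:
        return False, "Assertion is not signed"
    conf = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = conf.find("saml:SubjectConfirmationData", NS) if conf is not None else None
    if data is None or conf.get("Method") != BEARER:
        return False, "missing bearer SubjectConfirmation"
    if data.get("Recipient") != ACS_URL or data.get("InResponseTo") != expected_request_id:
        return False, "SubjectConfirmationData Recipient/InResponseTo mismatch"
    if not data.get("NotOnOrAfter") or now >= _parse(data.get("NotOnOrAfter")) + skew:
        return False, "SubjectConfirmationData expired"
    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        return False, "missing Conditions/NotOnOrAfter"
    too_early = cond.get("NotBefore") and now < _parse(cond.get("NotBefore")) - skew
    if too_early or now >= _parse(cond.get("NotOnOrAfter")) + skew:
        return False, "outside Conditions validity window"
    if AUDIENCE not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "Audience mismatch"
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def sample_response(request_id, not_on_or_after="2013-01-31T08:17:19.203Z"):
    """Constructed response modelled on the AD FS sample above. The signature is a
    placeholder, so it exercises only the checks in validate_response."""
    p, s, d = NS["samlp"], NS["saml"], NS["ds"]
    return f'''<samlp:Response xmlns:samlp="{p}" ID="_38563ef5-2341-4826-94f2-290fca589a51" Version="2.0"
  IssueInstant="2013-01-31T07:19:18.219Z" Destination="{ACS_URL}" InResponseTo="{request_id}">
  <Issuer xmlns="{s}">{IDP_ISSUER}</Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <Assertion xmlns="{s}" ID="_c42ed101-0051-48ad-a678-8cb58dee03f6" Version="2.0" IssueInstant="2013-01-31T07:19:18.219Z">
    <Issuer>{IDP_ISSUER}</Issuer>
    <ds:Signature xmlns:ds="{d}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user1@zylker.com</NameID>
      <SubjectConfirmation Method="{BEARER}"><SubjectConfirmationData InResponseTo="{request_id}"
        NotOnOrAfter="2013-01-31T07:24:18.219Z" Recipient="{ACS_URL}"/></SubjectConfirmation></Subject>
    <Conditions NotBefore="2013-01-31T07:17:18.203Z" NotOnOrAfter="{not_on_or_after}">
      <AudienceRestriction><Audience>{AUDIENCE}</Audience></AudienceRestriction></Conditions>
  </Assertion></samlp:Response>'''
```

Call build_authn_request with the IdP login URL from Step 4, keep the returned ID in the user's pre-login session, and pass it as expected_request_id when the browser posts the response back to the ACS URL. A response whose Conditions window has already closed, such as one with a NotOnOrAfter earlier than its own IssueInstant, is rejected even though everything else matches, which is why the window in the sample must extend past the time of validation.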

