Installing and Configuring ADFS 3.0 for ServiceDesk Plus Cloud

Contents

1. Installing and Configuring AD FS 3.0
2. Configure SAML Settings in SDP Cloud
3. Initiate SSO / SAML Authentication
4. Troubleshoot Login issues
5. Disable SAML Authentication
6. Authenticate external users

Installing and Configuring

Go to Server Manager > Add Roles and Features Wizard

 

 

 

 

 

 

 

 

 

 

 

 

 

 

In the above screenshot, click "Configure the federation service on this server". You will get the below screen
 

 

 

 

 

 

 

Create a Self-Signed Certificate

Self-signed certificate can be generated using Windows SDK or OpenSSL

** Important Note ** :

• Please generate a certificate with correct Common Name / Subject

• For example, if you are going to expose AD FS to the internet and going to use a Login URL "https://adfs.zillum.com/adfs/ls", then generate a certificate with Common Name/Subject as "adfs.zillum.com"

Windows SDK Steps

After installing the Windows SDK :

1.  Open a command prompt
2.  cd "C:Program FilesWindows SDKbin" (Please cd to actual installation folder)
3.  Run the following commands :

• makecert -r -pe -n "CN=adfs.yourdomain.com" -b 01/01/2016 -e 01/01/2026 -sky exchange Server.cer -sv Server.pvk
  • Instead of "adfs.yourdomain.com" give the fully qualified name of the AD FS system in the above command
  • If you are going to expose the AD FS externally to the internet, use the FQDN that you are going to expose (e.g., adfs.zillum.com)
• pvk2pfx.exe -pvk Server.pvk -spc Server.cer -pfx Server.pfx
• Certificate (Server.pfx) will be generated in the same folder where you ran the commands ( e.g., C:Program FilesWindows SDKbin )
   

Assuming Open SSL is installed in C:OpenSSL-Win64 directory, open a command prompt and go to OpenSSL installation directory and follow these steps.
 

• cd C:OpenSSL-Win64bin
• set OPENSSL_CONF=C:OpenSSL-Win64binopenssl.cfg
  • If you encounter an error, download this openssl.zip file.
  • Unzip the file and extract the openssl.cfg file.
  • Paste the file in C:/OpenSSL-Win64/bin path.
  • Restart the process from step 1.

Error in Command Prompt

• OpenSSL req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
  • Fill the input details the command asks like Country, City, Org Name
  • For Common Name or Subject, give the FQDN of AD FS machine e.g., adfs.yourdomain.com
  • If you are going to expose the AD FS externally to the internet, use the FQDN that you are going to expose (e.g., adfs.zillum.com)
• OpenSSL pkcs12 -export -out Server.pfx -inkey privateKey.key -in certificate.crt
• Certificate (Server.pfx) will be generated in the same folder where you ran the commands ( e.g., C:OpenSSL-Win64bin )

Click Import and select Server.pfx file  created using above commands.
 

 

 

 

 

 

 

 

 

 

 

Running the Powershell Script

1. Download the adfsscript_2012_r2.txt and save it in C drive (C:) in the ADFS installation system.
2. Unzip the folder.
3. Open a "Command Prompt"  ("Run as Administrator")
4. Run the following command to rename the script as adfsscript_2012_r2.ps1
   1. move C:adfsscript_2012_r2.txt  C:adfsscript_2012_r2.ps1
5. Type the following commands :
   1. PowerShell
   2. Set-ExecutionPolicy Unrestricted
   3. C:adfsscript_2012_r2.ps1  <Your Organization ID>
6. Make sure the PowerShell script ran successfully. Any errors encountered while running the script will be printed in red color in the console.
7. If you are unable to set the execution policy to Unrestricted because of domain policy, you might need to set the same policy in your Domain Controller. Refer here on how to set the execution policy in Domain controller or bypass it :

• http://www.techrepublic.com/blog/datacenter/set-the-powePrshell-execution-policy-via-group-policy/3305
• https://blogs.technet.microsoft.com/ken_brumfield/2014/01/19/simple-way-to-temporarily-bypass-powershell-execution-policy/

Configure SAML in SDP Cloud

1. Go to ESM Directory --> SAML Authentication page in SDP Cloud
2. Configure Login URL as https://adfs.yourdomain.com/adfs/ls    [ Use the fqdn which you used to generate the certificate ]
3. Logout URL as https://adfs.yourdomain.com/adfs/ls/idpinitiatedsignon?SingleSignOut=SingleSignOut
4. A certificate will be saved at C:certificate.cer. Browse and select it
5. The algorithm will be RSA
6. Save the settings

Initiating AD / SAML Authentication

To initiate SAML Authentication, you must use your custom domain or subdomain that you have configured in ESM Directory --> ESM Portal settings in SDP Cloud ( e.g., helpdesk.zillum.com (or) zillum.sdpondemand.manageengine.com )

Users will be redirected to AD FS Authentication page.

Logging out

SAML Logout is currently not supported in SDP Cloud. Please close your browser or open a new incognito browser for a new session

Troubleshooting Login Issues

For AD FS 3.0, make sure that "servicePrincipalName" attribute for the AD FS service's Logon account has the correct value.

Check the following

1. In AD FS machine, go to Administrative Tools ---> Windows Services
2. Right-click on Active Directory Federation Services (AD FS) Service and go to Login tab
3. Note down the Account that is configured here in the Login tab
4. Now, go to Active Directory machine
5. Run "adsiedit.msc". (If the AD objects are not shown, click on Action --> Connect and connect to AD)
6. Locate the Account that you saw in step 3 (AD FS service's Logon account)
7. Right click on the Account and go to Properties
8. In the Attributes list, make sure the "servicePrincipalName" attribute has the value HTTP/ADFS_Service_Name. For example, if your Federation Service name is adfs.zillum.com, then please make sure the value http/adfs.zillum.com is present in "servicePrincipalName" attribute
9. Restart AD FS service and then try authentication

The things you must make sure for a successful Login are as follows

1. The Active Directory must contain the email address for the user. To check this, go to Active Directory Users & Computers. Right click on the user and click Properties. The email address of the user must be present in the EMail field.
2. Users must have been imported as Requesters in SDP Cloud
3. The email address in Zoho / SDP Cloud for that user and in the Active Directory must be the same
4. The Organization ID must have been given correctly while running the adfsscript PowerShell script. The Organization ID is listed under ESM Directory >> Organization Details.
5. Make sure the following 4 things have the same FQDN : (1) "Federation Service Name" present in the AD FS management console  (2) Login / Logout URLs configured in SDP Cloud (3) SSL Certificate's Common Name/Subject (4) servicePrincipalName in Active Directory for the AD FS Service's Login account
   • For e.g., if the Login URL is "https://adfs.zillum.com/adfs/ls", then
   • the Federation Service Name must be: adfs.zillum.com
   • the SSL Certificate's Common Name/Subject must be: adfs.zillum.com
   • the servicePrincipalName attribute value must contain: http/adfs.zillum.com
   • If you change the federation service name, a restart of AD FS 2.0 Windows Service is needed
6. Make sure the PowerShell script ran successfully. Any errors encountered while running the script will be printed in "red" color in the console.

Further Troubleshooting
For further troubleshooting information, please refer here: http://help.sdpondemand.com/ad-integration-single-sign-on-issues

Disabling SAML Authentication

1) Organization Admin (usually the user who first signed-up for SDP Cloud) can log in to our service by visiting sdpondemand.manageengine.com instead of the customized domain. In the login page, instead of AD credentials, the usual SDP Cloud credentials can be used. After logging in, go to ESM Directory --> SAML Authentication page and delete the configuration. This will disable SAML Authentication.

2) When you import users using the Provisioning App, the application will not import any password from the AD. So the imported users will not have any password associated with them in SDP Cloud. In case you are planning to disable SAML Authentication and use SDP Cloud authentication, they will need their password to log in. So they have to click the "Forgot Password" link in the login page to receive a mail to generate a new password.

Authenticating external users

For SAML authentication to work anywhere from the internet, you need to do the following 2 steps :

1) Allow AD FS machine's port 443 to be accessible from the internet, by following any one of the below steps

• Install AD FS Proxy: You can install the AD FS Proxy through which you can allow AD FS machine's port 443 to be accessed. AD FS Proxy needs to be installed in your DMZ and must be accessible to the internet. An entry needs to be put in your external DNS (e.g., adfs.zillum.com) which points to this AD FS proxy's external IP.  For more details about installing and configuring AD FS Proxy, refer here: https://nolabnoparty.com/en/adfs-3-0-install-wap-server-pt-4/
• Alternatively, allow AD FS machine's port 443 to be accessible from the internet (by adding a NAT entry or otherwise). You need to put an entry in your external DNS Server for this (e.g., adfs.zillum.com). Note that, AD FS need not be installed on a Domain Controller. You can install AD FS on any Windows 2008 system and need to just join the AD FS system to the domain. By this way, your Domain Controller system will not be exposed to the internet. Allow access to port 443 alone.

2) Change the Federation Service Name in AD FS Management

• After allowing port 443 access to the ADFS to internet, Go to ESM Directory > SAML Authentication page. Change the Login and Logout URLs by giving the fully qualified domain name of the system that you have given access to internet  (e.g., https://adfs.zillum.com/adfs/ls)
• In the AD FS system, go to AD FS management, right-click on the service and click "Edit Federation Service Properties". Give the same fqdn for Federation Service name
• Restart the AD FS 2.0 Windows Service from the services console. Now try to login again.
• For examlpe, if "https://adfs.zillum.com/adfs/ls" is the Login URL, then the Federation Service Name must be "adfs.zillum.com"