SAML 2.0 Authentication

ServiceDesk Plus Cloud offers support for SAML 2.0, which facilitates integration with federated identity management solutions for user authentication. ServiceDesk Plus Cloud acts as the SAML Service Provider (SP) and integrates with SAML Identity Providers (IdP). The integration involves supplying details about the SP to the IdP and vice versa. Once you integrate ServiceDesk Plus with an IdP, users can log in to ServiceDesk Plus Cloud from the respective identity provider's GUI without supplying credentials. For example, you can set up Active Directory Federation Services (AD FS) as the IdP to allow your users to log in to ServiceDesk Plus Cloud with their Active Directory credentials.

How does SAML for ServiceDesk Plus cloud help you?

1) Facilitate easy and secure access for users to their IT help desk using Active Directory integration/LDAP Authentication

2) Help IT authenticate users and control application access centrally

3) Reduce password maintenance and security overheads for managing help desk users

How to enable SAML Authentication in ManageEngine ServiceDesk Plus cloud?

Organization Admins can enable SAML Authentication for their organizations. The following are the steps to enable SAML Authentication:

  1. Domain verification

  2. Subdomain or Custom domain configuration

  3. Identity Provider installation

  4. SAML Configuration

1. Domain Verification

Your organization could be using multiple domain names for various URLs and email addresses, depending on business needs.

For example, the ACME company could own and use acmebuilders.com, acmeproperties.com, acmesecurities.com, etc., all belonging to the same organization. You can configure all such domains used by your business and also verify with ServiceDesk Plus that you indeed own those domains. Once verified, users with email IDs from those domains can be added to ServiceDesk Plus without invitation and verification.

You can add and verify your domains in ESM Directory>>Verified Domains.

2. Subdomain (Default URL) or Custom domain (Custom URL) Configuration

You can access ServiceDesk Plus cloud using your own customized domain URL (e.g., helpdesk.zylker.com) or a subdomain of sdpondemand.manageengine.com.

To perform SAML Authentication, you must have configured a subdomain or a custom domain. This can be done from ESM Directory>>ESM Portal. When you configure a custom domain, make sure you add a CNAME alias that points to customer-sdpondemand.manageengine.com.

Configure the Default URL/Custom URL by accessing ESM Directory>>ESM Portal.

We recommend using a custom domain (custom service URL) rather than a subdomain of the global service URL (e.g., support.sdpondemand.manageengine.com) for scenarios like third-party integrations, bookmarks, or email notification links.

3. Identity Provider Installation

You can install a SAML 2.0-compliant Identity Provider on your network. All authentication requests will be forwarded to this Identity Provider. The Identity Provider can perform Active Directory/LDAP/custom authentication, and once the user is authenticated, it redirects the browser with a response to accounts.zoho.com.

We have tested SAML Authentication with AD FS 2.0 and AD FS 3.0 as the Identity Provider.

The steps for installing and configuring Active Directory Federation Services are documented on separate pages.

See the page on installing and configuring AD FS 3.0 for those steps.

If you are using any other SAML 2.0-compliant Identity Provider:

The authentication request sent from Zoho is shown in the SAML Authentication Request section below.
The expected assertion response is shown in the Expected SAML Response section below.

4. SAML Configuration

For SAML Authentication, the login and logout requests will be redirected to the Identity Provider installed in your network. You need to specify the Identity Provider's login URL and logout URL so that requests are redirected accordingly. You also need to supply the signature algorithm and the public key certificate of the Identity Provider so that Zoho / ManageEngine can verify the signature on the SAML responses sent by the Identity Provider.

SAML can be configured at Organization Directory --> SAML Authentication.

Once all the above steps are done, when your organization's users access ServiceDesk Plus cloud using your configured subdomain or custom domain (e.g., http://helpdesk.zylker.com), they will be redirected to the Identity Provider installed inside your network for authentication. Once authentication succeeds, they are redirected back to the ServiceDesk Plus cloud website and logged in.

Once you have configured SAML authentication, your organization users must access ServiceDesk Plus cloud through the sub-domain or customized domain only.

SAML Authentication Request

Assuming zylker.com is the verified domain and idp-w2k8 is the system where the Identity Provider is installed:

<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_abe4735eceae4bd49afdb3f254dc5ea01359616"
    Version="2.0"
    IssueInstant="2013-01-31T07:18:15.281Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="Zoho"
    IsPassive="false"
    Destination="https://idp-w2k8/adfs/ls"
    AssertionConsumerServiceURL="https://accounts.zoho.com/signin/samlsp/<orgid>">
  <saml:Issuer>zoho.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" />
</samlp:AuthnRequest>

Expected SAML Response

Assuming zylker.com is the verified domain, the Assertion Consumer Service URL is:
https://accounts.zoho.com/signin/samlsp/<orgid>
e.g., https://accounts.zoho.com/signin/samlsp/90000000000

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response ID="_38563ef5-2341-4826-94f2-290fca589a51"
    Version="2.0"
    IssueInstant="2013-01-31T07:19:18.219Z"
    Destination="https://accounts.zoho.com/signin/samlsp/<orgid>"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    InResponseTo="_abe4735eceae4bd49afdb3f254dc5ea01359616"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp-w2k8/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_c42ed101-0051-48ad-a678-8cb58dee03f6"
      IssueInstant="2013-01-31T07:19:18.219Z"
      Version="2.0"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://idp-w2k8/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#_c42ed101-0051-48ad-a678-8cb58dee03f6">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>wlE4Jf0Z8Z+2OyWE69RRH81atZ8=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>Y3izuExs6/EDebT9Q4U3qbL6Q==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC7jCCAdagAwIBAgIQVsvKLeIHJYVEYQONFS3p3zANBgkqhkiG9w0BAQUFADAgMR4+zaLeWShiGw==</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user1@zylker.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_abe4735eceae4bd49afdb3f254dc5ea01359616"
            NotOnOrAfter="2013-01-31T07:24:18.219Z"
            Recipient="https://accounts.zoho.com/signin/samlsp/<orgid>" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2013-01-31T07:17:18.203Z"
        NotOnOrAfter="2013-01-31T07:17:19.203Z">
      <AudienceRestriction>
        <Audience>zoho.com</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2013-01-31T07:19:18.110Z"
        SessionIndex="_c42ed101-0051-48ad-a678-8cb58dee03f6">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
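The checks a Service Provider applies to the fields of the request and response above before it trusts the NameID, as an added example in Python (not ServiceDesk Plus, Zoho or AD FS code): InResponseTo against the AuthnRequest ID, Destination and Recipient against the Assertion Consumer Service URL, the bearer-confirmation and Conditions time windows, and the Audience. The request ID and ACS URL are the page's own values; the sample response is constructed, and signature verification against the configured IdP certificate is assumed to be handled by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUEST_ID = "_abe4735eceae4bd49afdb3f254dc5ea01359616"          # ID of the AuthnRequest shown above
ACS_URL = "https://accounts.zoho.com/signin/samlsp/90000000000"  # the page's example ACS URL

def ts(s):  # AD FS timestamps: UTC with fractional seconds
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, request_id, acs_url, audience, now, skew=timedelta(seconds=30)):
    """Return the failed checks (empty list = assertion may be consumed); XML-DSig itself is left to a signing library."""
    root, bad = ET.fromstring(xml_text), []
    if root.find(f"samlp:Status/samlp:StatusCode[@Value='{SUCCESS}']", NS) is None:
        bad.append("status not Success")
    if root.get("InResponseTo") != request_id:  # ties the response to a request we issued
        bad.append("Response InResponseTo != AuthnRequest ID")
    if root.get("Destination") != acs_url:
        bad.append("Response Destination != our ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1: return bad + ["expected exactly one Assertion"]  # never pick one of several
    a = assertions[0]
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):  # the signature must cover this element
        bad.append("Signature Reference does not cover this Assertion")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id or scd.get("Recipient") != acs_url:
        bad.append("SubjectConfirmationData InResponseTo/Recipient mismatch")
    elif now > ts(scd.get("NotOnOrAfter")) + skew:
        bad.append("bearer confirmation expired")
    c = a.find("saml:Conditions", NS)
    if c is None: return bad + ["missing Conditions"]
    if now + skew < ts(c.get("NotBefore")) or now > ts(c.get("NotOnOrAfter")) + skew:
        bad.append("outside Conditions validity window")
    if audience not in [e.text for e in c.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        bad.append("Audience does not name us")
    return bad

# Constructed sample: the page's response with a 5-minute Conditions window and the signature
# reduced to its Reference element (a real one also carries SignatureValue and the certificate).
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" ID="_r1" Version="2.0" Destination="{ACS_URL}"
 IssueInstant="2013-01-31T07:19:18.219Z" InResponseTo="{REQUEST_ID}"><samlp:Status><samlp:StatusCode
 Value="{SUCCESS}"/></samlp:Status><Assertion xmlns="{NS['saml']}" ID="_a1" Version="2.0" IssueInstant="2013-01-31T07:19:18.219Z">
<ds:Signature xmlns:ds="{NS['ds']}"><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
<Subject><NameID>user1@zylker.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="{REQUEST_ID}" NotOnOrAfter="2013-01-31T07:24:18.219Z" Recipient="{ACS_URL}"/>
</SubjectConfirmation></Subject><Conditions NotBefore="2013-01-31T07:17:18.203Z" NotOnOrAfter="2013-01-31T07:24:18.203Z">
<AudienceRestriction><Audience>zoho.com</Audience></AudienceRestriction></Conditions></Assertion></samlp:Response>"""
```

Run `validate_response(SAMPLE, REQUEST_ID, ACS_URL, "zoho.com", ts("2013-01-31T07:19:30.000Z"))` to see an empty list; the same call with a clock past the windows, a different request ID, or a different ACS URL reports the corresponding failed checks.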