Single Sign-On

You can set up single sign-on to AD360 and the products integrated with it through NTLM or SAML authentication.

NTLM authentication

To enable NTLM-based single sign-on, follow the steps listed below:

  1. Navigate to Admin → Administration → Logon Settings.
  2. Put a check against the Enable Single Sign-On box.
  3. Select the products for which you wish to enable single sign-on from the Select Components drop-down box.
    Note: The product will be displayed only if it supports single sign-on.
  4. Select the domains from the Select Domains drop-down box. These are the domains that contain the user accounts used to access AD360 and the components.
  5. Click Save Settings.
  Note: If AD360 is installed as a service, configure the service account with administrator privileges by following the steps listed below.

    • Click Start → Run → services.msc.
    • Locate the ManageEngine AD360 service.
    • Right-click the service and select Properties, then open the Log On tab.
    • Select This account and provide the credentials.

To modify existing single sign-on settings:

  1. Navigate to Admin → Administration → Logon Settings.
  2. Click the [edit-icon] icon in the Status column against the domain whose settings you wish to modify.
  3. Enter the Computer Name and Password in the respective fields.
  4. Select the Create this computer account in the domain check box to create a computer account with the entered credentials if it is not already present in the domain.
  5. Click Advanced. If the DNS Servers and DNS Site are not filled automatically after entering the computer name and password, enter them manually.
  6. Click Save.

To identify the DNS Server IP address:

  1. Open Command Prompt from a machine belonging to the domain that you have selected.
  2. Type ipconfig /all and press enter.
  3. Use the first IP address displayed under DNS Server.

To identify the DNS Site:

  1. Open Active Directory Sites and Services in Active Directory.
  2. Expand Sites and identify the site that contains the domain controller configured for the selected domain.
  3. Use the Site name for DNS Site.
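The two lookups above can also be done from a PowerShell prompt on a domain-joined machine. The script below is an added example, not part of the AD360 documentation; it prints the DNS servers the machine uses (the same data as ipconfig /all) and the Active Directory site the machine belongs to, which is the value expected in the DNS Site field.

```powershell
# Added example (not from the AD360 documentation): identify the DNS Server
# and DNS Site values for the Advanced section of the single sign-on settings.
# Run on a machine that belongs to the domain selected in AD360.

# DNS servers in use, first entry first (equivalent to the DNS Server lines of ipconfig /all)
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses }).ServerAddresses |
              Select-Object -Unique
"DNS Server (use the first): {0}" -f ($dnsServers -join ', ')

# Active Directory site of this machine; nltest prints the site name on its first line
$site = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
"DNS Site: $site"
```

If nltest prints nothing, the machine has not located a domain controller, which is itself a sign that the domain's DNS settings are wrong.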

Troubleshooting steps for NTLM-based SSO:

I. Change browser settings to allow Single Sign-On

Trusted sites are sites with which NTLM authentication can occur seamlessly. If SSO has failed, the most probable cause is that the URL of AD360 or of an integrated component is not in your browser's trusted sites. Add the URLs of AD360 and the selected components to the trusted sites list by following the steps given below:

Internet Explorer:

  1. Open Internet Explorer and click the Tools button.
  2. Click Internet options.
  3. In the Internet options dialog box that opens, click the Security tab.
  4. Under Select a zone to view or change security settings box, select Local Intranet.
  5. Now click the Sites button.
  6. If you are using IE 11, click the Advanced button and add the URLs of AD360 and the components to the list of intranet sites.
  7. If you are using a version earlier than IE 11, add the URLs of AD360 and the components to the list of intranet sites.
  8. Click Close, and then click OK.
  9. Close all browser sessions and reopen the browser.

Google Chrome

  1. Open Chrome and click the Customize and control Google Chrome icon (the three horizontal lines icon at the far right of the address bar).
  2. Click Settings, scroll to the bottom and click the Show advanced settings link.
  3. Under the System section click Open proxy settings.
  4. In the Internet Properties dialog box that opens, navigate to the Security tab → Local Intranet, and then click Sites.
  5. Click Advanced and add the URLs of AD360 and the components to the list of intranet sites.
  6. Click Close, and then OK.
  7. Close all browser sessions and reopen the browser.

Mozilla Firefox

  1. Open Firefox web browser and type about:config in the address bar.
  2. Click I accept the risk in the warning window.
  3. In the Search field, type: network.automatic-ntlm-auth.trusted-uris.
  4. Double-click the network.automatic-ntlm-auth.trusted-uris preference and type the URL of AD360 and the integrated products in the prompt box. Use a comma to separate multiple URLs.
  5. Click OK to save the changes.
  6. Close all browser sessions and reopen the browser.
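Internet Explorer and Chrome both read the Windows Internet zone map, so the Local Intranet assignment from the steps above can also be set and checked from PowerShell. The script below is an added example, not part of the AD360 documentation; the hostnames are placeholders for your own AD360 and component servers.

```powershell
# Added example (not from the AD360 documentation): put the AD360 and component
# hosts into the Local Intranet zone (zone 1) for the current user, so IE and
# Chrome answer NTLM challenges for them without prompting.
# Hostnames are placeholders; replace them with your own.
$ssoHosts = @('ad360.example.com', 'adselfservice.example.com')
$zoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

foreach ($h in $ssoHosts) {
    $key = Join-Path $zoneMap $h
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The value name is the scheme; data 1 means Local Intranet
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verify: list every host currently mapped to Local Intranet for https
Get-ChildItem $zoneMap | ForEach-Object {
    $v = Get-ItemProperty $_.PSPath
    if ($v.https -eq 1) { "Local Intranet: $($_.PSChildName)" }
}
```

If a Site to Zone Assignment List group policy is applied to the machine, the per-user zone map is ignored and the URLs have to be added through that policy instead. Firefox does not use the zone map; for it, the network.automatic-ntlm-auth.trusted-uris preference from the steps above is still required.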

II. Check the computer account configuration

Status: Error in Creating Computer Account

This error can be due to any of the reasons listed below:

  1. Invalid domain credentials in AD360
     This can happen when the credentials of the user account specified in the domain settings section of the integrated products have expired. To update the credentials and synchronize them with AD360, follow these steps:

  2. Domain controllers are not accessible from AD360
     When AD360 cannot reach the specified domain controllers (DCs), you must add another DC that it can access.

  3. Non-conformance to password policy
     This error occurs when the password of the automatically created computer account for NTLM authentication does not meet the domain password policy settings. To resolve this issue, create a computer account manually and assign it a password that meets the complexity requirements of the domain policy. To accomplish this, follow the steps given below:
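The three causes above can be checked from the AD360 server before touching the settings. The script below is an added example, not part of the AD360 documentation; it needs the RSAT ActiveDirectory module, and the domain name and computer account name are placeholders.

```powershell
# Added example (not from the AD360 documentation): check the conditions behind
# "Error in Creating Computer Account" from the AD360 server.
# $domain and $ssoComputer are placeholders; use the domain selected in AD360 and
# the computer account name entered in its single sign-on settings.
Import-Module ActiveDirectory

$domain      = 'example.com'
$ssoComputer = 'AD360SSO'

# Cause 2: can a domain controller for the domain be reached on LDAP (389) and SMB (445)?
$dc     = Get-ADDomainController -DomainName $domain -Discover -ForceDiscover
$dcHost = [string]$dc.HostName
foreach ($port in 389, 445) {
    $ok = (Test-NetConnection -ComputerName $dcHost -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0}:{1} reachable = {2}" -f $dcHost, $port, $ok
}

# Cause 1: are the credentials AD360 will use still valid? Prompt for them and try an LDAP bind.
$cred = Get-Credential -Message "Domain account configured in AD360 (placeholder check)"
try {
    Get-ADDomain -Server $dcHost -Credential $cred | Out-Null
    "Credential check: OK"
} catch {
    "Credential check: FAILED ($($_.Exception.Message))"
}

# Cause 3: does the computer account exist, and what does the password policy demand?
$acct = Get-ADComputer -Filter "Name -eq '$ssoComputer'" -Server $dcHost -ErrorAction SilentlyContinue
if ($acct) { "Computer account $ssoComputer exists: $($acct.DistinguishedName)" }
else       { "Computer account $ssoComputer not found; create it manually with a policy-compliant password" }

$pol = Get-ADDefaultDomainPasswordPolicy -Server $dcHost
"Password policy: minimum length {0}, complexity required {1}" -f $pol.MinPasswordLength, $pol.ComplexityEnabled
```

A reachable DC with a failed credential check points at cause 1; an unreachable DC points at cause 2; a missing account combined with complexity enabled is the usual shape of cause 3.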

SAML authentication

You can set up single sign-on to access AD360 and the integrated products through any of these popular identity providers.

IMPORTANT: SAML-based SSO cannot be enabled if Reverse Proxy is also enabled.

Configuring single sign-on to AD360 using Okta

Step 1: Configure AD360 in Okta

  1. Log in to the Okta portal.
  2. Under the Apps tab, click Add Application and select Create New App.
  3. Select Platform as Web and choose Sign on method as SAML 2.0 and click Create.
  4. In General Settings, enter the SAML application name, say AD360, in the App name field. Upload a logo for the application if needed, then click Next.
  5. In the Configure SAML section, enter the values for Single sign on URL and Audience URI. These values can be obtained from AD360 → Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication → Identity Provider (IdP) → Okta. Copy the ACS/Recipient URL value and paste it in the Single sign on URL field. Copy the Entity ID value and paste it in the Audience URI field.
  6. Leave the other settings as they are.
  7. Click Finish.
  8. Once the configuration is complete, navigate to the Sign on tab to download the Identity Provider metadata file.

Step 2: Configure Okta in AD360

  1. Log in to AD360 as an administrator.
  2. Navigate to Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication.
  3. Select Okta from the Identity Provider (IdP) drop-down.
  4. For SAML Configuration Mode option, select Upload Metadata File.
  5. Click Browse and upload the metadata file obtained in Step 1 (8).
  6. If you want to enable Single Logout,
       
    1. Copy the Issuer URL, SP Logout URL and download the X.509 Certificate in AD360.
    2. In Okta, go to the Configure SAML page, and click Show Advanced Settings.
    3. Check the Enable Single Logout option.
    4. Paste the Issuer URL value in SP Issuer field and the SP Logout URL value in Single Logout URL field.
    5. Click the Browse button next to Signature Certificate and select the X.509 Certificate you downloaded from AD360. Click Upload Certificate.
  7. Click Save to complete the configuration.

Configuring single sign-on to AD360 using OneLogin

Step 1: Configure AD360 in OneLogin

  1. Log in to the OneLogin portal.
  2. Click Apps tab and select Add Apps.
  3. Click SAML Test Connector (IdP) in the apps category.
  4. Enter the Display Name and upload the icon for the application. Click Save.
  5. Under the Configuration tab, enter the values for ACS (Consumer) URL Validator and ACS (Consumer) URL. These values can be obtained from AD360 → Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication → Identity Provider (IdP) → OneLogin. Copy the ACS/Recipient URL value and paste it in both fields.
  6. Click More Actions in the top panel and click SAML Metadata to download the metadata file.
  7. Click Save to complete the configuration in OneLogin.

Step 2: Configure OneLogin in AD360

  1. Log in to AD360 as an admin.
  2. Navigate to Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication.
  3. Select OneLogin from the Identity Provider (IdP) drop-down.
  4. For SAML Configuration Mode option, select Upload Metadata File.
  5. Click Browse and upload the metadata file obtained in Step 1 (6).
  6. If you want to enable Single Logout, copy the SP Logout URL in AD360 and paste it in the Single Logout URL field in OneLogin’s Configuration page.
  7. Click Save to complete the configuration.

Configuring single sign-on to AD360 using Ping Identity

Step 1: Configure AD360 in Ping Identity

  1. Log in to the Ping Identity portal.
  2. Click Applications → My Applications → SAML → Add Application → New SAML Application.
  3. On the Application Details page, enter Application Name, Application Description and Category. You can optionally assign an application icon.
  4. Click Continue to Next Step.
  5. On the Application Configuration page, provide the ACS URL and Entity ID. These values can be obtained from AD360 → Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication → Identity Provider (IdP) → Ping Identity. Copy the ACS/Recipient URL value and paste it in the ACS URL field. Copy the Entity ID value and paste it in the Entity ID field.
  6. In the next step, click Save & Publish.
  7. Once the configuration is complete, the metadata file can be downloaded.

Step 2: Configure Ping Identity in AD360

  1. Log in to AD360 as an admin.
  2. Navigate to Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication.
  3. Select Ping Identity from the Identity Provider (IdP) drop-down.
  4. For SAML Configuration Mode option, select Upload Metadata File.
  5. Click Browse and upload the metadata file obtained in Step 1 (7).
  6. If you want to enable Single Logout,
       
    1. Copy the SP Logout URL in AD360 and paste it in the Single Logout Endpoint field in Ping Identity's SAML Application page.
    2. Download the X.509 Certificate in AD360. In Ping Identity's SAML Application page, click the Browse button next to Primary Verification Certificate and upload the downloaded certificate.
  7. Click Save to complete the configuration.

Configuring single sign-on to AD360 using ADFS

Step 1: Configure AD360 in ADFS

Prerequisites:

To configure ADFS for identity verification in AD360, you need the following:

  1. An installed ADFS server. The detailed steps for installing and configuring ADFS can be found in this Microsoft article.
  2. An SSL certificate to sign your ADFS login page, and the fingerprint for that certificate.

Configuration steps

Note: Only the Forms Authentication method is configured for users accessing AD360 through ADFS authentication. You can view this setting in Authentication Policies → Primary Authentication → Global Settings.

Claim Rules and Relying Party Trust

During configuration, you will need to add a Relying Party Trust and create claim rules. A Relying Party Trust establishes the connection between two applications for authentication purposes by verifying claims. In this case, ADFS trusts the relying party (AD360) and authenticates users based on the claims generated. Claims are generated from claim rules by applying certain conditions to them. A claim is an attribute used to identify an entity in order to establish access, for example the Active Directory sAMAccountName.

  1. Open the AD FS Management console.
  2. The connection between ADFS and AD360 is created using a Relying Party Trust (RPT). Select the Relying Party Trusts folder in AD FS.
    [Screenshot: Add Relying Party Trust]
  3. From the Actions sidebar, select Add Relying Party Trust. The Add Relying Party Trust Wizard opens.
    [Screenshot: Add Relying Party Trust Wizard]
  4. Click Start.
  5. In the Select Data Source page, select the Enter Data About the Party Manually option and click Next.
    [Screenshot: Enter Data About the Party Manually]
  6. In the Specify Display Name page, enter a display name of your choice and add notes if required. Click Next.
    [Screenshot: Specify Display Name]
  7. In the Choose Profile page, select the AD FS profile option. Click Next.
    [Screenshot: Choose AD FS profile]
  8. On the Configure Certificate screen, the default settings have already been applied. Click Next.
    [Screenshot: Configure Certificate]
  9. On the Configure URL screen, check the box labeled Enable Support for the SAML 2.0 WebSSO protocol. The Relying party SAML 2.0 SSO service URL is the ACS URL of AD360. Note that there is no trailing slash at the end of the URL. For example:
    https://ad360-server/samlLogin/955060d15d6bb8166c13b8b6e10144e5f755c953

    Note: To get the ACS URL value, navigate to AD360 → Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication → Identity Provider (IdP) → ADFS. Copy the ACS URL/Recipient URL value.

    [Screenshot: add-relying-party]
  10. In the next page, paste the Entity ID value in the Relying party trust identifiers field.
    Note: To get the Entity ID value, navigate to AD360 → Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication → Identity Provider (IdP) → ADFS. Copy the Entity ID value.

    [Screenshot: Relying party trust identifiers]
  11. On the next page, you can optionally configure multi-factor authentication settings for the relying party trust. Click Next.
  12. In the Choose Issuance Authorization Rules page, choose Permit all users to access this relying party. Click Next.
  13. The next two pages display an overview of the settings you have configured.
  14. In the Finish page, click Close to exit the wizard. Keep the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes option selected so that the Claim Rules editor opens automatically.
    [Screenshot: relying-party-wizard-closes]
  15. Once you have configured the Relying Party Trust, create the claim rules using the Claim Rules Editor.
  16. In the Issuance Transform Rules tab, click Add Rule.
  17. From the Claim rule template drop-down, select Send LDAP Attributes as Claims. Click Next.
    [Screenshot: send-ldap-attributes-claims]
  18. In the next page, provide a Claim rule name and select Active Directory from the Attribute store drop-down.
  19. In the LDAP Attribute column, select userPrincipalName.
  20. In the Outgoing Claim Type column, select Name ID.
  21. Click Finish to save the rule.
    [Screenshot: Outgoing Claim Type]
  22. Once you click Finish, you can view the rule that has been created.
    [Screenshot: edit-claim-rules]
  23. After completing the ADFS configuration, download the metadata file by clicking the Identity Provider metadata link. For example:
    https://<server_name>/FederationMetadata/2007-06/FederationMetadata.xml
    Note: Replace <server_name> with the AD FS server hostname.

    You will need this file while configuring SAML authentication in AD360, so save it and keep it safe.

  24. Navigate to Relying Party Trusts and find the relying party trust you created.
  25. Right-click it and click Properties.
  26. In the window that opens, open the Endpoints tab and click the Add SAML button.
    [Screenshot: relying-party-trust-endpoint]
  27. In the Trusted URL field, paste the SP Logout URL.
    Note: To get the SP Logout URL, navigate to AD360 → Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication → Identity Provider (IdP) → ADFS. Copy the SP Logout URL value.
  28. In the Signature tab, upload the X.509 Certificate.
    Note: To get the X.509 Certificate, navigate to AD360 → Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication → Identity Provider (IdP) → ADFS. Click the Download X.509 Certificate link to download the certificate file.
  29. Click OK.
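The same relying party trust, endpoints and claim rules can be created with the ADFS PowerShell module, which is convenient for a second federation server or for keeping the configuration in version control. The script below is an added example and is not part of the AD360 documentation or product; the ACS URL, Entity ID, SP Logout URL and certificate path are placeholders to be replaced with the values shown in AD360 under Identity Provider (IdP) → ADFS.

```powershell
# Added example (not from the AD360 documentation): create the AD360 Relying
# Party Trust, its SAML endpoints and the claim rules from the wizard steps
# above with the ADFS module. All values below are placeholders; take the real
# ones from AD360 → Admin → Administration → Logon Settings → Single Sign-On →
# SAML Authentication → Identity Provider (IdP) → ADFS.
Import-Module ADFS

$acsUrl    = 'https://ad360-server/samlLogin/<token-from-AD360>'    # ACS/Recipient URL, no trailing slash
$entityId  = '<Entity-ID-from-AD360>'                                # Entity ID
$logoutUrl = 'https://ad360-server/samlLogout/<token-from-AD360>'   # SP Logout URL
$certPath  = 'C:\temp\ad360-sp.cer'                                  # X.509 certificate downloaded from AD360

# Endpoints: the SAML 2.0 WebSSO assertion consumer (wizard step 9) and the
# single-logout endpoint added on the Endpoints tab (step 27)
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $logoutUrl
)

# Issuance transform rule: "Send LDAP Attributes as Claims",
# userPrincipalName → Name ID (steps 17 to 21)
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Issuance authorization rule: "Permit all users to access this relying party" (step 12)
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# The certificate from the Signature tab (step 28): ADFS uses it to verify
# logout requests signed by AD360
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

Add-AdfsRelyingPartyTrust -Name 'AD360' `
    -Identifier $entityId `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -RequestSigningCertificate $spCert

# Verify what was created
Get-AdfsRelyingPartyTrust -Name 'AD360' | Select-Object Name, Identifier, SamlEndpoints
```

The metadata file for Step 2 is then available at the FederationMetadata URL shown in step 23, exactly as with the wizard.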

Step 2: Configure AD FS in AD360

Prerequisites:

Enable RelayState in ADFS.

  1. Log in to AD360 as an admin.
  2. Navigate to Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication.
  3. Select ADFS from the Identity Provider (IdP) drop-down.
  4. Click Browse and upload the metadata file you downloaded from Step 1 (23).
  5. Click Save.

Accessing AD360 through ADFS

  1. To access AD360, use the URL below, where ADFSserver is the server on which ADFS is deployed:
    https://<ADFSserver>/adfs/ls/idpinitiatedsignon.aspx
  2. Select AD360 from the list of applications.

Configuring single sign-on to AD360 using custom identity provider

You can configure any custom identity provider of your choice to enable single sign-on to access AD360 and the integrated products. To do so, configure AD360 settings in the preferred identity provider by following the steps explained above.

Configure custom identity provider in AD360

  1. Log in to AD360 as an admin.
  2. Navigate to Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication.
  3. Select Custom Identity Provider from the drop-down list.
  4. Upload the metadata file of the custom identity provider.
  5. Click Save to complete the configuration.

Troubleshooting tips for SAML-based SSO

Error: Unable to connect. Sorry. The requested page could not be loaded. Some possible reasons could be:

Solution: If you get the above error message, please re-enter the ACS/Recipient URL in the IdP and try again.