Single Sign-On

You can set up single sign-on to AD360 and the products integrated with it through NTLM or SAML authentication.

• SAML authentication
• NTLM authentication

SAML authentication

You can set up single sign-on to access AD360 and the integrated products through any of these popular identity providers.

IMPORTANT: SAML-based SSO cannot be enabled if Reverse Proxy is also enabled.

• Okta
• One Login
• Ping Identity
• ADFS
• Custom identity provider

Configuring single sign-on to AD360 using Okta

Step 1: Configure AD360 in Okta

1. Log in to the Okta portal.
2. Under the Apps tab, click Add Application and select Create New App.
3. Select Platform as Web and choose Sign on method as SAML 2.0 and click Create.
4. In General Settings, enter the SAML application name, say AD360, in the App name field. Upload a logo for the application if needed, then click Next.
5. In the Configure SAML section, enter the values for,
• Single sign on URL
• Audience URI

The values for these two fields can be obtained from AD360 → Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication → Identity Provider (IdP) → Okta. Copy the ACS/Recipient URL value and paste it in the Single sign on URL field. Copy the Entity ID value and paste it in the Audience URI field.

6. Leave the other settings as it is.
7. Click Finish.
8. Once the configuration is complete, navigate to the Sign on tab to download the Identity Provider metadata file.

Step 2: Configure Okta in AD360

1. Log in to AD360 as an administrator.
2. Navigate to Admin tab >Administration > Logon Settings > Single Sign-On.
3. Mark the checkbox against Enable Single Sign-On.
4. Select the SAML Authentication radio button.
5. Select Okta from the Identity Provider (IdP) drop-down.
6. For SAML Configuration Mode option, select Upload Metadata File.
7. Click Browse and upload the metadata file obtained in Step 1 (8).
8. If you want to enable Single Logout,
    
   1. Copy the Issuer URL, SP Logout URL and download the X.509 Certificate in AD360.
   2. In Okta, go to the Configure SAML page, and click Show Advanced Settings.
   3. Check the Enable Single Logout option.
   4. Paste the Issuer URL value in SP Issuer field and the SP Logout URL value in Single Logout URL field.
   5. Click the Browse button next to Signature Certificate and select the X.509 Certificate you downloaded from AD360. Click Upload Certificate.
9. Click Save to complete the configuration.

Configuring single sign-on to AD360 using OneLogin

Step 1: Configure AD360 in OneLogin

1. Log in to the OneLogin portal.
2. Click Apps tab and select Add Apps.
3. Click SAML Test Connector (IdP) in the apps category.
4. Enter the Display Name and upload the icon for the application. Click Save.
5. Under Configuration tab, enter the values for ACS (Consumer) URL Validator and ACS (Consumer) URL.

The values for these two fields can be obtained from AD360 → Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication → Identity Provider (IdP) → OneLogin. Copy the ACS/Recipient URL value and paste it in these two fields.

6. Click More Actions in the top panel and click SAML Metadata to download the metadata file.
7. Click Save to complete the configuration in Onelogin.

Step 2: Configure OneLogin in AD360

1. Log in to AD360 as an admin.
2. Navigate to Admin tab >Administration > Logon Settings > Single Sign-On.
3. Mark the checkbox against Enable Single Sign-On.
4. Select the SAML Authentication radio button.
5. Select OneLogin from the Identity Provider (IdP) drop-down.
6. For SAML Configuration Mode option, select Upload Metadata File.
7. Click Browse and upload the metadata file obtained in Step 1 (6).
8. If you want to enable Single Logout, copy the SP Logout URL in AD360 and paste it in the Single Logout URL field in OneLogin’s Configuration page.
9. Click Save to complete the configuration.

Configuring single sign-on to AD360 using Ping Identity

Step 1: Configure AD360 in Ping Identity

1. Log in to the Ping Identity portal.
2. Click Applications → My Applications → SAML → Add Application → New SAML Application.
3. On the Application Details page, enter Application Name, Application Description and Category. You can optionally assign an application icon.
4. Click Continue to Next Step.
5. On the Application Configuration page, provide the ACS URL and Entity ID.

The values for these two fields can be obtained from AD360 → Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication → Identity Provider (IdP) → Ping Identity. Copy the ACS/Recipient URL value and paste it in the ACS URL field. Copy the Entity ID value and paste it in the Entity ID field.

6. In the next step, click Save & Publish.
7. Once the configuration is complete, the metadata file can be downloaded.

Step 2: Configure Ping Identity in AD360

1. Log in to AD360 as an admin.
2. Navigate to Admin tab >Administration > Logon Settings > Single Sign-On.
3. Mark the checkbox against Enable Single Sign-On.
4. Select the SAML Authentication radio button.
5. Select OneLogin from the Identity Provider (IdP) drop-down.
6. For SAML Configuration Mode option, select Upload Metadata File.
7. Click Browse and upload the metadata file obtained in Step 1 (7).
8. If you want to enable Single Logout,
    
   1. Copy the SP Logout URL in AD360 and paste it in the Single Logout Endpoint field in Ping Identity’s SAML Applicationpage.
   2. Download the X.509 Certificate in AD360. In Ping Identity’s SAML Application page, click the Browse button next to Primary Verification Certificate and upload the downloaded certificate. 
9. Click Save to complete the configuration.

Configuring single sign-on to AD360 using ADFS

Step 1: Configure AD360 in ADFS

Prerequisites:

To configure ADFS for identity verification in AD360, you need the following components:

1. You need to install the ADFS server. The detailed steps for installing and configuring ADFS can be found in this Microsoft article.
2. An SSL certificate to sign your ADFS login page and the fingerprint for that certificate.

Configuration steps

Note: Only Forms Authentication method is configured for users trying to access AD360 through ADFS authentication. You can view this setting in Authentication Policies → Primary Authentication → Global Settings.

Claim Rules and Relying Party Trust

During configuration, you will need to add a Relying Party Trust and create claim rules. A Relying Party Trust is created to establish the connection between two applications for authentication purposes by verifying claims. In this case, ADFS will trust the relying party (AD360) and authenticate users based on the claims generated. Claims are generated from claim rules by applying certain conditions on them. A claim is an attribute that is used for identifying an entity, to establish access. For example, the Active Directory sAMAccountName.

1. Open the AD FS Management console.
2. The connection between ADFS and AD360 is created using a Relying Party Trust (RPT). Select the Relying Party Trusts folder from AD FS.



3. From the Actions sidebar, select Add Relying Party Trust. The Add Relying Party Trust Wizard opens.



4. Click Start.
5. In the Select Data Source page, click on the Enter Data About the Party Manually option and click Next.



6. In the Specify Display Name page, enter a Display name of your choice and also add additional notes if required. Click Next.



7. In the Choose Profile page, select the AD FS profile option. Click Next.



8. On the Configure Certificate screen, the default settings have already been applied. Click Next.



9. On the Configure URL screen, check the box labeled Enable Support for the SAML 2.0 WebSSO protocol. The Relying party SAML 2.0 SSO service URL will be the ACS URL of AD360. Note that there is no trailing slash at the end of the URL. For example:

https://ad360-server/samlLogin/955060d15d6bb8166c13b8b6e10144e5f755c953

Note: To get the ACS URL value, navigate to AD360 → Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication → Identity Provider (IdP) → ADFS. Copy the ACS URL/Recipient URL value.



10. In the next page, in the Relying party trust identifiers field, copy and paste the Entity ID value.

Note: To get the Entity ID value, navigate to AD360 → Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication → Identity Provider (IdP) → ADFS. Copy the Entity ID value.



11. On the next page, you can choose to configure multi-factor authentication settings for the relying party trust. Click Next.
12. In the Choose Issuance Authorization Rules page, you can choose to either Permit all users to access this relying party. Click Next.
13. The next two pages will display an overview of the settings you have configured.
14. In the Finish page, click Close to exit the wizard. Keep the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes option selected to open the Claim Rules editor automatically.



15. Once you have configured the Relying Party Trust, you can create the claim rules using the Claim Rules Editor.
16. In the Issuance Transform Rules tab, click Add Rule.
17. From the Claim rule template drop-down, select Send LDAP Attributes as Claims. Click Next.



18. In the next page, provide a Claim rule name and select Active Directory from the Attribute store drop-down.
19. In the LDAP Attribute column, select userPrincipalName.
20. In the Outgoing Claim Type column, select Name ID.
21. Click Finish to save the rule.



22. Once you click Finish, you can view the rule that has been created.



23. After completing the ADFS configuration, download the metadata file by clicking on the Identity Provider metadata link. For example:
    https://<server_name>/FederationMetadata/2007-06/FederationMetadata.xml.

Note: Replace <server_name> with the AD FS Server hostname.

You will need this file while configuring SAML authentication in AD360. So, save this file and keep it safe.

24. Navigate to the Relaying Party Trusts and find the rule you've created.
25. Right-click on the rule and click Properties.
26. In the window which opens, find the Endpoints tab and click Add SAML button.



27. In the Trusted URL, paste the SP Logout URL.

Note: To get the SP Logout URL, navigate to AD360 → Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication → Identity Provider (IdP) → ADFS. Copy the SP Logout URL value.

28. In the Signature tab, upload the X.509 Certificate.

Note: To get the X.509 Certificate, navigate to AD360 → Admin → Administration → Logon Settings → Single Sign-On → SAML Authentication → Identity Provider (IdP) → ADFS. Click Download X.509 Certificate link to download the certificate file.

29. Click OK.

Step 2: Configure AD FS in AD360

Prerequisites

Enable RelayState in ADFS.

• For Windows Server 2012:
• Navigate to the %systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config file in your ADFS server.
• In the <microsoft.identityServer.web> section, enter the following code: <useRelayStateForIdpInitiatedSignOn enabled="true" />
  Sample code:
  <microsoft.identityServer.web>
  …..
  <useRelayStateForIdpInitiatedSignOn enabled="true" />
  </microsoft.identityServer.web>
• Restart the ADFS server.
• For Windows Server 2016:
• Open Powershell with administrative properties in your ADFS server.
• Run the following command to enable IdP-initiated SSO:
  Set-ADFSProperties -EnableIdPInitiatedSignonPage $true
• Run the following code to enable RelayState:
  Set-ADFSProperties -EnableRelayStateForIDPInitiatedSignon $true
• Restart the ADFS server.

1. Log in to AD360 as an admin.
2. Navigate to Admin tab >Administration > Logon Settings > Single Sign-On.
3. Mark the checkbox against Enable Single Sign-On.
4. Select the SAML Authentication radio button.
5. Select ADFS from the Identity Provider (IdP) drop-down.
6. Click Browse and upload the metadata file you downloaded from Step 1 (23).
7. Click Save.

Accessing AD360 through ADFS

1. To access AD360, use the URL provided below:
   https:// <ADFSserver>/adfs/ls/idpinitiatedsignon.aspx

Where, ADFSserver is the server in which the ADFS is deployed.

2. Select AD360 from the list of applications.

Configuring single sign-on to AD360 using custom identity provider

You can configure any custom identity provider of your choice to enable single sign-on to access AD360 and the integrated products. To do so, configure AD360 settings in the preferred identity provider by following the steps explained above.

Configure custom identity provider in AD360

1. Log in to AD360 as an admin.
2. Navigate to Admin tab >Administration > Logon Settings > Single Sign-On.
3. Mark the checkbox against Enable Single Sign-On.
4. Select the SAML Authentication radio button.
5. Select Custom Identity Provider from the drop down list.
6. Upload the metadata file of the custom identity provider.
7. Click Save to complete the configuration.

Troubleshooting tips for SAML-based SSO

Error: Unable to connect. Sorry. The requested page could not be loaded. Some possible reasons could be:

• Direct access to the URL is restricted.
• The product is being accessed from multiple tabs. Try Again.

Solution: If you get the above error message, please re-enter the ACS/Recipient URL in the IdP and try again.

NTLM authentication

To enable NTLM-based single sign-on, follow the steps listed below:

1. Navigate to Admin tab >Administration > Logon Settings > Single Sign-On.
2. Mark the checkbox against Enable Single Sign-On.
3. Select the NTLMv2 Authentication radio button.
Note: To enable NTLMv2 SSO for ManageEngine AD360 and the integrated components in builds 4309 and above, you will have to download the Jespa JAR file and add it to the product's lib folder. For more information, click here. If you have already enabled NTLMv2 SSO, you can continue using the feature and no further actions are needed.
4. Select the products for which you wish to enable single sign-on from the Select Components drop-down box.

   Note: The product will be displayed only if it supports single sign-on.

5. Select the domains from the Select Domains drop-down box. These are the domains that contain the user accounts used to access AD360 and the components.
6. Click Save Settings.

Note:

If AD360 is installed as a service, configure the service account with administrator privileges by following the steps listed below.

• Click Start → Run → services.msc.
• Locate the Manageengine AD360 service.
• Right-click the service and select Properties, then Log On.
• Select This account and provide the credentials.

To modify existing single sign-on settings,

1. Navigate to Admin → Administration → Logon Settings.
2. Click the [] icon in the status column against the domain that you wish to modify the settings.
3. Enter the Computer Name and Password in the respective fields.
4. Click on the Create this computer account in the domain check-box to create a computer with the entered credentials if it is already not present in the domain.
5. Click Advanced. If the DNS Servers and DNS Site are not filled automatically after entering the computer name and password, enter them manually.
6. Click Save.

To identify the DNS Server IP address

1. Open Command Prompt from a machine belonging to the domain that you have selected.
2. Type ipconfig /all and press enter.
3. Use the first IP address displayed under DNS Server.

To identify the DNS Site

1. Open Active Directory Sites and Services in Active Directory.
2. Expand the Sites and identify the Site in which the Domain Controller configured under the selected domain appear.
3. Use the Site name for DNS Site.

Troubleshooting steps for NTLM-based SSO

I. Change browser settings to allow Single Sign-On

Trusted sites are the sites with which NTLM authentication can occur seamlessly. If SSO has failed, then the most probable cause is that the AD360 or its integrated component’s URL isn't a part of your browser's trusted sites. Please add the URLs of AD360 and the selected components in the trusted sites list. Follow the steps given below:

• Internet Explorer
• Google Chrome
• Mozilla Firefox

Note:

• It is recommended that you close all browser sessions after adding the URL to the trusted sites list for the changes to take effect.
• Google Chrome and Internet Explorer use the same internet settings. Changing the settings either in Internet Explorer or in Chrome will enable NTLM SSO in both browsers. It is again recommended to close both the browser sessions for the changes to be enabled.

Internet Explorer:

1. Open Internet Explorer and click the Tools button.
2. Click Internet options.
3. In the Internet options dialog box that opens, click the Security tab.
4. Under Select a zone to view or change security settings box, select Local Intranet.
5. Now click the Sites button.
6. If you are using IE 11, click on the advanced button and add the URLs of AD360 and the components to the list of intranet site.
7. If you are using versions lower than IE 11, add the URLs of AD360 and the components to the list of intranet sites.
8. Click Close, and then click OK.
9. Close all browser sessions and reopen the browser.

Google Chrome

1. Open Chrome and click the Customize and control Google Chrome icon (3 horizontal lines icon on the far right of the Address bar).
2. Click Settings, scroll to the bottom and click the Show advanced settings link.
3. Under the System section click Open proxy settings.
4. In the Internet Properties dialog box that opens, navigate to the Security tab → Local Intranet, and then click Sites.
5. Click Advanced and add the URLs of AD360 and the components to the list of intranet sites.
6. Click Close, and then OK.
7. Close all browser sessions and reopen the browser.

Mozilla Firefox

1. Open Firefox web browser and type about:config in the address bar.
2. Click I accept the risk in the warning window.
3. In the Search field, type: network.automatic-ntlm-auth.trusted-uris.
4. Double-click the network.automatic-ntlm-auth.trusted-uris preference and type the URL of AD360 and the integrated products in the prompt box. Use a comma to separate multiple URLs.
5. Click OK to save the changes.
6. Close all browser sessions and reopen the browser.

II. Check the computer account configuration

Status: Error in Creating Computer Account

This error can be due to any of the reasons listed below:

1. Invalid domain credentials in AD360

This could happen when the credentials of the user account specified in the domain settings section of the integrated products have expired. To update the credentials and synchronize it with AD360, follow these steps:

• Log into the AD360 web-console with admin credentials.
• Navigate to the required component using the Apps Pane or the Jump to link.
• Click on domain settings and update the domain credentials (i.e., username and password).
• Synchronize the updated domain credentials with AD360 by navigating to AD360 → Admin tab and clicking on the Sync now button.
2. Domain controllers are not accessible from AD360

When AD360 cannot reach the specified domain controllers (DCs), you must add another DC that it can access.

• Log into AD360 web-console with admin credentials.
• Navigate to the required component through the Apps Pane or the Jump to link.
• Click domain settings and specify the name of the relevant DC, and also the credentials of the account that the AD360 should use.
• Synchronize the updated domain controller with AD360 by navigating to AD360 → Admin tab and clicking on the Sync now button.
3. Non-conformance to password policy

When the password of the automatically created computer accounts for NTLM authentication does not meet the domain password policy settings, this error occurs. To resolve this issue, you need to create a computer account manually, and assign it a password that meets the complexity requirements of the domain policy settings. To accomplish this, follow the steps given below:

• Click the error message Error in creating a new computer account in the status column against the domain in which you wish to create a computer account.
• Create a computer account manually by entering Computer Name and Password.

III. Domain not found or Receive timed out

Cause: The DNS Server IP address configured has a wrong IP Address or the IP address is not resolved properly in DNS Server

To fix this issue,

1. Ping the DNS Server IP address from AD360 server and check if it is reachable.
2. If not, open Command Prompt from a machine belonging to the domain that you have selected.
3. Type ipconfig /all and press enter.
4. Use the first IP address displayed under DNS Server.
5. Navigate to Admin > Administration > Logon Settings > Single Sign-On in AD360.
6. Click the icon in the status column against the domain that you wish to modify the settings.
7. Click Advanced. Enter the IP that you had copied from the command prompt in the DNS Servers field.
8. Click Save.

Back to Top