Configuring single sign-on for SAML-enabled custom enterprise applications

With single sign-on (SSO), users don't need to remember each of their different passwords; instead, they can access multiple applications without logging into them every time. Most cloud applications have built-in support for SSO, but what about your custom enterprise applications? How do you enable SSO for these applications?

ADSelfService Plus, an integrated self-service password management and single sign-on solution, lets you provide Active Directory-based SSO for any SAML-enabled application. If your in-house application supports SAML, then you can use ADSelfService Plus to enable SSO for that application. With SSO enabled, users can automatically log into the custom application without having to enter their username and password. And, if you have enabled NTLM SSO in ADSelfService Plus, simply logging into Windows is enough for users to access all their applications in just one click. 

Configuration steps

The steps given below will guide you through setting up the single sign-on functionality between ADSelfService Plus and your custom SAML applications.

Step 1: Adding the custom application to ADSelfService Plus

  • Log into ADSelfService Plus web console as an administrator.
  • Navigate to Configuration → Self-service → Password Sync/ Single sign-on.
  • Click New Custom App from the top right corner.

    Custom saml apps single sign on configuration

  • Enter your Application name.
  • Choose the Category to which the application belongs. For example, Analytics tool or CRM.
  • Provide a suitable option for the Supported SSO flow.

    Note: Check with the application service provider to find out which SSO flow the application supports.

  • Click Next.

The advanced configuration section is not mandatory. But if the application supports a particular RSA-SHA algorithm or you want the SAML response to be unsigned, then click Advanced Configuration and update the settings.

Advanced Configuration:

This section allows you to configure settings specific to your application.

  • Upload an image for the app icon in both sizes.
  • Choose the RSA-SHA1 or RSA-SHA256 Algorithm, depending on which signature algorithm your application supports.
  • Choose whether the SAML response is Signed or Unsigned.

    Note: By default, the SAML Assertion will always be signed.

  • Click Next.

Step 2: Configuring SSO settings for the custom application

  • In the Domain Name field, enter the domain name of your email address. For example, if you use johndoe@mydomain.com to log into the application, then mydomain.com is the domain name.
  • Enter a Display Name for the connection.
  • Based on the SSO flow you selected earlier, enter the required details.
    1. If you had selected Only SP flow:
      • In the SAML Redirect URL field, enter the SAML redirect URL your application service provider supplies. The URL value can be found in the application’s default login page or the SSO configuration page.
      • Enter the Assertion Consumer Service (ACS) URL your application service provider provides in the ACS URL field. This value can also be found in the application’s SSO configuration page.
    2. If you had selected Only IdP flow or Both SP and IdP flows:
      • Enter the Assertion Consumer Service (ACS) URL your application service provider provides in the ACS URL field. This value can also be found in the application’s SSO configuration page.
      • In the Entity ID field, enter the Entity ID that your application service provider supplies. This value can also be found in the application’s SSO configuration page.
  • Provide a description in the respective field.
  • In the Available Policies field, select the policies for which you wish to enable single sign-on.
  • Click Save.
  • Note: After saving the configuration, click the Download Certificate link at the top right corner. In the SSO/SAML Details pop-up screen that appears, copy the Login URL, Logout URL, Help URL, and SHA fingerprint value, or download the required certificate, based on the application's requirement. These will be needed to complete the configuration at the application’s end.

    Once the configuration is completed, users who have logged into ADSelfService Plus can automatically log into the custom enterprise application without entering their username and password.

Note: To add a new domain of the same application, locate the application from the app list and follow the Configuring SSO settings for the custom application steps. 
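The following is an added example, not part of ADSelfService Plus or its documentation: a check the custom application's team can run over a captured SAML response to confirm it matches the values entered above (ACS URL, Entity ID, RSA-SHA256, signed assertion, certificate fingerprint). It assumes the fingerprint is SHA-256 and that the response carries the signing certificate in KeyInfo; the function names, URLs and certificate bytes are constructed placeholders, and the check compares settings only, it does not verify the signature itself.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Constructed values: placeholder SP settings and placeholder "certificate" bytes.
ACS = "https://app.example.com/saml/acs"
ENTITY_ID = "https://app.example.com/saml/metadata"
FAKE_DER = b"constructed-certificate-bytes"
PINNED = hashlib.sha256(FAKE_DER).hexdigest()

def lint_saml_response(xml_text, acs_url, entity_id, pinned_sha256):
    """Compare a captured response with the SP settings; does not verify the signature."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no Assertion element"]
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        findings.append("Assertion is not signed")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        algo = method.get("Algorithm") if method is not None else None
        if algo != RSA_SHA256:
            findings.append(f"signature algorithm is {algo}, expected RSA-SHA256")
        cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
        der = base64.b64decode("".join(cert.split()))
        if hashlib.sha256(der).hexdigest() != pinned_sha256.replace(":", "").lower():
            findings.append("embedded certificate does not match the pinned fingerprint")
    if entity_id not in [a.text for a in assertion.iterfind(".//saml:Audience", NS)]:
        findings.append("Audience does not include the Entity ID")
    return findings

def sample_response(sig_algo, destination, signed=True):
    cert = base64.b64encode(FAKE_DER).decode()
    sig = (f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_algo}"/>'
           f'</ds:SignedInfo><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}'
           f'</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>') if signed else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" Destination="{destination}"><saml:Assertion>{sig}'
            f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
```

An empty list means the captured response agrees with the service provider's settings; actual signature verification belongs to the application's SAML library.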
