AssetExplorer

    SAML Authentication

    Security Assertion Markup Language (SAML) offers an alternative to the conventional sign-in methods available for online services: users no longer need a separate password for each service they access. ManageEngine Asset Explorer supports SAML 2.0, which can be configured from Admin >> Organizational Details >> SAML Single Sign-On.

     

    How does SAML work

    SAML exchanges authentication and authorization data between two entities, an Identity Provider (IdP) and a Service Provider (SP). Here Asset Explorer acts as the SP; once integrated, users log in to the application through the IdP and do not enter any credentials in Asset Explorer itself.

     

    For example, you can set up Active Directory Federation Service (ADFS) as the IdP to allow your users to log in to Asset Explorer using their Active Directory credentials.

    The following screen shot shows  how a user logs in to an application configured with SAML.

     

     

     

    Configuring  SAML in Asset Explorer

    Role Required: SDAdmin

    Go to Admin >> Organizational Details >> SAML single sign-on.

    In the configurations tab, you will find two sections, Service Provider Details and Configure Identity Provider Details.

     

    Under the Service Provider Details section, you will find the following:

    Field Name: Entity ID, Assertion Consumer URL, Single Logout Service URL
    Description: Use these details to configure Asset Explorer as a service provider in your IdP.

    Field Name: SP Certificate
    Description: Click the file to download it. Upload this file in the IdP portal.

    Field Name: SP metadata file
    Description: In some IdPs, uploading the metadata file is enough to configure Asset Explorer as a service provider.

    Note: Changing the alias URL in the Self Service Portal settings, or switching the service from http to https, changes the Assertion Consumer URL and the Single Logout Service URL. After such a change you must reconfigure SAML authentication in both the SP and IdP portals by regenerating the SP certificate.
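    The values listed under Service Provider Details are exactly what an SP metadata file carries. The following is an added example, written for this page and not Asset Explorer's own metadata generator: it builds such a file with Python's standard library and reads it back the way an IdP import would. The base URL, the /saml/acs and /saml/slo paths and the certificate are constructed placeholders, not Asset Explorer's real endpoints. The metadata_for helper also makes the Note above concrete: the ACS and SLO locations are derived from the server's scheme, host and alias, so any change to them yields different metadata that must be re-imported into the IdP.

```python
"""Generate and read back SAML 2.0 SP metadata from the values shown under
Service Provider Details.  Added example, not AssetExplorer's own code; the
URLs, endpoint paths and certificate used here are constructed."""
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", NS_MD)
ET.register_namespace("ds", NS_DS)


def pem_body(cert_pem):
    """Strip the PEM armour: metadata carries only the base64 DER body."""
    lines = [line.strip() for line in cert_pem.strip().splitlines()]
    return "".join(line for line in lines if not line.startswith("-----"))


def build_sp_metadata(entity_id, acs_url, slo_url, cert_pem):
    """Return an EntityDescriptor describing the SP, as a string."""
    ed = ET.Element(f"{{{NS_MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(ed, f"{{{NS_MD}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "false",
        # The SP rejects unsigned responses, so tell the IdP to sign.
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": SAML2_PROTOCOL,
    })
    key = ET.SubElement(sp, f"{{{NS_MD}}}KeyDescriptor", {"use": "signing"})
    info = ET.SubElement(key, f"{{{NS_DS}}}KeyInfo")
    data = ET.SubElement(info, f"{{{NS_DS}}}X509Data")
    ET.SubElement(data, f"{{{NS_DS}}}X509Certificate").text = pem_body(cert_pem)
    ET.SubElement(sp, f"{{{NS_MD}}}SingleLogoutService",
                  {"Binding": HTTP_REDIRECT, "Location": slo_url})
    ET.SubElement(sp, f"{{{NS_MD}}}AssertionConsumerService",
                  {"Binding": HTTP_POST, "Location": acs_url,
                   "index": "0", "isDefault": "true"})
    return ET.tostring(ed, encoding="unicode")


def parse_sp_metadata(xml_text):
    """Read the endpoints back, as an IdP metadata import would."""
    ns = {"md": NS_MD, "ds": NS_DS}
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", ns)
    cert = sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", ns)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": sp.find("md:AssertionConsumerService", ns).get("Location"),
        "slo_url": sp.find("md:SingleLogoutService", ns).get("Location"),
        "cert": cert.text,
        "want_signed": sp.get("WantAssertionsSigned") == "true",
    }


def metadata_for(base_url, entity_id, cert_pem):
    """Derive ACS and SLO URLs from the server base URL (scheme, host, alias).
    A change of alias or of http to https therefore changes both URLs.
    The /saml/acs and /saml/slo paths are placeholders, not the product's
    real endpoint paths."""
    base = base_url.rstrip("/")
    return build_sp_metadata(entity_id, base + "/saml/acs", base + "/saml/slo", cert_pem)


# Constructed placeholder certificate body; not a real key.
SAMPLE_CERT = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----"""
```

    Import the output of metadata_for into the IdP; when the server moves from http to https (or the alias changes), run it again and re-import, since the old ACS and SLO locations no longer match what the SP will accept.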

     

    First, you must configure Asset Explorer as a Service Provider with your Identity Provider.

    SAML 2.0 has been tested with ADFS 3.0, Okta, and OneLogin as the Identity Providers. 


    After configuring Asset Explorer as a service provider in your IdP domain, return to the SAML configuration page in Asset Explorer.

    Under the Configure Identity Provider Details section,

    • Enter the Login URL and Logout URL of the IdP.

    • Select the Algorithm from the drop-down. This algorithm should be the same as that configured in the IdP.

    • Upload the IdP certificate by clicking the Choose File button.

     

     

    • Click Save. The details of the certificate will be displayed to the right as shown below.

     

     

     

    • Enable SAML authentication using the toggle button at the top.

    Note: Enabling SAML Single Sign-On will automatically disable Active Directory/LDAP authentication.

    The History tab lists all the activities carried out in the configuration page. You can view the activities related to a particular attribute using predefined filters as shown below.




    Log in to Asset Explorer Using SAML

    The login page after enabling SAML single sign-on will be displayed as shown below.

     

     

     

    Users can either log in using the Local Authentication (enabled by default) or log in using SAML by clicking the link below the Log In button. 

    If Local Authentication is disabled, the IdP login page will be displayed.

     

    Note: When the login name generated by the IdP does not match with the login name of a user in the application, then the user will not be able to log in to Asset Explorer.

     

    Log Out Using SAML

    Asset Explorer supports SAML single logout service. Using this, you can choose to log out from Asset Explorer only or from all the services integrated with the IdP. 

    • Click 

    • If you have configured SAML logout in your IdP domain, you will find two options listed. 

    • Click Log out to log out of Asset Explorer application alone. 

    • If you click Log Out of SAML, you will be logged out of all the services integrated with the IdP.

     

     

    Troubleshooting

     

    Error Code: 4
    Reason: The IdP certificate file was not uploaded correctly.
    Solution: Reconfigure the IdP details.

    Error Code: 10
    Reason: Error validating the logout response from the IdP.
    Solution: Refer to errors 42, 44, 50, 4, and 36. If the error persists, contact assetexplorer-support@manageengine.com.

    Error Code: 21, 22, 23
    Reason: The Status in the IdP response is Failure.
    Solution: Reconfigure the IdP details by following the instructions given above.

    Error Code: 35
    Reason: The IdP response is not signed. Asset Explorer accepts only signed responses.
    Solution: Configure the IdP settings for Asset Explorer to sign both the assertion and the response.

    Error Code: 36
    Reason: Unable to verify the IdP signature in the SAML response.
    Solution: Upload the correct IdP certificate file in the SAML configuration page of Asset Explorer.

    Error Code: 40
    Reason: The Entity ID in the SAML response does not match the Entity ID of Asset Explorer.
    Solution: Reconfigure the SP details in your IdP portal.

    Error Code: 42
    Reason: The destination URL in the SAML response does not match the actual URL to which the response was sent.
    Solution: Reconfigure the SP details in your IdP portal.

    Error Code: 44
    Reason: The Issuer field is empty in the SAML response.
    Solution: Contact assetexplorer-support@manageengine.com.

    Error Code: 46, 47, 51
    Reason: The SAML response is rejected because its timestamps (validity window) do not match the application server's clock.
    Solution: Set the correct time and time zone on the application server.

    Error Code: 48
    Reason: Assertion encryption is configured in the IdP, which Asset Explorer does not support.
    Solution: In the IdP, change from assertion encryption to assertion signing, so that the assertion is signed but not encrypted.

    Error Code: 49
    Reason: The Issuer name is missing in the SAML assertion.
    Solution: Reconfigure the SP and IdP. If the error persists, email us at assetexplorer-support@manageengine.com with the log files.

    Error Code: 50
    Reason: The SAML assertion from the IdP is not for the intended user/requester.
    Solution: Log in again using SAML authentication.

    Error Code: 52 (In Asset Explorer)
    Reason: No such user exists in the application, or the user is not a technician.
    Solution: Create a new technician manually with the login name generated by the IdP, or change the requester into a technician.
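    Most rows in this table are the checks an SP performs on the SAML Response before trusting it, and the IdP/SP exchange described under "How does SAML work" ends at exactly this point. The following added example (written for this page, not Asset Explorer's code) runs those checks over a constructed response and reports the matching troubleshooting codes, including the login-name mismatch from the note in the login section (code 52). The IdP issuer, Entity ID, ACS URL and technician list are assumed sample values. Cryptographic XML-DSig verification needs a library such as xmlsec and is reduced here to a presence check; code 36 is raised when the Issuer is not the configured IdP, since such a response can never verify against the uploaded certificate.

```python
"""SP-side checks on a SAML Response, keyed to the error codes in the
troubleshooting table.  Added example, not AssetExplorer's code.  Real
XML-DSig verification needs a library such as xmlsec; here it is reduced
to a presence check.  The sample response and SP settings are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _utc(stamp):
    """Parse the YYYY-MM-DDTHH:MM:SSZ form used in SAML timestamps."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _text(elem, path):
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def validate_response(xml_text, idp_issuer, sp_entity_id, acs_url,
                      technicians, now, skew=timedelta(seconds=30)):
    """Return the sorted troubleshooting codes the response trips ([] = accept)."""
    root = ET.fromstring(xml_text)
    codes = set()
    # 21-23: the IdP reported a status other than Success.
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        codes.add(21)
    # 35: neither the response nor its assertion carries a signature.
    if (root.find("ds:Signature", NS) is None
            and root.find("saml:Assertion/ds:Signature", NS) is None):
        codes.add(35)
    # 44: empty Issuer.  36: an issuer other than the configured IdP can
    # never verify against the uploaded IdP certificate.
    issuer = _text(root, "saml:Issuer")
    if not issuer:
        codes.add(44)
    elif issuer != idp_issuer:
        codes.add(36)
    # 42: Destination must equal the ACS URL exactly, scheme included
    # (which is why an alias or http->https change breaks a working setup).
    if root.get("Destination") != acs_url:
        codes.add(42)
    # 48: encrypted assertions are unsupported; nothing further is readable.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        codes.add(48)
        return sorted(codes)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or not _text(assertion, "saml:Issuer"):
        codes.add(49)  # assertion-level Issuer missing
    if assertion is None:
        return sorted(codes)
    # 40: the Audience must name the SP Entity ID.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        codes.add(40)
    # 46/47/51: validity window checked against the SP clock, with small skew.
    cond = assertion.find("saml:Conditions", NS)
    nb = cond.get("NotBefore") if cond is not None else None
    na = cond.get("NotOnOrAfter") if cond is not None else None
    if (nb and now + skew < _utc(nb)) or (na and now - skew >= _utc(na)):
        codes.add(46)
    # 52: the NameID must be the login name of an existing technician.
    if _text(assertion, "saml:Subject/saml:NameID") not in technicians:
        codes.add(52)
    return sorted(codes)


# Constructed sample response; the signature element is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T10:00:00Z" Destination="https://assets.example.com/saml/acs">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <ds:Signature>constructed-placeholder</ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://assets.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed SP settings and a frozen clock inside the validity window.
SP = {"idp_issuer": "http://adfs.example.com/adfs/services/trust",
      "sp_entity_id": "https://assets.example.com",
      "acs_url": "https://assets.example.com/saml/acs",
      "technicians": {"jsmith", "mlee"},
      "now": datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)}


def check(xml_text=SAMPLE_RESPONSE, **overrides):
    """Validate against the sample SP settings, overriding any of them."""
    return validate_response(xml_text, **{**SP, **overrides})
```

    Each override reproduces one row of the table: changing the SP's expected ACS URL from https to http yields 42, stripping the signature yields 35, a clock an hour off yields 46, and a NameID that is not a technician login yields 52. When a login fails with one of these codes, compare the corresponding field of the real response (captured with a browser SAML tracer) against the SP settings the same way.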

     

     

    FAQs:

     

    1. How to fix alignment issues in the login page after enabling SAML as shown in the below image?



     

     

    • Add the classes given below in the HTML editor. These classes are also available under <server_home>\custom\login\default.html

     

     .sign-line {
       text-align: center;
       display: block;
       border-bottom: 1px solid #ccc;
       margin: 10px 0;
     }

     .or-ctr {
       background: #fff;
       position: relative;
       top: 8px;
       padding: 0 4px;
       font-size: 12px;
       color: #727272;
     }

     .sign-saml {
       color: #009adb;
       text-decoration: none;
     }

     

    • Click Save and check to see if the link now appears aligned.

     

     

     

     

    Zoho Corp. All rights reserved.