SSO Settings

If the SSO Settings option is enabled, users can log in to ADSelfService Plus automatically, either by logging in to their Windows machine or through a third-party identity provider.

Single sign-on to ADSelfService Plus is not supported for logins from the mobile app or a mobile browser.

ADSelfService Plus supports single sign-on with two types of authentication:

  1. NTLM Authentication.

  2. SAML Authentication.

1. NTLM Authentication:

In this method of authentication, users log in to the ADSelfService Plus web console with the credentials they used to log in to their machine. To enable NTLM authentication, follow the steps below.

Important: The ADSelfService Plus access URL must be added to the Local intranet zone for automatic logon to work.

A. How to find the IP address of the DNS Servers?

B. How to find the DNS Site?

C. How to add sites to the Local intranet zone?

The required configuration can be applied in two ways.

Method 1: Using a group policy (supported on Google Chrome and Internet Explorer)

  1. Create a new Group Policy Object and navigate to User Configuration → Administrative Templates → Windows Components → Internet Explorer → Internet Control Panel → Security Page → Sites to Zones Assignment list. Select Enable.

  2. Click Show to display the zone assignments. Enter the access URL in Value name, assign it to the Local intranet zone by entering the number 1 in Value, and then click OK.

  3. Navigate to User Configuration → Administrative Templates → All Settings → Logon options. Select Enable.

  4. From the Logon options list, click Automatic logon only in Intranet zone, and then click OK.

Method 2: Manual configuration

  1. Google Chrome:

    • Navigate to Settings → Advanced drop-down → System module → Open proxy settings.

    • Click the Security tab and select the Local intranet icon.

    • Click the Sites button, enter the access URL of ADSelfService Plus in the required field, and click Add.

  2. Internet Explorer:

    • Navigate to Tools → Internet Options → Security.

    • Click the Security tab and select the Local intranet icon.

    • Click the Sites button, enter the access URL of ADSelfService Plus in the required field, and then click Add.

  3. Mozilla Firefox:

    • Type about:config in the address bar and press Enter to display the list of preferences. If a warning message is displayed, click the I accept the risk button to proceed.

    • Navigate to the network.automatic-ntlm-auth.trusted-uris preference.

    • Double-click the preference and enter the access URL of ADSelfService Plus. For example: selfservice-5994:8888

    • Click OK.

2. SAML Authentication:

ADSelfService Plus supports one-click access to its web console through SAML-based identity providers (IdPs).

Once SAML-based SSO is enabled, every attempt to access the ADSelfService Plus web console sends an authentication request to the IdP. The IdP authenticates the user and, on success, the user is automatically logged in to the ADSelfService Plus portal. A user who already has a session with the identity provider is granted access to ADSelfService Plus automatically.

Prerequisites:

  1. Log in to the ADSelfService Plus web console as an administrator. Navigate to Admin tab → Customize → Logon settings → SSO Settings tab. Select the Enable SSO checkbox and the SAML Authentication radio button. Either download the X.509 Certificate file, or get the required data by copying the Relay State, ACS URL/Recipient URL, SP Issuer URL, and SP Logout URL. You'll need this information while configuring your identity provider.

  2. The SAML-based identity provider that you intend to use must list ADSelfService Plus as one of its SAML-supported applications. If it is not supported by default, you can add ADSelfService Plus as a new application in your identity provider. Find the steps to add a new application in Okta, OneLogin, ADFS and Line Works by clicking on the respective links. For other identity providers, contact their support team for further assistance.

  3. Log in to your identity provider with admin credentials and open ADSelfService Plus in the list of applications. Either download the metadata in XML format, or get the required data by copying the Issuer URL/Entity ID, IdP Login URL, IdP Logout URL, and the X.509 certificate. You'll need this information while configuring ADSelfService Plus for logon SSO.

Step 1: Service Provider Configuration (ADSelfService Plus)

  1. Log in to the ADSelfService Plus web console with admin credentials.

  2. Navigate to Admin tab → Customize → Logon settings → SSO Settings tab.

  3. Check the Enable SSO checkbox to enable single sign-on in ADSelfService Plus.

  4. Click the SAML Authentication radio button to enable SAML configuration in your domain.

  5. Select the identity provider of your choice in the Select IdP drop-down box. If you select Custom SAML from the drop-down list, you must type in the IdP name and upload the IdP logo in the respective fields.

  6. There are two SAML Configuration Modes: Upload Metadata File and Manual Configuration.

    1. Select Upload Metadata File if you have downloaded the IdP metadata file from the identity provider (refer to step 3 of Prerequisites).

      • Click Browse to upload the IdP metadata file.

    2. Select Manual Configuration to manually configure the URLs and certificates.

      1. Enter the Issuer URL/Entity ID obtained from the identity provider in the respective field (refer to step 3 of Prerequisites).

      2. In the IdP Login URL field, enter the Login URL obtained from the identity provider (refer to step 3 of Prerequisites).

  7. Select the Sign SAML Logout Request option to sign the logout request that goes from ADSelfService Plus to the SAML-based identity provider.

  8. Select the Sign SAML Logout Response option to sign the logout response that goes from ADSelfService Plus to the SAML-based identity provider.

  9. Click Save.

  1. By default, ADSelfService Plus maintains the same SAML authentication configuration for logon SSO and multi-factor authentication. Select the checkbox to create a new SAML SSO

  2. When the Single Logout option is configured and a user logs out of ADSelfService Plus, the user is automatically logged out of the identity provider as well, and vice versa.

  3. To enable Single Logout in ADSelfService Plus, you need to configure this feature in your SAML-based identity provider. Click on the respective links for the steps to configure this feature in Okta, OneLogin, ADFS and LineWorks. For other identity providers, contact their support team for further assistance.

Copyright © 2019, ZOHO Corp. All Rights Reserved.
ManageEngine