SSO Settings

If the SSO Settings option is enabled, users can automatically log in to ADSelfService Plus by simply logging in to their Windows machine or through a third-party identity provider.

ADSelfService Plus supports single sign-on (SSO) with two types of authentication:

  1. NTLM Authentication
  2. SAML Authentication

1. NTLM Authentication:

In this method of authentcation, users log in to the ADSelfService Plus web console using the credentials they used to log in to the machine. To enable NTLM authentication, follow the steps below.

Important: ADSelfService Plus' access URL must be associated with the local intranet sites for automatic logon.
A. Finding the IP address of the DNS servers


B. Finding the DNS site

Active Directory Sites and Services

C. Adding sites to the local intranet zone

There are two ways to apply the required configuration:

Method 1: Using a group policy (supported on Google Chrome and Internet Explorer)
  1. Create a new Group Policy Object and navigate to User Configuration → Administrative Templates → Windows Components → Internet Explorer → Internet Control Panel → Security Page → Sites to Zones Assignment list. Select Enable.
  2. Click Show to display the zone assignments. Enter the access URL in Value name and relate it to the trusted sites by entering "1" in Value, then click OK.
  3. Navigate to User Configurations → Administrative Templates → All Settings → Logon options. Select Enable.
  4. From the Logon options list, click Automatic logon only in Intranet zone, then OK.
Method 2: Manual configuration
1.Google Chrome: 2.Internet Explorer: 3.Mozilla Firefox:

2. SAML Authentication:

In this method of authentication, users log in to the ADSelfService Plus web console using the credentials of a SAML-based identity provider.

After enabling the SAML-based SSO option, every time a user attempts to access ADSelfService Plus' web console, the IdP receives the authentication request. IdP authenticates the user, and after successful authentication, the user will be automatically logged in to the ADSelfService Plus portal. If the user is already logged in to the identity provider, when that user tries to access ADSelfService Plus, they will be granted access automatically.

  1. Log in to ADSelfService Plus web console as an administrator. Navigate to AdminCustomize → Logon settings → Single sign-On. Click the Enable SSO checkbox and the SAML Authentication button. Copy the ACS URL/Recipient URL and the Relay State URL.

  2. The SAML-based identity provider that you intend to use must have ADSelfService Plus as one of its supported SAML applications. If it is not supported by default, you can add ADSelfService Plus as a new application in your identity provider. Find the steps to add a new application in Okta, OneLogin, ADFS and Line Works by clicking on the respective links. For other identity providers, contact their support team for further assistance.

  3. Log in to your identity provider with admin credentials, and navigate to ADSelfService Plus from the list of applications provided. Either download the Metadata in XML format, or get the required data by copying the Issuer URL/Entity ID, IdP Login URL, IdP Logout URL, and X509-certificate. You'll need this information while configuring ADSelfService Plus for logon SSO.

Service Provider Configuration (ADSelfService Plus)
  1. Navigate to AdminCustomize → Logon settings → Single sign-On.
  2. Check the Enable SSO checkbox to enable SSO in ADSelfService Plus.

  3. Click the SAML Authentication button to enable SAML configuration in your domain.
  4. Select the identity provider of your choice in the Select IdP drop-down. If you have selected Custom SAML from the drop-down, you must type in the IdP name and upload IdP logo in the respective fields.
  5. There are two SAML Configuration Modes: Upload Metadata File and Manual Configuration.

    1. Select Upload Metadata File if you have downloaded the IdP metadata file from the identity provider. 
      • Click Browse to upload the IdP metadata file.


    2. Select Manual Configuration to manually configure the URLs and certificates.

      • Enter the Issuer URL/Entity ID URL obtained from the identity provider in the respective field (Refer step 3 of Prerequisites).
      • In the IdP Login URL, enter the Login URL obtained from the identity provider (Refer step 3 of Prerequisites).

      • In the space provided for X.509-Certificate, enter the public certificate key fetched from the identity provider (Refer step 3 of Prerequisites).


      Important: By default, ADSelfService Plus utilizes the same SAML authentication configuration for SSO during login and multi-factor authentication (MFA) during password self-service. This means that the SAML configurations you complete for logon SSO settings will automatically be used for MFA if the latter is enabled.
  6. Select the Sign SAML logout Request option to sign the logout request which goes from ADSelfService Plus to the SAML-based identity provider. 
  7. Select the Sign SAML Logout Response option to sign the logout response that goes from ADSelfService Plus to the SAML-based identity provider.
  8. Click Save.

Important :

  1. When the Single Logout option is configured, and a user logs out of ADSelfService Plus, the user is automatically logged out from the identity provider, and vice versa.
  2. To enable Single Logout in ADSelfService Plus, you need to configure this feature in your SAML-based identity providers. Click on the respective links for the steps to configure this feature in Okta, OneLogin, ADFS, and LineWorks. For other identity providers, contact their support team for further assistance.


Your request has been submitted to the ADSelfService Plus technical support team. Our technical support people will assist you at the earliest.


Need technical assistance?

  • Enter your email ID
  • Talk to experts
    By clicking 'Talk to experts', you agree to processing of personal data according to the Privacy Policy.

Copyright © 2023, ZOHO Corp. All Rights Reserved.