SAML Authentication

 

SAML Authentication adds an extra layer of security to the password reset and account unlock process. If your organization already has SAML-based identity provider (IdP) applications such as OneLogin or Okta, it is only sensible that you use SAML Authentication as a method to verify users' identity. When SAML authentication is enabled, users are redirected to their IdP login URL for authentication, during password self-service operations. After successful authentication, the users are routed back to the ADSelfService Plus portal where they can reset their password or unlock their account. To use SAML authentication, end users do not have to enroll with ADSelfService Plus.

 

Steps to be followed:

Configuration of SAML authentication must be done in two places:

  1. At the service provider (SP).

  2. At the identity provider (IdP).

Here, the IdP is the SAML-based identity provider application such as OneLogin or Okta. The SP is ADSelfService Plus.

SAML authentication cannot be used to perform user identification through the ADSelfService Plus mobile app during self-service actions.

Prerequisites:

  1. Log in to ADSelfService Plus web console with admin credentials. Navigate to Configuration tab → Multi-factor Authentication section → SAML authentication. Copy the ACS URL/ Recepient URL and the Relay State.

  2. The SAML-based identity provider that you intend to use must have ADSelfService Plus as one of its SAML supported applications. If it is not supported by default, you can add ADSelfService Plus as a new application in your identity provider. Find the steps to add a new application in OktaOneLogin, ADFS and Line Works by clicking on the respective links. For other identity providers, contact their support team for further assistance.

  3. Log in to your identity provider application web-console with admin credentials and navigate to ADSelfService Plus from the list of applications provided.

  4. Either download the Metadata in XML format, or get the required data by copying the Issuer URL/Entity ID, IdP Login URL, and the X509-certificate.

Step 1: Service Provider Configuration (ADSelfService Plus)

Steps to be followed:

  1. Log in to ADSelfService Plus web-console with admin credentials.

  2. Navigate to Configuration tab → Self-ServiceMulti-factor Authentication.

  3. Click SAML Authentication tab.

  4. Check the Enable SAML Authentication check box.

  5. Choose an Identity Provider (IdP) from the drop-down list.

  6. There are two SAML Config Modes: Upload Metadata File and Manual Configuration.

    1. Select Upload Metadata File to manually upload the IdP metadata file downloaded from the identity provider (Refer step 4 of Prerequisite).

      • Click Browse to upload the IdP metadata file.

    2. Select Manual Configuration to manually configure the URLs and certificates.

      • Enter the Issuer URL/Entity ID URL obtained from the identity provider in the respective field. (Refer step 4 of Prerequisite).

      • In the IdP Login URL, enter the login URL obtained from the identity provider (Refer step 4 of Prerequisite).

      • In the space provided for X.509-Certificate, enter the public certificate key fetched from the identity provider (Refer step 4 of Prerequisite).

        The X.509-Certificate begins with '-----BEGIN CERTIFICATE-----', and ends with '-----END CERTIFICATE-----'. If this pattern--though default in most cases--is absent, do ensure that you maintain it.

         

        Saml Configuration

        Important: By default, ADSelfService Plus utilizes the same SAML authentication configuration for multi-factor authentication during password self-service and SSO during login. Meaning, the SAML configurations which you complete for multi-factor authentication will automatically be reflected on the logon SSO settings, if the latter is enabled.

         

        When you select the Create a new SAML SSO checkbox, you can maintain a separate SAML configuration for multi-factor authentication by generating a new ACS URL/Recipient URL and SP Metadata file. Use the newly generated ACS URL/Recipient URL or the SP Metadata file to create a new SAML configuration for ADSelfService Plus in your identity provider.

        • Only after you click Save, the new ACS/Recipient URL will be generated.

        • Copy the Relay State value.

  7. Click Save.

Step 2: Setting up a SAML application in the Identity Provider

A. Steps to set up a SAML application in Okta

  1. Log in to Okta web-console with admin credentials. Make sure that you are logged into the admin portal.

  2. Navigate to the Classic UI drop-down box.

  3. Go to the Applications tab > Add applications shortcut > Create New App button.

  4. In the dialog box that opens, select the SAML 2.0 option, then click Create.

  5. In General Settings, enter the SAML application name (Example: SelfService MFA) in the App name field. Upload a logo for the application if needed, then click Next.

     

    General Settings

  6. In Configure SAML, enter the ACS URL/Recipient URL into the Single sign on URL and Audience URI (SP Entity ID) fields.

     

    SAML Settings

    • ACS URL/Recipient URL: Log into ADSelfService Plus web-console with admin credentials. Navigate to Configuration tab → Multi-factor AuthenticationSAML authenticationACS URL/Recipient URL. Copy the ACS URL/Recipient URL.

    • If your identity provider needs metadata of the service provider, click Download SP Metadata and download an XML file of your SAML configurations.

  7. Click Next.

  8. In Feedback, select an appropriate response and then click Finish.

  9. The Sign on tab of the newly created application appears. Download the metadata file by clicking the Identity Provider metadata link. You will need this file while configuring SAML authentication in ADSelfService Plus. So, save this file and keep it safe. Rename the downloaded metadata file as 'metadata_okta.xml'.

     

    Sign On Methods

  10. Click on the Assignments tab and navigate to Assign. Select Assign to People or Assign to Groups based on your requirement. After selecting an option, click the Save and Go Back button.

  11. Click Done.

 

B. Steps to set up a SAML application in OneLogin

  1. Log in to OneLogin web-console with admin credentials.

  2. Click the Administration button.

  3. Navigate to Apps tab → Add Apps.

  4. Find SAML in the Find Applications section. Select SAML Test Connector (IdP) from the search result.

    Finding SAML Test Connector (IdP)

  5. Update the Display Name and the application logo. Click SAVE.

  6. Under the Configuration tab, enter the ACS URL/Recipient URL into the ACS (Consumer) URL Validator, ACS (Consumer) URL, Recipient, and Audience fields.

    • ACS URL/Recipient URL: Log into ADSelfService Plus web-console with admin credentials. Navigate to Configuration tab → Multi-factor Authentication → SAML authentication → ACS URL/Recipient URL. Copy the ACS URL/Recipient URL.

    • If your identity provider needs metadata of the service provider, click Download SP Metadata and download an XML file of your SAML configurations.

  7. Click on the Users tab and assign the application to users or groups based on your requirement.

  8. In the MORE ACTIONS button on the top panel, select SAML Metadata to download the metadata file. You will need this file while configuring SAML authentication in ADSelfService Plus. So, save this file and keep it safe.

    Connection configuration

  9. Click SAVE.

 

C. Steps to set up a SAML application in ADFS

Prerequisites:

To configure ADFS for identity verification in ADSelfService Plus, you need the following components:

  1. You need to install the ADFS server. The detailed steps for installing and configuring ADFS can be found in this Microsoft article.

  2. An SSL certificate to sign your ADFS login page and the fingerprint for that certificate.

Configuration steps

Only form-based authentication method is configured for users trying to access ADSelfService Plus through ADFS authentication - for both intranet and extranet based use. You can view this setting in Authentication Policies → Primary Authentication → Global Settings.

Claim Rules and Relying Party Trust

During configuration, you will need to add a Relying Party Trust and create claim rules.

A Relying Party Trust is created to establish the connection between two applications for authentication purposes by verifying claims. In this case, ADFS will trust the relying party (ADSelfService Plus) and authenticate users based on the claims generated.

Claims are generated from claim rules by applying certain conditions on them. A claim is an attribute that is used for identifying an entity, to establish access. For example, the Active Directory sAMAccountName.

Step 1: Adding a Relying Party Trust

 

Step 2: Creating Claim Rules

Once you have configured the Relying Party Trust, you can create the claim rules using the Claim Rules Editor which opens by default when you finish creating the trust.

Step 3: Enabling SAML logout option

IdP-initiated SSO for ADSelfService Plus

These steps help you authenticate your ADSelfService Plus account through ADFS.

Prerequisite

Enable RelayState in ADFS.

Steps to generate an IdP URL:

D. Steps to set up a SAML application in Line Works

  1. Log in to Line Works Developer console. Go to the Apps section > SAML Apps click add to button.

    adfs-add-saml

  2. In the window that opens, provide an appropriate Application Name, Description, and Logo in the respective fields.

  3. In the ACS URL field and the Issuer URL/Entity ID, enter the ACS URL/Recipient URL of ADSelfService Plus.

    • ACS URL/Recipient URL: Log into ADSelfService Plus web-console with admin credentials. Navigate to Configuration tab → Multi-factor Authentication SAML authenticationACS URL/Recipient URL. Copy the ACS URL/Recipient URL.


    adfs-add-saml

  4. In the popup window that opens, click OK.

  5. Go to SAML Apps section and find the application you have just created. Click the Change button and change the status to 'Effectiveness'. Click Save.

    adfs-add-saml

 

Copyright © 2019, ZOHO Corp. All Rights Reserved.
ManageEngine