How to enable SAML-based SSO for ADSelfService Plus using 1Kosmos

Objective

This article provides step-by-step instructions to configure SAML-based Single Sign-On (SSO) for ADSelfService Plus using 1Kosmos as the Identity Provider (IdP), ensuring users can access the ADSelfService Plus portal securely without entering credentials repeatedly.

This article contains information on:

  • Prerequisite
  • ADSelfService Plus (SP) configuration
  • 1Kosmos (IdP) configuration

Prerequisite

First, configure 1Kosmos as an IdP using the following steps:

  1. Log in to the 1Kosmos AdminX portal using admin credentials.
  2. Navigate to Settings > IdP Configuration.
  3. Click Create Identity Provider to add a new IdP.
  4. Under the Core Configuration section, enter the following details:
    • Name: Provide a unique name (e.g., 1Kosmos).
    • Authentication Request: Choose Signed to ensure secure SAML authentication requests.
  5. From the SAML Metadata section, download the SAML metadata file to be used later in ADSelfService Plus.
  6. Click Save.

ADSelfService Plus (SP) configuration

To configure ADSelfService Plus to accept authentication via 1Kosmos:

  1. Log in to the ADSelfService Plus web console with admin credentials.
  2. Navigate to Admin > Customize > Logon Settings > Single Sign On.
  3. Check the box labeled Enable SSO.
  4. Choose the SAML Authentication radio button.
  5. From the Select IdP drop-down, choose 1Kosmos.

    Selecting 1Kosmos as an IdP in ADSelfService Plus

  6. Select Upload Metadata File as your SAML Configuration Mode and click Browse to upload the metadata file downloaded from 1Kosmos.

    SP metadata upload in ADSelfService Plus for 1Kosmos

  7. Click Advanced Settings. Under Authentication Request Configuration, choose Signed from the SAML Request drop-down.
  8. Click Save.
  9. Scroll down to the Service Provider (SP) Details section and click the Download SP Metadata link to download the ADSelfService Plus metadata file. Alternatively, if you wish to configure your IdP manually, copy the SP Issuer URL and ACS URL.
  10. Click Download X.509 Certificate to download the ADSelfService Plus SSO certificate file.

    SP metadata details in ADSelfService Plus for 1Kosmos

1Kosmos (IdP) configuration

To integrate ADSelfService Plus as a SAML Service Provider in 1Kosmos:

  1. Log in to the 1Kosmos AdminX portal using admin credentials.
  2. Navigate to Applications > Manage Applications.
  3. Click Add an Application, and under the Custom App section, select SAML 2.0 Generic.
  4. Click Add Integration to begin configuring the SAML application.
  5. Review the displayed information outlining the access and privileges required to proceed, then click Add Application.
  6. Under the Basic Settings section:
    • Enter an appropriate Application Name (e.g., "ADSelfService Plus").
    • Choose the desired Instance Type (Production or Sandbox).
    • Enter the ADSelfService Plus access URL in the Access URL text box in the following format: https://<FQDN_FOR_ADSSP>/ (for example, https://adselfservice.com/).
  7. Under the SAML Settings section:
    • Upload the metadata file downloaded from ADSelfService Plus in step 9 of the SP configuration. This automatically populates the Assertion Statement under SAML settings, as well as the Entity ID and ACS URL under Advanced Options.
    • Alternatively, you can manually configure these settings:
      • Assertion Statement under SAML settings
        • Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        • Value: email (located under BlockID Session Attributes)
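      • Advanced Options
        • Entity ID: the SP Issuer URL copied in step 9 of the SP configuration
        • ACS URL: the ACS URL copied in step 9 of the SP configuration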
  8. Under the Advanced Options section, go to Certificates and upload the PEM-encoded X.509 certificate downloaded in step 10 of the SP configuration, and enable the Assertion checkbox to ensure the SAML assertion is signed.
  9. Click Save.

Related articles

Discover additional information regarding compatible IdPs for ADSelfService Plus and the process of configuring SAML SSO through them by visiting this link.
