Active Directory SSO Integration

(Cloud)
HomeActive Directory SSO Integration

ManageEngine On-Demand is happy to announce support for Security Assertion Markup Language (SAML) based Single Sign-On (SSO ) for the ITIL ready ServiceDesk Plus On-Demand IT help desk. You can now eliminate passwords from the login process and access your applications faster and safer using Active Directory integration / LDAP authentication identity. With this, ServiceDesk Plus On-Demand moves to a rapidly adopted industry standard for login federation. SAML configuration is now available for subscribers of all three editions (Standard, Professional and Enterprise)

SAML is a derivative of XML. The purpose of SAML is to enable Single Sign-On for web applications across various domains. SAML is developed by the Security Services Technical Committee of "Organization for the Advancement of Structured Information Standards" (OASIS).

Note : User Management in ManageEngine ServiceDesk Plus On-Demand is powered by Zoho. So the names 'Zoho' / 'ManageEngine ServiceDesk Plus On-Demand' will be used interchangeably. Both Zoho and ManageEngine are divisions of Zoho Corp.

How does SAML for ServiceDesk Plus On-Demand help you?

1) Facilitate easy and secure access for users to their IT help desk using Active Directory integration / LDAP Authentication

2) Help IT authenticate users and control application access centrally

3) Reduce password maintenance and security overheads for managing help desk users

SAML

How to enable SAML Authentication in ManageEngine ServiceDesk Plus On-Demand?

Admins can enable SAML Authentication for their organizations.The following are the steps to enable SAML Authentication :

Domain Configuration

Add & verify your domain in Admin » Organization Details » Domains

Why should I add and verify my domain ?

1) When you import users from Active Directory to Zoho / Servicedesk Plus
On-Demand, invitation mail will not be sent to the imported users, whose email address has the verified domain name.

2) Verification is necessary for us to confirm your ownership of the domain.

Subdomain or Domain Mapping

You can access ServiceDesk Plus On-Demand using your own customized domain URL (e.g., helpdesk.zillum.com) or a subdomain to           sdpondemand.manageengine.com

To perform SAML Authentication, you must have configured a subdomain or a custom domain. When you configure a custom domain, make sure you add a CName alias and it points to customer-sdpondemand.manageengine.com Domain mapping feature is available in Admin » Self-Service Portal settings

Import Users

You can use the Provisioning App to Import users from Active Directory to ServiceDesk Plus On-Demand. Detailed steps are available here.

 

SAML Configuration

Install any SAML Compliant Identity Provider in your network.

All authentication requests will be forwarded to this Identity Provider. The Identity Provider can perform Active directory /LDAP/custom Authentication and once the user is authenticated, the Identity Provider will send the response to accounts.zoho.com
We have tested SAML Authentication with AD FS 2.0 and AD FS 3.0 as Identity Provider.

The steps for installing and configuring AD FS to work with Zoho / ManageEngine ServiceDesk Plus On-Demand can be found here :

AD FS 2.0 Installing and configuring Active Directory FS for ME ServiceDesk Plus On-Demand.pdf

AD FS 3.0 Installing and configuring Active Directory FS for ME ServiceDesk Plus On-Demand.pdf

AD FS 2.0 can be downloaded from here.

If you are using any other SAML 2.0 compliant Identity Provider :

The authentication request sent from zoho can be found here
The expected assertion response can be found here

SAML Configuration

For SAML Authentication, the login and logout requests will be redirected to the Identity Provider installed in your network.
You need to specify the identity provider's login url & logout url so that requests will be redirected accordingly.


You need to also give the algorithm and the public key certificate of the Identity Provider so that Zoho / ManageEngine will decrypt the SAML responses sent by the identity provider. Assuming idp-w2k8 is the system where Identity Provider (e.g., AD FS 2.0) is installed, the following is the SAML Configuration.


Once all the above steps are done, when your organization users access ServiceDesk Plus On-Demand using your configured subdomain or custom domain (e.g., http://helpdesk.zillum.com),
they will be redirected to the Identity provider installed inside your network for authentication.Once the Authentication succeeds, they will then be redirected to ServiceDesk Plus On-Demand web site, which will allow the users inside.

Note : Once you have configured SAML authentication, your organization users must access ServiceDesk Plus On-Demand through the sub-domain or customized domain only.

SAML Authentication Request

Assuming zillum.com is the verified domain and idp-w2k8 is the system where Identity Provider is installed.

<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_abe4735eceae4bd49afdb3f254dc5ea01359616"
Version="2.0"
IssueInstant="2013-01-31T07:18:15.281Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="Zoho"
IsPassive="false"
Destination="https://idp-w2k8/adfs/ls"
AssertionConsumerServiceURL="https://accounts.zoho.com/samlresponse/zillum.com" >
<saml:Issuer>zoho.com</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" />
</samlp:AuthnRequest>

Expected SAML Response

Assuming zillum.com is the verified domain
The Assertion Consumer Service URL is : https://accounts.zoho.com/samlresponse/<your_verified_domain>
e.g., https://accounts.zoho.com/samlresponse/zillum.com

<?xml version="1.0" encoding="UTF-8"?> 
<samlp:Response ID="_38563ef5-2341-4826-94f2-290fca589a51"
Version="2.0"
IssueInstant="2013-01-31T07:19:18.219Z"
Destination="https://accounts.zoho.com/samlresponse/zillum.com"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="_abe4735eceae4bd49afdb3f254dc5ea01359616"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" >
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp-w2k8/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<Assertion ID="_c42ed101-0051-48ad-a678-8cb58dee03f6"
IssueInstant="2013-01-31T07:19:18.219Z"
Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion" >


<Issuer>http://idp-w2k8/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_c42ed101-0051-48ad-a678-8cb58dee03f6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>wlE4Jf0Z8Z+2OyWE69RRH81atZ8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Y3izuExs6/EDebT9Q4U3qbL6Q==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC7jCCAdagAwIBAgIQVsvKLeIHJYVEYQONFS3p3zANBgkqhkiG9w0BAQUFADAgMR4+zaLeWShiGw==</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user1@zillum.com</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_abe4735eceae4bd49afdb3f254dc5ea01359616"
NotOnOrAfter="2013-01-31T07:24:18.219Z"
Recipient="https://accounts.zoho.com/samlresponse/zillum.com" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2013-01-31T07:17:18.203Z"
NotOnOrAfter="2013-01-31T07:17:19.203Z" >
<AudienceRestriction>
<Audience>zoho.com</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2013-01-31T07:19:18.110Z"
SessionIndex="_c42ed101-0051-48ad-a678-8cb58dee03f6" >
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>

Trusted by the world's best organizations

Let's support faster, easier, and together