Active Directory SSO Integration

(Cloud)

ManageEngine Cloud is happy to announce support for Security Assertion Markup Language (SAML) based Single Sign-On (SSO ) for the full-stack ITSM suite ServiceDesk Plus Cloud. You can now eliminate passwords from the login process and access your applications faster and safer using Active Directory integration / LDAP authentication identity. With this, ServiceDesk Plus Cloud moves to a rapidly adopted industry standard for login federation. SAML configuration is now available for subscribers of all three editions (Standard, Professional and Enterprise)

SAML is a derivative of XML. The purpose of SAML is to enable Single Sign-On for web applications across various domains. SAML is developed by the Security Services Technical Committee of "Organization for the Advancement of Structured Information Standards" (OASIS).

Note : User Management in ManageEngine ServiceDesk Plus Cloud is powered by Zoho. So the names 'Zoho' / 'ManageEngine ServiceDesk Plus Cloud' will be used interchangeably. Both Zoho and ManageEngine are divisions of Zoho Corp.

How does SAML for ServiceDesk Plus Cloud help you?

1) Facilitate easy and secure access for users to their IT help desk using Active Directory integration / LDAP Authentication

2) Help IT authenticate users and control application access centrally

3) Reduce password maintenance and security overheads for managing help desk users

SAML

How to enable SAML Authentication in ManageEngine ServiceDesk Plus Cloud?

Admins can enable SAML Authentication for their organizations.The following are the steps to enable SAML Authentication :

Domain Configuration

Add & verify your domain in Admin » Organization Details » Domains

Why should I add and verify my domain ?

1) When you import users from Active Directory to Zoho / Servicedesk Plus
Cloud, invitation mail will not be sent to the imported users, whose email address has the verified domain name.

IT self service workflow

2) Verification is necessary for us to confirm your ownership of the domain.

IT self service workflow

Subdomain or Domain Mapping

You can access ServiceDesk Plus Cloud using your own customized domain URL (e.g., helpdesk.zylker.com) or a subdomain to           sdpondemand.manageengine.com

To perform SAML Authentication, you must have configured a subdomain or a custom domain. When you configure a custom domain, make sure you add a CName alias and it points to customer-sdpondemand.manageengine.com Domain mapping feature is available in Admin » Self-Service Portal settings

IT self service workflow

Import Users

You can use the Provisioning App to Import users from Active Directory to ServiceDesk Plus Cloud. Detailed steps are available here.

 

SAML Configuration

Install any SAML Compliant Identity Provider in your network.

All authentication requests will be forwarded to this Identity Provider. The Identity Provider can perform Active directory /LDAP/custom Authentication and once the user is authenticated, the Identity Provider will send the response to accounts.zoho.com
We have tested SAML Authentication with AD FS 2.0 and AD FS 3.0 < as Identity Provider.

The steps for installing and configuring AD FS to work with Zoho / ManageEngine ServiceDesk Plus Cloud can be found here :

AD FS 2.0 Installing and configuring Active Directory FS for ME ServiceDesk Plus On-Demand.pdf

AD FS 3.0 Installing and configuring Active Directory FS for ME ServiceDesk Plus On-Demand.pdf

If you are using any other SAML 2.0 compliant Identity Provider :

The authentication request sent from zoho can be found here
The expected assertion response can be found here

SAML Configuration

For SAML Authentication, the login and logout requests will be redirected to the Identity Provider installed in your network.
You need to specify the identity provider's login url & logout url so that requests will be redirected accordingly.

SAML Configuration

You need to also give the algorithm and the public key certificate of the Identity Provider so that Zoho / ManageEngine will decrypt the SAML responses sent by the identity provider. Assuming idp-w2k8 is the system where Identity Provider (e.g., AD FS 2.0) is installed, the following is the SAML Configuration.


Once all the above steps are done, when your organization users access ServiceDesk Plus Cloud using your configured subdomain or custom domain (e.g., http://helpdesk.zylker.com),
they will be redirected to the Identity provider installed inside your network for authentication.Once the Authentication succeeds, they will then be redirected to ServiceDesk Plus Cloud web site, which will allow the users inside.

Note : Once you have configured SAML authentication, your organization users must access ServiceDesk Plus Cloud through the sub-domain or customized domain only.

SAML Authentication Request

Assuming zylker.com is the verified domain and idp-w2k8 is the system where Identity Provider is installed.

<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_abe4735eceae4bd49afdb3f254dc5ea01359616"
Version="2.0"
IssueInstant="2013-01-31T07:18:15.281Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="Zoho"
IsPassive="false"
Destination="https://idp-w2k8/adfs/ls"
AssertionConsumerServiceURL="https://accounts.zoho.com/samlresponse/zylker.com" >
<saml:Issuer>zoho.com</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" />
</samlp:AuthnRequest>

Expected SAML Response

Assuming zylker.com is the verified domain
The Assertion Consumer Service URL is : https://accounts.zoho.com/samlresponse/<your_verified_domain>
e.g., https://accounts.zoho.com/samlresponse/zylker.com

<?xml version="1.0" encoding="UTF-8"?> 
<samlp:Response ID="_38563ef5-2341-4826-94f2-290fca589a51"
Version="2.0"
IssueInstant="2013-01-31T07:19:18.219Z"
Destination="https://accounts.zoho.com/samlresponse/zylker.com"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="_abe4735eceae4bd49afdb3f254dc5ea01359616"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" >
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp-w2k8/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<Assertion ID="_c42ed101-0051-48ad-a678-8cb58dee03f6"
IssueInstant="2013-01-31T07:19:18.219Z"
Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion" >


<Issuer>http://idp-w2k8/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_c42ed101-0051-48ad-a678-8cb58dee03f6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>wlE4Jf0Z8Z+2OyWE69RRH81atZ8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Y3izuExs6/EDebT9Q4U3qbL6Q==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC7jCCAdagAwIBAgIQVsvKLeIHJYVEYQONFS3p3zANBgkqhkiG9w0BAQUFADAgMR4+zaLeWShiGw==</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user1@zylker.com</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_abe4735eceae4bd49afdb3f254dc5ea01359616"
NotOnOrAfter="2013-01-31T07:24:18.219Z"
Recipient="https://accounts.zoho.com/samlresponse/zylker.com" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2013-01-31T07:17:18.203Z"
NotOnOrAfter="2013-01-31T07:17:19.203Z" >
<AudienceRestriction>
<Audience>zoho.com</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2013-01-31T07:19:18.110Z"
SessionIndex="_c42ed101-0051-48ad-a678-8cb58dee03f6" >
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>

Active Directory SSO Integration

Let's support faster, easier, and together