ManageEngine Cloud is happy to announce support for Security Assertion Markup Language (SAML) based Single Sign-On (SSO ) for the full-stack ITSM suite ServiceDesk Plus Cloud. You can now eliminate passwords from the login process and access your applications faster and safer using Active Directory integration / LDAP authentication identity. With this, ServiceDesk Plus Cloud moves to a rapidly adopted industry standard for login federation. SAML configuration is now available for subscribers of all three editions (Standard, Professional and Enterprise)
SAML is a derivative of XML. The purpose of SAML is to enable Single Sign-On for web applications across various domains. SAML is developed by the Security Services Technical Committee of "Organization for the Advancement of Structured Information Standards" (OASIS).
Note : User Management in ManageEngine ServiceDesk Plus Cloud is powered by Zoho. So the names 'Zoho' / 'ManageEngine ServiceDesk Plus Cloud' will be used interchangeably. Both Zoho and ManageEngine are divisions of Zoho Corp.
1) Facilitate easy and secure access for users to their IT help desk using Active Directory integration / LDAP Authentication
2) Help IT authenticate users and control application access centrally
3) Reduce password maintenance and security overheads for managing help desk users
Admins can enable SAML Authentication for their organizations.The following are the steps to enable SAML Authentication :
Why should I add and verify my domain ?
1) When you import users from Active Directory to Zoho / Servicedesk Plus
Cloud, invitation mail will not be sent to the imported users, whose email address has the verified domain name.
2) Verification is necessary for us to confirm your ownership of the domain.
You can access ServiceDesk Plus Cloud using your own customized domain URL (e.g., helpdesk.zylker.com) or a subdomain to www.servicedeskplus.ca
To perform SAML Authentication, you must have configured a subdomain or a custom domain. When you configure a custom domain, make sure you add a CName alias and it points to customer-www.servicedeskplus.ca Domain mapping feature is available in Admin » Self-Service Portal settings
You can use the Provisioning App to Import users from Active Directory to ServiceDesk Plus Cloud. Detailed steps are available here.
All authentication requests will be forwarded to this Identity Provider. The Identity Provider can perform Active directory /LDAP/custom Authentication and once the user is authenticated, the Identity Provider will send the response to
accounts.zoho.com
We have tested SAML Authentication with AD FS 2.0 and AD FS 3.0
< as Identity Provider.
The steps for installing and configuring AD FS to work with Zoho / ManageEngine ServiceDesk Plus Cloud can be found here :
AD FS 2.0 Installing and configuring Active Directory FS for ME ServiceDesk Plus On-Demand.pdf
AD FS 3.0 Installing and configuring Active Directory FS for ME ServiceDesk Plus On-Demand.pdf
The authentication request sent from zoho can be found here
The expected assertion
response can be found here
For SAML Authentication, the login and logout requests will be redirected to the Identity Provider installed in your network.
You need to specify the identity provider's login url & logout url so that requests will
be redirected accordingly.
You need to also give the algorithm and the public key certificate of the Identity Provider so that Zoho / ManageEngine will decrypt the SAML responses sent by the identity provider. Assuming idp-w2k8 is the system where Identity Provider (e.g., AD FS 2.0) is installed, the following is the SAML Configuration.
Once all the above steps are done, when your organization users access ServiceDesk Plus Cloud using your configured subdomain or custom domain (e.g., http://helpdesk.zylker.com),
they will be redirected to the Identity
provider installed inside your network for authentication.Once the Authentication succeeds, they will then be redirected to ServiceDesk Plus Cloud web site, which will allow the users inside.
Note : Once you have configured SAML authentication, your organization users must access ServiceDesk Plus Cloud through the sub-domain or customized domain only.
Assuming zylker.com is the verified domain and idp-w2k8 is the system where Identity Provider is installed.
|
<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_abe4735eceae4bd49afdb3f254dc5ea01359616" Version="2.0" IssueInstant="2013-01-31T07:18:15.281Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="Zoho" IsPassive="false" Destination="https://idp-w2k8/adfs/ls" AssertionConsumerServiceURL="https://accounts.zoho.com/samlresponse/zylker.com" > <saml:Issuer>zoho.com</saml:Issuer> <samlp:NameIDPolicy AllowCreate="true" /> </samlp:AuthnRequest> |
|---|
Assuming zylker.com is the verified domain
The Assertion Consumer Service URL is : https://accounts.zoho.com/samlresponse/<your_verified_domain>
e.g., https://accounts.zoho.com/samlresponse/zylker.com
|
<?xml version="1.0" encoding="UTF-8"?>
|
|---|