Configuring OpenID SSO for Freshservice

These steps show you how to configure the single sign-on (SSO) functionality using OpenID between ManageEngine ADSelfService Plus and Freshservice.

Prerequisites

1. Login to ADSelfService Plus as administrator.
2. Go to Configuration > Password Sync/ Single Sign On then click Add Application. Select Freshservice from the list.
Note: You can also use the search bar at the top-left of the page to search for the application.
3. Click IdP Details and select the SSO(OAuth/OpenID Connect) tab.
4. Note the Client ID, Client Secret, Issuer, Authorization Endpoint URL, Token Endpoint URL, and User Endpoint URL values.

Freshservice (service provider) configuration steps

1. Login to Freshservice with admin credentials.
2. Go to Admin > General Settings > Security Settings.
3. Select Helpdesk Security.

4. Click the Modify Login Policy button in the Default Login Policy tab.

5. Toggle the status of Single Sign-on to enabled.

6. You can select OAuth 2.0 or OIDC under IdP of your choice. It is recommended to choose OIDC.

7. If you have chosen OIDC, fill the following fields under Map information from IdP with the corresponding details saved during Step 4 of the Prerequisites:
1. Client id: Client ID
2. Client secret: Client Secret
3. Enter the Scopes to specify the level of access of the access tokens. It is necessary to include the openid scope in this field.
4. Authorization URL: Authorization Endpoint URL
5. Access token URL: Token Endpoint URL

8. If you have chosen OAuth 2.0, you will have to fill all the details in the previous step, plus the User info URL field with the User Endpoint URL information saved in Step 4 of the Prerequisites.

9. Copy the Redirect URL under Map information in IdP for later steps.

ADSelfService Plus (identity provider) configuration steps

1. Switch back to ADSelfService Plus' Freshservice configuration page.

2. Enter the Application Name and Description as per your preferences.
3. Enter the Domain Name of your Freshservice account. For example, if your Freshservice username is johnwatts@thinktodaytech.com, then thinktodaytech.com is your domain name.
4. In the Assign Policies field, select the policies for which SSO need to be enabled.
Note: ADSelfService Plus allows you to create OU and group-based policies for your AD domains. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy.
5. Under the SSO tab, select Enable Single Sign-On.
6. Choose OAuth/OpenID Connect from the Select Method drop-down.
7. Enter the Freshservice portal's login URL in the SP Login Initiate URL field.
Note: Freshservice requires sign-in to begin from their login page, known as SP-initiated login. Users are first directed to the Freshservice login page, specified in the SP Login Initiate URL field, after which Freshservice (the SP) redirects them to ADSelfService Plus (the IdP) for authentication.
8. Enter the Redirect URL copied in Step 9 of configuring Freshservice in the SSO Redirect URL field.
9. Using the Scopes drop-down, select openid, which is the scope required for OIDC authentication. You can also specify scopes such as profile or email to include extra user information in the authorization request.
Note: Scopes specify the level of access the access token has. They are typically included in the authorization request. Specify the scopes for which you wish to allow access to your authorization token, using the drop-down.
10. Click Add Application to save the configuration.

The Well-known Configuration URL in the IdP details pop-up contains all the endpoint values, supported scopes, response modes, client authentication modes, and client details. This is enabled only after you finish configuring the application for SSO in ADSelfService Plus. You can provide this to your service provider if required.