Verify users' identities using SAML-based identity providers during self-service password reset and account unlock

SAML authentication is one of the available methods among the extensive range of MFA options supported by ADSelfService Plus. Verification of a user's identity is done using SAML-based identity providers like OneLogin, Okta, or custom SAML-based identity providers.

When SAML authentication is enabled in ADSelfService Plus, users are routed to their identity provider for authentication during password self-service operations.

After successful authentication in the identity provider, users are redirected back to the ADSelfService Plus portal where they can reset their password or unlock their account. To use SAML authentication for self-service password reset, users do not have to enroll in ADSelfService Plus.

Note: This option will work only if the identity providers have SAML 2.0 enabled.

Prerequisites:

1. Log in to your identity provider application web-console with admin credentials and navigate to ADSelfService Plus from the list of applications provided. If ADSelfService Plus is not supported by default, configure a new application for ADSelfService Plus in your identity provider application.
2. Either download the metadata in XML format, or copy the Issuer URL/Entity ID, IdP login URL, and the X.509 certificate.

Configuration steps

1. Log in to the ADSelfService Plus web console with admin credentials.
2. Navigate to Configuration > Self-Service > Multi-factor Authentication.
3. Click SAML Authentication in the Authenticators Setup tab.
4. In the Configure Identity Provider (IdP) section, choose Custom SAML from the Select IdP drop-down list.
5. Provide an appropriate IdP name.
6. There are two SAML configuration modes: Upload Metadata File and Manual Configuration.
   1. Select Upload Metadata File to manually upload the IdP metadata file (refer to step 2 of Prerequisites).
      1. Click Browse to upload the IdP metadata file.

         

         Fig. 1: Configuring SAML authentication in ADSelfService Plus by uploading the metadata file

      2. Select Manual Configuration to manually configure the URLs and certificates.
         1. Enter the Issuer URL/Entity ID obtained from the identity provider in the respective field (refer to step 2 of Prerequisites).
         2. In the IdP Login URL field, enter the login URL obtained from the identity provider (refer to step 2 of Prerequisites).
         3. In the X.509 Certificate field, enter the public certificate key fetched from the identity provider (refer to step 2 of Prerequisites).

            

            Fig. 2: Configuring SAML authentication in ADSelfService Plus through manual configuration.

7. Click Save.
8. Navigate to the MFA for Reset/Unlock tab and specify the number of authenticators required for user verification.
9. From the Select the authenticators required drop-down, choose SAML Authentication.

   

   Fig. 3: Enabling SAML authentication for password self-service operations in ADSelfService Plus

And that's it! You are all set to authenticate users through SAML-based identity providers for self-service password reset and account unlock.

Like this tip? Get the most out of ADSelfService Plus by checking out more tips and tricks here.