Single Sign On Authentication

    NTLM authentication

    ADManager Plus uses Jespa for NTMLv2 SSO authentication. In builds 7162 and above, the Jespa JAR file has to be downloaded and added to ADManager Plus' lib folder before enabling NTMLv2 SSO. To do this,

    • Download the latest Jespa JAR file.
    • Extract the downloaded ZIP file and move the JAR files to <Installation Directory>/ManageEngine/ADManager Plus/lib and restart ADManager Plus.
    Note: If you're running build 7161 or older and have NTLMv2 SSO enabled, you can continue using this feature without any changes.

    To enable single sign-on to ADManager Plus based on domains, follow the steps listed below:

    • Click the Delegation tab.
    • In the left pane, under Configuration, click Logon Settings.
    • Navigate to the Single Sign On tab and mark the Enable Single-Sign On with Active Directory checkbox.
    • Select the domains that you wish to enable single-sign on from the Select Domains drop-down box.
    • Click Save Settings.

    To modify existing single sign-on settings,

    • Click Delegationtab.
    • Select Single Sign On under Configuration in the left navigation section.
    • Click the edit icon in the status column against the domain that you wish to modify the settings.
    • Enter the Computer Name and Password in the respective fields.
    • Click on the Create this computer account in the domain check-box to create a computer with the entered credentials if it is already not present in the domain.
    • If the message Error in creating computer account appears, then the DNS Servers and DNS Site can be entered manually.
    • Click Save.

    To identify the DNS Server IP address:

    • Open Command Prompt from a machine belonging to the domain that you have selected.
    • Type ipconfig /all and press enter.
    • Use the first IP address displayed under DNS Server.

    To identify the DNS Site:

    • Open Active Directory Sites and Services in Active Directory.
    • Expand the Sites and identify the Site in which the Domain Controller configured under the selected domain appear.
    • Use the Site name for DNS Site.

    Troubleshooting steps for SSO:

    Trusted sites are the sites with which NTLM authentication can occur seamlessly. If SSO has failed, then the most probable cause is that the ADManager Plus URL isn't a part of your browser's trusted sites. Kindly add the ADManager Plus URL in the trusted sites list. Follow the steps given below:

    • Internet Explorer
    • Google Chrome
    • Mozilla Firefox
    Note:
    • It is recommended that you close all browser sessions after adding the URL to the trusted sites list for the changes to take effect.
    • Google Chrome and Internet Explorer use the same internet settings. Changing the settings either in Internet Explorer or in Chrome will enable NTLM SSO in both browsers. It is again recommended to close both the browser sessions for the changes to be enabled.

    Internet Explorer:

    • Open Internet Explorer and click the Tools button.
    • Click Internet options.
    • In the Internet options dialog box that opens, click the Security tab, and then click a security zone (Local intranet, Trusted sites, or Restricted sites).
    • Click Sites.
    • If you are using IE 11, click on the advanced button and add the ADManager Plus site to the list of intranet site.
    • If you are using versions lower than IE 11, add the ADManager Plus site to the list of intranet sites.
    • Click Close, and then click OK.
    • Close all browser sessions and reopen your browser.

    Google Chrome

    • Open Chrome and click the Customize and control Google Chrome icon (3 horizontal lines icon on the far right of the Address bar).
    • Click Settings, scroll to the bottom and click the Show advanced settings link.
    • Under the Network section click Change proxy settings.
    • In the Internet Properties dialog box that opens, navigate to the Security tab --> Local Intranet, and then click Sites.
    • Click Advanced and add the URL of ADManager Plus in the list of intranet sites.
    • Click Close, and then OK.
    • Close all browser sessions and reopen your browser.

    Mozilla Firefox

    • Open Firefox web browser and type about:config in the address bar.
    • Click I'll be careful, I promise in the warning window.
    • In the Search field, type: network.automatic-ntlm-auth.trusted-uris.
    • Double-click the "network.automatic-ntlm-auth.trusted-uris" preference and type the URL of AD360 in the prompt box. If there are sites already listed, type a comma and then the URL of ADManager Plus. Click OK to save the changes.
    • Close all browser sessions and reopen your browser.

    SAML authentication

    You can set up single sign on to access ADManager Plus through any of these popular identity providers.

    Steps to set up single sign on to ADManager Plus

    Step 1: Add ADManager Plus as a custom app in the identity management solution

    Step 2: Configure the identity management solution's settings in ADManager Plus

    Configure single sign on using Okta

    Step 1: Configure ADManager Plus in Okta

    • Logon to Okta portal.
    • Under Apps tab, click Add and select Create New App.
    • Select Platform as Web and choose Sign on method as SAML 2.0 and click Create.
    • In General Settings, provide a name for the connection. For example, ADManager Plus - MFA and upload a logo for the application.
    • In Configure SAML section, enter the value for Single Sign URL and Audience URI which can be obtained from ADManager Plus ->Delegation -> Configuration tab -> Single Sign on -> SAML Authentication -> Okta -> ACS/Recipient url.
    • Click Finish. Once the configuration is complete, navigate to Sign on tab to download metadata file.

    Step 2: Configure Okta in ADManager Plus

    • Logon to ADManager Plus.
    • Click Delegation tab. Select Single Sign on option under the Configuration section. Click SAML authentication.
    • Select Okta from the drop down list.
    • Upload the metadata file obtained in step 1.
    • Enable the Force Logon option if you wish users to logon to the product only via SAML Single-sign Ons.
    • Click Save to complete the configuration.

    Configure single sign on using OneLogin

    Step 1: Configure ADManager Plus in OneLogin

    • Logon to OneLogin portal.
    • Click Apps tab and select Add Apps.
    • Click SAML Test Connector in the apps category.
    • Enter the configuration display name and upload the logo for the application. Click Next.
    • Under Configuration tab, enter Recipient, Audience URI and ACS URL, which can be obtained from ADManager Plus portal under Delegation -> Configuration tab -> Single Sign on -> SAML Authentication -> OneLogin -> ACS/Recipient URL.
    • Click More Actions in the top panel and click SAML Metadata to download the metadata file.
    • Click Save to complete the configuration in Onelogin.

    Step 2: Configure OneLogin in ADManager Plus:

    • Logon to ADManager Plus.
    • Click Delegation tab. Select Single Sign on option under Configuration. Click SAML authentication.
    • Select Onelogin from the drop down list.
    • Upload the metadata file obtained in step 1.
    • Enable the Force Logon option if you wish users to logon to the product only via SAML Single-sign Ons.
    • Click Save to complete the configuration.

    Configure single sign on using Ping Identity

    Step 1: Configure ADManager Plus in Ping Identity

    • Logon to Ping Identity portal.
    • Click Applications -> My Applications -> Add Application -> New SAML Application.
    • Enter the application name, description, category and logo to proceed to the next step.
    • To auto-populate the configuration details of ADManager Plus, you can upload the metadata file which can be downloaded by logging onto to ADManager Plus -> Delegation -> Configuration tab -> Single Sign on -> SAML Authentication -> Ping Identity -> Download SP Metadata.
    • The alternative option is to enter the ACS URL and entity ID which can be obtained by logging on to ADManager Plus -> Delegation -> Configuration tab -> Single Sign on -> SAML Authentication -> OneLogin -> ACS/Recipient URL.
    • Enable the Force Logon option if you wish users to logon to the product only via SAML Single-sign Ons.
    • In the next step, click Save & Publish.
    • Once the configuration is complete, the metadata file can be downloaded.

    Step 2: Configure Ping Identity in ADManager Plus

    • Logon to ADManager Plus.
    • Click Delegation tab. Select Single Sign on option under Configuration. Click SAML authentication.
    • Select Ping Identity from the drop down list.
    • Upload the metadata file obtained in step 1.
    • Enable the Force Logon option if you wish users to logon to the product only via SAML Single-sign Ons.
    • Click Save to complete the configuration.

    Configure single sign on using custom identity provider

    You can configure any custom identity provider of your choice to enable single sign on to access ADManager Plus. To do so, configure ADManager Plus settings in the preferred identity provider by following the steps explained above.

    Configure custom identity provider in ADManager Plus

    • Logon to ADManager Plus.
    • Click Delegation tab. Select Single Sign on option under Configuration. Click SAML authentication.
    • Select custom identity provider from the drop down list.
    • Upload the metadata file of the custom identity provider.
    • Enable the Force Logon option if you wish users to logon to the product only via SAML Single-sign Ons.
    • Click Save to complete the configuration.

    Configure single sign on using Active Directory Federation Services (ADFS)

    Prerequisites

    To configure ADFS for identity verification in ADManager Plus, you need the following components:
    • You need to install the ADFS server. The detailed steps for installing and configuring ADFS can be found in this Microsoft article.
    • An SSL certificate to sign your ADFS login page and the fingerprint for that certificate.

    Configuration steps:

    Only form-based authentication method is configured for users trying to access ADManager Plus through ADFS authentication - for both intranet and extranet based use.  You can view this setting in Authentication Policies → Primary Authentication → Global Settings.

    Claim Rules and Relying Party Trust

    During configuration, you will need to add a Relying Party Trust and create claim rules. A Relying Party Trust is created to establish the connection between two applications for authentication purposes by verifying claims. In this case, ADFS will trust the relying party (ADManager Plus) and authenticate users based on the claims generated. Claims are generated from claim rules by applying certain conditions on them. A claim is an attribute that is used for identifying an entity, to establish access. For example, the Active Directory userPrincipalName.

    Adding a Relying Party Trust

    Steps:

    1. The connection between ADFS and ADManager Plus is created using a Relying Party Trust (RPT). Select the Relying Party Trusts folder from AD FS.
    2. From the Actions sidebar, select Add Relying Party Trust. The Add Relying Party Trust Wizard opens.
    3. Click Start.
    4. In the Select Data Source page, click on the Enter Data About the Party Manually option and click Next.
    5. In the Specify Display Name page, enter a display name of your choice and also add additional notes if required. Click Next.
    6. In the Choose Profile page, click on the ADFS FS profile button. Click Next.
    7. On the Configure Certificate screen, the default settings have already been applied. Click Next.
    8. On the Configure URL screen, check the box labelled Enable Support for the SAML 2.0 WebSSO protocol. The Relying party SAML 2.0 SSO service URL will be the ACS URL of your ADManager Plus server. Note that there is no trailing slash at the end of the URL. For example:  https://admp.com/samlLogin/fdc0aa2a6d1801c525635ee0a71eb34196906b0f

      Note:

      1. ACS URL/Recipient URL: Log into ADManager Plus web console with admin credentials.

      2. Navigate to the Delegation tab → Configuration → Single Sign On → SAML authentication → ACS URL/Recipient URL. Copy the ACS URL/Recipient URL.

      9.  

    9. In the next page, for the Relying party trust identifiers option, add https://admp.com/samlLogin/fdc0aa2a6d1801c525635ee0a71eb34196906b0f
    10. On the next page, you can choose to configure multi-factor authentication settings for the relying party trust. Click Next.
    11. In the Choose Issuance Authorization Rules page, you can choose to either Permit all users to access this relying party or Deny all users to access this relying party. Click Next.
    12. The next two pages will display an overview of the settings you have configured. In the Finish page, click Close to exit the wizard. If you have selected the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes option, the Claim Rules Editor will automatically open.

    Creating a Claim Rule

    Once you have configured the Relying Party Trust, you can create the claim rules using the Claim Rules Editor which opens by default when you finish creating the trust.

    Steps:

    1. To create a new rule, click on Add Rule.
    2. From the list of claim rule templates available, select Send LDAP Attributes as Claims. Click Next.
    3. In the next page, provide a Claim rule name and select Active Directory as the attribute store.
    4. From the LDAP Attribute column, select userPrincipalName.
    5. From the Outgoing Claim Type column, select Name ID.
    6. Click Finish to save the rule.

      Note:

      You can choose multiple LDAP attributes and map them to their corresponding outgoing claim types. For example, you can add LDAP attributes such as the Given Name, Surname, Phone Number, etc.

    7. Once you click Finish, you can view the rule that has been created.
    After completing the ADFS configuration, download the metadata file by clicking on the Identity Provider metadata link.  For example:  https://server_name/FederationMetadata/2007-06/FederationMetadata.xml.  You will need this file while configuring SAML authentication in ADManager Plus. So, save this file and keep it safe.

    Troubleshooting tips:

    • If the following error message after the identity provider configuration,"Sorry, the page you requested was not found.Please check the URL for proper spelling and capitalization. If you're having trouble locating a destination, try from our home page." Please reenter the ACS/Receipient URL and try again.
    • If an error occurs while accessing ADManager Plus from identity provider portal, kindly ensure if the deafult relay state field is configured.

    Configure single sign-on using Azure AD

    Step 1: Configure ADManager Plus in Azure AD

    1. Logon to Azure AD portal.
    2. Select Azure Active Directory.
    3. On the left pane, under Manage section, select Enterprise applications.
    4. On top of the Enterprise applications - All applications window, click + New application.
    5. For initial configuration of ADManager Plus, click the Non-gallery application tile. Enter the application Name (ADManager Plus) and click Add. Now it will be listed in the Enterprise applications - All applications page.
    6. Click on  the ADManager Plus application listed under All applications.
    7. From the left pane of the application, under Manage, select Single sign-on.
    8. In the Set up Single Sign-on page, click Upload metadata file and upload the metadata file which can be downloaded by logging onto to ADManager Plus → Delegation → Configuration → Logon Settings → Single Sign on → SAML Authentication → Custom SAML → Download SP Metadata.
    9. Now back in Azure AD, go to the SAML Signing Certificate section and download the metadata file. This file will be used later while configuring Azure AD in ADManager Plus.

    Step 2: Assigning users/groups

    1. Logon to Azure AD portal.
    2. Select Azure Active Directory
    3. On the left pane, under Manage section, select Enterprise applications, then select  All applications.
    4. From the list of applications, select ADManager Plus.
    5. From the left pane of the ADManager Plus application page, Select Users and groups.
    6. Click +Add user.
    7. In the Add assignment page, click Users and groups section to select the desired users and groups.
    8. Click Assign.

    Step 3: Configure Azure AD in ADManager Plus

    1. Login to ADManager Plus.
    2. Click Delegation tab.
    3. Under Configuration on the left pane, select Logon Settings.
    4. Select Single Sign On.
    5. Check Enable Single Sign On with Active Directory option and select SAML Authentication.
    6. Choose Custom SAML as the identity provider.
    7. Choose Upload Metadata File under SAML config mode.
    8. Select Browse and upload the metadata file which can be downloaded by loggin onto the Azure AD portal → Enterprise applications - All applications → ADManager Plus → Manage → Single sign on → SAML signing certificate → Download federation metadata.
    9. Enter the Service Provider Details and download the metadata file.
    10. Click Save to finish configuration.

    Configuring Forced SAML logins

    If the 'Impersonate as admin' option is not enabled for a technician, or if the technician hasn't logged in before the 'Force SAML' option is enabled, the technician's details will not be stored in the product. This will not allow the product to confirm the identify of the technician. Therefore, the technician will not be allowed to log in, when 'Force SAML' is enabled

    Don't see what you're looking for?

    •  

      Visit our community

      Post your questions in the forum.

       
    •  

      Request additional resources

      Send us your requirements.

       
    •  

      Need implementation assistance?

      Try onboarding

       
    Copyright © © 2020, ZOHO Corporation.All Rights Reserved.