
Deploy SSO with SAML using AD FS

Created by Steve.Hawkins, last modified by Anthony.Rinaldi_ret on Jul 18, 2016


When you configure SSO in Web Help Desk using AD FS, you can enable users who log in to the Microsoft Exchange Server to be automatically logged in to Web Help Desk as well.

If you are using Windows Server 2008 R2, you must upgrade to AD FS 2.0. AD FS 1.0 is the default on Windows Server 2008 R2 and does not support SAML 2.0.

Before you begin

  1. Enable automatic AD logon through Microsoft Windows. Add the AD FS logon URL to the Local Intranet sites in Internet Explorer through Tools > Internet options or through your corporate group policy.
  2. Set up your SAML server. Use an identity repository (such as AD FS or Lightweight Directory Access Protocol [LDAP]) in the remote login URL for your SAML server.
  3. Enable SSL in your Web Help Desk installation. Use a trusted certificate (such as GoDaddy or Verisign) or create your own certificate.

    When you create or generate a certificate, ensure that:

    • The certificates are generated in the proper order.
    • The Common Name (CN) certificate attribute only contains the fully-qualified domain name (FQDN) with no descriptions or comments. The exact value of this field is matched against the domain name of the server to verify its identity.

    See Working with Keys and Certificates for information about trusting certificates.

  4. Configure Web Help Desk and the AD FS settings separately.

    For information about configuring SSO with SAML using AD FS, see the AD FS 2.0 Step-by-Step and How To Guides located on the Microsoft TechNet website.

Configure Web Help Desk for AD FS

In the following settings, replace mydomain.com with your actual domain name.

  1. Log in to Web Help Desk as an administrator.
  2. Click Setup and select General > Authentication. 
  3. Click the Authentication drop-down menu and select SAML 2.0. 
  4. In the Sign-in page URL field, enter:

    https://adfs.<mydomain.com>/adfs/ls

    To bypass external authentication, add the following to your login URL:

    ?username=<username>&password=<password>

  5. Click Upload to apply a Verification certificate and enable SSL.

    Apply the same certificate that is used to sign the assertion in the AD FS 2.0 Relying Party (RP) settings.

  6. In the Logout URL field, enter the following URL or leave this field blank to use the Web Help Desk default logout page:

    https://adfs.<mydomain.com>/adfs/ls

    Web Help Desk redirects users to this page to log out.

Configure SAML 2.0 on the AD FS server

  1. Enter the following AD FS 2.0 RP settings:
    • Identifier: <mydomain.com>/helpdesk/WebObjects/Helpdesk.woa
    • Signature: Enter the name of the certificate you uploaded to Web Help Desk, as described in the Web Help Desk SAML configuration instructions.
    • Endpoint: Binding: POST, URL: <server IP address>/helpdesk/WebObjects/Helpdesk.woa
    • Detail: Secure hash algorithm SHA-1
  2. Enter the following AD FS 2.0 Log Out settings:

    https://<ADFS_Server_fqdn>/<domain name>/adfs/ls/?wa=wsignout1.0

    • Identifier: https://<mydomain.com>/helpdesk/WebObjects/Helpdesk.woa
    • Signature: Use the same certificate as above.
    • Endpoint: SAML Logout, Binding: POST, URL:
    • Detail: Secure hash algorithm SHA-1
  3. Enter the following AD FS 2.0 Claim Mapping settings:
    • Attribute store: Active Directory 
    • LDAP attribute: Usually an email address. If your Web Help Desk client login attribute is a user name rather than an email address, use the user ID or account name instead of the email address.
    • Outgoing claim type: NameID 
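
The RP settings above surface in each SAML response that AD FS posts to Web Help Desk: the identifier as the Audience, the endpoint URL as the Destination, the hash algorithm in the SignatureMethod, and the claim mapping as the NameID. The following check is an added example, not part of the original guide or of Web Help Desk. It compares a decoded response against those settings, using a constructed sample response and the constructed host name helpdesk.example.com. It inspects fields only and does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Constructed value standing in for the RP identifier and endpoint URL.
WHD_URL = "https://helpdesk.example.com/helpdesk/WebObjects/Helpdesk.woa"

# Constructed, trimmed SAML response; digest and signature values are omitted.
SAMPLE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" xmlns:ds="{NS['ds']}"
    Destination="{WHD_URL}">
  <a:Assertion>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{RSA_SHA1}"/>
    </ds:SignedInfo></ds:Signature>
    <a:Subject><a:NameID>jdoe@example.com</a:NameID></a:Subject>
    <a:Conditions><a:AudienceRestriction>
      <a:Audience>{WHD_URL}</a:Audience>
    </a:AudienceRestriction></a:Conditions>
  </a:Assertion>
</p:Response>"""

def check_response(xml_text, identifier, endpoint, sig_alg=RSA_SHA1):
    """Return a list of mismatches between a decoded response and the RP settings."""
    root = ET.fromstring(xml_text)
    problems = []
    # Endpoint URL (Binding: POST) appears as the Destination of the response.
    if root.get("Destination") != endpoint:
        problems.append("Destination does not match the RP endpoint URL")
    # RP identifier appears as an Audience in the assertion conditions.
    audiences = [e.text for e in root.findall(".//a:Audience", NS)]
    if identifier not in audiences:
        problems.append("RP identifier missing from Audience")
    # "Secure hash algorithm" setting determines the SignatureMethod URI.
    method = root.find(".//ds:SignatureMethod", NS)
    if method is None:
        problems.append("assertion is not signed")
    elif method.get("Algorithm") != sig_alg:
        problems.append("signature algorithm differs from the RP setting")
    # Claim mapping must produce a non-empty NameID for the user lookup.
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID claim missing; check the claim mapping")
    return problems

if __name__ == "__main__":
    print(check_response(SAMPLE, WHD_URL, WHD_URL) or "response matches RP settings")
```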
 
Last modified
15:52, 18 Jul 2016
