SSO Settings

If the SSO Settings option is enabled, users can automatically log in to ADSelfService Plus by simply logging in to their Windows machine or through a third-party identity provider.

ADSelfService Plus supports single sign-on (SSO) with two types of authentication:

  1. NTLM Authentication
  2. SAML Authentication

1. NTLM Authentication:

In this method, users are signed in to the ADSelfService Plus web console automatically with the Windows account they logged in to their machine with, so they are not prompted for credentials again. To enable NTLM authentication, follow the steps below.

Important: ADSelfService Plus' access URL must be in the browser's Local intranet zone for automatic logon. With the default logon settings, a URL in any other zone makes the browser prompt for credentials instead of using the Windows session.
Prerequisites:
  1. Jespa deployment
    1. Download the latest Jespa JAR file.
    2. Add the downloaded file to the <ADSelfServicePlus_install_directory>/lib folder where <ADSelfServicePlus_install_directory> is the location where ADSelfService Plus is installed.
    3. Restart ADSelfService Plus for the changes to take effect.
  2. Ensure a computer account has been configured in the ADSelfService Plus admin portal for NTLM SSO.
Note: Customers who are on build 6210 or lower can continue using the feature without having to perform the first prerequisite.
Please contact support@adselfserviceplus.com if you require any assistance in configuring NTLM Authentication for your users.

Configuration Steps:
A. Finding the IP address of the DNS servers

(screenshot: dns-server)

B. Finding the DNS site

(screenshot: Active Directory Sites and Services)

C. Adding sites to the local intranet zone

There are two ways to apply the required configuration:

Method 1: Using a group policy (applies to Google Chrome and Internet Explorer, which read the Windows security-zone settings)
  1. Create a new Group Policy Object and navigate to User Configuration → Administrative Templates → Windows Components → Internet Explorer → Internet Control Panel → Security Page → Site to Zone Assignment List. Select Enabled.
  2. Click Show to display the zone assignments. Enter the access URL in Value name and assign it to the Local intranet zone by entering 1 in Value (2 would be Trusted sites, where automatic logon does not happen by default), then click OK.
  3. Navigate to User Configuration → Administrative Templates → Windows Components → Internet Explorer → Internet Control Panel → Security Page → Intranet Zone → Logon options (also listed under All Settings). Select Enabled.
  4. From the Logon options list, select Automatic logon only in Intranet zone, then click OK.
Method 2: Manual configuration
  1. Google Chrome:
  2. Internet Explorer:
  3. Mozilla Firefox:
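The following PowerShell script is an added example for this page, not a ManageEngine script. It carries out steps A to C from a domain-joined Windows client: it lists the client's DNS servers, shows its Active Directory site, writes the Local intranet zone mapping and the logon option that the group policy in Method 1 would set, and writes the equivalent Firefox enterprise policy. It assumes the access URL is https://adssp.example.com:9251 (pass your own in -Url), writes the zone settings for the current user (HKCU), and needs an elevated prompt only for the Firefox policy file under Program Files. Chrome and Internet Explorer read the Windows zone settings; Firefox does not, hence the separate policy.

```powershell
<#
 Added example for this page (not a ManageEngine script).
   A. list the DNS servers the client resolves through,
   B. show the Active Directory site the client belongs to,
   C. put the ADSelfService Plus access URL in the Local intranet zone,
      set "Automatic logon only in Intranet zone", and write the Firefox policy.
 Assumed access URL: https://adssp.example.com:9251 (override with -Url).
#>
param(
    [string]$Url = 'https://adssp.example.com:9251'
)
$ErrorActionPreference = 'Stop'
$uri = [Uri]$Url

# --- A. DNS servers per interface ---
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# --- B. Active Directory site of this computer (same answer as nltest /dsgetsite) ---
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
Write-Host "AD site: $site"

# --- C1. Site-to-zone assignment (manual equivalent of the GPO setting) ---
# Zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet,
# 4 Restricted sites.  Automatic NTLM logon only happens in zone 1.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$labels = $uri.Host.Split('.')
if ($labels.Count -ge 3) {
    $domain   = $labels[-2..-1] -join '.'                  # example.com
    $hostPart = $labels[0..($labels.Count - 3)] -join '.'  # adssp
    $key = "$inet\ZoneMap\Domains\$domain\$hostPart"
} else {
    $key = "$inet\ZoneMap\Domains\$($uri.Host)"
}
New-Item -Path $key -Force | Out-Null
# Value name is the scheme, data is the zone number; only the scheme of the
# access URL is mapped, so an http:// URL would stay in the Internet zone.
New-ItemProperty -Path $key -Name $uri.Scheme -Value 1 -PropertyType DWord -Force | Out-Null

# --- C2. Logon options for the Local intranet zone ---
# Value 1A00 under Zones\1: 0x00000 automatic logon with current credentials,
# 0x10000 prompt, 0x20000 automatic logon only in Intranet zone, 0x30000 anonymous.
Set-ItemProperty -Path "$inet\Zones\1" -Name '1A00' -Value 0x20000 -Type DWord

# --- C3. Firefox ignores the Windows zones; its enterprise policy lists NTLM hosts ---
$ffDir = Join-Path ${env:ProgramFiles} 'Mozilla Firefox\distribution'
if (Test-Path (Split-Path $ffDir)) {
    $policy = @{ policies = @{ Authentication = @{ NTLM = @($uri.Host) } } }
    New-Item -ItemType Directory -Path $ffDir -Force | Out-Null
    $policy | ConvertTo-Json -Depth 5 |
        Set-Content -Path (Join-Path $ffDir 'policies.json') -Encoding UTF8
}

# --- Read back what the browsers will see ---
[pscustomobject]@{
    ZoneMapKey  = $key
    Zone        = (Get-ItemProperty -Path $key).($uri.Scheme)
    LogonOption = '0x{0:X}' -f (Get-ItemProperty -Path "$inet\Zones\1").'1A00'
}
```

Afterwards open the access URL in each browser: a working configuration signs the user in without a credential prompt. The ZoneMap key is keyed by scheme and host only, so the port in the access URL does not appear in it.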

2. SAML Authentication

In this method of authentication, users log in to the ADSelfService Plus web console using the credentials of a SAML-based identity provider.

After SAML-based SSO is enabled, every attempt to open the ADSelfService Plus web console is redirected to the IdP with a SAML authentication request. The IdP authenticates the user and returns a SAML response to the ACS URL of ADSelfService Plus, which then logs the user in. If the user already has a session with the IdP, no credentials are requested and access is granted automatically.

Prerequisites:
  1. Log in to the ADSelfService Plus web console as an administrator. Navigate to Admin → Customize → Logon settings → Single sign-On. Select the Enable SSO checkbox and click the SAML Authentication button. Copy the ACS URL/Recipient URL and the Relay State URL; the IdP needs both to return responses to ADSelfService Plus.
  2. The SAML-based identity provider you intend to use must list ADSelfService Plus among its supported SAML applications. If it does not, add ADSelfService Plus as a new application in your identity provider; separate guides cover Okta, OneLogin, ADFS and Line Works. For other identity providers, contact their support team for assistance.
  3. Log in to your identity provider with admin credentials and open ADSelfService Plus in its list of applications. Either download the metadata in XML format, or copy the Issuer URL/Entity ID, IdP Login URL, IdP Logout URL and X.509 signing certificate. You will need this information when configuring ADSelfService Plus for logon SSO.
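The metadata file from step 3 carries the same fields the Manual Configuration fields ask for. The following Python script, added here as an example and not part of ADSelfService Plus, pulls them out of IdP metadata so they can be checked before being typed in: the entity ID, the login and logout URLs, the signing certificate, and whether the IdP insists on signed authentication requests. The metadata, host names and certificate body in it are constructed.

```python
"""Pull the Manual Configuration fields (Issuer URL/Entity ID, IdP Login URL,
IdP Logout URL, X.509 certificate) out of an IdP metadata file and flag
common problems.  Added example for this page, not ADSelfService Plus code;
the metadata, host names and certificate body below are constructed."""
import base64
import binascii
import json
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Stand-in for the base64 DER certificate body real metadata carries (constructed).
DUMMY_CERT = base64.b64encode(b"constructed placeholder, not a real X.509 DER").decode()

SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {DUMMY_CERT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def xs_bool(value):
    """xs:boolean as used by SAML metadata: 'true'/'1' are true."""
    return (value or "").strip().lower() in ("true", "1")


def parse_idp_metadata(xml_text):
    """Return the fields the SAML Authentication form asks for, plus warnings."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    warnings, certs = [], []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            body = "".join((cert.text or "").split())  # strip PEM line wrapping
            try:
                base64.b64decode(body, validate=True)
            except binascii.Error:
                warnings.append("signing certificate is not valid base64")
                continue
            if body:
                certs.append(body)
    if not certs:
        warnings.append("no signing certificate: responses could not be verified")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    slo = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)}
    # The form takes a single URL each; HTTP-Redirect is preferred here (an
    # assumption), falling back to HTTP-POST when that is all the IdP offers.
    login_url = sso.get(REDIRECT) or sso.get(POST)
    logout_url = slo.get(REDIRECT) or slo.get(POST)
    if login_url is None:
        warnings.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    if logout_url is None:
        warnings.append("no SingleLogoutService: leave Single Logout disabled")
    for url in (login_url, logout_url):
        if url and not url.startswith("https://"):
            warnings.append("endpoint is not https: " + url)
    return {
        "entity_id": root.get("entityID"),
        "login_url": login_url,
        "logout_url": logout_url,
        "certificates": certs,
        # True means the SAML Request drop-down must be set to Signed.
        "want_signed_requests": xs_bool(idp.get("WantAuthnRequestsSigned")),
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Usage: python idp_metadata.py metadata.xml; no argument parses the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    print(json.dumps(parse_idp_metadata(text), indent=2))
```

The script checks structure only; it does not parse the certificate itself, so the expiry date of the IdP signing certificate still has to be read from the IdP or with a certificate tool.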

Service Provider Configuration (ADSelfService Plus)
  1. Navigate to Admin → Customize → Logon settings → Single sign-On.
  2. Select the Enable SSO checkbox to enable SSO in ADSelfService Plus.
  3. Click the SAML Authentication button to enable SAML configuration in your domain.
  4. Select the identity provider of your choice in the Select IdP drop-down. If you select Custom SAML, you must also type in the IdP name and upload the IdP logo in the respective fields.
  5. There are two SAML Configuration Modes: Upload Metadata File and Manual Configuration.
    • Select Upload Metadata File if you have downloaded the IdP metadata file from the identity provider.
      • Click Browse to upload the IdP metadata file.
    • Select Manual Configuration to enter the URLs and certificate yourself.
      • Enter the Issuer URL/Entity ID obtained from the identity provider in the respective field (refer to step 3 of Prerequisites).
      • In the IdP Login URL field, enter the Login URL obtained from the identity provider (refer to step 3 of Prerequisites).
      • In the space provided for X.509 Certificate, paste the IdP's signing certificate (its public certificate, not a private key) obtained from the identity provider (refer to step 3 of Prerequisites). ADSelfService Plus verifies the signatures on SAML responses with it, so responses signed with any other key are rejected.


        Important: By default, ADSelfService Plus utilizes the same SAML authentication configuration for SSO during login and multi-factor authentication (MFA) during password self-service. This means that the SAML configurations you complete for logon SSO settings will automatically be used for MFA if the latter is enabled.
      • If you want to use a custom SAML IdP, select Custom SAML from the Select IdP drop-down menu, and enter a name in the IdP Name field. You can also attach the IdP's logo in the IdP Logo field.

      • Click Advanced Settings to configure the SAML request and response that are processed.

      • From the SAML Request drop-down menu, select whether the SAML request sent to the IdP is signed or unsigned. An IdP whose metadata sets WantAuthnRequestsSigned="true" requires Signed.
      • Select the Authentication Context Class sent in the SAML request from the Authentication Context Class drop-down menu.
      • From the SAML Response and Assertion Signature drop-down menus, select whether the response and the assertion received from the IdP must be signed. Keep at least one of them signed: a response whose assertion carries no signature cannot be told apart from one forged by anyone able to post to the ACS URL.

      • From the Signature Algorithm drop-down menu, select the algorithm the IdP uses to sign the SAML response/assertion; it must match the IdP side. Prefer RSA-SHA256 and fall back to SHA-1 only if the IdP cannot sign with anything stronger.

      • Select Encrypted or Unencrypted from the Assertion Encryption drop-down menu.
        Note: Check with your IdP whether encrypted assertions are supported.

      • If the SAML assertion is encrypted, select either Self-Signed or CA-Signed from the Encryption Certificate drop-down options provided.
      • If the encryption certificate is CA-Signed, upload the certificate issued by the certificate authority (CA) in the CA Public Key field, and the matching private key in the CA Private Key field. The private key is the one generated with the certificate signing request; a CA never supplies it.

      • If the encryption certificate is Self-Signed, download it by clicking Download Self Signed Certificate. The IdP encrypts assertions for ADSelfService Plus with this certificate, so you will need it when configuring SAML authentication in the IdP.

        Note: You can choose which encryption certificate you want to use based on your organization's requirements. However, choosing a CA-signed encryption certificate is a recommended practice.
      • Select either Enable or Disable from the Single Logout drop-down menu. When Single Logout is enabled and a user logs out of ADSelfService Plus, the user is also logged out of the IdP, and vice versa, provided the IdP supports single logout.

  6. Click Save.
  7. A summary of the IdP and service provider configurations is displayed below.
  8. To regenerate the SAML signing and self-signed encryption certificates, click Regenerate next to the Signing Certificate and Encryption Certificate fields. The certificates expire by default one year after they are generated. Regenerate them before that and upload the new certificates to the IdP, since the IdP verifies signed requests and encrypts assertions with the certificates it holds for ADSelfService Plus.

    Note: See the complete list of SAML authentication error codes and their descriptions when troubleshooting.
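The Advanced Settings above must match what the IdP actually sends. The following Python script, added here as an example and not part of ADSelfService Plus, takes the base64 SAMLResponse field the browser posts to the ACS URL (copy it from the browser's developer tools) and reports which elements carry a signature, which algorithm signs them, and whether the assertion is encrypted, flagging SHA-1 and fully unsigned responses. The two responses it ships with are constructed and their signature and cipher values are placeholders, so it inspects structure only and verifies no signature; an assertion signed inside an encrypted assertion is invisible to it.

```python
"""Report what an IdP actually signs and encrypts in a SAML Response so the
Advanced Settings (SAML Response, Assertion Signature, Signature Algorithm,
Assertion Encryption) can be set to match, and SHA-1 signatures rejected.
Added example for this page, not ADSelfService Plus code.  The two responses
below are constructed; their signature and cipher values are placeholders,
so this inspects structure only and does not verify any signature."""
import base64
import json
import sys
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
WEAK_ALGS = {RSA_SHA1, "http://www.w3.org/2000/09/xmldsig#dsa-sha1"}


def signature_skeleton(alg):
    """Enveloped ds:Signature with placeholder values (constructed)."""
    return ('<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="%s"/>'
            '</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
            '</ds:Signature>' % alg)


HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" '
        'ID="_r1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z">'
        '<saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>')
STATUS = ('<samlp:Status><samlp:StatusCode '
          'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>')

# Constructed: response signed with RSA-SHA256, plaintext assertion not signed itself.
RESPONSE_SIGNED = (HEAD + signature_skeleton(RSA_SHA256) + STATUS +
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z">'
    '<saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>'
    '<saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>'
    '</saml:Assertion></samlp:Response>')

# Constructed: response signed with RSA-SHA1 and an encrypted assertion.
ENCRYPTED_SHA1 = (HEAD + signature_skeleton(RSA_SHA1) + STATUS +
    '<saml:EncryptedAssertion><xenc:EncryptedData><xenc:CipherData>'
    '<xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>')


def encode_for_post(xml_text):
    """Base64 form in which the browser posts the SAMLResponse field."""
    return base64.b64encode(xml_text.encode()).decode()


def direct_signature_alg(elem):
    """Algorithm of the enveloped signature that is a *direct* child of elem.
    A ds:Signature found deeper in the tree does not cover elem (that
    misplacement is what signature-wrapping attacks rely on), so it is ignored."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return None
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    return method.get("Algorithm") if method is not None else "unknown"


def inspect_saml_response(saml_response_b64):
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    report = {
        "response_signature": direct_signature_alg(root),
        "assertion_signature": direct_signature_alg(assertion) if assertion is not None else None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "findings": [],
    }
    if report["response_signature"] is None and report["assertion_signature"] is None:
        report["findings"].append(
            "nothing is signed: anyone who can post to the ACS URL could forge this")
    for field in ("response_signature", "assertion_signature"):
        if report[field] in WEAK_ALGS:
            report["findings"].append(
                "%s uses SHA-1 (%s): switch the IdP to rsa-sha256" % (field, report[field]))
    if report["assertion_encrypted"] and assertion is not None:
        report["findings"].append("plaintext and encrypted assertions both present")
    return report


if __name__ == "__main__":
    # Usage: python inspect_saml.py <base64 SAMLResponse>; no argument runs the sample.
    data = sys.argv[1] if len(sys.argv) > 1 else encode_for_post(RESPONSE_SIGNED)
    print(json.dumps(inspect_saml_response(data), indent=2))
```

Set SAML Response and Assertion Signature to Signed for whichever elements the report shows a signature on, and Signature Algorithm to the algorithm it prints; a finding about SHA-1 is fixed on the IdP side, not by loosening the ADSelfService Plus setting.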

Copyright © 2023, ZOHO Corp. All Rights Reserved.