
Configuring Active Directory SSO Integration

ManageEngine On-Demand is happy to announce support for Security Assertion Markup Language (SAML) based Single Sign-On (SSO) for the ITIL-ready ServiceDesk Plus On-Demand IT help desk. You can now eliminate passwords from the login process and access your applications faster and more safely using your Active Directory / LDAP identity. With this, ServiceDesk Plus On-Demand moves to a rapidly adopted industry standard for login federation. SAML configuration is now available to subscribers of all three editions (Standard, Professional and Enterprise).

SAML is an XML-based standard whose purpose is to enable Single Sign-On for web applications across different domains. SAML is developed by the Security Services Technical Committee of the Organization for the Advancement of Structured Information Standards (OASIS).

Note : User Management in ManageEngine ServiceDesk Plus On-Demand is powered by Zoho. So the names 'Zoho' / 'ManageEngine ServiceDesk Plus On-Demand' will be used interchangeably. Both Zoho and ManageEngine are divisions of Zoho Corp.

How does SAML for ServiceDesk Plus On-Demand help you?

1) Facilitate easy and secure access for users to their IT help desk using Active Directory / LDAP Authentication

2) Help IT authenticate users and control application access centrally

3) Reduce password maintenance and security overheads for managing help desk users

How to enable SAML Authentication in ManageEngine ServiceDesk Plus On-Demand?

Admins can enable SAML Authentication for their organizations. The following are the steps to enable SAML Authentication:

Domain Configuration

Add & verify your domain in Admin » Organization Details » Domains

Why should I add and verify my domain?

1) When you import users from Active Directory to Zoho / ServiceDesk Plus On-Demand, no invitation mail is sent to imported users whose email address belongs to the verified domain.

2) Verification is necessary for us to confirm your ownership of the domain.

Subdomain or Domain Mapping

You can access ServiceDesk Plus On-Demand using your own customized domain URL (e.g., helpdesk.zillum.com) or a subdomain of sdpondemand.manageengine.com.

To perform SAML Authentication, you must have configured a subdomain or a custom domain. When you configure a custom domain, make sure you add a CNAME alias that points to csdp.manageengine.com. The domain mapping feature is available in Admin » Self-Service Portal settings.

Import Users

Import users from Active Directory to Zoho

You can import users from Active Directory into your organization (in ServiceDesk Plus On-Demand / Zoho) by running the ProvisioningApp tool: http://www.zoho.com/mail/ProvisioningApp.exe. Microsoft .NET Framework 2.0 must be installed on the system where you run this tool. Download .NET Framework 2.0 from here.

Since user management in ServiceDesk Plus On-Demand is powered by Zoho, all the users are imported into Zoho Accounts. You then need to convert these users to Requesters: in the Admin » Requesters page, click 'Import from Zoho Accounts' and import the required users as Requesters.

SAML Configuration

Install any SAML Compliant Identity Provider in your network.

All authentication requests will be forwarded to this Identity Provider. The Identity Provider can perform AD/LDAP/custom authentication and, once the user is authenticated, sends the response to accounts.zoho.com. We have tested SAML Authentication with AD FS 2.0 as the Identity Provider. The steps for installing and configuring AD FS 2.0 to work with Zoho / ManageEngine ServiceDesk Plus On-Demand can be found here: Installing and configuring AD FS for ME ServiceDesk Plus On-Demand.pdf. AD FS 2.0 can be downloaded from here.

If you are using any other SAML 2.0 compliant Identity Provider:

The authentication request sent by Zoho can be found here. The expected assertion response can be found here.

SAML Configuration

For SAML Authentication, the login and logout requests will be redirected to the Identity Provider installed in your network. You need to specify the Identity Provider's login URL and logout URL so that requests are redirected accordingly.

You also need to give the algorithm and the public key certificate of the Identity Provider so that Zoho / ManageEngine can decrypt the SAML responses sent by the Identity Provider. Assuming idp-w2k8 is the system where the Identity Provider (e.g., AD FS 2.0) is installed, the following is the SAML Configuration.

Once all the above steps are done, when your organization's users access ServiceDesk Plus On-Demand using your configured subdomain or custom domain (e.g., http://helpdesk.zillum.com), they will be redirected to the Identity Provider installed inside your network for authentication. Once the authentication succeeds, they are redirected back to the ServiceDesk Plus On-Demand web site, which lets the users in.

Note: Once you have configured SAML authentication, your organization's users must access ServiceDesk Plus On-Demand through the subdomain or customized domain only.

SAML Authentication Request

The following assumes that zillum.com is the verified domain and that idp-w2k8 is the system where the Identity Provider is installed.

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    ProviderName="Zoho"
                    ID="_4e6728958c8044ee936299a276ad09e61254135"
                    Version="2.0"
                    IssueInstant="2009-09-28T11:05:49Z"
                    Destination="https://idp-w2k8/adfs/ls"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                    AssertionConsumerServiceURL="https://accounts.zoho.com/samlresponse/zillum.com">
</samlp:AuthnRequest>

Expected SAML Response

Assuming zillum.com is the verified domain, the Assertion Consumer Service URL is: https://accounts.zoho.com/samlresponse/<your_verified_domain>
e.g., https://accounts.zoho.com/samlresponse/zillum.com

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                Destination="https://accounts.zoho.com/iam/samlresponse/zillum.com"
                ID="a0b5df89-0af0-4410-9ceb-ffeb2e68b177"
                IssueInstant="2009-09-23T10:35:57Z"
                Version="2.0">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>LyrfcVf9JsKdCoG3hHY/tZSGx1M=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>KdYXpe0bDzxeVSd21DOoCj7JZ2EAecQ33iK..7RNjDIUtQqJS/oSDXADlJ358nYtAE68/3Fk4XBZ7DZt4 ZhSiVZoddccudLAvdQ0=</SignatureValue>
    <KeyInfo>
      <KeyValue>
        <RSAKeyValue>
          <Modulus>nWNKZeAUQyIt6AixgWLE8EEz7R4Ki77...fyOxkDqF9WYeZaO9gJI0Iymv2Ysp48X1F1/MN14MrdYqeU4XtrF ToyfnNOL0dply06f/iE=</Modulus>
          <Exponent>AQAB</Exponent>
        </RSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion ID="8dc98ab7-1fba-44f0-bcbd-16dc2b52aa4d" IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
    <Issuer>https://www.opensaml.org/IDP</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuser1@zillum.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_128b95447b7a41eca26e284f814f08381253701"
                                 NotOnOrAfter="2009-09-23T10:50:56Z"
                                 Recipient="https://accounts.zoho.com/iam/samlresponse/zillum.com"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2009-09-23T10:35:56Z" NotOnOrAfter="2009-09-23T10:50:56Z">
      <AudienceRestriction>
        <Audience>https://accounts.zoho.com/samlresponse/zillum.com</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2009-09-23T10:35:57Z">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
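As an added illustration (not part of this page and not Zoho's own code), the following Python script applies the checks a relying party such as accounts.zoho.com needs to make on a response shaped like the one above before trusting it: Success status, a signature present, an e-mail NameID in the verified domain, a bearer confirmation whose Recipient and InResponseTo match the ACS URL and the AuthnRequest ID, the validity window, and the Audience. The sample response it parses is constructed with a stub signature, and verifying the XML signature against the configured IdP certificate is assumed to be done by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER, EMAIL_FMT = "urn:oasis:names:tc:SAML:2.0:cm:bearer", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
def parse_ts(s):  # SAML dateTime values in these messages are UTC with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def check_response(xml_text, verified_domain, request_id, now):
    """Return the problems found (empty list = acceptable). A response lacking any element used below
    raises and must be rejected too; verifying the XML signature with the IdP certificate is left to an XML-DSig library."""
    acs = f"https://accounts.zoho.com/samlresponse/{verified_domain}"  # the page's ACS URL pattern
    resp, problems = ET.fromstring(xml_text), []
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        problems.append("status is not Success")
    if resp.find("ds:Signature", NS) is None:
        problems.append("response carries no XML signature")
    a = resp.find("saml:Assertion", NS)
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid.get("Format") != EMAIL_FMT or not nameid.text.strip().lower().endswith("@" + verified_domain):
        problems.append("NameID is not an e-mail address in the verified domain")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS)
    if sc.get("Method") != BEARER:
        problems.append("SubjectConfirmation method is not bearer")
    if scd.get("Recipient") != acs:
        problems.append("Recipient does not match the ACS URL")
    if scd.get("InResponseTo") != request_id:  # ties the response to the AuthnRequest we issued
        problems.append("InResponseTo does not match the AuthnRequest ID")
    cond = a.find("saml:Conditions", NS)
    latest = min(parse_ts(cond.get("NotOnOrAfter")), parse_ts(scd.get("NotOnOrAfter")))
    if not parse_ts(cond.get("NotBefore")) <= now < latest:
        problems.append("outside the validity window")
    if acs not in [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        problems.append("ACS URL is not an allowed Audience")
    return problems
# Constructed sample shaped like the page's expected response (not captured traffic; the signature is a stub).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="r1" Version="2.0" IssueInstant="2009-09-23T10:35:57Z"><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
 <SignatureValue>c3R1Yg==</SignatureValue></Signature><samlp:Status>
 <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <Assertion ID="a1" Version="2.0" IssueInstant="2009-09-23T10:35:57Z"><Subject>
 <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuser1@zillum.com</NameID>
 <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData
  InResponseTo="_4e6728958c8044ee936299a276ad09e61254135" NotOnOrAfter="2009-09-23T10:50:56Z"
  Recipient="https://accounts.zoho.com/samlresponse/zillum.com"/></SubjectConfirmation></Subject>
 <Conditions NotBefore="2009-09-23T10:35:56Z" NotOnOrAfter="2009-09-23T10:50:56Z"><AudienceRestriction>
 <Audience>https://accounts.zoho.com/samlresponse/zillum.com</Audience></AudienceRestriction></Conditions>
 </Assertion></samlp:Response>"""
```

Running `check_response(SAMPLE, "zillum.com", "_4e6728958c8044ee936299a276ad09e61254135", parse_ts("2009-09-23T10:40:00Z"))` returns an empty list, while a stale clock, a foreign AuthnRequest ID or a different verified domain each produce a named problem.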