Security Assertion Markup Language(SAML) brings an easier alternative to conventional sign-in methods already available for online services. Users will no longer have to provide passwords specific to each service they access. ServiceDesk Plus application supports SAML 2.0, which can be configured from Admin > Users & Permission > SAML Single Sign On.
Role Required: SDAdmin
SAML exchanges authentication and authorization data between two entities, namely an Identity Provider(IdP) and a Service Provider(SP). Here ServiceDesk Plus acts as the SP and upon integration, users can directly log in to the application from the IdP without providing any login credentials.
For example, you can set up Active Directory Federation Service (ADFS) as the IdP to allow your users to log in to ServiceDesk Plus using their Active Directory credentials.
The following screenshot shows how a user logs in to an application configured with SAML.
Go to Admin > Users & Permission > Single Sign On > SAML SSO.
Under the Configuration tab, enable SAML Single Sign-On.
The SAML configuration page has three sections: service provider details, identity provider details, and additional claims.
.png?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kemY4dnF2MjRlcWhnLmNsb3VkZnJvbnQubmV0L3VzZXJmaWxlcy84NjYvMTQyNjIvY2tmaW5kZXIvaW1hZ2VzL3NhbWwlMjBvcCgxKS5wbmciLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjE3NjQ0NDUzNjF9fX1dfQ__&Signature=Sn-3nM7K1qxKqkaM3E--h7f1PCGjo0Dea9FpJr7pj92HDQpPO1FrsDrBj4XSmNEKn52Qsz~nUqwcbOeGDrgD6E-WOKkQJny~z7yLidYhwF1hG5-oNYjdfE2gJKUpjJEDtnOteMcW4LN7mi8-fMcgqs-RR6FNyIowzoYr7rtZVrnzZC1Y~EN8qyoSB4FC79h2bUH4QIAEn8oBdgIztt-zdtCXnVQCG~~DIoRLF8XpLwWYizJTPq7x5wUGbdFQDBOfzV6oY6HsGFfiYwnKIdRXQsJVftfSTT0jvcqhmw3QJpv0Y0fAcciW5qtTbfWA94M4VXiFKU4IXe4KjEIpC5ZRyg__&Key-Pair-Id=K2TK3EG287XSFC)
You can use service provider details to configure ServiceDesk Plus as a SP with your IdP.
Service Provider Details
|
Field Name |
Description |
|
Entity ID |
Use these details to configure ServiceDesk Plus as a service provider in your IdP. |
|
Assertion Consumer URL |
|
|
Single Logout Service URL |
|
|
Click the file to download it. Upload this file in the IdP portal. |
|
|
SP Metadata file |
In some IdPs, uploading the metadata file is enough to configure ServiceDesk Plus as a SP. |
After configuring ServiceDesk Plus as a SP in your IdP, return to the SAML configuration page in ServiceDesk Plus and configure identity provider details and additional claims as mentioned below.
Identity Provider Details
|
Field Name |
Description |
|
Login URL* |
Enter the login URL of IdP. |
|
Logout URL |
Enter the logout URL of IdP. You can skip this field if single logout (SLO) is not required. |
|
Name ID Format* |
Select the Name ID Format based on your login preference.
|
|
Algorithm* |
Select the Algorithm from the drop-down. This algorithm should be the same as configured in the IdP. |
|
Certificate |
Upload the IdP certificate by clicking Choose File. |
* Mandatory fields
Additional Claims
Additional attributes allow you to create a detailed user profile for dynamic users who log in via SAML. You can import additional attributes from IdP if dynamic user addition is enabled.
To import additional attributes,
Select the fields (default and user defined) by enabling the check boxes beside them.
Specify the attribute name configured in the IdP across the selected fields. These details will not be used to update the existing user profiles.
Finally, click Save.
The History tab lists all the activities carried out under the Configuration tab. You can use predefined filters to view the activities related to a particular attribute.
The login page after enabling SAML single sign-on will be displayed as shown below.
Users can either log in using the Local Authentication (enabled by default) or log in using SAML by clicking the link below the Log In button.
If Local Authentication is disabled, the IdP login page will be displayed.
When the login name generated by the IdP does not match with the login name of a user in ServiceDesk Plus,
If dynamic user addition is enabled, then the user will be added afresh with the login name generated by the IdP and password as configured in Active Directory/LDAP settings.
If dynamic user addition is disabled, then the user will not be able to log in to ServiceDesk Plus.
ServiceDesk Plus supports SAML single logout service. Using this, you can choose to log out from ServiceDesk Plus only or from all the services integrated with the IdP.
Click 
.
If you have configured SAML logout in your IdP domain, you will find two options listed.
Click Log out to log out of ServiceDesk Plus application alone.
If you click Log Out of SAML, you will be logged out of all the services integrated with the IdP.
|
Error Code |
Reason |
Solution |
|
4 |
The IdP certificate file is not uploaded right. |
Reconfigure the IdP details. |
| 8 | SAML response is not received from IdP. | ServiceDesk Plus supports only POST binging method. Ensure that the IdP follows POST binding method. |
|
10 |
Error in validating the logout response of the IdP. |
Refer errors 42, 44, 50, 4, and 36. Contact servicedeskplus-support@manageengine.com. |
|
21, 22, 23 |
The IdP response Status is Failure. |
Reconfigure the IdP details by following the instructions given here. |
|
35 |
The IdP response is not signed. ServiceDesk Plus accepts only signed responses. |
Configure the IdP settings for ServiceDesk Plus to sign assertion and responses. |
|
36 |
Unable to verify IdP signature in the SAML response. |
Upload the correct IdP certificate file in the SAML configuration page of ServiceDesk Plus. |
|
40 |
Entity IDs in the SAML response and ServiceDesk Plus are not the same. |
Reconfigure the SP details in your IdP portal. |
|
The destination URL in the SAML response does not match the actual URL from which the response is called. |
Reconfigure the SP details in your IdP portal.
If you have configured a proxy server (say azure app proxy) to externalize the application, add proxyName="<external_url>" and proxyPort="<external_port>" attributes to the connector tag in the server.xml file.
The proxyName should not contain (http:// or https://) protocols or a slash at end(/). Example: If the external URL is https://zylker.com, the proxyName should be zylker.com. |
|
|
44 |
The Issuer field is empty in the SAML response. |
|
|
46, 47, 51 |
The SAML response will not be validated as the System Time Stamp does not match the Standard Time. |
Set proper time and time zone in the application server. |
|
48 |
The user has configured Assertion Encryption, which is not supported in ServiceDesk Plus. |
Change Assertion Encryption to Assertion Sign in the IdP, which will sign the assertion but not encrypt it. |
|
49 |
Issuer name is missing in the SAML assertion. |
Reconfigure the SP and IdP.
If the error persists, email us at servicedeskplus-support@manageengine.com with the log files. |
|
50 |
The SAML assertion from the IdP is not for the intended user/requester. |
Log in again by using SAML authentication. |
|
52 (In ServiceDesk Plus) |
The SAML response is not mapped with the right user, and dynamic user addition is disabled in the Self-Service Portal settings.
|
If the user does not exist in ServiceDesk Plus, create a new user manually with the login name generated by the IdP. If the user already exists in the application, change the Name ID attribute in the IdP portal to match the login name in ServiceDesk Plus.
|
|
52 (In Asset Explorer) |
No such user exists in the application or the user is not a technician. |
Create a new technician manually with the login name generated by the IdP or change the requester into a technician. |
| 53 | Exception occurred while creating user account. | Contact servicedeskplus-support@manageengine.com. with the log files. |
| 54 | Max length exceeded | Remove unused additional attributes to reduce the character count below 50000. |
|
60 |
User not found (during email based SAML login). |
If the user does not exist in ServiceDesk Plus and dynamic user addition is disabled, create a new user manually and configure the email address. If dynamic user addition is enabled, new user will be added automatically. If the user already exists in the application, configure their email address to match the login email ID in ServiceDesk Plus. |
|
61 |
Login is disabled for the user. |
Enable login for the user. |
|
62 |
More than one user is configured with the login email ID. |
Ensure that the login email address is configured with only one user. This error is thrown if the login email ID is configured as a primary/secondary email address of another user. |
FAQs:
1. Despite having valid login credentials, why am I added as a new user in ServiceDesk Plus when logging in using SAML?
When you log in using SAML, the IdP provides a login name in the SAML response. This login name is generated based on the NameID attribute configured in the IdP. The application does not map this with your credentials because your login name in ServiceDesk Plus is not the same as the login name in the SAML response. Now there are two possibilities:
If dynamic user addition is enabled, you will be added as a new user with the login name generated by the IdP and password as configured in the Active Directory/LDAP settings.
If dynamic user addition is disabled, an error message will be displayed and you will not be able to log in to ServiceDesk Plus.
To solve this, reconfigure your IdP settings by choosing the right NameID attribute.
2. Why am I added as a separate user even after configuring my IdP to return the correct login name?
If the user falls under a domain, the IdP should return the domain name of the user along with the login name.
For example, if Peter is a technician with login name peter in the Zylker domain, then the IdP should return Zylkerpeter as the login name.
If the above case fails, a new user will be created.
Choose the proper NameID attribute and reconfigure the IdP to solve this.
3. How to fix alignment issues in the login page after enabling SAML as shown in the below image?
Go to Admin >> Self-Service Portal Settings.
Click Customize now under Login Page customization.
In the HTML editor, add the classes shown in the screenshot.These classes will also be available under <server_home>customlogindefault.html
.sign-line{
text-align: center;
display: block;
border-bottom: 1px solid #ccc;
margin:10px 0;
}
.or-ctr{
background: #fff;
position: relative;
top: 8px;
padding: 0 4px;
font-size: 12px;
color: #727272;
}
.sign-saml{
color: #009adb;
text-decoration: none;
}
Click Save and check to see if the link now appears aligned.