Keycloak

ServiceOps offers support for SAML 2.0, which facilitates integration for Single Sign-On. ServiceOps acts as the Service Provider (SP) and integrates with Identity Providers (IdP) using SAML 2.0. The integration basically involves supplying details about the SP to the IdP and vice versa. Once you integrate ServiceOps with an IdP, users simply sign in to the IdP and can then sign in to ServiceOps automatically from the identity provider’s GUI without having to provide credentials again. ServiceOps supports integration with Keycloak.

To configure SSO with the Keycloak service, follow the below steps:

  1. Sign in to the ServiceOps portal as a Technician.
Sign-In Page
  2. Navigate to Settings > Admin > Organization > System Preference > Application Settings tab, and the following page appears. Verify that the Base URL (3) is the same as the portal URL. If it still has the default IP address, update it, and click Update (4) as shown below.
System Preference
  3. Navigate to Settings > Admin > Users > SSO Configuration, and the below page appears.
SSO Configuration Page
  4. Enable the SSO functionality, and the following parameters appear. The parameters are available only if the SSO functionality is enabled; by default, it is disabled. Here, the IdP details of Keycloak are to be configured in ServiceOps, and the ServiceOps SP details in Keycloak.
SSO Configurations
  5. Provide the following details:
    • Enforce to authenticate with Single Sign-On only (Refer Note): This parameter indicates that the users created in the system must be authenticated and allowed via SSO login only. If enabled, the Login button (for local authentication) will be hidden for all users. Also, the parameter Excluded Technicians will be available for configuration. By default, it is disabled.
      Note: Once SSO is enabled, the user can only log in via SSO using valid configurations and credentials.
    • Auto Create User: Enable if a user who is not available in the system is to be created automatically. By default, disabled.
    • Excluded Technicians: Select the technicians to exclude from using the Single Sign-On functionality. You can select multiple technicians, and you can search for the desired technician. The chosen technicians having Local Authentication mode will still be allowed to use the SSO login mechanism.
    • IDP Entity ID: Enter the Entity ID of the IdP. It is a mandatory field.
    • IDP Login URL: Enter the login URL of the IdP to which the user will be redirected. It is a mandatory field.
    • IDP Logout URL: Enter the logout URL of the IdP to which the user will be redirected after signing out from the ServiceOps portal. If not provided, the user will remain on the same page. This field is optional.
    • IDP Security Certificate: Enter the certificate that the IdP provides for integration. The response sent by the IdP is validated using it.
    • SP Entity ID: Displays the entity ID of the Service Provider.
    • Assertion Consumer URL: Displays the endpoint of the ServiceOps application where the IdP posts the SAML responses.
    • SP Single Logout URL: Displays the URL to which the user gets redirected after sign-out.
    • SP Public Key: Provided by the Service Provider.
    • SP Private Key: Provided by the Service Provider.
    • SP Metadata File: Download the metadata file provided by the Service Provider. It contains all the details about the interaction between the Service Provider and the SAML-enabled entity.

Notes:

  • The Super admin (Tenant registered User) is always allowed to log in normally without SSO, even if not added in the exclusion list.
  • The Login button is always visible whether this option is enabled or not (so that a super admin user who wants to update or configure the settings can still log in and do so).
  • If this option is enabled, no one except the Tenant user can log in using the Login button; the error message “You are not allowed to Login from here. Try login from Single Sign on Login page.” is displayed instead.
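
The IDP Security Certificate entry above says the response sent by the IdP is validated with it, and the IDP Entity ID, SP Entity ID and Assertion Consumer URL fields are what that validation compares against. The following Python script, added here as an example and not code from ServiceOps or from any of the identity providers covered on this page, runs those comparisons over a constructed SAML Response: Destination against the Assertion Consumer URL, both Issuer elements against the IDP Entity ID, Audience against the SP Entity ID, the assertion's validity window with a small clock-skew allowance, and the certificate carried in the assertion against the configured one. The hostnames, entity IDs, timestamps and certificate bytes are all constructed; verifying the XML signature itself is left to the SP's SAML library and is not shown. The same parameter table applies to every identity provider in the later sections.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed stand-ins for certificates (arbitrary bytes, not real X.509 data). The real
# IDP Security Certificate is pasted from the IdP metadata as PEM or bare base64.
IDP_CERT = base64.b64encode(b"constructed idp signing certificate bytes").decode()
ROGUE_CERT = base64.b64encode(b"constructed certificate of some other issuer").decode()

# What the SSO Configuration page holds (constructed values; the hostnames are assumptions).
SP_CONFIG = {"idp_entity_id": "https://idp.example.com/realms/ServiceOps", "idp_certificate": IDP_CERT,
             "sp_entity_id": "https://serviceops.example.com/saml/metadata",
             "acs_url": "https://serviceops.example.com/saml/acs"}
NOW = datetime(2024, 5, 1, 10, 16, tzinfo=timezone.utc)

# Constructed SAML Response. ds:SignedInfo and ds:SignatureValue are left out: verifying the
# XML signature itself is the SP's SAML library's job, not part of the checks below.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:15:30Z"
    Destination="https://serviceops.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/realms/ServiceOps</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:15:30Z">
    <saml:Issuer>https://idp.example.com/realms/ServiceOps</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>rosy@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T10:15:00Z" NotOnOrAfter="2024-05-01T10:20:00Z">
      <saml:AudienceRestriction><saml:Audience>https://serviceops.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def cert_fingerprint(cert_text):
    """SHA-256 over the DER bytes; PEM armour and whitespace are ignored so that a pasted PEM
    and the bare base64 inside ds:X509Certificate compare equal."""
    body = re.sub(r"-----[A-Z ]+-----", "", cert_text)
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()


def parse_time(value):
    """SAML timestamps are UTC xsd:dateTime, e.g. 2024-05-01T10:15:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, cfg, now, skew=timedelta(minutes=3)):
    """Return the list of problems found; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not a samlp:Response"]
    if root.get("Destination") != cfg["acs_url"]:
        problems.append("Destination does not match the Assertion Consumer URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no plaintext assertion"]
    for label, el in (("response", root), ("assertion", assertion)):
        if el.findtext("saml:Issuer", default="", namespaces=NS).strip() != cfg["idp_entity_id"]:
            problems.append(f"{label} Issuer does not match the IDP Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now + skew < parse_time(cond.get("NotBefore")):
            problems.append("assertion is not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion has expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if cfg["sp_entity_id"] not in audiences:
            problems.append("Audience does not include the SP Entity ID")
    cert = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                              default="", namespaces=NS)
    if not cert.strip():
        problems.append("assertion carries no signing certificate")
    elif cert_fingerprint(cert) != cert_fingerprint(cfg["idp_certificate"]):
        problems.append("signing certificate differs from the configured IDP Security Certificate")
    return problems


def run_demo():
    """The good response plus three failure cases, keyed by case name."""
    other_sp = dict(SP_CONFIG, sp_entity_id="https://other-sp.example.com/saml/metadata")
    return {"ok": check_response(SAMPLE_RESPONSE, SP_CONFIG, NOW),
            "wrong_audience": check_response(SAMPLE_RESPONSE, other_sp, NOW),
            "expired": check_response(SAMPLE_RESPONSE, SP_CONFIG, NOW + timedelta(hours=1)),
            "rogue_cert": check_response(SAMPLE_RESPONSE.replace(IDP_CERT, ROGUE_CERT), SP_CONFIG, NOW)}


if __name__ == "__main__":
    for case, problems in run_demo().items():
        print(f"{case}: {problems or 'all checks passed'}")
```

Running the script shows the constructed response passing every check and the three bad cases (an audience meant for another SP, an expired assertion, a certificate from a different issuer) each reported as a problem. In practice a certificate mismatch most often means the IdP rotated its signing key, in which case the IDP Security Certificate field needs the value from the IdP's current metadata.
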
  6. Click Update, and the confirmation message “SSO Configuration has been updated successfully” appears.
  7. In Keycloak, navigate to ServiceOps (Realm) > Realm Settings > General tab, and the below page appears:
General Page
  8. Click SAML 2.0 Identity Provider Metadata, and the XML file appears as shown below. Copy the highlighted Entity ID, Login URL, Logout URL, and Security Certificate from here and paste them into ServiceOps.
IDP details
  9. Navigate to ServiceOps (Realm) > Identity Providers > saml > Settings tab, as shown below. Configure the following details:
    • Service Provider Entity ID
    • Single Sign-On Service URL
    • Single Logout Service URL
SAML Settings

Navigate to the ServiceOps Home page > Admin > Users > SSO Configuration page to access these details.

ServiceOps SAML Settings
  10. Open the ServiceOps portal and sign in using the SSO login button, as shown below.
ServiceOps Portal
  11. You will be redirected to the Keycloak sign-in page, as shown below.
Keycloak Sign-In Page
  12. Sign in to Keycloak, and you will be redirected to the ServiceOps portal as shown below.
Redirection from Keycloak to the ServiceOps Portal
  13. To sign out, click the username, and click Sign-Out. You will be redirected to the Keycloak page again or remain on the portal, as per the configured SAML logout URL.
Signing-Out from the ServiceOps Portal
  14. To import users, click the User Import Configuration button, and a popup appears. Enter the following details:
    • Enable the functionality. By default, it is disabled.
    • SSO Provider: Select the provider of the SSO functionality.
Import Users - Configuration Tab
  15. In the Configuration tab, configure the following parameters:
    • Client ID: Enter the Client ID. You can get the client ID from Keycloak, as shown below.
Client ID from Keycloak
    • Client Secret: Enter the Client Secret. You can get it from Keycloak, as shown below.
Client Secret from Keycloak
    • Domain URL: Enter the domain URL of the Keycloak client.
    • Group Filter: Enter the Group Filter whose users you want to import from Keycloak.
    • Realms: Enter the name of the realm created in Keycloak.
    • Add Notification Email: Add the email addresses of the users who should be notified about the import.
  16. In the Mapping tab, map the fields that are required to be imported, as shown below. Custom fields created in Keycloak need to be prefixed with the word attributes, for example: attributes.Location.
Mapping Fields

Keycloak provides limited user details. Hence, to map additional fields, you need to create custom fields in Keycloak. To do so, select the required realm, and navigate to Users > User (Rosy) > Attributes tab. In this case, the realm is ServiceOps.

Creating Custom Fields in the Keycloak client

Enter the key name and value in the table, and click Add. You can now map this field by adding the prefix “attributes.” to the key name.
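
The Client ID, Client Secret, Domain URL, Realms and Group Filter settings above are the inputs an import needs, and the attributes. prefix is how a custom attribute is addressed in the Mapping tab. The following Python script, added here as an example (it is not ServiceOps's own import code, and how ServiceOps itself calls Keycloak is not stated on this page), shows how those settings map onto Keycloak's token endpoint and Admin REST API, and how a mapping entry such as attributes.Location is resolved against the user record Keycloak returns, where attribute values arrive as lists. The hostname, client name, secret, group IDs and user records are constructed, and a fake transport keyed by URL stands in for the server so the script runs offline; http_json is the equivalent real transport.

```python
import json
import urllib.parse
import urllib.request


def token_url(domain_url, realm):
    """Keycloak's OpenID Connect token endpoint for the realm."""
    return f"{domain_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def admin_url(domain_url, realm, path, **query):
    """Keycloak Admin REST API URL under the realm, with optional query parameters."""
    url = f"{domain_url.rstrip('/')}/admin/realms/{realm}/{path}"
    return url + ("?" + urllib.parse.urlencode(query) if query else "")


def http_json(url, token=None, form=None):
    """Real transport: POST urlencoded form data when given, else GET; returns parsed JSON."""
    data = urllib.parse.urlencode(form).encode() if form is not None else None
    req = urllib.request.Request(url, data=data)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def map_user(user, mapping):
    """mapping: ServiceOps field -> Keycloak field. A source written as 'attributes.<Key>' reads
    the custom attribute <Key>; Keycloak returns attribute values as lists, so the first is used."""
    out = {}
    for target, source in mapping.items():
        if source.startswith("attributes."):
            values = user.get("attributes", {}).get(source[len("attributes."):], [])
            out[target] = values[0] if values else None
        else:
            out[target] = user.get(source)
    return out


def import_users(transport, domain_url, realm, client_id, client_secret, group_filter, mapping):
    """Authenticate with the client credentials, find the group named group_filter, and map its
    enabled members. The client's service account needs Keycloak's realm-management view-users role."""
    token = transport(token_url(domain_url, realm), form={
        "grant_type": "client_credentials", "client_id": client_id, "client_secret": client_secret,
    })["access_token"]
    imported = []
    # /groups?search= matches substrings, so the exact name is checked again here.
    for group in transport(admin_url(domain_url, realm, "groups", search=group_filter), token=token):
        if group.get("name") != group_filter:
            continue
        members = transport(admin_url(domain_url, realm, f"groups/{group['id']}/members"), token=token)
        imported.extend(map_user(u, mapping) for u in members if u.get("enabled", True))
    return imported


# Constructed replies, keyed by URL, standing in for a Keycloak server so the demo runs offline.
BASE = "https://keycloak.example.com"
FAKE_SERVER = {
    token_url(BASE, "ServiceOps"): {"access_token": "constructed-token"},
    admin_url(BASE, "ServiceOps", "groups", search="helpdesk"): [
        {"id": "g1", "name": "helpdesk"}, {"id": "g2", "name": "helpdesk-archive"}],
    admin_url(BASE, "ServiceOps", "groups/g1/members"): [
        {"username": "rosy", "email": "rosy@example.com", "firstName": "Rosy", "enabled": True,
         "attributes": {"Location": ["Pune"]}},
        {"username": "bob", "email": "bob@example.com", "firstName": "Bob", "enabled": False}],
}


def fake_transport(url, token=None, form=None):
    return FAKE_SERVER[url]


MAPPING = {"Email": "email", "Name": "firstName", "Location": "attributes.Location"}


def run_demo():
    return import_users(fake_transport, BASE, "ServiceOps", "serviceops-import",
                        "constructed-secret", "helpdesk", MAPPING)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Against a real server, pass http_json as the transport and the values from the Configuration tab as the remaining arguments. Two details are worth keeping when adapting this: the group search is a substring match, so the exact group name is re-checked before members are pulled, and disabled accounts are skipped so that a user disabled in Keycloak does not reappear as an active requester after a scheduled import.
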

  17. In the Schedule tab, enable the scheduler, select the schedule type, and select the date and time at which you want the users to be imported automatically.
Schedule tab
  18. Once all the details are filled in, click Save. You can also check the connectivity by clicking the Test Connection button.
  19. Once the connection is successful, click the Import Users button, and the imported users get added as requesters in ServiceOps as shown below:
Users imported from Keycloak
  20. Here, you can also click the Show History button to view the User Import Configuration history.
User Import History

WSO2

ServiceOps offers support for SAML 2.0, which facilitates integration for Single Sign-On. ServiceOps acts as the Service Provider (SP) and integrates with Identity Providers (IdP) using SAML 2.0. The integration basically involves supplying details about the SP to the IdP and vice versa. Once you integrate ServiceOps with an IdP, users simply sign in to the IdP and can then sign in to ServiceOps automatically from the identity provider’s GUI without having to provide credentials again. ServiceOps supports integration with WSO2.

To configure SSO with the WSO2 service, follow the below steps:

  1. Sign in to the ServiceOps portal as a Technician.
Sign-In Page
  2. Navigate to Settings > Admin > Organization > System Preference > Application Settings tab, and the following page appears. Verify that the Base URL (3) is the same as the portal URL. If it still has the default IP address, update it, and click Update (4) as shown below.
System Preference
  3. Navigate to Settings > Admin > Users > SSO Configuration, and the below page appears.
SSO Configuration Page
  4. Enable the SSO functionality, and the following parameters appear. The parameters are available only if the SSO functionality is enabled; by default, it is disabled. Here, the IdP details of WSO2 are to be configured in ServiceOps, and the ServiceOps SP details in WSO2.
SSO Configurations
  5. Provide the following details:
    • Enforce to authenticate with Single Sign-On only (Refer Note): This parameter indicates that the users created in the system must be authenticated and allowed via SSO login only. If enabled, the Login button (for local authentication) will be hidden for all users. Also, the parameter Excluded Technicians will be available for configuration. By default, it is disabled.
      Note: Once SSO is enabled, the user can only log in via SSO using valid configurations and credentials.
    • Auto Create User: Enable if a user who is not available in the system is to be created automatically. By default, disabled.
    • Excluded Technicians: Select the technicians to exclude from using the Single Sign-On functionality. You can select multiple technicians, and you can search for the desired technician. The chosen technicians having Local Authentication mode will still be allowed to use the SSO login mechanism.
    • IDP Entity ID: Enter the Entity ID of the IdP. It is a mandatory field.
    • IDP Login URL: Enter the login URL of the IdP to which the user will be redirected. It is a mandatory field.
    • IDP Logout URL: Enter the logout URL of the IdP to which the user will be redirected after signing out from the ServiceOps portal. If not provided, the user will remain on the same page. This field is optional.
    • IDP Security Certificate: Enter the certificate that the IdP provides for integration. The response sent by the IdP is validated using it.
    • SP Entity ID: Displays the entity ID of the Service Provider.
    • Assertion Consumer URL: Displays the endpoint of the ServiceOps application where the IdP posts the SAML responses.
    • SP Single Logout URL: Displays the URL to which the user gets redirected after sign-out.
    • SP Public Key: Provided by the Service Provider.
    • SP Private Key: Provided by the Service Provider.
    • SP Metadata File: Download the metadata file provided by the Service Provider. It contains all the details about the interaction between the Service Provider and the SAML-enabled entity.

Notes:

  • The Super admin (Tenant registered User) is always allowed to log in normally without SSO, even if not added in the exclusion list.
  • The Login button is always visible whether this option is enabled or not (so that a super admin user who wants to update or configure the settings can still log in and do so).
  • If this option is enabled, no one except the Tenant user can log in using the Login button; the error message “You are not allowed to Login from here. Try login from Single Sign on Login page.” is displayed instead.
  6. Click Update, and the confirmation message “SSO Configuration has been updated successfully” appears.
  7. In the WSO2 Management Console, navigate to Main > Identity Providers > Resident > Inbound Authentication Configuration > SAML2 Web SSO Configuration tab.
Setting up Single Sign-On with SAML
    • Copy the highlighted Identity Provider Entity ID (6), SSO URL (7), and Logout URL (7) from here and paste them into ServiceOps. Also, click Download SAML Metadata (8), and use the Security Certificate from the downloaded file.
  8. Navigate to Main > Identity > Service Providers > Add/List, and the below page appears. Here, a new Service Provider is created. If the service provider already exists, navigate to the List tab, select the provider, and click the Edit icon. Select the mode as Manual Configuration, enter the Service Provider Name, and click Register.
Adding Service Provider

The details page appears as shown below.

Service Provider Details page
  9. Navigate to Inbound Authentication Configuration > SAML2 Web SSO Configuration, and click the Configure (3) link.
Configure SAML
  10. In the Register New Service Provider page, configure the following details:
    • Issuer (the SP Entity ID in ServiceOps)
    • Assertion Consumer URLs
    • SLO Response URL and SLO Request URL (the SP Single Logout URL in ServiceOps)
    Once configured, click Update.
SAML Configurations

Navigate to the ServiceOps Home page > Admin > Users > SSO Configuration page to access the below details.

ServiceOps SAML Settings
  11. Open the ServiceOps portal and sign in using the SSO login button, as shown below.
ServiceOps Portal
  12. You will be redirected to the WSO2 Identity Server sign-in page, as shown below:
WSO2 Sign-in Page
  13. Sign in to WSO2 Identity Server, and you will be redirected to the ServiceOps portal as shown below:
Redirection from WSO2 to the ServiceOps Portal
  14. To sign out, click the username, and click Sign-Out. You will be redirected to the WSO2 Identity Server page again or remain on the portal, as per the configured SAML logout URL.
Signing-Out from the ServiceOps Portal

OneLogin

ServiceOps offers support for SAML 2.0, which facilitates integration for Single Sign-On. ServiceOps acts as the Service Provider (SP) and integrates with Identity Providers (IdP) using SAML 2.0. The integration basically involves supplying details about the SP to the IdP and vice versa. Once you integrate ServiceOps with an IdP, users simply sign in to the IdP and can then sign in to ServiceOps automatically from the identity provider’s GUI without having to provide credentials again. ServiceOps supports integration with OneLogin.

To configure SSO with the OneLogin service, follow the below steps:

  1. Sign in to the ServiceOps portal as a Technician.
Sign-In Page
  2. Navigate to Settings > Admin > Organization > System Preference > Application Settings tab, and the following page appears. Verify that the Base URL (3) is the same as the portal URL. If it still has the default IP address, update it, and click Update (4) as shown below.
System Preference
  3. Navigate to Settings > Admin > Users > SSO Configuration, and the below page appears.
SSO Configuration Page
  4. Enable the SSO functionality, and the following parameters appear. The parameters are available only if the SSO functionality is enabled; by default, it is disabled. Here, the IdP details of the OneLogin portal are to be configured in ServiceOps, and the ServiceOps SP details are set in OneLogin.
SSO Configurations
  5. Provide the following details:
    • Enforce to authenticate with Single Sign-On only (Refer Note): This parameter indicates that the users created in the system must be authenticated and allowed via SSO login only. If enabled, the Login button (for local authentication) will be hidden for all users. Also, the parameter Excluded Technicians will be available for configuration. By default, it is disabled.
      Note: Once SSO is enabled, the user can only log in via SSO using valid configurations and credentials.
    • Auto Create User: Enable if a user who is not available in the system is to be created automatically. By default, disabled.
    • Excluded Technicians: Select the technicians to exclude from using the Single Sign-On functionality. You can select multiple technicians, and you can search for the desired technician. The chosen technicians having Local Authentication mode will still be allowed to use the SSO login mechanism.
    • IDP Entity ID: Enter the Entity ID of the IdP. It is a mandatory field.
    • IDP Login URL: Enter the login URL of the IdP to which the user will be redirected. It is a mandatory field.
    • IDP Logout URL: Enter the logout URL of the IdP to which the user will be redirected after signing out from the ServiceOps portal. If not provided, the user will remain on the same page. This field is optional.
    • IDP Security Certificate: Enter the certificate that the IdP provides for integration. The response sent by the IdP is validated using it.
    • SP Entity ID: Displays the entity ID of the Service Provider.
    • Assertion Consumer URL: Displays the endpoint of the ServiceOps application where the IdP posts the SAML responses.
    • SP Single Logout URL: Displays the URL to which the user gets redirected after sign-out.
    • SP Public Key: Provided by the Service Provider.
    • SP Private Key: Provided by the Service Provider.
    • SP Metadata File: Download the metadata file provided by the Service Provider. It contains all the details about the interaction between the Service Provider and the SAML-enabled entity.

Notes:

  • The Super admin (Tenant registered User) is always allowed to log in normally without SSO, even if not added in the exclusion list.
  • The Login button is always visible whether this option is enabled or not (so that a super admin user who wants to update or configure the settings can still log in and do so).
  • If this option is enabled, no one except the Tenant user can log in using the Login button; the error message “You are not allowed to Login from here. Try login from Single Sign on Login page.” is displayed instead.
  6. Click Update, and the confirmation message “SSO Configuration has been updated successfully” appears.
  7. In OneLogin, navigate to Administration > Applications > Applications tab, and the following page appears. The page displays a list of applications already created. You can also create a new one using the Add App option if required.
Applications page
  8. Select the required application, and its details appear.
Application Details page
  9. Navigate to the Configuration tab, as shown below.
SAML Settings

Configure the following details:

  • ACS (Consumer) URL
  • Single Logout URL
  • Login URL

To access these details, navigate to the ServiceOps Home page > Admin > Users > SSO Configuration page.

ServiceOps SAML Settings
  10. Open the ServiceOps portal and sign in using the SSO Login button, as shown below.
ServiceOps Portal
  11. You will be redirected to the OneLogin sign-in page, as shown below.
OneLogin Sign-in Page
  12. Sign in to OneLogin, and you will be redirected to the ServiceOps portal. To sign out, click the username, and click Sign-Out. You will be redirected to the OneLogin page again or remain on the portal, as per the configured SAML logout URL.
Signing-Out from the ServiceOps Portal
  13. To import users, click the User Import Configuration button, and a popup appears. Enter the following details:
    • Enable the functionality. By default, it is disabled.
    • SSO Provider: Select the provider of the SSO functionality.
Import User Configuration
  14. In the Configuration tab, configure the following parameters:
    • Client ID: Enter the Client ID.
    • Client Secret: Enter the Client Secret.
    • Domain URL: Enter the Domain URL. You can get these details from OneLogin as shown below:
    • Group Filter: Enter the Group Filter whose users you want to import from OneLogin.
    • Add Notification Email: Add the email addresses of the users who should be notified about the import.
OneLogin Details
  15. In the Mapping tab, map the fields that you want to import, as shown below:
Import Users Mapping
  16. In the Schedule tab, schedule the date and time at which you want the users to be imported automatically.
Import Users Schedule
  17. Once all the details are filled in, click Save. You can also check the connectivity by clicking the Test Connection button.
  18. Once the connection is successful, click the Import Users button, and the imported users get added as requesters in ServiceOps as shown below:
OneLogin Imported Users
  19. Here, you can also click the Show History button to view the User Import Configuration history.
OneLogin Import Configuration History

ADFS

ServiceOps offers support for SAML 2.0, which facilitates integration for Single Sign-On. ServiceOps acts as the Service Provider (SP) and integrates with Identity Providers (IdP) using SAML 2.0. The integration basically involves supplying details about the SP to the IdP and vice versa. Once you integrate ServiceOps with an IdP, users simply sign in to the IdP and can then sign in to ServiceOps automatically from the identity provider’s GUI without having to provide credentials again. ServiceOps supports integration with ADFS.

To configure SSO with the ADFS service, follow the below steps:

  1. Sign in to the ServiceOps portal as a Technician.
Sign-In Page
  2. Navigate to Settings > Admin > Organization > System Preference > Application Settings tab, and the following page appears. Verify that the Base URL (3) is the same as the portal URL. If it still has the default IP address, update it, and click Update (4) as shown below.
System Preference
  3. Navigate to Settings > Admin > Users > SSO Configuration, and the below page appears.
SSO Configuration Page
  4. Enable the SSO functionality, and the following parameters appear. The parameters are available only if the SSO functionality is enabled; by default, it is disabled. Here, the IdP details of the ADFS server are to be configured in ServiceOps, and the ServiceOps SP details are set in ADFS.
SSO Configurations
  5. Provide the following details:
    • Enforce to authenticate with Single Sign-On only (Refer Note): This parameter indicates that the users created in the system must be authenticated and allowed via SSO login only. If enabled, the Login button (for local authentication) will be hidden for all users. Also, the parameter Excluded Technicians will be available for configuration. By default, it is disabled.
      Note: Once SSO is enabled, the user can only log in via SSO using valid configurations and credentials.
    • Auto Create User: Enable if a user who is not available in the system is to be created automatically. By default, disabled.
    • Excluded Technicians: Select the technicians to exclude from using the Single Sign-On functionality. You can select multiple technicians, and you can search for the desired technician. The chosen technicians having Local Authentication mode will still be allowed to use the SSO login mechanism.
    • IDP Entity ID: Enter the Entity ID of the IdP. It is a mandatory field.
    • IDP Login URL: Enter the login URL of the IdP to which the user will be redirected. It is a mandatory field.
    • IDP Logout URL: Enter the logout URL of the IdP to which the user will be redirected after signing out from the ServiceOps portal. If not provided, the user will remain on the same page. This field is optional.
    • IDP Security Certificate: Enter the certificate that the IdP provides for integration. The response sent by the IdP is validated using it.
    • SP Entity ID: Displays the entity ID of the Service Provider.
    • Assertion Consumer URL: Displays the endpoint of the ServiceOps application where the IdP posts the SAML responses.
    • SP Single Logout URL: Displays the URL to which the user gets redirected after sign-out.
    • SP Public Key: Provided by the Service Provider.
    • SP Private Key: Provided by the Service Provider.
    • SP Metadata File: Download the metadata file provided by the Service Provider. It contains all the details about the interaction between the Service Provider and the SAML-enabled entity.

Notes:

  • The Super admin (Tenant registered User) is always allowed to log in normally without SSO, even if not added in the exclusion list.
  • The Login button is always visible whether this option is enabled or not (so that a super admin user who wants to update or configure the settings can still log in and do so).
  • If this option is enabled, no one except the Tenant user can log in using the Login button; the error message “You are not allowed to Login from here. Try login from Single Sign on Login page.” is displayed instead.
  6. Click Update, and the confirmation message “SSO Configuration has been updated successfully” appears.
  7. On the AD FS server, open the Server Manager application and navigate to Tools > AD FS Management. The following page appears.
    Note: Here, Server Manager v6.3.9600.16384 and Windows Server 2012 R2 are used.
ADFS Management
  8. Right-click Service and choose the Edit Federation Service Properties option. The following window appears. Copy the Federation Service identifier and paste it into the IDP Entity ID field of ServiceOps.
Federation Service Properties
  9. Click the Endpoints folder and search for FederationMetadata.xml in the Metadata section below:
Endpoints Page

Now, go to the URL path and open the XML file in any editor. Copy the highlighted Single Logout Service URL and Certificate from here and use them in ServiceOps.

Federationmetadata.xml File
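
Copying the Entity ID, login URL, logout URL and certificate out of the metadata by hand, as this step and the corresponding Keycloak (SAML 2.0 Identity Provider Metadata) and WSO2 (Download SAML Metadata) steps describe, is easy to get wrong: the file carries a separate endpoint per binding and separate signing and encryption certificates, and pasting the encryption certificate into the IDP Security Certificate field makes every response fail validation. The following Python script, an added example rather than code from ServiceOps, AD FS, Keycloak or WSO2, reads IdP metadata of the standard SAML 2.0 shape and returns the four IDP values of the SSO Configuration page, choosing the endpoint for the requested binding and the certificate marked for signing. The metadata document, hostnames and certificate contents are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed IdP metadata in the shape that Keycloak, WSO2 and AD FS (FederationMetadata.xml)
# publish: an EntityDescriptor with an IDPSSODescriptor. Hostnames, paths and certificate
# contents are made up; the element layout is the SAML 2.0 metadata standard.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/realms/ServiceOps">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>RU5DUllQVElPTi1DRVJU</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      U0lHTklORy1D
      RVJU
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/slo/post"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/slo/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _location(descriptor, service, binding):
    """Location of the first <service> endpoint with the given binding, else the first of any binding."""
    endpoints = descriptor.findall(f"md:{service}", NS)
    for ep in endpoints:
        if ep.get("Binding") == BINDING + binding:
            return ep.get("Location")
    return endpoints[0].get("Location") if endpoints else None


def _signing_certificate(descriptor):
    """Certificate from the KeyDescriptor marked use="signing". A KeyDescriptor without a use
    attribute serves both purposes and is the fallback; one marked "encryption" is never used."""
    chosen = None
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use") == "signing":
            chosen = kd
            break
        if kd.get("use") is None and chosen is None:
            chosen = kd
    if chosen is None:
        return None
    text = chosen.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
    return "".join(text.split())  # metadata often wraps the base64 across lines


def to_pem(cert_b64):
    """Wrap bare base64 as PEM for fields that expect the armoured form."""
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


def extract_idp_settings(metadata_xml, binding="HTTP-Redirect"):
    """Map IdP metadata onto the four IDP fields of the SSO Configuration page."""
    root = ET.fromstring(metadata_xml)
    # Metadata may be a single EntityDescriptor or an EntitiesDescriptor wrapping several.
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue
        return {"IDP Entity ID": entity.get("entityID"),
                "IDP Login URL": _location(idp, "SingleSignOnService", binding),
                "IDP Logout URL": _location(idp, "SingleLogoutService", binding),
                "IDP Security Certificate": _signing_certificate(idp)}
    raise ValueError("no IDPSSODescriptor found: this is not identity-provider metadata")


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA)
    for field, value in settings.items():
        print(f"{field}: {value}")
    print(to_pem(settings["IDP Security Certificate"]))
```

Feed it the downloaded metadata file instead of SAMPLE_METADATA to get the values to paste into the IDP Entity ID, IDP Login URL, IDP Logout URL and IDP Security Certificate fields; pass binding="HTTP-POST" if the SP is configured to send its requests by POST. When the metadata is refreshed after a key rotation, rerunning the script and comparing the certificate value against the configured one shows at once whether the field needs updating.
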

SAML Settings

  10. Add Relying Party Trusts
    • Navigate to Trust Relationships > Relying Party Trusts > Add Relying Party Trust, and a wizard opens.
Adding Relying Party Trust
    • Click Start.
Adding Relying Party Trust Wizard
    • Select Data Source. Here, the manual option is selected, as shown below. Click Next.
Select Data Source
    • Enter the display name and click Next.
Specify Display Name
    • Choose the profile and click Next.
Choose Profile
    • Configure Certificate using the Browse button and click Next.
Configure Certificate
    • Configure the URL. Enable the option Enable Support for the SAML 2.0 Web SSO Protocol, and enter the Relying Party SAML 2.0 SSO service URL. The URL format should be as per the example provided below.
Configure URL

You can get the Relying party SAML 2.0 SSO service URL and Relying party trust identifier (SP Entity ID) details from the ServiceOps Home page > Admin > Users > SSO Configuration page.

ServiceOps SAML Settings
    • Configure the identifiers. Enter the SP Entity ID of ServiceOps and click Add. Once done, click Next.
Configure Identifiers
    • Configure Multi-factor Authentication (optional). Click Next.
Configure Multi-factor Authentication
    • Choose Issuance Authorization Rules and click Next.
Choose Issuance Authorization Rules
    • Review the settings and click Next. If any changes are required, click Previous and make the edits.
Ready to Add Trust
    • Once done, click Close, and the relying party trust is added to the AD FS database.
Finish
  11. Edit Claim Rules. If the option to open the Edit Claim Rules dialog is enabled, the Edit Claim Rules window appears as shown below. You can also open it later by right-clicking the Relying Party Trusts instance. You can edit the claim rules to enable proper communication with the Motadata instance. To edit:
    • In the Issuance Transform Rules tab, click the Add Rule button below:
Edit Claim Rules
    • Select the Claim rule template as Send LDAP Attributes as Claims and click Next.
Select Claim Rule Template
    • Configure the rule:
      • Enter the Claim rule name.
      • Set the Attribute store to Active Directory.
      • Map the LDAP attributes to outgoing claim types using the dropdown list. Here, E-Mail Addresses and Given Name are set as the LDAP Attributes, while E-Mail Address and Name are set as the Outgoing Claim Type. You can configure other fields as well.
Edit Rule
    • Once done, click Finish, and the rule gets created.
    • Now, click Add Rule again to add another rule.
    • Select the Claim rule template as Transform an Incoming Claim and click Next.
Select Claim Rule Template
    • Enter the Claim rule name.
    • Set the Incoming claim type to the Outgoing Claim Type of the previous rule, for example: E-Mail Address.
    • Set the Outgoing claim type to Name ID and the Outgoing name ID format to Email.
      Note: These values must match the Name ID policy you define during the SAML 2.0 configuration.
    • Select Pass through all claim values.
Edit Rule
  12. Configure the SAML Logout Endpoint.
    • Right-click the Relying Party Trusts and select Properties.
    • Select the Endpoints tab and click Add SAML.
Add SAML
    • Select the Endpoint type as SAML Logout. Next, specify the Trusted URL and Response URL. Again, you can get these details from ServiceOps.
Adding SAML Logout Endpoint
    • Once done, click OK, and the following screen appears.
SAML Logout Endpoint
    • Click Apply and OK to bring the changes into effect.
  13. Open the ServiceOps portal and sign in using the SSO login button, as shown below:
ServiceOps Portal
  14. You will be redirected to the AD FS server sign-in page, as shown below.
AD Server Sign-in Page
  15. Sign in to the AD FS server, and you will be redirected to the ServiceOps portal as shown below:
Redirection from ADFS to the ServiceOps Portal
  16. To sign out, click the username, and click Sign-Out. You will be redirected to the AD FS server page again or remain on the portal, as per the configured SAML logout URL.
Signing-Out from the ServiceOps Portal

Azure AD

ServiceOps offers support for SAML 2.0, which facilitates integration for Single Sign-On. ServiceOps acts as the Service Provider (SP) and it integrates with Identity Providers (IdP) using SAML 2.0. The integration basically involves supplying details about SP to IdP and vice-versa. ​Once you integrate ServiceOps with an IdP, the users simply have to sign-in to IdP and then, they can automatically sign-in to ServiceOps from the respective identity provider’s GUI without having to provide credentials again. ​ServiceOps supports integration with Azure.

To configure SSO with the Azure AD service, follow the steps below:

  1. Sign in to the ServiceOps portal as a Technician.
Sign-In Page
  2. Navigate to Settings > Admin > Organization > System Preference > Application Settings tab, and the following page appears. Verify that the Base URL (3) is the same as the portal URL, since the SP URLs shown on the SSO Configuration page are derived from it. If it still holds the default IP address, update it and click Update (4) as shown below.
System Preference
  3. Navigate to Settings > Admin > Users > SSO Configuration and the page below appears.
SSO Configuration Page
  4. Enable the SSO functionality, and the following parameters appear. They are available only while SSO is enabled; by default it is disabled. The IDP details from the Azure AD portal are entered in ServiceOps, and the ServiceOps SP details are entered in Azure AD.
SSO Configurations
  5. Provide the following details:
    Parameter: Description
    Enforce to authenticate with Single Sign-On only (refer to the Note): When enabled, users created in the system must authenticate via SSO login only. The Login button (for local authentication) is hidden for all users, and the Excluded Technicians parameter becomes available for configuration. Disabled by default.

    Note: Once SSO is enforced, users can only log in via SSO with valid configurations and credentials.
    Auto Create User: Enable to create a user automatically on first SSO login if the user does not yet exist in the system. Disabled by default. Leave it disabled if only imported or manually created users should be able to sign in; once enabled, any account the IDP asserts becomes a ServiceOps user.
    Excluded Technicians: Select the technicians to exempt from the SSO-only rule. You can select multiple technicians and search for the desired one. The selected technicians, who must have the Local Authentication mode, can continue to sign in with local credentials.
    IDP Entity ID: Enter the Entity ID of the IDP, available in the Azure AD portal as shown below. Mandatory.
    IDP Login URL: Enter the IDP login URL to which users are redirected for authentication. It is available in the Azure AD portal as shown below.
    IDP Logout URL: Enter the IDP logout URL to which users are redirected after signing out of the ServiceOps portal. Optional; if not provided, the user remains on the same page.
    IDP Security Certificate: Enter the signing certificate that the IDP provides for the integration. ServiceOps verifies the signature on SAML responses with it, so a response that does not verify against this certificate is rejected. When the IDP rotates its certificate, update this field or SSO logins will fail.
Azure AD - IDP Details
    SP Entity ID: Displays the Entity ID of the Service Provider. Enter this in the Azure AD portal in the 'Identifier (Entity ID)' field.
    Assertion Consumer URL: Displays the ServiceOps endpoint to which the IDP posts SAML responses. Enter this in the Azure AD portal in the 'Reply URL' field.
    SP Single Logout URL: Displays the URL to which the user is redirected after sign-out. Enter this in the Azure AD portal in the 'Logout URL' field.
    SP Public Key: The Service Provider's public key (certificate). This is the part the IDP may need in order to verify messages signed by ServiceOps.
    SP Private Key: The Service Provider's private key. Treat it as a secret: it stays on the ServiceOps side and is never entered into the IDP.
    SP Metadata File: Download the metadata file provided by the Service Provider. It contains the details a SAML-enabled IDP needs about the Service Provider (entity ID, endpoints, and public key) and can be uploaded to Azure AD instead of typing the values in.

Notes:

  • The super admin (the tenant's registered user) is always allowed to log in normally, without SSO, even if not added to the exclusion list.
  • The Login button stays visible whether this option is enabled or not, so that a super admin can always log in to update or correct the configuration.
  • When this option is enabled, no one else can log in with the Login button; the error message "You are not allowed to Login from here. Try login from Single Sign on Login page." is displayed (except for the tenant user).
  6. Click Update; the confirmation message "SSO Configuration has been updated successfully" appears.
  7. To configure the SAML settings in Microsoft Azure, navigate to Enterprise Applications > the application created for ServiceOps (named SSO Azure in the example) > Single sign-on tab, and the following page appears. The values for the ServiceOps IDP fields are on this same page: Azure AD Identifier (IDP Entity ID), Login URL (IDP Login URL) and Logout URL (IDP Logout URL) in the set-up section, and the Base64 certificate under SAML Certificates (IDP Security Certificate).
Setting up Single Sign-on with SAML
  8. Edit the Basic SAML Configuration and fill in the fields with the values from the ServiceOps SSO Configuration page:
    • Identifier (Entity ID): the SP Entity ID
    • Reply URL (Assertion Consumer Service URL): the Assertion Consumer URL
    • Sign-on URL: optional; used only when the login is started from Azure
    • Relay State: optional
    • Logout URL: the SP Single Logout URL
Basic SAML Configuration Parameters
  9. Open the ServiceOps Portal and sign in using the SSO Login button as shown below.
ServiceOps Portal
  10. You are redirected to the Microsoft Azure sign-in page, as shown below.
Microsoft Azure Sign-in Page
  11. Sign in to Microsoft Azure and you are redirected to the ServiceOps Portal. To sign out, click the username and click Sign-Out. If an IDP Logout URL is configured, you are redirected to the Microsoft Azure page again; otherwise you remain on the portal.
Signing-Out from the ServiceOps Portal
  12. To import users, click the User Import Configuration button and a popup appears.
    Enter the following details:

    • Enable the functionality. By default, it is disabled.
    • SSO Provider: Select the provider of the SSO functionality.

Notes:

  • Here, you can import both Azure AD and Office 365 users.
  • Office 365 uses Azure Active Directory for user management; hence the configuration for both services is identical.
User Import Configuration
  13. In the Configuration tab, configure the following details:
    • Client ID: Enter the Application (client) ID of the app registration.
    • Client Secret: Enter the Client Secret. Azure shows the secret value only once, at creation, and every secret has an expiry date; record the expiry, because the import stops working once it lapses.
    • Tenant ID: Enter the Directory (tenant) ID. You can get these details from Microsoft Azure as shown below.
    • Group Filter: Enter the group whose members you want to import from Azure AD. Scoping the import to a group keeps accounts that do not need ServiceOps access out of the requester list.
    • Add Notification Email: Add the email addresses of the users who should be notified about the import.
Azure AD Details - Client ID and Tenant ID
Azure AD Details - Client Secret
  14. In the Mapping tab, map the fields that you want to import as shown below:
Import Users Mapping
  15. In the Schedule tab, set the date and time at which the users should be imported automatically.
Import Users Schedule
  16. Once all the details are filled in, click Save. You can also check the connectivity by clicking the Test Connection button.
  17. Once the connection is successful, click the Import Users button; the imported users are added as requesters in ServiceOps as shown below.
AzureAD Imported Users
  18. You can also click the Show History button to view the User Import Configuration history.
AzureAD Imported Users History

OKTA

ServiceOps offers support for SAML 2.0, which facilitates integration for Single Sign-On. ServiceOps acts as the Service Provider (SP) and integrates with Identity Providers (IDP) using SAML 2.0. The integration basically involves supplying details about the SP to the IDP and vice versa. Once you integrate ServiceOps with an IDP, users simply sign in to the IDP and can then sign in to ServiceOps automatically from the identity provider's GUI without providing credentials again. ServiceOps supports integration with OKTA.

To configure SSO with the OKTA service, follow the steps below:

  1. Sign in to the ServiceOps portal as a Technician.
Sign-In Page
  2. Navigate to Settings > Admin > Organization > System Preference > Application Settings tab, and the following page appears. Verify that the Base URL (3) is the same as the portal URL, since the SP URLs shown on the SSO Configuration page are derived from it. If it still holds the default IP address, update it and click Update (4) as shown below.
System Preference
  3. Navigate to Settings > Admin > Users > SSO Configuration and the page below appears.
SSO Configuration Page
  4. Enable the SSO functionality, and the following parameters appear. They are available only while SSO is enabled; by default it is disabled. The IDP details from the OKTA portal are entered in ServiceOps, and the ServiceOps SP details are entered in OKTA.
SSO Configurations
  5. Provide the following details:
    Parameter: Description
    Enforce to authenticate with Single Sign-On only (refer to the Note): When enabled, users created in the system must authenticate via SSO login only. The Login button (for local authentication) is hidden for all users, and the Excluded Technicians parameter becomes available for configuration. Disabled by default.

    Note: Once SSO is enforced, users can only log in via SSO with valid configurations and credentials.
    Auto Create User: Enable to create a user automatically on first SSO login if the user does not yet exist in the system. Disabled by default. Leave it disabled if only imported or manually created users should be able to sign in; once enabled, any account the IDP asserts becomes a ServiceOps user.
    Excluded Technicians: Select the technicians to exempt from the SSO-only rule. You can select multiple technicians and search for the desired one. The selected technicians, who must have the Local Authentication mode, can continue to sign in with local credentials.
    IDP Entity ID: Enter the Entity ID of the IDP, available in the OKTA portal. Mandatory.
    IDP Login URL: Enter the IDP login URL to which users are redirected for authentication. It is available in the OKTA portal.
    IDP Logout URL: Enter the IDP logout URL to which users are redirected after signing out of the ServiceOps portal. Optional; if not provided, the user remains on the same page.
    IDP Security Certificate: Enter the signing certificate that the IDP provides for the integration. ServiceOps verifies the signature on SAML responses with it, so a response that does not verify against this certificate is rejected. When the IDP rotates its certificate, update this field or SSO logins will fail.
    SP Entity ID: Displays the Entity ID of the Service Provider. Enter this in the OKTA portal in the 'Audience URI (SP Entity ID)' field.
    Assertion Consumer URL: Displays the ServiceOps endpoint to which the IDP posts SAML responses. Enter this in the OKTA portal in the 'Single sign on URL' field.
    SP Single Logout URL: Displays the URL to which the user is redirected after sign-out. In the OKTA portal this belongs in the 'Single Logout URL' field under Show Advanced Settings, not in the 'Single sign on URL' field; OKTA also requires the SP signature certificate (the SP Public Key) to enable single logout.
    SP Public Key: The Service Provider's public key (certificate). This is the part the IDP may need in order to verify messages signed by ServiceOps.
    SP Private Key: The Service Provider's private key. Treat it as a secret: it stays on the ServiceOps side and is never entered into the IDP.
    SP Metadata File: Download the metadata file provided by the Service Provider. It contains the details a SAML-enabled IDP needs about the Service Provider (entity ID, endpoints, and public key).

Notes:

  • The super admin (the tenant's registered user) is always allowed to log in normally, without SSO, even if not added to the exclusion list.
  • The Login button stays visible whether this option is enabled or not, so that a super admin can always log in to update or correct the configuration.
  • When this option is enabled, no one else can log in with the Login button; the error message "You are not allowed to Login from here. Try login from Single Sign on Login page." is displayed (except for the tenant user).
  6. Click Update; the confirmation message "SSO Configuration has been updated successfully" appears.
  7. In OKTA, navigate to Applications > Applications, open the SAML app integration created for ServiceOps, and select the General tab. The following page appears:
Setting up Single Sign-On with SAML
  8. Edit the SAML Settings and go to the Configure SAML tab, as shown below:
SAML Settings

Configure the following details:

  • Single sign on URL: the Assertion Consumer URL from ServiceOps
  • Audience URI (SP Entity ID): the SP Entity ID from ServiceOps

To access these details, navigate to ServiceOps Home page > Admin > Users > SSO Configuration page. Conversely, the values for the ServiceOps IDP fields (Identity Provider Single Sign-On URL, Identity Provider Issuer, and the X.509 certificate) are shown by OKTA on the application's Sign On tab under View Setup Instructions.

ServiceOps SAML Settings
  9. Open the ServiceOps Portal and sign in using the SSO login button, as shown below:
ServiceOps Portal
  10. You are redirected to the OKTA sign-in page, as shown below:
OKTA Sign-in Page
  11. Sign in to OKTA, and you are redirected to the ServiceOps portal as shown below:
Redirection from OKTA to the ServiceOps Portal
  12. To sign out, click the username and click Sign-Out. Depending on the configured IDP Logout URL, you are redirected to the OKTA page again or remain on the portal.
Signing-Out from the ServiceOps Portal
  13. To import users, click the User Import Configuration button, and a popup appears:
    Enter the following details:

    • Enable the functionality. By default, it is disabled.
    • SSO Provider: Select the provider of the SSO functionality.
    • Domain URL: Enter the domain URL of the OKTA org (the https://<org>.okta.com address you sign in to).
    • Group Filter: Enter the Group Filter whose users you want to import from OKTA.
    • Add Notification Email: Add the email addresses of the users who should be notified about the import.
Import Configuration
  14. In the Configuration tab, configure the following parameters:
    • API Key: Enter the OKTA API Key (API Token). To generate the token:
      a. In the OKTA Admin Console, open the menu and navigate to the Security > API > Tokens tab.
Tokens Tab
      b. Click the Create Token button, and a popup appears.
Create Token
      c. Enter a name for the token and click Create Token. A popup displaying the created token appears as shown below:
Create Token
      d. Copy the token and use it in the API Key field.

    Notes:

    • The token value is shown only once, at creation. Store it in a password vault or secrets manager rather than a plain file, since it grants API access to your OKTA org.
    • Tokens are valid for 30 days from creation or last use, so each API call refreshes the validity. Tokens that remain unused for 30 days expire.
    • An OKTA API token carries the permissions of the administrator who created it. Create it from a dedicated account holding the least privilege needed to read users and groups, not from a super administrator's account.
  15. In the Mapping tab, map the fields that you want to import as shown below. Attributes of the OKTA user profile, including custom attributes, are referenced with the prefix profile. For example: profile.email.
Mapping Tab
  16. In the Schedule tab, enable the scheduler, select the schedule type, and select the date and time at which the users should be imported automatically.
Schedule Tab
  17. Once all the details are filled in, click Save. You can also check the connectivity by clicking the Test Connection button.
  18. Once the connection is successful, click the Import Users button; the imported users are added as requesters in ServiceOps as shown below:
Users Imported from OKTA
  19. You can also click the Show History button to view the User Import Configuration history.
User Import History
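How the Mapping tab's profile. paths, the API token and the Group Filter fit together, as an added Python example that is not ServiceOps or OKTA code. The sample user records, the mapping and the org URL are constructed; the SSWS authorization scheme, the /api/v1/groups/{id}/users endpoint and the Link-header pagination are OKTA's documented API behaviour. It also shows the filtering a careful import applies: only active accounts with an e-mail address become requesters.

```python
"""Apply a ServiceOps-style attribute mapping to users fetched from the OKTA API.

Added example; not ServiceOps or OKTA code. OKTA's Users API returns the
attributes of each user under "profile", which is why the Mapping tab wants
paths such as profile.email. Sample records, mapping and org URL are constructed.
"""
import re
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample page from GET /api/v1/groups/{groupId}/users (the Group Filter).
SAMPLE_USERS: List[Dict[str, Any]] = [
    {"id": "00u1", "status": "ACTIVE",
     "profile": {"firstName": "Alice", "lastName": "Adams", "email": "alice@example.com",
                 "login": "alice@example.com", "mobilePhone": None, "department": "IT"}},
    {"id": "00u2", "status": "DEPROVISIONED",
     "profile": {"firstName": "Bob", "lastName": "Brown", "email": "bob@example.com",
                 "login": "bob@example.com", "mobilePhone": "+1-555-0100", "department": "Finance"}},
    {"id": "00u3", "status": "ACTIVE",
     "profile": {"firstName": "Carol", "lastName": "Clark", "email": None,
                 "login": "carol", "mobilePhone": None, "department": "Sales"}},
]

# Assumed mapping: ServiceOps field -> OKTA attribute path (custom attributes use the same prefix).
MAPPING: Dict[str, str] = {
    "First Name": "profile.firstName", "Last Name": "profile.lastName",
    "Email": "profile.email", "Logon Name": "profile.login",
    "Contact Number": "profile.mobilePhone", "Department": "profile.department",
}
IMPORTABLE_STATUSES = ("ACTIVE", "PROVISIONED")


def auth_headers(api_token: str) -> Dict[str, str]:
    """OKTA API tokens are sent with the SSWS scheme, not Bearer."""
    return {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}


def group_users_url(domain_url: str, group_id: str, limit: int = 200) -> str:
    """First page of the group's members; later pages come from the Link header."""
    return f"{domain_url.rstrip('/')}/api/v1/groups/{group_id}/users?limit={limit}"


def resolve_path(record: Dict[str, Any], path: str) -> Any:
    """Walk a dotted path such as profile.email; a missing segment yields None."""
    current: Any = record
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def map_user(record: Dict[str, Any], mapping: Dict[str, str] = MAPPING) -> Dict[str, Any]:
    return {field: resolve_path(record, path) for field, path in mapping.items()}


def import_candidates(records: Iterable[Dict[str, Any]],
                      mapping: Dict[str, str] = MAPPING) -> List[Dict[str, Any]]:
    """Keep only active accounts with an e-mail; deprovisioned users must not become requesters."""
    candidates = []
    for record in records:
        if record.get("status") not in IMPORTABLE_STATUSES:
            continue
        mapped = map_user(record, mapping)
        if not mapped.get("Email"):
            continue
        candidates.append(mapped)
    return candidates


_LINK_RE = re.compile(r'<([^>]+)>;\s*rel="([^"]+)"')


def next_page_url(link_header: Optional[str]) -> Optional[str]:
    """Return the rel="next" URL from an OKTA Link header, or None on the last page."""
    if not link_header:
        return None
    for url, rel in _LINK_RE.findall(link_header):
        if rel == "next":
            return url
    return None


if __name__ == "__main__":
    print(group_users_url("https://dev-1.okta.com", "00g1"))
    for user in import_candidates(SAMPLE_USERS):
        print(user)
```

Of the three constructed users only Alice is returned: Bob is deprovisioned and Carol has no e-mail, which is the attribute ServiceOps keys requesters on. A real import loops on next_page_url until it returns None, sending auth_headers on every request.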

SSO Configuration

Single Sign-On (SSO) is an authentication method that lets users securely authenticate to multiple applications and websites with just one set of credentials. Several protocols and standards are used to implement SSO, including SAML, OAuth, OIDC, Kerberos, and smart card authentication.

SAML

SAML (Security Assertion Markup Language) is an open, XML-based standard for exchanging authentication and authorization data between an Identity Provider and a Service Provider. It has become one of the core standards for SSO: the Service Provider receives a digitally signed assertion about the user instead of handling the user's credentials itself. SAML 2.0 is optimized for web applications, where the messages are carried through the user's web browser (via HTTP redirects and POSTs).

The Identity Provider and the Service Provider are the two parties in the exchange, with the Identity Provider acting as the central system for authentication.

Identity Provider (IDP): A centralized system or directory responsible for authenticating the user and passing the user's identity details (the assertion) to the Service Provider.

Service Provider (SP): The owner of the application whose services the user will use. It trusts the IDP and relies on it for authentication; here, ServiceOps is the SP.

Note: The SSO functionality is applicable from version 7.3 and above.

SSO Flow

Initially, the user requests access to the Service Provider's (SP) service via SAML SSO. The SP redirects the user's browser to the IDP with an authentication request; the IDP authenticates the user (or reuses an existing IDP session) and sends a signed SAML response back to the SP's Assertion Consumer URL through the browser. The SP verifies the response's signature against the IDP certificate together with its audience, destination and validity window, then signs the user in. All communication between the SP and the IDP takes place in the SAML data format.

Authentication Flow

  1. Service Provider (SP) initiated: the sign-in flow starts when the user accesses or signs in directly on the service provider's site. If the user has no active session with the SP, the user is redirected to the IDP for authentication and then, on successful login, back to the SP.
  2. Identity Provider (IDP) initiated: the sign-in flow starts when the user signs in at the IDP and sees the list of SPs available to them. On choosing an SP from that list, the user is redirected to that SP with an unsolicited SAML response.
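The checks the Service Provider performs on the response in the flow above, and the reason the SSO Configuration page pairs an IDP Entity ID, SP Entity ID, Assertion Consumer URL and IDP Security Certificate (the parameter tables in the Azure AD and OKTA sections), as an added Python example that is not ServiceOps code. The entity IDs and URLs are assumed placeholders, the sample Response is constructed and unsigned, and signature verification against the IDP Security Certificate is left to the SAML library; everything else the SP must verify is spelled out:

```python
"""SP-side checks on a SAML 2.0 Response before the assertion is trusted.

Added example; not ServiceOps code. The constants stand in for the SSO
Configuration fields IDP Entity ID, SP Entity ID and Assertion Consumer URL.
Signature verification against the IDP Security Certificate is done by the
SAML library and must pass before these checks mean anything.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
import xml.etree.ElementTree as ET  # on untrusted input, prefer defusedxml.ElementTree

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed values; the real ones appear under Settings > Admin > Users > SSO Configuration.
IDP_ENTITY_ID = "https://idp.example.com/saml"
SP_ENTITY_ID = "https://serviceops.example.com/saml/metadata"
ACS_URL = "https://serviceops.example.com/saml/acs"
CLOCK_SKEW = timedelta(minutes=3)  # tolerance for IdP/SP clock drift
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, 30, tzinfo=timezone.utc)
LATE_NOW = SAMPLE_NOW + timedelta(minutes=10)


def saml_time(value: str) -> datetime:
    """Parse the UTC xs:dateTime ('Z' suffix) used in SAML attributes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text: str, expected_request_id: str,
                      now: datetime) -> Tuple[List[str], Optional[str]]:
    """Return (failures, NameID). An empty failure list means the response is acceptable."""
    errors: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"], None
    # Destination and InResponseTo tie the response to this SP and to a request it actually sent.
    if root.get("Destination") != ACS_URL:
        errors.append("Destination does not match the Assertion Consumer URL")
    if root.get("InResponseTo") != expected_request_id:
        errors.append("InResponseTo does not match an outstanding request (replay or unsolicited)")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        errors.append("StatusCode is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        errors.append(f"expected exactly one Assertion, found {len(assertions)}")
        return errors, None
    assertion = assertions[0]
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        errors.append("Assertion Issuer does not match the IDP Entity ID")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        errors.append("Conditions element missing")
    else:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now + CLOCK_SKEW < saml_time(not_before):
            errors.append("assertion not yet valid (NotBefore)")
        if not_on_or_after and now - CLOCK_SKEW >= saml_time(not_on_or_after):
            errors.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            errors.append("SP Entity ID not in AudienceRestriction")
    # Bearer confirmation repeats the recipient/request binding at assertion level.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") not in (None, ACS_URL):
            errors.append("SubjectConfirmationData Recipient mismatch")
        if scd.get("InResponseTo") not in (None, expected_request_id):
            errors.append("SubjectConfirmationData InResponseTo mismatch")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        errors.append("NameID missing")
    return errors, name_id


def sample_response(destination=ACS_URL, audience=SP_ENTITY_ID, issuer=IDP_ENTITY_ID,
                    in_response_to="_req-1", not_on_or_after="2024-06-01T12:05:00Z") -> str:
    """Constructed, unsigned sample Response; each parameter lets a caller break one field."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp-1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z"
  Destination="{destination}" InResponseTo="{in_response_to}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" InResponseTo="{in_response_to}"
                                      NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-06-01T11:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Each failure string names the configuration field it traces back to, which is the quickest way to tell a wrong IDP Entity ID (Issuer mismatch) from a Base URL still pointing at the default IP address (Destination and Recipient mismatch) or from clock drift between the two servers (NotBefore or NotOnOrAfter).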

Motadata ServiceOps supports SAML-based SSO integration with the following services: Key Cloak, AD FS, Azure AD, and OKTA, each described in its own section of this guide.

Self Service Settings

Employees frequently raise common requests such as Reset Password or Unlock Account with the IT team. These requests affect the employee's productivity and need to be addressed on priority. To resolve them without involving a Technician, ServiceOps provides the Active Directory Self Service process. It lets the organization's employees reset the password of their AD account or unlock their AD account from anywhere by answering the security questions they have set up.

LDAP users can use this functionality for an easier password change request.

Self Service Settings

Click the Self Service Settings button and a popup appears. Enable the AD Self Service functionality and a list of questions appears; you can add, edit, or delete questions here. Once enabled, the Active Directory Self Service option appears on the Login page of the Support Portal, where requesters can reset their password or unlock their account using this service. For more details, refer to the Support User Guide.

Enable the AD Self Service

Add your own questions here; a minimum of 2 questions is mandatory. Prefer questions whose answers are not publicly discoverable or easily guessed, since the answers are the only factor protecting the password reset.

To add a question, click the Add Question button.

Add Question

Enter the Question and click Add. The question appears in the list.

Add Question

LDAP Configurations

Motadata allows you to import a list of Requesters through an LDAP query. LDAP is the protocol enterprises use to access a distributed directory of their employees; e-mail clients and other contact search programs commonly use it.

Motadata connects to the directory server using the information you provide, queries it over LDAP, and fetches the employee details from the server into Motadata ServiceOps.

To view the LDAP Configurations page, navigate to the Admin > Users > LDAP Configurations and the page appears.

LDAP Configurations Page

The page provides the following features:

  1. Self Service Settings: You can configure the self service settings.
  2. Create LDAP Configurations: You can create the LDAP configuration.
  3. Grid: Displays the details of the LDAP configurations.
  4. Schedule Enabled: You can enable or disable the schedule.
  5. Show History: You can view the LDAP history.
  6. Import Users: You can import the LDAP users into ServiceOps.
  7. Create Schedule: You can create a schedule based on which the LDAP users will get synchronized.
  8. Edit: You can edit the configurations.
  9. Delete: You can delete the configuration if required.

Create LDAP Configurations

To configure LDAP,

  1. Click the Create LDAP Configurations button and the popup appears.
Create LDAP Configurations
  2. In the Configuration tab, enter the following details:
    Parameter: Description
    Name: Enter the name of the LDAP configuration.
    URL: Enter the URL of the LDAP server: the scheme, followed by the IP address or host name and the port number. For example: ldap://111.111.0.11:920. With plain ldap://, the bind password entered below travels in cleartext; prefer ldaps:// (default port 636) if the directory and ServiceOps support it.
    Base DN: A DN is a sequence of Relative Distinguished Names separated by commas. It is the point from which the server starts looking for users in the Active Directory (for example, dc=example,dc=com for the domain example.com). You can add multiple Base DNs using the +Add Base DN button. For example, if the server has an origin of Motadata with the server Flotomate, enter the DN as shown in the figure above.
    User ID: Enter the user ID of the LDAP account ServiceOps binds with. Use a dedicated service account rather than a personal or Domain Admin account, and grant it only the rights it needs.
    Password: Enter the password of that account.
    Group Base: Enter the group base (the DN of a group) to import only the users of that group.
    Emails: Enter the email addresses of the users to whom you want to send notifications about the completion of the LDAP process.
    Server Type: Select the server type: Microsoft AD or Open LDAP.
    Block missing users: Enable this flag to block users that exist in ServiceOps but are no longer returned by the LDAP query. If disabled, such users are deleted. Check the Show History counts after the first import before leaving it disabled.
  3. In the Mapping tab, map the ServiceOps attributes to the directory's attribute names. You can map the following:
    • First Name
    • Last Name
    • Email
    • Contact Number
    • Location
    • Department
    • Logon Name
    • Manager
    Note: Each mapping must use the attribute name exactly as it exists in the server's schema (in Microsoft AD, for example, givenName, sn, mail, and sAMAccountName); otherwise the connection will not be established.
  4. Once all the details are filled in, click Test Connection to verify the connectivity between the LDAP server and ServiceOps.
  5. Click Create to save the LDAP configuration. The credentials required for the LDAP configuration are those of an LDAP account with administrative access; if such credentials are not available, create a new user for this purpose in the Active Directory.
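What the URL, Group Base and Block missing users settings above translate to, as an added Python example that is not ServiceOps code. Host names, DNs and logon names are hypothetical; the filter syntax (RFC 4515 escaping, Active Directory's memberOf attribute and userAccountControl matching rule) is standard LDAP. The dry-run planner models the documented effect of the Block missing users flag so you can see who would be deleted before a scheduled import runs with it disabled:

```python
"""What the LDAP Configuration values become on the wire, plus a dry run of the sync.

Added example; not ServiceOps code. Hosts, DNs and logon names are hypothetical.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def check_ldap_url(url: str) -> Tuple[str, int, List[str]]:
    """Return (host, port, warnings) for a configured LDAP URL."""
    parts = urlsplit(url)
    warnings: List[str] = []
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}; expected ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("URL has no host")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    if parts.scheme == "ldap":
        warnings.append("ldap:// without TLS: the simple bind sends the admin password in cleartext")
    if parts.port and parts.port != DEFAULT_PORTS[parts.scheme]:
        warnings.append(f"non-standard port {parts.port}; confirm it is the directory, not a proxy")
    return parts.hostname, port, warnings


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))  # backslash, star, parens and NUL become \XX
        else:
            out.append(ch)
    return "".join(out)


def group_member_filter(server_type: str, group_dn: str) -> str:
    """Filter selecting the users of one group (the Group Base field), per Server Type."""
    escaped = escape_filter_value(group_dn)
    if server_type == "Microsoft AD":
        # memberOf is maintained by AD; the bitwise rule excludes accounts with the disabled bit (2).
        return ("(&(objectClass=user)(objectCategory=person)"
                f"(memberOf={escaped})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
    if server_type == "Open LDAP":
        # Assumes the memberof overlay; without it, read the group's member attribute instead.
        return f"(&(objectClass=inetOrgPerson)(memberOf={escaped}))"
    raise ValueError(f"unknown server type {server_type!r}")


def sync_plan(fetched: Dict[str, dict], existing: Dict[str, dict],
              block_missing: bool) -> Dict[str, List[str]]:
    """Preview an import keyed by logon name: creates, updates, and the fate of missing users."""
    create = sorted(name for name in fetched if name not in existing)
    update = sorted(name for name in fetched if name in existing and fetched[name] != existing[name])
    missing = sorted(name for name in existing if name not in fetched)
    # The page's flag: blocked when enabled, deleted when disabled.
    return {"create": create, "update": update, "blocked" if block_missing else "deleted": missing}


if __name__ == "__main__":
    print(check_ldap_url("ldap://111.111.0.11:920"))
    print(group_member_filter("Microsoft AD", "CN=ServiceOps Users (IT),OU=Groups,DC=example,DC=com"))
    print(sync_plan({"alice": {"mail": "alice@example.com"}},
                    {"alice": {"mail": "alice@example.com"}, "dave": {"mail": "dave@example.com"}},
                    block_missing=False))
```

The escaping matters because a group name is free text: a DN containing parentheses or an asterisk would otherwise change the meaning of the filter. The dry run on the constructed data shows dave being deleted rather than blocked, which is the outcome to confirm before the first scheduled sync.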

Show History

Click the Show History icon in the Actions column to view the LDAP history; a popup appears. It displays details such as the created date, total fetched users, total created users, total failed users, total deleted users, and total updated users. Click the Total Failed Users link to view the reason each failed user was not imported, as shown below.

LDAP History
LDAP Failed Users

Import Users

Click the Import Users icon in the Actions column to import the users from the LDAP server to ServiceOps. Once clicked, the imported users get added as requesters in the ServiceOps as shown below.

User Imported from LDAP Server

Create Schedule

Scheduling allows you to periodically import employee details from the server. This feature helps you to keep the Requesters list up to date.

To create a schedule,

  1. From the list page, click the Create Schedule icon in the Actions column.
  2. In the Schedule for LDAP popup, click Create Schedule.
  3. Select the Schedule Type. The options are:
    • Once: the schedule runs only once, at the date selected in the Start At field.
    • Daily: the schedule runs every day at the selected Time, starting from the Start At date and time.
    • Weekly: the schedule runs every week on the selected Day at the selected Time, starting from the Start At date.
    • Monthly: the schedule runs once a month on the selected Date at the selected Time, in the selected Month(s), starting from the Start At date.
  4. Once done, click Save to save the schedule.
Create Schedule

Once the schedule is created, you can also edit or delete it if required as shown below.

Edit or Delete Schedule

Roles

Roles are sets of permissions that specify what a technician or requester can view or do within the Support Portal. Based on these roles, the user can access or perform the required tasks. You can define roles around factors such as module, department, or user type. A super admin can create multiple roles and assign them to technicians or requesters as required.

This page enables you to view and centrally manage the permissions of all the users without the need of assigning them individually.

To view the Roles page, navigate to Admin > Users > Roles and the page appears.

Roles Page

Here, you can view a list of default and custom roles. Also, you can create custom roles, edit them, and set a particular role as default.

To set a role as default, click the toggle button next to the desired role in the Actions column; it turns green. Once a default role is set, it is assigned whenever a requester is converted to a technician; if no default is set, the Request Specialist Technician role is assigned. Choose a default role with no more permissions than a newly converted technician needs, since a broad default (such as Super Admin) would grant every converted requester administrative rights.

For example, if the Service Desk Technician role is set as default, a requester converted to a technician receives that role automatically. Otherwise, the Request Specialist Technician role is assigned.

Default Roles

The default roles are:

  • Super Admin
  • Service Desk Technician
  • Request Specialist Technician
  • Problem Specialist Technician
  • Change Specialist Technician
  • Release Specialist Technician
  • Asset Specialist Technician
  • Contract Manager
  • Purchase Manager
  • Project Manager
  • Patch Manager

Create Roles

To create a custom role,

  1. Click the Create Role button and the page appears.
  2. Enter the Name and Description of the role.
  3. In the Permissions tab, select the permissions for the different modules that you want to grant to this role. Grant only what the role's holders need; permissions can be widened later.
Create Page - Select Permissions
  4. In the Users tab, add the users to whom you want to assign the role.
    To add users, click the Add User link, and a popup appears.
Add User

Select the required users and click Add. The users are added to the list as shown below.

Users Added
  5. Once done, click Create Role, and a confirmation message appears.

Edit Roles

To edit the role, click the Edit icon on the list page, and the below page appears.

Edit Role

Here, make the required changes and click the Update Role button. For default roles, you cannot edit the permissions, but you can add or remove users.