
ADFS

ServiceOps supports SAML 2.0, which enables Single Sign-On integration. ServiceOps acts as the Service Provider (SP) and integrates with Identity Providers (IdP) using SAML 2.0. The integration consists of supplying details about the SP to the IdP and vice versa. Once ServiceOps is integrated with an IdP, users only have to sign in to the IdP; they are then signed in to ServiceOps automatically from the identity provider's GUI without providing credentials again. ServiceOps supports integration with ADFS.

To configure SSO with the ADFS service, follow the steps below:

  1. Sign-in to the ServiceOps portal as a Technician.
Sign-In Page
  2. Navigate to Settings > Admin > Organization > System Preference > Application Settings tab, and the following page appears. Verify that the Base URL (3) is the same as the portal URL. If it still holds the default IP address, update it and click Update (4) as shown below.
System Preference
  3. Navigate to Settings > Admin > Users > SSO Configuration, and the below page appears.
SSO Configuration Page
  4. Enable the SSO functionality, and the following parameters appear. The parameters are available only when the SSO functionality is enabled; by default, it is disabled. Here, the IDP details of the ADFS server are configured in ServiceOps. The ServiceOps SP details are then set in ADFS.
SSO Configurations
  5. Provide the following details:

    Enforce to authenticate with Single Sign-On only (refer to the Note below): Indicates that the users created in the system must be authenticated and allowed via SSO login only. If enabled, the Login button (for local authentication) is hidden for all users, and the parameter Excluded Technicians becomes available for configuration. By default, it is disabled.

    Note: Once the SSO is enabled, the user can only log in via SSO using valid configurations and credentials.

    Auto Create User: Enable this to create the user automatically if the user is not available in the system. By default, it is disabled.

    Excluded Technicians: Select the technicians to exclude from using the Single Sign-On functionality. You can select multiple technicians and search for the desired technician. Here, the chosen technicians having Local Authentication mode will be allowed to use the SSO login mechanism.

    IDP Entity ID: Enter the Entity ID of the IDP. This field is mandatory.

    IDP Login URL: Enter the login URL of the IDP to which the user is redirected. This field is mandatory.

    IDP Logout URL: Enter the logout URL of the IDP to which the user is redirected after signing out from the ServiceOps portal. If not provided, the user remains on the same page. This field is optional.

    IDP Security Certificate: Enter the certificate that the IDP provides for integration. The response sent by the IDP is validated using it.

    SP Entity ID: Displays the entity ID of the Service Provider.

    Assertion Consumer URL: Displays the endpoint of the ServiceOps application to which the IDP posts the SAML responses.

    SP Single Logout URL: Displays the URL to which the user is redirected after sign-out.

    SP Public Key: Provided by the Service Provider.

    SP Private Key: Provided by the Service Provider.

    SP Metadata File: Download the metadata file provided by the Service Provider. It contains all the details about the interaction between the Service Provider and the SAML-enabled entity.

Notes:

  • The Super admin (Tenant registered user) is always allowed to log in normally without SSO, even if not added to the exclusion list.
  • The Login button is always visible whether this option is enabled or not (so that a super admin user can still log in to update or reconfigure the settings).
  • If this option is enabled, no one except the Tenant user can log in using the Login button; the error message "You are not allowed to Login from here. Try login from Single Sign on Login page." is displayed.
  6. Click Update, and the confirmation message "SSO Configuration has been updated successfully" appears.
  7. On the ADFS server, open the Server Manager application and navigate to Tools > AD FS Management. The following page appears.
    Note: Here, Server Manager v6.3.9600.16384 and Windows Server 2012 R2 are used.
ADFS Management
  8. Right-click Service and choose the Edit Federation Service Properties option. The following window appears. Copy the Federation Service identifier and paste it into the IDP Entity ID field of ServiceOps.
Federation Service Properties
  9. Click the Endpoints folder and search for FederationMetadata.xml in the Metadata section below:
Endpoints Page

Now, go to the URL path and open the XML file in any editor. Copy the highlighted Single Logout Service URL and Certificate from here and use them in the ServiceOps.

Federationmetadata.xml File
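The values copied by hand from FederationMetadata.xml above (IDP Entity ID, login and logout URLs, and the certificate) can also be read from the metadata programmatically. This is an added example and not part of the Motadata documentation; the AD FS host name is a placeholder, the metadata path is the standard AD FS one, and the script deliberately selects the token-signing certificate, which is the one ServiceOps uses to validate the IDP's responses.

```powershell
# Added example (not Motadata's own script): read the IdP values ServiceOps asks for from AD FS metadata.
# Placeholder host; the path is the standard AD FS federation metadata location listed under Endpoints.
$MetadataUrl = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml"

[xml]$md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# IDP Entity ID: the Federation Service identifier (same value as in Edit Federation Service Properties).
$entityId = $md.SelectSingleNode("/md:EntityDescriptor", $ns).GetAttribute("entityID")

$idp = $md.SelectSingleNode("//md:IDPSSODescriptor", $ns)
$redirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# IDP Login URL and IDP Logout URL: the HTTP-Redirect bindings the browser is sent to.
$sso = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='$redirect']", $ns).GetAttribute("Location")
$slo = $idp.SelectSingleNode("md:SingleLogoutService[@Binding='$redirect']", $ns).GetAttribute("Location")

# IDP Security Certificate: pick the KeyDescriptor with use="signing". AD FS also publishes an encryption
# certificate, which must not be pasted into ServiceOps. During certificate rollover two signing entries
# can appear; the first one is used here, so confirm the primary one under AD FS Management > Certificates.
$b64  = $idp.SelectSingleNode("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns).InnerText
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, [Convert]::FromBase64String($b64))
$pem  = "-----BEGIN CERTIFICATE-----`n" + [Convert]::ToBase64String($cert.RawData, "InsertLineBreaks") + "`n-----END CERTIFICATE-----"

[pscustomobject]@{
    "IDP Entity ID"  = $entityId
    "IDP Login URL"  = $sso
    "IDP Logout URL" = $slo
    "Signing cert"   = "$($cert.Subject) (thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter))"
} | Format-List

# PEM form of the signing certificate, ready to paste into the IDP Security Certificate field.
Set-Content -Path ".\adfs-token-signing.pem" -Value $pem
```

The certificate's expiry is printed on purpose: AD FS rolls its token-signing certificate over automatically, and the copy stored in ServiceOps has to be refreshed when that happens.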

SAML Settings

  1. Add Relying Party Trusts
    • Navigate to Trust Relationships > Relying Party Trusts > Add Relying Party Trust, and a wizard opens.
Adding Relying Party Trust
  • Click Start.
Adding Relying Party Trust Wizard
  • Select Data Source. Here, the manual option is selected, as shown below. Click Next.
Select Data Source
  • Enter the display name and click Next.
Specify Display Name
  • Choose the profile and click Next.
Choose Profile
  • Configure Certificate using the Browse button and click Next.
Configure Certificate
  • Configure the URL. Enable the option Enable Support for the SAML 2.0 Web SSO Protocol and enter the Relying Party SAML 2.0 SSO service URL. The URL format should follow the example provided below.
Configure URL

You can get the Relying Party SAML 2.0 SSO service URL and the Relying party trust identifier (SP Entity ID) from the ServiceOps Home page > Admin > Users > SSO Configuration page.

ServiceOps SAML Settings
  • Configure the identifiers.
    Enter the SP Entity ID of ServiceOps and click Add. Once done, click Next.
Configure Identifiers
  • Configure Multi-factor Authentication (optional). Click Next.
Configure Multi-factor Authentication
  • Choose Issuance Authorization Rules and click Next.
Choose Issuance Authorization Rules
  • Review the settings and click Next. If any changes are required, click Previous and make the edits.
Ready to Add Trust
  • Once done, click Close, and the relying party trust gets successfully added to the AD FS database.
Finish
  2. Edit Claim Rules. If the option to open the Edit Claim Rules dialog is enabled, the Edit Claim Rules window appears as shown below. You can also open it later by right-clicking the Relying Party Trusts instance. Edit the claim rules to enable proper communication with the Motadata instance. To edit:
    • In the Issuance Transform Rules tab, click the Add Rule button below:
Edit Claim Rules
  • Select the Claim rule template as Send LDAP Attributes as Claims and click Next.
Select Claim Rule Template
  • Configure Rule.
    • Configure the Claim rule name.
    • Set the Attribute store to Active Directory.
    • Map the LDAP attributes to outgoing claim types using the dropdown list. Here, E-Mail Addresses and Given Name are set as the LDAP Attributes, while E-Mail Address and Name are set as the Outgoing Claim Types. You can configure other fields as well.
Edit Rule
  • Once done, click Finish, and the rule gets created.
  • Now, click Add Rule again to add another rule.
  • Select the Claim rule template as Transform an Incoming Claim and click Next.
Select Claim Rule Template
  • Enter the Claim rule name.
  • Set the Incoming claim type to the Outgoing Claim Type in the previous rule. For example: E-Mail Address.
  • Set the Outgoing claim type to Name ID and the Outgoing name ID format to Email.
    Note: These values must match the Name ID policy you define during SAML 2.0 configuration.
  • Select Pass through all claim values.
Edit Rule
  3. Configure the SAML Logout Endpoint.
    • Right-click on the Relying Party Trusts and select Properties.
    • Select the Endpoints tab and click Add SAML.
Add SAML
  • Select the Endpoint type as SAML Logout. Next, specify the Trusted and Response URL. Again, you can get these details from ServiceOps.
Adding SAML Logout Endpoint
  • Once done, click OK, and the following screen appears.
SAML Logout Endpoint
  • Click Apply and OK to bring the changes into effect.
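The relying party trust, the two claim rules and the SAML logout endpoint created through the wizard in the steps above can also be created in one go from an elevated PowerShell session on the AD FS server, using the ADFS module's own cmdlets and the claim rule language that the two templates generate. This is an added example, not a script from the Motadata documentation; the ServiceOps host name, endpoint paths and certificate path are placeholders to be replaced with the values shown on the ServiceOps SSO Configuration page.

```powershell
# Added example (not Motadata's own script). Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

# Placeholders: copy the real values from ServiceOps > Admin > Users > SSO Configuration.
$SpEntityId = "https://serviceops.example.com/<SP Entity ID>"           # Relying party trust identifier
$AcsUrl     = "https://serviceops.example.com/<Assertion Consumer URL>" # Relying Party SAML 2.0 SSO service URL
$SloUrl     = "https://serviceops.example.com/<SP Single Logout URL>"   # Trusted URL / Response URL of the logout endpoint
$SpCertPath = "C:\certs\serviceops-sp-public.cer"                       # SP Public Key exported from ServiceOps (assumed path)

# Endpoints as set in the wizard ("Configure URL") and on the Endpoints tab ("Add SAML" > SAML Logout).
$endpoints = @(
    (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0 -IsDefault $true),
    (New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout -Uri $SloUrl -ResponseUri $SloUrl)
)

# Claim rules in AD FS claim rule language, equivalent to the two rules created above:
# rule 1 = "Send LDAP Attributes as Claims" (mail -> E-Mail Address, givenName -> Name),
# rule 2 = "Transform an Incoming Claim" (E-Mail Address -> Name ID, format Email, pass through all values).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ServiceOps LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,givenName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule: "Permit all users to access this relying party" (restrict to a group if required).
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Optional token encryption certificate, as in the wizard's "Configure Certificate" step.
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $SpCertPath

Add-AdfsRelyingPartyTrust -Name "ServiceOps" -Identifier $SpEntityId -SamlEndpoint $endpoints `
    -EncryptionCertificate $spCert -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Check the result: both endpoints and both claim rules should be listed on the new trust.
Get-AdfsRelyingPartyTrust -Name "ServiceOps" | Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```

Keep the Name ID format (Email) in the MapClaims rule identical to the one ServiceOps expects, as the note in the claim rule step says; a mismatch is the most common reason the redirect back from AD FS fails.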
  4. Open the ServiceOps portal and sign in using the SSO login button, as shown below:
ServiceOps Portal
  5. You will be redirected to the AD FS Server sign-in page, as shown below.
AD Server Sign-in Page
  6. Sign in to the AD FS Server, and you will be redirected to the ServiceOps portal as shown below:
Redirection from ADFS to the ServiceOps Portal
  7. To sign out, click the username and then click Sign-Out. You will be redirected to the AD FS Server page again or remain on the portal, depending on the configured SAML logout URL.
Signing-Out from the ServiceOps Portal
