SAML Authentication FAQs

The FAQs regarding SAML authentication are listed here.

1. Despite having valid login credentials, why am I added as a new user in ServiceDesk Plus when logging in using SAML?

When you log in using SAML, the IdP provides a login name in the SAML response. This login name is generated from the NameID attribute configured in the IdP. New users are added to SDP under the two scenarios below. (You can disable the dynamic user addition setting in the Self-Service Portal to prevent new users from being added.)
  • User is not associated with any domain in SDP - In this case, the NameID value in the SAML response does not match any user name in the SDP application, so a new user is created in the application.
  • User is associated with a particular domain in SDP - In this case, the NameID value in the SAML response is not in the format "domainname\username". Even if it is in that format, the match fails when the domain name is not in upper case. So configure the NameID attribute to return the value in the format "DOMAINNAME\username". For example, if Peter is a user with login name peter in the Zylker domain, the IdP should return Zylker\peter as the NameID value in the SAML response.
2. How do I fix the alignment issue on the login page after enabling SAML, as shown in the image below?

  • Go to Admin >> Self-Service Portal Settings.
  • Click Customize now under Login Page customization.

In the HTML editor, add the classes below as shown in the screenshot. These classes are also available in <server_home>\custom\login\default.html.

    .sign-line {
      text-align: center;
      display: block;
      border-bottom: 1px solid #ccc;
      margin: 10px 0;
    }
    .or-ctr {
      background: #fff;
      position: relative;
      top: 8px;
      padding: 0 4px;
      font-size: 12px;
      color: #727272;
    }
    .sign-saml {
      color: #009adb;
      text-decoration: none;
    }

  • Click Save and check whether the link now appears aligned.

3. Do we support additional attributes in the SAML response for login?
  • We do not use the additional attributes in the SAML response for any purpose, and we have no plans to use them in the near future. We use only the NameID attribute (the default and mandatory attribute) in the SAML response for login.
4. Do we support email address formats?

There are two different things: the nameid-format and the value of the NameID attribute.
  • By default, we use the transient nameid-format. This is the format sent in the samlAuthNRequest (the initial request sent from SDP to your IdP in a ServiceDesk Plus initiated login). Some IdPs do not validate the nameid-format sent by the SP (here, SDP), so even if you have configured a different nameid-format in the IdP (say, email address), they still return a successful, valid SAML response. Other IdPs do validate it (for example, ADFS does not allow a successful login if the nameid-format in the Relying Party Trust configuration differs from the one in the samlAuthNRequest).
  • The NameID attribute, on the other hand, carries the value of the configured data irrespective of the configured nameid-format. Say you have configured the nameid-format as "emailaddress" and the NameID attribute value as "userprincipalname"; then the NameID value in the SAML response will be the user's userprincipalname rather than the user's email address. (Again, some IdPs behave differently here: in Azure, if the nameid-format is "transient", a random string is returned in the SAML response. We have a workaround for this.)

5. My IdP can't return the expected "domain\username" format in the SAML response. Is it possible to match users based on the email address?

As of now, we do not support email address or UPN based logins, so we cannot match users based on their email addresses. This is tracked as a new feature request for SAML.

6. Do we support encrypted SAML responses?

No. We do not support encrypted SAML responses, and we have no plans to support them in the near future.

7. How can we check the SAML response?

You can use the browser extension "SAML tracer" to analyze the SAML response; it is available for both Chrome and Firefox. There are two servlet URLs (as shown on the SAML configuration page) to which the IdP returns its responses: the ACS URL (/SamlResponseServlet) and the SLS URL (/SamlLogoutResponseServlet). Look for these two URLs in the tracer window and open the SAML tab to see the response. You can also check the value of the <saml:nameid> node in the SAML response XML. Refer to the linked article on how to check the SAML response.
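As an added example (not ServiceDesk Plus code), the Python snippet below decodes a constructed SAMLResponse the way SAML tracer shows it, reads the Format and value of the <saml:NameID> node (questions 4 and 7), and applies the "DOMAINNAME\username" matching rule from question 1. The sample response, the function names and the matching logic are assumptions for illustration only.

```python
import base64
import re
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted responses
from typing import Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a minimal unsigned response, as SAML tracer would show it
# after decoding the SAMLResponse form field (real ones carry Issuer, Signature,
# Conditions, etc.). The NameID follows the DOMAINNAME\username convention.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ZYLKER\\peter</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
# What the browser actually POSTs to the ACS URL: the XML, base64-encoded.
SAMPLE_POST_BODY = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def decode_saml_response(post_value: str) -> str:
    """Turn the base64 SAMLResponse form value back into XML text."""
    return base64.b64decode(post_value).decode("utf-8")


def extract_nameid(response_xml: str) -> Tuple[str, str]:
    """Return (nameid-format, value) of the first saml:NameID in the response."""
    node = ET.fromstring(response_xml).find(".//saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("SAML response carries no saml:NameID value")
    # The SAML default when no Format attribute is present is "unspecified".
    fmt = node.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    return fmt, node.text.strip()


def check_domain_login(nameid: str) -> Tuple[bool, str]:
    """Hypothetical check mirroring the FAQ rule for domain users: the value must
    be DOMAIN\\username with the domain in upper case. Email addresses, UPNs and
    Azure's random transient identifiers all fail to match a domain user."""
    m = re.fullmatch(r"([^\\]+)\\([^\\]+)", nameid)
    if not m:
        return False, "not in domain\\username form; SDP would add a new user"
    domain, user = m.groups()
    if domain != domain.upper():
        return False, f"domain not upper case; IdP should return {domain.upper()}\\{user}"
    return True, f"matches domain user {user} in {domain}"
```

To try it on a real capture, paste the SAMLResponse value from the tracer's request to /SamlResponseServlet into decode_saml_response and pass the result through extract_nameid and check_domain_login.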

Important links:

SAML admin guide - https://help.servicedeskplus.com/saml-authentication (covers the configuration instructions for the Okta, OneLogin and ADFS IdPs, FAQs and troubleshooting steps).

Workaround for Azure environment:

For logout - Please contact our support for this workaround (mail us at support@servicedeskplus.com).

