How to Configure SAML for Hybrid Azure AD in SDP


This article provides a workaround that applies only to older SDP builds (below 11200), which did not support EmailAddress as the NameID format. The workaround is applicable only to environments that sync their On-Premise AD users to Azure using Azure AD Connect.

However, we strongly recommend upgrading the application to make use of the Email Address and UPN-based login methods, which are simpler alternatives that work seamlessly with both Cloud and Hybrid AAD.

Please refer to our new article for more details:



This article describes configuring Azure AD as the IdP for ServiceDesk Plus using the SAML protocol. SDP expects the NameID value in the SAML response in the format domain\username (if the user is associated with a domain) or simply username (if the user is not associated with any domain).

Prerequisites:

1. On-Premise AD users synced to Azure AD using Azure AD Connect.
2. Extension attributes of the On-Prem user should also be synced.

Workaround:

Configure Azure as the SAML IdP in SDP: configure the ACS URL and Logout URL of SDP in Azure, and configure the Login URL, Logout URL, and certificate (Base64 format) of Azure in SDP. After that, follow the steps below.

1. Populate the extensionAttribute15 attribute of every user in the appropriate OUs with the value DOMAIN\sAMAccountName. For example, if the domain name of the users in SDP is SDP.LOCAL, set extensionAttribute15 to "SDP.LOCAL\sAMAccountName" so that SDP can identify the user. The attached script file (createExtensionAttribute.ps1) writes this value for all users in the specified OU; you need to enter the distinguished name of the OU (CN=Users,DC=sdp,DC=local in this case) and the domain name as configured in SDP (SDP.LOCAL in this case). Afterwards, run the Azure AD Connect sync manually for these changes to take effect.

2. Edit the Unique User Identifier (NameID) claim in the Azure portal: set the name identifier format to Persistent and the source attribute to user.extensionattribute15, then save the settings.

Select the format as Persistent and the source attribute as user.extensionattribute15.
Note: extensionAttribute15 is used here only as an example. If that attribute is already in use for another purpose, choose a different extensionAttribute, update the PowerShell script accordingly, and select the same attribute in the Azure claim above.

3. Go to the application's database (PGSQL or MSSQL) and run the update query below.

update samlsp set name_id_format='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent';

4. Restart the SDP application and try logging in using SAML.
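The following script is an added example for step 1; it is not the article's attached createExtensionAttribute.ps1. It assumes the RSAT ActiveDirectory module is available, and the parameter names OuDistinguishedName and SdpDomain are hypothetical choices for this example. It supports -WhatIf so the change can be previewed, and warns before overwriting an attribute that already holds a different value.

```powershell
# Added example (not the article's attached createExtensionAttribute.ps1).
# Writes "DOMAIN\sAMAccountName" into extensionAttribute15 for every user in
# one OU so that Azure AD Connect syncs it and SDP can identify the user.
# Assumes the RSAT ActiveDirectory module; parameter names are hypothetical.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Distinguished name of the OU, e.g. "CN=Users,DC=sdp,DC=local"
    [Parameter(Mandatory = $true)] [string] $OuDistinguishedName,
    # Domain name exactly as configured in SDP, e.g. "SDP.LOCAL"
    [Parameter(Mandatory = $true)] [string] $SdpDomain,
    # Change this if extensionAttribute15 is already used for another purpose
    [string] $AttributeName = 'extensionAttribute15'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Read the current attribute value alongside sAMAccountName for every user in the OU.
$users = Get-ADUser -SearchBase $OuDistinguishedName -SearchScope Subtree `
                    -Filter * -Properties $AttributeName, sAMAccountName

$updated = 0
$alreadyCorrect = 0
foreach ($user in $users) {
    $expected = "$SdpDomain\$($user.sAMAccountName)"
    $current  = $user.$AttributeName

    if ($current -eq $expected) { $alreadyCorrect++; continue }

    if ($current) {
        # The attribute is in use for something else: make the overwrite visible.
        Write-Warning "$($user.sAMAccountName): $AttributeName holds '$current', replacing with '$expected'"
    }

    # ShouldProcess honours -WhatIf / -Confirm so the run can be previewed first.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set $AttributeName = $expected")) {
        Set-ADUser -Identity $user -Replace @{ $AttributeName = $expected }
        $updated++
    }
}

Write-Host "Updated $updated user(s); $alreadyCorrect already had the expected value."
Write-Host "Now run a manual Azure AD Connect sync so the new values reach Azure AD."
# On the Azure AD Connect server this is: Start-ADSyncSyncCycle -PolicyType Delta
```

Run it once with -WhatIf to review the planned changes before writing to AD.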