How to Configure SAML for Hybrid Azure AD in SDP

This article provides a workaround for older SDP builds (below 11200) only, which did not support EmailAddress as the NameID format. The workaround applies only to environments that sync their on-premises AD users to Azure AD using Azure AD Connect.

However, we strongly recommend upgrading the application to use the Email Address and UPN-based login methods, which are simpler alternatives that work seamlessly with both Cloud and Hybrid AAD.

Please refer to our new article for more details:



This article deals with configuring Azure AD as the IdP for ServiceDesk Plus using the SAML protocol. SDP expects the NameID value in the SAML response in the format domain\username (if the user is associated with a domain) or simply username (if the user is not associated with any domain).

Prerequisites:

1. On-premises AD users synced to Azure AD using Azure AD Connect.
2. The extension attributes of the on-premises users must also be synced.

Workaround:

Configure Azure as the SAML identity provider in SDP: enter SDP's ACS URL and Logout URL in Azure, and enter Azure's Login URL, Logout URL, and certificate (Base64 format) in SDP. After configuring these, follow the steps below.

1. Populate the extensionAttribute15 attribute of every user in the appropriate OUs with the value DOMAIN\sAMAccountName. For example, if the domain name of the users in SDP is SDP.LOCAL, set extensionAttribute15 to "SDP.LOCAL\sAMAccountName" so that SDP can identify the user. Use the attached script file (createExtensionAttribute.ps1) to write the value for all users' extension attribute in the specified OU. You need to enter the distinguished name of the OU (CN=Users,DC=sdp,DC=local in this case) and the domain name as configured in SDP (SDP.LOCAL in this case). After this, run the Azure AD Connect sync manually for the changes to take effect.

2. Edit the Unique User Identifier (NameID) claim in the Azure portal. Set the name identifier format to Persistent and the source attribute to user.extensionattribute15, then save the settings.

Select the format as Persistent and Source attribute as user.extensionattribute15
Note: extensionAttribute15 is used here as an example. If you are already using that attribute for some other purpose, select a different extension attribute, modify the PowerShell script accordingly, and select the same attribute in the Azure claim above.

3. Connect to the application's database (PostgreSQL or MSSQL) and run the update query below.


    update samlsp set name_id_format='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent';


4. Restart the SDP application and try logging in using SAML.
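The attribute-population step of this workaround, as an added PowerShell example that is not the article's attached createExtensionAttribute.ps1: it writes DOMAIN\sAMAccountName into the chosen extension attribute for every user under the given container, skips users that already have the right value, refuses to overwrite a different existing value unless -Force is passed, and re-reads the attribute afterwards so the result can be checked before the Azure AD Connect sync. The container DN and domain name are the article's values; the parameter names and the RSAT ActiveDirectory module requirement are assumptions.

```powershell
# Added example: write DOMAIN\sAMAccountName into an extension attribute for
# every user under one OU. Not the article's attached createExtensionAttribute.ps1;
# it illustrates the same step. Assumes the RSAT ActiveDirectory module is
# installed and the caller may write the attribute (assumptions, not from the article).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Distinguished name of the container/OU to process (value from the article).
    [string]$SearchBase = 'CN=Users,DC=sdp,DC=local',
    # Domain name exactly as configured in SDP (value from the article).
    [string]$SdpDomain = 'SDP.LOCAL',
    # Attribute to write; pick another one if extensionAttribute15 is already in use.
    [string]$Attribute = 'extensionAttribute15',
    # Overwrite a value that is present but different (off by default, so
    # an attribute used for another purpose is not silently clobbered).
    [switch]$Force
)

Import-Module ActiveDirectory -ErrorAction Stop

$updated = 0; $skipped = 0
foreach ($u in Get-ADUser -SearchBase $SearchBase -Filter * -Properties $Attribute) {
    # SDP matches on DOMAIN\username, so the value must carry the SDP domain name.
    $expected = "$SdpDomain\$($u.SamAccountName)"
    $current  = $u.$Attribute

    if ($current -eq $expected) { $skipped++; continue }   # already correct

    if ($current -and -not $Force) {
        Write-Warning "$($u.SamAccountName): $Attribute already holds '$current' (expected '$expected'); use -Force to overwrite."
        $skipped++
        continue
    }

    # -WhatIf prints the change without writing it.
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Set $Attribute = $expected")) {
        Set-ADUser -Identity $u -Replace @{ $Attribute = $expected }
        $updated++
    }
}
Write-Host "Updated: $updated  Skipped: $skipped"

# Re-read the attribute and list any user whose value still does not match,
# so the result can be checked before running the Azure AD Connect sync.
Get-ADUser -SearchBase $SearchBase -Filter * -Properties $Attribute |
    Where-Object { $_.$Attribute -ne "$SdpDomain\$($_.SamAccountName)" } |
    Select-Object SamAccountName, @{ Name = $Attribute; Expression = { $_.$Attribute } }
```

Run it once with -WhatIf to review the planned changes; an empty final listing means every user under the container now carries the expected value.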
