How to Configure SAML for Hybrid Azure AD in SDP

This article provides a workaround only for older SDP builds (below 11200) that did not support EmailAddress as the NameID format. The workaround applies only to environments that sync their on-premises AD users to Azure AD with Azure AD Connect.

However, we strongly recommend upgrading the application to use the Email Address and UPN-based login methods, which are simpler alternatives that work seamlessly with both cloud-only and hybrid Azure AD.

Please refer to our new article for more details:

This article deals with configuring Azure AD as the IdP for ServiceDesk Plus using the SAML protocol. SDP expects the NameID value in the SAML response in the format domain\username (if the user is associated with a domain) or simply username (if the user is not associated with any domain).

Prerequisites:

1. On-premises AD users synced to Azure AD using Azure AD Connect.
2. The extension attributes of the on-premises users must also be synced.

Workaround:

Configure Azure as the SAML IdP in SDP: configure the ACS URL and Logout URL of SDP in Azure, and configure the Login URL, Logout URL, and the Base64-format certificate of Azure in SDP. After that is in place, follow the steps below.

1. Populate the extensionAttribute15 attribute for every user in the appropriate OUs. The value must be DOMAIN\sAMAccountName. For example, if the domain name of the users in SDP is SDP.LOCAL, the value of extensionAttribute15 must be "SDP.LOCAL\sAMAccountName" so that SDP can identify the user. Use the attached script file (createExtensionAttribute.ps1) to write the value for all users in the specified OU. The script asks for the distinguished name of the OU (CN=Users,DC=sdp,DC=local in this case) and for the domain name exactly as configured in SDP (SDP.LOCAL in this case). Afterwards, run the Azure AD Connect sync manually so that the changes take effect in Azure AD.

2. Edit the Unique User Identifier (NameID) claim in the Azure portal. Set the name identifier format to Persistent and the source attribute to user.extensionattribute15, then save the settings.

Select the format as Persistent and the Source attribute as user.extensionattribute15.
Note: extensionAttribute15 is used here only as an example. If that attribute is already used for some other purpose, select a different extension attribute. Change it in the PowerShell script as well, and select the same attribute in the Azure claim above.

3. Go to the application's database (PostgreSQL or MSSQL) and run the update query below.

update samlsp set name_id_format='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent';

4. Restart the SDP application and try logging in using SAML.
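The following PowerShell script is an added example of what step 1 requires and is not the attached createExtensionAttribute.ps1; it writes DOMAIN\sAMAccountName into the chosen extension attribute for every user under the given container, refuses to overwrite an attribute that already carries unrelated data, and reads the values back for verification. The defaults (CN=Users,DC=sdp,DC=local, SDP.LOCAL, extensionAttribute15) are the values from this article; it assumes the ActiveDirectory module is available on the machine it runs on.

```powershell
# Added example, not the article's attached script. Sets extensionAttribute15 (or another
# extension attribute) to DOMAIN\sAMAccountName for all users under -SearchBase so that Azure AD
# can emit it as the persistent NameID that SDP expects. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'CN=Users,DC=sdp,DC=local',   # container holding the SDP users
    [string]$SdpDomain  = 'SDP.LOCAL',                  # domain name exactly as configured in SDP
    [string]$Attribute  = 'extensionAttribute15'        # pick another one if 15 is already in use
)

Import-Module ActiveDirectory -ErrorAction Stop

$users   = Get-ADUser -SearchBase $SearchBase -Filter * -Properties $Attribute
$pattern = '^' + [regex]::Escape($SdpDomain) + '\\[^\\]+$'   # matches DOMAIN\something

# Safety check: if any user already has a value that is not in DOMAIN\name form, the attribute
# is being used for some other purpose and must not be overwritten (see the note in step 2).
$foreign = $users | Where-Object { $_.$Attribute -and $_.$Attribute -notmatch $pattern }
if ($foreign) {
    $foreign | ForEach-Object { Write-Warning "$($_.SamAccountName): $Attribute already holds '$($_.$Attribute)'" }
    throw "$Attribute is in use for another purpose; choose a different extension attribute."
}

$updated = 0
foreach ($u in $users) {
    $value = "$SdpDomain\$($u.SamAccountName)"          # the NameID value SDP expects
    if ($u.$Attribute -eq $value) { continue }           # already correct, nothing to write
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set $Attribute = $value")) {
        Set-ADUser -Identity $u -Replace @{ $Attribute = $value }
        $updated++
    }
}
Write-Host "Updated $updated of $($users.Count) users under $SearchBase."

# Verification pass: every user must now carry exactly DOMAIN\sAMAccountName.
if (-not $WhatIfPreference) {
    $bad = Get-ADUser -SearchBase $SearchBase -Filter * -Properties $Attribute |
           Where-Object { $_.$Attribute -ne "$SdpDomain\$($_.SamAccountName)" }
    if ($bad) {
        $bad | ForEach-Object { Write-Warning "Not set correctly: $($_.SamAccountName)" }
    } else {
        Write-Host "All users verified."
    }
}

# Afterwards, on the Azure AD Connect server, push the change to Azure AD with a delta sync:
#   Start-ADSyncSyncCycle -PolicyType Delta
```

Run it once with -WhatIf to see which accounts would change before writing anything.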
