How to Configure SAML for Hybrid Azure AD in SDP

How to Configure SAML for Hybrid Azure AD in SDP

This article provides a workaround for older SDP builds (below 11200) alone that did not support EmailAddress as the NameID format. Moreover, this workaround is applicable only for environments that sync their On-Premise AD users to their Azure using Azure AD Connect.

However, we strongly recommend upgrading the application to make use of the Email Address and UPN-based login methods which are simpler alternatives that work seamlessly with both Cloud and Hybrid AAD.

Please refer to our new article for more details:



This article deals with Configuring Azure AD as IdP for ServiceDesk Plus using SAML protocol.  SDP expects the NameID value in SAML response in the format domain\username ( If a user is associated with the domain ) or simply username ( If the user is not associated with any domain ).

Requisites :

1. On-Premise AD users synced to Azure AD using Azure AD Connect.
2. Extension attributes of the On-Prem user should also be synced.

Workaround :

Configure Azure using SAML protocol in SDP. ( Configure ACS URL, Logout URL of SDP in your Azure. Configure Login, Logout URL, and certificate - Base64 format of Azure in SDP ). After configuring the above things, please follow the below steps.

1. Create value for the user extensionAttribute15 attribute for every user in the appropriate OUs. The value should be DOMAIN\sAMAccountName . Say, the domain name of the users in SDP is SDP.LOCAL, then we have to create the value of extensionAttribute15 as " SDP.LOCAL\sAMAccountName " so that SDP can identify the user. Please use the attached script file ( createExtensionAttribute.ps1 ) to write values for all the users' extensionattribute in the specified OU. You need to enter the distinguished name of the OU ( CN=Users,DC=sdp,DC=local in this case ) and also should enter the domain name as configured in SDP ( SDP.LOCAL as in this case ). After this, please run the sync manually to take these changes into effect.

2. We need to edit the Unique User Identifier ( NameID ) claim in the Azure portal. The name identifier format should be Persistent and the source attribute should be user.extensionattribute15 . Then save the settings.

Select the format as Persistent and Source attribute as user.extensionattribute15
Note: The extensionAttribute15 is chosen here for an example. If you are using that attribute for some other purpose, please select some other extensionattribute. Modify the same in the Powershell script and also select the appropriate attribute in the above Azure claim.

3. Now, Go to the application's database ( PGSQL or MSSQL ) and run the below update query.


    

update samlsp set name_id_format='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent';



4. Restart the SDP application and try logging in using SAML.





                    New to ADSelfService Plus?

                      • Related Articles

                      • How to configure SAML with Azure AD

                        This guide will help us configure SAML for users who want to use Azure AD as their IdP and also give you insights on a few issues that you might run into while configuring SAML in an Azure Environment. In an ideal environment, customers will have an ...
                      • Login diectly with SAML / Query to enable AD or Local Auth when there is an issue with SAML

                        Issue: When users have AD and/or local authentication enabled along with SAML, the login page is shown when a link from an email is clicked and users need to click "Login with SAML" again. Workaround 1: You can bookmark, <sdp_url>/SamlRequestServlet ...
                      • Azure DevOps Integration

                        Feature:  Azure DevOps Integration <-->  ServiceDeskPlus (Plugin Model) --> Create a new work-item in Azure DevOps when a request is created in SDP --> Update SDP request status when a Azure DevOps work-item status is updated --> Updating Comments ...
                      • SAML | Multiple Login URLs for SAML Response

                        Issue: Even if SDP can be accessed with multiple URLs like internal.servicedesk.com and external.servicedesk.com, the SAML response is always received at the same URL that is configured in Alias URL. Fix: The acs_url column in the SAMLSP table can be ...
                      • prod and test instance has same entity id for SAML

                        The issue: When restoring backup from production instance to create a test instance, the entity ID in SAML configuration is same as the production instance. Hence not able to configure SAML in test instance. Workaround: To change the application URL, ...