How to Configure SAML for Hybrid Azure AD in SDP

This article provides a workaround only for older SDP builds (below 11200), which did not support EmailAddress as the NameID format. The workaround applies only to environments that sync their on-premises AD users to Azure AD using Azure AD Connect.

However, we strongly recommend upgrading the application to use the Email Address and UPN-based login methods, which are simpler alternatives that work seamlessly with both Cloud and Hybrid Azure AD.

Please refer to our new article for more details:



This article deals with configuring Azure AD as the IdP for ServiceDesk Plus using the SAML protocol. SDP expects the NameID value in the SAML response in the format domain\username (if the user is associated with a domain) or simply username (if the user is not associated with any domain).

Prerequisites:

1. On-premises AD users are synced to Azure AD using Azure AD Connect.
2. The extension attributes of the on-premises users are also synced.

Workaround:

Configure Azure AD as the SAML IdP in SDP: configure the ACS URL and Logout URL of SDP in Azure, and configure the Login URL, Logout URL and the Base64-format certificate of Azure in SDP. After configuring the above, follow the steps below.

1. Set the extensionAttribute15 attribute for every user in the appropriate OUs. The value should be DOMAIN\sAMAccountName. For example, if the domain name of the users in SDP is SDP.LOCAL, then the value of extensionAttribute15 must be "SDP.LOCAL\sAMAccountName" so that SDP can identify the user. Use the attached script file (createExtensionAttribute.ps1) to write the value into the extension attribute of all users in the specified OU. You need to enter the distinguished name of the OU (CN=Users,DC=sdp,DC=local in this case) and the domain name as configured in SDP (SDP.LOCAL in this case). After this, run the Azure AD Connect sync manually for the changes to take effect.

2. Edit the Unique User Identifier (NameID) claim in the Azure portal. Select the name identifier format as Persistent and the source attribute as user.extensionattribute15, then save the settings.

Note: extensionAttribute15 is used here only as an example. If that attribute is already used for some other purpose, select another extension attribute, modify the attribute name in the PowerShell script accordingly, and select the same attribute in the Azure claim above.

3. Now go to the application's database (PostgreSQL or MSSQL) and run the following update query, which tells SDP to expect the Persistent NameID format:

update samlsp set name_id_format='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent';

4. Restart the SDP application and try logging in using SAML.
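The following PowerShell script is an added example for step 1 of the procedure above; it is not the attached createExtensionAttribute.ps1 and not ManageEngine's code. It assumes the ActiveDirectory module (RSAT) is installed, the account running it may write the chosen extension attribute, and the OU distinguished name and SDP domain name are passed as parameters. It refuses to overwrite an attribute that already holds a different value, which guards against the conflict the note in step 2 warns about.

```powershell
# Added example, not the attached script: stamp "DOMAIN\sAMAccountName" into an
# extension attribute for every user below an OU, so that Azure AD can emit it
# as the Persistent NameID that SDP expects.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Distinguished name of the OU, e.g. "CN=Users,DC=sdp,DC=local"
    [Parameter(Mandatory)] [string] $OuDistinguishedName,
    # Domain name exactly as configured in SDP, e.g. "SDP.LOCAL"
    [Parameter(Mandatory)] [string] $SdpDomainName,
    # Change this if extensionAttribute15 is already in use in your forest
    [string] $AttributeName = 'extensionAttribute15'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Read the current value of the attribute so we can detect conflicts before writing.
$users = Get-ADUser -SearchBase $OuDistinguishedName -SearchScope Subtree `
                    -Filter * -Properties $AttributeName

$updated = 0; $unchanged = 0; $conflicts = 0
foreach ($u in $users) {
    $expected = "$SdpDomainName\$($u.SamAccountName)"
    $current  = $u.$AttributeName

    if ($current -eq $expected) { $unchanged++; continue }

    if ($current) {
        # Never silently clobber an attribute another system may rely on;
        # pick a different extension attribute instead (see the note in step 2).
        Write-Warning "$($u.SamAccountName): $AttributeName already holds '$current'; skipping"
        $conflicts++; continue
    }

    # -WhatIf on this script propagates to Set-ADUser for a dry run.
    Set-ADUser -Identity $u -Replace @{ $AttributeName = $expected }
    $updated++
}

Write-Output "Updated: $updated  Unchanged: $unchanged  Conflicts: $conflicts"
# Afterwards, on the Azure AD Connect server, push the change with a delta sync:
#   Start-ADSyncSyncCycle -PolicyType Delta
```

Run it first with -WhatIf to review which users would be changed; a non-zero conflict count means the chosen attribute is already in use and a different one should be selected in both the script and the Azure claim.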