This guide will help us
configure SAML for users who want to use Azure AD as their IdP and also
give you insights on a few issues that you might run into while
configuring SAML in an Azure Environment.
In an ideal
environment, customers will have an On-Premises AD which will Sync users to their O365 Portal or Azure Portal. The sync is carried out with the help of a tool called Azure AD Connect, and the admins can download this tool either from,
the tool is downloaded, the tool will be installed in the On-Premises
AD and configured in such a manner that it syncs up the users in the OP
AD to Azure AD.
Now that we have the Azure AD populated with users, the next step is to configure SAML for ServiceDesk Plus.
The Prerequisites that need to be met to configure SAML in SDP using Azure are listed below:
1. Access to SDP Application with SDAdmin privilege
2. Access to DC with Domain Admin Account
3. Access to Azure Portal with Global Admin Privilege
Step - 1:
The first step in the configuration part should be done on Azure front. We
will need to create an Enterprise Application called
ServiceDesk/ServiceDesk Plus/any name of your choice. If the application exists already in Azure, then the same can also be used. If the application already exists, please jump to Step - 2.
To create the Enterprise Application, login into the Azure Portal (https://portal.azure.com/#home
with Global Admin privilege and click on "View" button against "Manage
Azure Active Directory". This will load the Azure Active Directory(AAD)
In this section, choose Enterprise
Application from the Left Pane. The following screen will list all the applications that are connected to Azure AD. As ServiceDesk Plus does not have a direct integration to Azure Services, we will need to manually create it as an Enterprise Application.
Click on the New Application Button and choose Non-gallery Application in the following screen
provide a name for the Application (in our case ServiceDesk Plus) and click on Save. This will create the application and will show all the properties of the application.
Step - 2:
the Application is Created, the first step will be to add Users to the
Application. Click on Assign Users and groups and then click on Add
Users. This will give you the list of users in Azure AD. Now, select all the users who should be able to access ServiceDesk Plus via Azure SAML
and add them to the Application by clicking on the Assign button.
Step - 3:
that the Application is Created and Users are configured, we can proceed with configuring SAML. Click on "Setup single sign-on" and choose SAML in the following Page.
Step - 4:
Basic SAML Configuration section. In this section, we need to update
the "Identifier (Entity ID)", "Reply URL (Assertion Consumer Service
URL)" and "Logout Url". All the above 3 needs to be fetched from
ServiceDesk Plus Application's SAML Configuration Page available under
Admin / ESM Directory (If ESM is configured).
Step - 5:
User Attributes & Claims. Under the
User Attributes & Claims section, click on Edit to update the identifier.
Edit the Unique User Identifier ( NameID ) claim
in the Azure portal by double-clicking on the "Unique User Identifier (Name
ID)" and get to the edit mode. The name identifier format should be Email Address and the source attribute should be user.mail for email based authentication. If you want to associate users based on their UPN imported from the AD, then choose "Unspecified" as the NameID format and choose user.userprincipalname as the source attribute. Then save the settings.
Step - 6:
SAML Signing Certificate and Setting up ServiceDesk Plus. From the SAML
Signing Certificate section, download the SAML Certificate in Base64
format. Now, login into ServiceDesk Plus and navigate to the SAML
Configuration Page available under Admin / ESM Directory (If ESM is
configured). Once there, update the Login URL, Logout URL and
Certificate obtained from Azure AD under the "Configure Identity
Provider Details". Against the Name ID Format format option, please choose Email Address for email based login or "Unspecified" for UPN based login and save the settings.
After successfully saving the settings, you can enable SAML and users should be able to login using SAML Authentication via Azure AD.