SAML | Multiple Login URLs for SAML Response
Issue:
Even if SDP can be accessed with multiple URLs like internal.servicedesk.com and external.servicedesk.com, the SAML response is always received at the same URL that is configured in Alias URL.
Fix:
The acs_url column in the SAMLSP table can be modified to support multiple comma separated URLs and when the attached fjar is applied, it separates the URLs and allows the SAML response to be sent to any of those mentioned URLs.
Steps to apply:
1. Run the following query after connecting to the database by following the steps below:
Run the following query:
update samlsp set acs_url='https://<sdp_url_1>/SamlResponseServlet,https://<sdp_url_2>/SamlResponseServlet';
Note: Replace <sdp_url_1> amd <sdp_url_2> with your actual URLs.
Sample Query: update samlsp set acs_url='https://servicedesk:8080/SamlResponseServlet,https://servicedesk.zyler.com/SamlResponseServlet';
2. Apply the attached fjar
- Download the fjar file corresponding to your servicedesk version.
- Place the fjar file under <SDP_HOME>\fixes (if you have existing fjars, please consult with us before applying this)
- Restart the application.
3. Please ensure that your Identity Provider (Azure, OneLogin, etc) supports adding multiple URLs, and ensure to add them too.
New to ADSelfService Plus?
Related Articles
SAML | This Request will not be considered since passing more parameters to server might result in vulnerability issues.
Issue: After upgrade, customer might usually face this issue during SAML login: Trace: [14:14:03:012]|[10-02-2023]|[com.manageengine.mdh.MDHSettings]|[INFO]|[57303]: Service desk instance ID not found in Cookie| ...SAML Auto Login with ADFS (in Intranet)
Steps to enable Auto-logon: Step 1: In the AD FS server, under Authentication Methods, make sure that Windows Authentication is selected. Step 2: Run the below powershell query to check if "Chrome" is present in the supported WIA agents: ...InResponseTo attribute in SAML Response is missing
Issue: Every SAML request has an ID and every SAML response should return this ID with the name InResponseTo. Most of the popular IDPs return this is now required to be verified. Response without InResponseTo: Expected Response: Solution: If your ...prod and test instance has same entity id for SAML
The issue: When restoring backup from production instance to create a test instance, the entity ID in SAML configuration is same as the production instance. Hence not able to configure SAML in test instance. Workaround: To change the application URL, ...Login diectly with SAML / Query to enable AD or Local Auth when there is an issue with SAML
Issue: When users have AD and/or local authentication enabled along with SAML, the login page is shown when a link from an email is clicked and users need to click "Login with SAML" again. Workaround 1: You can bookmark, <sdp_url>/SamlRequestServlet ...