SAML with ICAM as IdP in ServiceDesk Plus

ICAM imposes the following requirements on the service provider (SP) metadata:

  1. The SAML NameID policy must be either unspecified (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified) or emailAddress (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).
  2. Both WantAssertionsSigned="true" and AuthnRequestsSigned="true" must be set in the metadata.
  3. The entityID must be set to the URL of your application endpoint (e.g. entityID=https://www.servicedesk.mywebsite.com/authenticate).
  4. Document your metadata using the ContactPerson element. At a minimum it should include the Line Office name and the current point of contact (POC) with email address and phone number. Insert the ContactPerson element between the </SPSSODescriptor> and </EntityDescriptor> tags in your metadata file, as in the example below.
  </SPSSODescriptor>
  <ContactPerson contactType="technical OR administrative OR support">
    <Company>Line Office</Company>
    <GivenName>First Name of POC</GivenName>
    <SurName>Last Name of POC</SurName>
    <EmailAddress>Email Address of POC</EmailAddress>
    <TelephoneNumber>Phone Number of POC</TelephoneNumber>
  </ContactPerson>
</EntityDescriptor>

To meet these requirements in ServiceDesk Plus (SDP):

  1. The Name ID format can be changed in the SAML settings page.
  2. WantAssertionsSigned="true" is already set. Run the query below against the SDP database to set AuthnRequestsSigned="true":
     update samlsp set auth_request_signed=True;
  3. To send sigAlg and the other signing parameters as request parameters, switch the IdP binding to HTTP-Redirect:
     update samlidp set binding='REDIRECT';
  4. The Entity ID can be modified with the query below:
     update samlsp set entity_id='https://your-app-url/SamlResponseServlet';
  5. Restart the SDP service after these changes and download the metadata file. The ContactPerson details required by ICAM are not generated by SDP; add them manually by editing the downloaded metadata file.
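As an added example that is not part of this article or of ServiceDesk Plus itself: a Python check that takes the downloaded SP metadata and reports which of the four ICAM requirements above it fails. The sample metadata, its entityID and the POC values are constructed placeholders.

```python
import xml.etree.ElementTree as ET
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
ALLOWED_NAMEID = {"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                  "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}
CONTACT_FIELDS = ("Company", "GivenName", "SurName", "EmailAddress", "TelephoneNumber")

def check_sp_metadata(xml_text):
    """Return the ICAM requirements this SP metadata fails (empty list = passes)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    problems = []
    # Requirement 3: entityID must be the application's own https endpoint
    if not root.get("entityID", "").startswith("https://"):
        problems.append("entityID is not an https application endpoint")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["SPSSODescriptor element missing"]
    # Requirement 2: both signing flags must be explicitly true
    for attr in ("WantAssertionsSigned", "AuthnRequestsSigned"):
        if sp.get(attr, "").lower() != "true":
            problems.append(f'{attr}="true" is missing')
    # Requirement 1: every declared NameIDFormat must be unspecified or emailAddress
    formats = [(e.text or "").strip() for e in sp.findall("md:NameIDFormat", NS)]
    if not formats:
        problems.append("no NameIDFormat declared")
    problems += [f"NameIDFormat not allowed: {f}" for f in formats if f not in ALLOWED_NAMEID]
    # Requirement 4: ContactPerson after SPSSODescriptor, with complete POC details
    contacts = root.findall("md:ContactPerson", NS)
    if not contacts:
        problems.append("ContactPerson element missing")
    for c in contacts:
        if c.get("contactType") not in ("technical", "administrative", "support"):
            problems.append(f"unexpected contactType {c.get('contactType')!r}")
        for field in CONTACT_FIELDS:
            el = c.find(f"md:{field}", NS)
            if el is None or not (el.text or "").strip():
                problems.append(f"ContactPerson is missing {field}")
    return problems

# Constructed sample metadata with placeholder values (not a real deployment).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://servicedesk.example.test/SamlResponseServlet">
  <SPSSODescriptor WantAssertionsSigned="true" AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>
  <ContactPerson contactType="technical"><Company>Line Office</Company><GivenName>Jane</GivenName><SurName>Doe</SurName>
    <EmailAddress>jane.doe@example.test</EmailAddress><TelephoneNumber>555-0100</TelephoneNumber></ContactPerson>
</EntityDescriptor>"""
```

Run it over the metadata file SDP exports (before and after the manual ContactPerson edit) to confirm every item above is satisfied before submitting it to ICAM.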
