Security Assertion Markup Language (SAML) is a single sign-on method that lets users log in without entering a separate password for each application. AssetExplorer Cloud supports SAML 2.0, which authenticates and authorizes logins by integrating with federated identity management solutions. For example, you can allow users to log in to AssetExplorer Cloud with their Active Directory credentials.
SAML authentication involves two entities: a Service Provider (SP), which here is AssetExplorer Cloud, and an Identity Provider (IdP), such as AD FS or Okta.
How does SAML for AssetExplorer Cloud help you?
- Facilitate easy and secure access for users to their IT help desk through Active Directory integration or LDAP authentication.
- Help IT authenticate users and control application access centrally.
- Reduce the password maintenance and security overhead of managing help desk users.
Enable SAML Authentication
Role Required: Organization Admin
Step 1: Domain Verification
Step 2: Subdomain or Custom Domain Configuration
The CNAME target that the subdomain or custom domain must point to varies by data center.
Step 3: Identity Provider Installation
Install a SAML 2.0-compliant Identity Provider on your network. All authentication requests will be forwarded to this Identity Provider, which can perform Active Directory, LDAP, or custom authentication to validate the user.
SAML authentication has been tested with AD FS 2.0 and AD FS 3.0 as the Identity Provider.
If you are using another SAML 2.0-compliant Identity Provider:
- The authentication request sent by Zoho is shown under SAML Authentication Request below.
- The expected assertion response is shown under Expected SAML Response below.
Step 4: SAML Configuration
- Go to ESM Directory > SAML Authentication, and fill out the fields under Configure SAML Authentication.
- Specify the Identity Provider's login URL and logout URL so that login and logout requests are redirected to it.
- Provide the Identity Provider's certificate so that ManageEngine can validate the signed SAML responses sent by the Identity Provider.
- Click Save.
When organization users access AssetExplorer Cloud through the configured subdomain or custom domain, they are redirected to the Identity Provider installed inside your network for authentication. After authentication succeeds, users are redirected back to AssetExplorer Cloud and logged in.
Once SAML authentication is set up, organization users must access AssetExplorer Cloud only through the subdomain or custom domain.
If you change your IdP URL, you must regenerate the certificate, update the login/logout URLs in the SAML configuration, and upload the new certificate.
SAML Authentication Request
Assuming zylker.com is the verified domain and idp-w2k8 is the host where the Identity Provider is installed, the request sent to the IdP looks like this:
<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_abe4735eceae4bd49afdb3f254dc5ea01359616"
    Version="2.0"
    IssueInstant="2013-01-31T07:18:15.281Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="Zoho"
    IsPassive="false"
    Destination="https://idp-w2k8/adfs/ls"
    AssertionConsumerServiceURL="https://accounts.zoho.com/signin/samlsp/<orgid>">
  <saml:Issuer>zoho.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" />
</samlp:AuthnRequest>
Expected SAML Response
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response ID="_38563ef5-2341-4826-94f2-290fca589a51"
    Version="2.0"
    IssueInstant="2013-01-31T07:19:18.219Z"
    Destination="https://accounts.zoho.com/signin/samlsp/<orgid>"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    InResponseTo="_abe4735eceae4bd49afdb3f254dc5ea01359616"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp-w2k8/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_c42ed101-0051-48ad-a678-8cb58dee03f6"
      IssueInstant="2013-01-31T07:19:18.219Z"
      Version="2.0"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://idp-w2k8/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#_c42ed101-0051-48ad-a678-8cb58dee03f6">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>wlE4Jf0Z8Z+2OyWE69RRH81atZ8=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>Y3izuExs6/EDebT9Q4U3qbL6Q==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC7jCCAdagAwIBAgIQVsvKLeIHJYVEYQONFS3p3zANBgkqhkiG9w0BAQUFADAgMR4+zaLeWShiGw==</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user1@zylker.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_abe4735eceae4bd49afdb3f254dc5ea01359616"
            NotOnOrAfter="2013-01-31T07:24:18.219Z"
            Recipient="https://accounts.zoho.com/signin/samlsp/<orgid>" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2013-01-31T07:17:18.203Z"
        NotOnOrAfter="2013-01-31T07:17:19.203Z">
      <AudienceRestriction>
        <Audience>zoho.com</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2013-01-31T07:19:18.110Z"
        SessionIndex="_c42ed101-0051-48ad-a678-8cb58dee03f6">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
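The checks a Service Provider applies to a response like the one above (InResponseTo, Destination and Recipient, status, Issuer, signature reference, bearer expiry, Conditions window, Audience), as an added example that is not Zoho's or ManageEngine's code. The function name check_response, the clock value NOW, the ORGID placeholder in the ACS URL and the sample response are all constructed for this example; actual signature verification needs an XML-DSig library and is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP = "http://idp-w2k8/adfs/services/trust"            # Issuer from the documented response
ACS = "https://accounts.zoho.com/signin/samlsp/ORGID"    # page's <orgid> placeholder filled in
NOW = datetime(2013, 1, 31, 7, 19, 20, tzinfo=timezone.utc)  # constructed SP clock value

def ts(s):  # SAML timestamps are UTC, with or without fractional seconds
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, request_id, acs_url, audience, idp_issuer, now):
    """Reasons to reject the response (empty list = accept). Signature *verification* needs an
    XML-DSig library (e.g. xmlsec); here we only confirm a signature references the assertion."""
    bad, r = [], ET.fromstring(xml_text)
    if r.get("InResponseTo") != request_id or r.get("Destination") != acs_url:
        bad.append("Response InResponseTo/Destination do not match our request")
    st = r.find("samlp:Status/samlp:StatusCode", NS)
    if st is None or st.get("Value") != SUCCESS:
        bad.append("status is not Success")
    a = r.find("saml:Assertion", NS)
    if a is None:
        return bad + ["no Assertion present"]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != idp_issuer:
        bad.append("assertion Issuer is not the configured IdP")
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        bad.append("assertion is not covered by an enveloped signature")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id or scd.get("Recipient") != acs_url:
        bad.append("SubjectConfirmationData does not match our request/ACS URL")
    elif not scd.get("NotOnOrAfter") or now >= ts(scd.get("NotOnOrAfter")):
        bad.append("bearer confirmation has no expiry or has expired")
    c = a.find("saml:Conditions", NS)
    nb, na = (c.get("NotBefore"), c.get("NotOnOrAfter")) if c is not None else (None, None)
    if c is None or (nb and now < ts(nb)) or (na and now >= ts(na)):
        bad.append("Conditions missing or outside the validity window")
    if c is None or audience not in [x.text for x in c.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        bad.append("we are not in the Audience")
    return bad

# Constructed sample modelled on the documented AD FS response (not a real capture); the signature is reduced to its Reference.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1"
 Version="2.0" IssueInstant="2013-01-31T07:19:18.219Z" InResponseTo="_req1" Destination="{ACS}">
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-01-31T07:19:18.219Z"><saml:Issuer>{IDP}</saml:Issuer>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID>user1@zylker.com</saml:NameID><saml:SubjectConfirmation><saml:SubjectConfirmationData
 InResponseTo="_req1" NotOnOrAfter="2013-01-31T07:24:18.219Z" Recipient="{ACS}"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2013-01-31T07:17:18.203Z" NotOnOrAfter="2013-01-31T07:27:18.203Z"><saml:AudienceRestriction>
 <saml:Audience>zoho.com</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

Calling check_response(SAMPLE, "_req1", ACS, "zoho.com", IDP, NOW) returns an empty list; the same response presented for a different request ID, after its expiry, or to another audience is rejected with the corresponding reasons.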