Configure SAML Authentication

Security Assertion Markup Language (SAML) is a sign-in method that lets users log in without entering a separate password for the application. AssetExplorer Cloud supports SAML 2.0, which authenticates and authorizes logins by integrating with federated identity management solutions. For example, you can allow users to log in to AssetExplorer Cloud with their Active Directory credentials.

SAML authentication involves two entities: a Service Provider (SP), which here is AssetExplorer Cloud, and an Identity Provider (IdP), such as AD FS or Okta.

How does SAML for AssetExplorer Cloud help you?
  1. It gives users easy and secure access to their IT help desk through Active Directory integration or LDAP authentication.
  2. It lets IT authenticate users and control application access centrally.
  3. It reduces the password maintenance and security overhead of managing help desk users.

Enable SAML Authentication

Role Required: Organization Admin

Step 1: Domain Verification

Verify domains used by your organization.

Step 2: Subdomain or Custom Domain Configuration

Set up a subdomain or a custom domain so that AssetExplorer can be accessed through a URL of your choosing. Make sure you add a CNAME alias that points to customer-sdpod-am1.csez.zohocorpin.com:3104.

Info
The CNAME target varies depending on the data center.

Step 3: Identity Provider Installation

Install a SAML 2.0-compliant identity provider on your network. All authentication requests will be forwarded to this Identity Provider, which can perform Active Directory, LDAP, or custom authentication to validate the user.

Info
SAML Authentication is tested with AD FS 2.0 and AD FS 3.0 as Identity Provider.

If you are using another SAML 2.0-compliant Identity Provider:
  1. The authentication request sent from Zoho is shown under SAML Authentication Request below.
  2. The expected assertion response is shown under Expected SAML Response below.

Step 4: SAML Configuration

  1. Go to ESM Directory > SAML Authentication, and fill out the fields under Configure SAML Authentication.
  2. Specify the identity provider's login URL and logout URL so that login and logout requests are redirected accordingly.
  3. Provide the Identity Provider certificate to allow ManageEngine to decrypt the SAML responses sent by the identity provider.
  4. Click Save.

When organization users access AssetExplorer Cloud through the configured subdomain or custom domain, they are redirected to the Identity Provider installed inside your network for authentication. After authentication succeeds, users are redirected back to AssetExplorer Cloud and logged in.

Info
If SAML authentication is set up, organization users must access AssetExplorer Cloud only through the subdomain or custom domain.

If you change your IdP URL, you must regenerate the certificate, update the login/logout URLs in the SAML configuration, and upload the new certificate.

SAML Authentication Request

Assuming zylker.com is the verified domain and idp-w2k8 is the host where the Identity Provider is installed, the request looks like this:

  <samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      ID="_abe4735eceae4bd49afdb3f254dc5ea01359616"
      Version="2.0"
      IssueInstant="2013-01-31T07:18:15.281Z"
      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      ProviderName="Zoho"
      IsPassive="false"
      Destination="https://idp-w2k8/adfs/ls"
      AssertionConsumerServiceURL="https://accounts.zoho.com/signin/samlsp/<orgid>">
    <saml:Issuer>zoho.com</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true" />
  </samlp:AuthnRequest>
 

Expected SAML Response

  <?xml version="1.0" encoding="UTF-8"?>
  <samlp:Response ID="_38563ef5-2341-4826-94f2-290fca589a51"
      Version="2.0"
      IssueInstant="2013-01-31T07:19:18.219Z"
      Destination="https://accounts.zoho.com/signin/samlsp/<orgid>"
      Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
      InResponseTo="_abe4735eceae4bd49afdb3f254dc5ea01359616"
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp-w2k8/adfs/services/trust</Issuer>
    <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion ID="_c42ed101-0051-48ad-a678-8cb58dee03f6"
        IssueInstant="2013-01-31T07:19:18.219Z"
        Version="2.0"
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
      <Issuer>http://idp-w2k8/adfs/services/trust</Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#_c42ed101-0051-48ad-a678-8cb58dee03f6">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>wlE4Jf0Z8Z+2OyWE69RRH81atZ8=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Y3izuExs6/EDebT9Q4U3qbL6Q==</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509Certificate>MIIC7jCCAdagAwIBAgIQVsvKLeIHJYVEYQONFS3p3zANBgkqhkiG9w0BAQUFADAgMR4+zaLeWShiGw==</ds:X509Certificate>
          </ds:X509Data>
        </KeyInfo>
      </ds:Signature>
      <Subject>
        <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user1@zylker.com</NameID>
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <SubjectConfirmationData InResponseTo="_abe4735eceae4bd49afdb3f254dc5ea01359616"
              NotOnOrAfter="2013-01-31T07:24:18.219Z"
              Recipient="https://accounts.zoho.com/signin/samlsp/<orgid>" />
        </SubjectConfirmation>
      </Subject>
      <Conditions NotBefore="2013-01-31T07:17:18.203Z"
          NotOnOrAfter="2013-01-31T07:17:19.203Z">
        <AudienceRestriction>
          <Audience>zoho.com</Audience>
        </AudienceRestriction>
      </Conditions>
      <AuthnStatement AuthnInstant="2013-01-31T07:19:18.110Z"
          SessionIndex="_c42ed101-0051-48ad-a678-8cb58dee03f6">
        <AuthnContext>
          <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
        </AuthnContext>
      </AuthnStatement>
    </Assertion>
  </samlp:Response>
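The checks a Service Provider applies when it receives a response like the one above, tying it back to the AuthnRequest it sent, as an added example that is not part of the original page or of AssetExplorer Cloud's code. It parses a constructed, abbreviated copy of the sample response and confirms InResponseTo, Destination/Recipient, status, a single signed assertion, the validity window and the audience against values the SP already holds; "ORGID" in place of the <orgid> placeholder, the placeholder signature and the timestamp passed as now are assumptions, and cryptographic XML-DSig verification is deliberately left to a dedicated library.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_ts(s):  # SAML timestamps are UTC, e.g. 2013-01-31T07:19:18.219Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, request_id, acs_url, audience, now):
    """Return a list of findings (empty means every check passed); request_id, acs_url
    and audience are the SP's own state and are never taken from the response itself."""
    f, root = [], ET.fromstring(xml_text)
    if root.get("InResponseTo") != request_id:
        f.append("InResponseTo does not match an outstanding AuthnRequest ID")
    if root.get("Destination") != acs_url:
        f.append("Destination is not our AssertionConsumerServiceURL")
    sc = root.find("samlp:Status/samlp:StatusCode", NS)
    if sc is None or sc.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        f.append("StatusCode is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse an ambiguous response instead of picking one assertion
        return f + ["expected exactly one Assertion, found %d" % len(assertions)]
    a = assertions[0]
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        f.append("Assertion is unsigned or its signature covers a different element")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id or scd.get("Recipient") != acs_url:
        f.append("SubjectConfirmationData InResponseTo/Recipient mismatch")
    elif now >= parse_ts(scd.get("NotOnOrAfter")):
        f.append("SubjectConfirmationData has expired")
    c = a.find("saml:Conditions", NS)
    if c is None or not parse_ts(c.get("NotBefore")) <= now < parse_ts(c.get("NotOnOrAfter")):
        f.append("now is outside the Conditions validity window")
    if audience not in [e.text for e in a.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]:
        f.append("Audience does not name this SP")
    return f

# Constructed, abbreviated copy of the page's sample response ("ORGID" stands in for the <orgid>
# placeholder; the signature is a placeholder, so real XML-DSig verification must happen elsewhere).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_38563ef5" Version="2.0"
 Destination="https://accounts.zoho.com/signin/samlsp/ORGID" InResponseTo="_abe4735eceae4bd49afdb3f254dc5ea01359616">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c42ed101" Version="2.0"><Issuer>http://idp-w2k8/adfs/services/trust</Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><Reference URI="#_c42ed101"/></SignedInfo><SignatureValue>PLACEHOLDER</SignatureValue></Signature>
  <Subject><NameID>user1@zylker.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <SubjectConfirmationData InResponseTo="_abe4735eceae4bd49afdb3f254dc5ea01359616" NotOnOrAfter="2013-01-31T07:24:18.219Z"
    Recipient="https://accounts.zoho.com/signin/samlsp/ORGID"/></SubjectConfirmation></Subject>
  <Conditions NotBefore="2013-01-31T07:17:18.203Z" NotOnOrAfter="2013-01-31T07:17:19.203Z">
   <AudienceRestriction><Audience>zoho.com</Audience></AudienceRestriction></Conditions></Assertion></samlp:Response>"""
```

Call check_response with a now inside the page's one-second Conditions window (07:17:18.203Z to 07:17:19.203Z) to get an empty list; at the response's own IssueInstant the window check already fails, which is why SPs allow a small, explicit clock skew rather than comparing instants exactly.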
