Version: 8.5.X

ADFS

ServiceOps supports SAML 2.0 for Single Sign-On integration. ServiceOps acts as the Service Provider (SP) and integrates with Identity Providers (IdP) over SAML 2.0. The integration consists of supplying details about the SP to the IdP and details about the IdP to the SP. Once ServiceOps is integrated with an IdP, users only have to sign in to the IdP; from the identity provider's GUI they are then signed in to ServiceOps automatically, without providing credentials again. ServiceOps supports integration with ADFS.

Prerequisites

  • A valid SSL certificate
  • The ADFS service is running
  • A host entry for the AD server has been added on the machine where the ServiceOps Server is installed

Steps for Windows Server 2022

To configure SSO with the ADFS service, follow the steps below:

Step 1: Sign in to the ServiceOps portal as a Technician.

Step 2: Navigate to Settings > Admin > Organization > System Preference > Application Settings tab. Verify that the Base URL is the same as the portal URL. If it has the default IP Address, update it.

Step 3: Navigate to Settings > Admin > Users > SSO Configuration > Identity Providers and click Add Identity Provider. The following popup appears.

Step 4: Provide the following details. The IDP details of the ADFS server are configured in ServiceOps, while the SP details of ServiceOps are configured in ADFS.

Parameter                  Description
Name                       Enter the name of the identity provider.
Identity Provider          To set the ADFS login button, select the Identity Provider as Other. If Other is selected, you can set the IDP Logo and IDP Login Button Text. Once configured, the respective login button appears on the Login page.
Auto Create User           Enable this to create the user automatically if the user does not exist in the system. Disabled by default.
IDP Entity ID              Enter the Entity ID of the IDP from the AD FS server. This field is mandatory. You can get this value from the AD FS server.
IDP Login URL              Enter the login URL of the IDP to which the user is redirected. This field is mandatory. You can get this value from the AD FS server.
IDP Logout URL             Enter the logout URL of the IDP to which the user is redirected after signing out of the ServiceOps portal. If not provided, the user remains on the same page. This field is optional.
                           Syntax: https://{domain}/adfs/ls/?wa=wsignoutcleanup1.0
                           For example: https://info.serviceopsadfs.local/adfs/ls/?wa=wsignoutcleanup1.0
IDP Security Certificate   Enter the certificate that the IDP provides for the integration. The response sent by the IDP is validated using it.
SP Entity ID               Displays the entity ID of the Service Provider. You have to configure this in the AD FS server.
Assertion Consumer URL     Displays the endpoint of the ServiceOps application where the IDP posts the SAML responses. You have to configure this in the AD FS server.
SP Single Logout URL       Displays the URL to which the user is redirected after sign-out. You have to configure this in the AD FS server.
SP Public Key              Provided by the Service Provider.
SP Private Key             Provided by the Service Provider.
Mappings                   Map additional fields to pull in more details. Whenever the values of the mapped fields change in the identity provider, they are updated automatically in ServiceOps.

Note: Field Mapping is unsupported for Multi-Select Drop Down, Checkbox, Date Field, and Dependent (Custom Type) field types.

Step 5: Click Add, and the provider will be displayed on the list page.

Step 6: On the ADFS server, open the Server Manager application and navigate to Tools > AD FS Management. The following page appears.

ADFS Management

Step 7: Right-click the AD FS folder and choose the Edit Federation Service Properties option. The following window appears. Copy the Federation Service identifier and paste it into the IDP Entity ID field of ServiceOps.

Note: Ensure the ADFS service is running.

Federation Service Properties

Step 8: Click the Endpoints folder and search for FederationMetadata.xml in the Metadata section below:

Endpoints Page

Now, go to the URL path and open the XML file in any browser as shown below. The URL's format is:

Syntax: https://{server}/federationmetadata/2007-06/federationmetadata.xml

Example: https://info.serviceopsadfs.local/federationmetadata/2007-06/federationmetadata.xml

Copy the highlighted Entity ID, Certificate, and Single Logout URL from here and use them in ServiceOps.

Federationmetadata.xml File

SAML Settings

Step 9: Add Relying Party Trusts

  • Navigate to Relying Party Trusts > Add Relying Party Trust, and a wizard opens.

Adding Relying Party Trust

  • Select Claims Aware option and click Start.

Adding Relying Party Trust Wizard

  • Select Data Source. Here, the manual option is selected, as shown below. Click Next.

Select Data Source

  • Enter the display name and click Next.

Specify Display Name

  • In Configure Certificate, click Next.

Configure Certificate

  • Configure the URL. Enable the option Enable Support for the SAML 2.0 Web SSO Protocol. Enter the Relying Party SAML 2.0 SSO service URL.

Configure URL

You can get the Relying party SAML 2.0 SSO service URL and Relying party trust identifier (SP Entity ID) details from the ServiceOps Home page > Admin > Users > SSO Configuration page.

ServiceOps SAML Settings

  • Configure the identifiers. Enter the SP Entity ID of ServiceOps and click Add. Once done, the Next button is enabled; click it.

Configure Identifiers

  • Choose Access Control Policy as Permit Everyone and click Next.

Choose Access Control Policy

  • Review the settings and click Next. If any changes are required, click Previous and make the edits.

Ready to Add Trust

  • Once done, click Close, and the relying party trust gets successfully added to the AD FS database.

Finish

Step 10: Edit Claim Issuance Policy. If the option to open the Edit Claim Issuance Policy dialog is enabled, the Edit Claim Issuance Policy window appears as shown below. You can also open it later by right-clicking the Relying Party Trusts instance. Edit the policy so that the claims ServiceOps expects are issued. To edit the policy:

  • In the Issuance Transform Rules tab, click the Add Rule button below:

Edit Claim Rules

  • Select the Claim rule template as Send LDAP Attributes as Claims and click Next.

Select Claim Rule Template

  • Configure Rule.
    • Configure the Claim rule name.
    • Set the Attribute store to Active Directory.
    • Map the LDAP attributes to outgoing claim types using the dropdown list. Here, E-Mail Addresses and Given Name are the LDAP attributes, mapped to the outgoing claim types E-Mail Address and Name respectively. You can configure other fields as well.

Edit Rule

  • Once done, click Finish, and the rule gets created.
  • Click Add Rule again to add another rule.
  • Select the Claim rule template as Transform an Incoming Claim and click Next.

Select Claim Rule Template

  • Enter the Claim rule name.
  • Set the Incoming claim type to the outgoing claim type used in the previous rule, for example E-Mail Address.
  • Set the Outgoing claim type to Name ID and the Outgoing name ID format to Email.

Note: These values must match the Name ID policy you define during SAML 2.0 configuration.

  • Select Pass through all claim values.

Edit Rule

  • Click Apply and OK.

Step 11: Configure the SAML Logout Endpoint.

  • Right-click on the Relying Party Trusts and select Properties.
  • Select the Endpoints tab.
  • In the SAML Assertion Consumer Endpoints section, edit the URL and set its Index to 1.

Edit Rule

  • Click Add SAML to add another SAML URL. The following window appears.

Edit Rule

  • Select the Endpoint type as SAML Logout and the Binding as Redirect. Next, specify the Trusted URL and the Response URL. Again, you can get these values from ServiceOps.

Adding SAML Logout Endpoint

  • Once done, click OK, and the following screen appears.

SAML Logout Endpoint

  • Click Apply and OK to bring the changes into effect. The SSO is now configured.

Step 12: You can verify this by opening the ServiceOps portal and signing in using the SSO Login button, as shown below.

ServiceOps Portal

Step 13: You will be redirected to the AD FS Server Sign-in page, as shown below.

AD Server Sign-in Page

Step 14: Sign in to the AD FS Server, and you will be redirected to the ServiceOps portal as shown below:

Redirection from ADFS to the ServiceOps Portal

Step 15: To sign out, click the username and then click Sign-Out. Depending on the configured SAML logout URL, you will either be redirected to the AD FS Server page again or remain on the portal.

Signing-Out from the ServiceOps Portal

Steps for Windows Server 2012

To configure SSO with the ADFS service, follow the steps below:

Step 1: Sign in to the ServiceOps portal as a Technician.

Step 2: Navigate to Settings > Admin > Organization > System Preference > Application Settings tab. Verify that the Base URL is the same as the portal URL. If it has the default IP Address, update it.

Step 3: Navigate to Settings > Admin > Users > SSO Configuration > Identity Providers and click Add Identity Provider. The popup appears.

Step 4: Provide the details as described in the Windows Server 2022 section above. The IDP details of the ADFS server are configured in ServiceOps, while the SP details of ServiceOps are configured in ADFS.

Step 5: Click Add, and the provider will be displayed on the list page.

Step 6: On the ADFS server, open the Server Manager application and navigate to Tools > AD FS Management. The following page appears.

Note: Here, Server Manager v6.3.9600.16384 and Windows Server 2012 R2 are used.

ADFS Management

Step 7: Right-click Service and choose the Edit Federation Service Properties option. The following window appears. Copy the Federation Service identifier and paste it into the IDP Entity ID field of ServiceOps.

Federation Service Properties

Step 8: Click the Endpoints folder and search for FederationMetadata.xml in the Metadata section below:

Endpoints Page

Now, go to the URL path and open the XML file in any browser as shown below. The URL's format is:

Syntax: https://{server}/federationmetadata/2007-06/federationmetadata.xml

Example: https://info.serviceopsadfs.local/federationmetadata/2007-06/federationmetadata.xml

Copy the highlighted Entity ID, Certificate, and Single Logout URL from here and use them in ServiceOps.

Federationmetadata.xml File

SAML Settings
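
Step 8 of both the Windows Server 2022 and the Windows Server 2012 procedures has you read the Entity ID, signing certificate and Single Logout URL off FederationMetadata.xml in a browser. The script below, an added example that is not ServiceOps or Microsoft code, reads the same three values (plus the Name ID formats the IdP advertises) out of the metadata programmatically and builds the IDP Logout URL in the syntax given in Step 4. The metadata document embedded in it is a constructed, trimmed-down sample in the shape AD FS publishes; only the host name info.serviceopsadfs.local comes from the page, and the entity ID, endpoint URLs and certificate bytes are made up.

```python
"""Extract the IdP values ServiceOps asks for in Step 4 from AD FS metadata.

Added example, not ServiceOps or Microsoft code. SAMPLE_METADATA is a
constructed document; the certificate in it is a few DER bytes, not a cert.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()  # constructed
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://info.serviceopsadfs.local/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://info.serviceopsadfs.local/adfs/ls/"/>
    <SingleLogoutService Binding="{POST}" Location="https://info.serviceopsadfs.local/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://info.serviceopsadfs.local/adfs/ls/"/>
    <SingleSignOnService Binding="{POST}" Location="https://info.serviceopsadfs.local/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def fetch_metadata(url: str, timeout: float = 10) -> str:
    """Download the metadata over HTTPS. urlopen verifies the server certificate,
    which is one reason the page lists a valid SSL certificate as a prerequisite."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_federation_metadata(xml_text: str) -> dict:
    """Return the IDP Entity ID, login/logout URLs and signing certificate(s)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")

    # Only the signing key validates responses. AD FS also publishes an
    # encryption key; pasting that one into "IDP Security Certificate" would
    # make every login fail signature validation.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no "use" attribute means both uses
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
                raise ValueError("X509Certificate is not DER encoded")
            certs.append(base64.b64encode(der).decode())
    if not certs:
        raise ValueError("no signing certificate published")

    def location(service: str, binding: str):
        for svc in idp.findall(f"md:{service}", NS):
            if svc.get("Binding") == binding:
                return svc.get("Location")
        return None

    return {
        "idp_entity_id": root.get("entityID"),
        "idp_login_url": location("SingleSignOnService", REDIRECT),
        "idp_logout_url": location("SingleLogoutService", REDIRECT),
        "idp_signing_certs": certs,
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
    }


def ws_signout_cleanup_url(slo_location: str) -> str:
    """Build the IDP Logout URL in the page's syntax
    (https://{domain}/adfs/ls/?wa=wsignoutcleanup1.0) from the SLO endpoint."""
    parts = urlsplit(slo_location)
    return urlunsplit(parts._replace(query="wa=wsignoutcleanup1.0", fragment=""))


if __name__ == "__main__":
    values = parse_federation_metadata(SAMPLE_METADATA)
    values["idp_logout_url_for_serviceops"] = ws_signout_cleanup_url(values["idp_logout_url"])
    for key, val in values.items():
        print(f"{key}: {val}")
```

To run it against a live AD FS server, replace SAMPLE_METADATA with fetch_metadata("https://{server}/federationmetadata/2007-06/federationmetadata.xml"). The encryption key is skipped on purpose: the IDP Security Certificate field is used to validate signatures, and the encryption certificate is a different key.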

Step 9: Add Relying Party Trusts

  • Navigate to Trust Relationships > Relying Party Trusts > Add Relying Party Trust, and a wizard opens.

Adding Relying Party Trust

  • Click Start.

Adding Relying Party Trust Wizard

  • Select Data Source. Here, the manual option is selected, as shown below. Click Next.

Select Data Source

  • Enter the display name and click Next.

Specify Display Name

  • Choose the profile and click Next.

Choose Profile

  • Configure Certificate using the Browse button and click Next.

Configure Certificate

  • Configure the URL. Enable the option Enable Support for the SAML 2.0 Web SSO Protocol. Enter the Relying Party SAML 2.0 SSO service URL. The URL format should be as per the example provided below.

Configure URL

You can get the Relying party SAML 2.0 SSO service URL and Relying party trust identifier (SP Entity ID) details from the ServiceOps Home page > Admin > Users > SSO Configuration page.

ServiceOps SAML Settings

  • Configure the identifiers. Enter the SP Entity ID of ServiceOps and click Add. Once done, click Next.

Configure Identifiers

  • Configure Multi-factor Authentication (optional). Click Next.

Configure Multi-factor Authentication

  • Choose Issuance Authorization Rules and click Next.

Choose Issuance Authorization Rules

  • Review the settings and click Next. If any changes are required, click Previous and make the edits.

Ready to Add Trust

  • Once done, click Close, and the relying party trust gets successfully added to the AD FS database.

Finish

Step 10: Edit Claim Rules. If the option to open the Edit Claim Rules dialog is enabled, the Edit Claim Rules window appears as shown below. You can also open it later by right-clicking the Relying Party Trusts instance. Edit the claim rules so that the claims the Motadata instance expects are issued. To edit the claim rules:

  • In the Issuance Transform Rules tab, click the Add Rule button below:

Edit Claim Rules

  • Select the Claim rule template as Send LDAP Attributes as Claims and click Next.

Select Claim Rule Template

  • Configure Rule.
    • Configure the Claim rule name.
    • Set the Attribute store to Active Directory.
    • Map the LDAP attributes to outgoing claim types using the dropdown list. Here, E-Mail Addresses and Given Name are the LDAP attributes, mapped to the outgoing claim types E-Mail Address and Name respectively. You can configure other fields as well.

Edit Rule

  • Once done, click Finish, and the rule gets created.
  • Click Add Rule again to add another rule.
  • Select the Claim rule template as Transform an Incoming Claim and click Next.

Select Claim Rule Template

  • Enter the Claim rule name.
  • Set the Incoming claim type to the outgoing claim type used in the previous rule, for example E-Mail Address.
  • Set the Outgoing claim type to Name ID and the Outgoing name ID format to Email.

Note: These values must match the Name ID policy you define during SAML 2.0 configuration.

  • Select Pass through all claim values.

Edit Rule
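
Step 10 of both procedures sets up two claim rules (LDAP attributes to E-Mail Address and Name, then E-Mail Address transformed into a Name ID in Email format), and the note says these must match the Name ID policy on the SAML 2.0 side. The checker below, an added example that is not ServiceOps code, parses a SAML Response and reports every way it fails to match such a trust: wrong Destination, Issuer or Audience, an assertion outside its validity window, a NameID in a format other than the configured one, or a missing E-Mail Address or Name claim. The response embedded in it is constructed (the SP URLs under serviceops.example are made up; the IdP entity ID is a made-up value on the page's host name), and XML signature validation is deliberately not part of it, since the SP performs that with the IDP Security Certificate configured in Step 4.

```python
"""Check a SAML Response against the relying party trust settings of Step 10.

Added example, not ServiceOps code. SAMPLE_RESPONSE and the serviceops.example
URLs are constructed; signature validation is out of scope here.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Claim type URIs behind the "E-Mail Address" and "Name" outgoing claim types
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"


@dataclass
class TrustExpectations:
    idp_entity_id: str  # IDP Entity ID (the Federation Service identifier)
    sp_entity_id: str   # SP Entity ID (the relying party trust identifier)
    acs_url: str        # Assertion Consumer URL
    name_id_format: str = EMAIL_FORMAT
    required_claims: tuple = (CLAIM_EMAIL, CLAIM_NAME)


EXPECTED = TrustExpectations(  # constructed values
    idp_entity_id="http://info.serviceopsadfs.local/adfs/services/trust",
    sp_entity_id="https://serviceops.example/saml/metadata",
    acs_url="https://serviceops.example/saml/acs")

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://serviceops.example/saml/acs">
  <saml:Issuer>http://info.serviceopsadfs.local/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>http://info.serviceopsadfs.local/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@serviceopsadfs.local</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://serviceops.example/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jane.doe@serviceopsadfs.local</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text: str, expected: TrustExpectations, now_utc: str) -> list:
    """Return the list of mismatches; an empty list means the response fits the trust."""
    now = _ts(now_utc)
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    if resp.get("Destination") != expected.acs_url:
        problems.append(f"Destination {resp.get('Destination')!r} is not the Assertion Consumer URL")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion (an EncryptedAssertion needs the SP private key first)"]
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected.idp_entity_id:
        problems.append(f"Issuer {issuer!r} does not match the IDP Entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID: the 'Transform an Incoming Claim' rule is missing")
    elif name_id.get("Format") != expected.name_id_format:
        problems.append(f"NameID Format {name_id.get('Format')!r} does not match the Name ID policy")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid: check clock skew between AD FS and ServiceOps")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected.sp_entity_id not in audiences:
            problems.append(f"Audience {audiences} does not contain the SP Entity ID")
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for claim in expected.required_claims:
        if claim not in present:
            problems.append(f"claim {claim} missing: check the 'Send LDAP Attributes as Claims' rule")
    return problems


if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, EXPECTED, "2024-01-01T12:00:30Z") or "response matches the trust")
```

When a login fails after the trust is set up, running a captured response (decoded from the SAMLResponse form field) through this check points at the rule or field to revisit: a missing NameID means the second claim rule was not created, a missing claim means the LDAP attribute mapping is wrong, and an Audience mismatch means the relying party trust identifier differs from the SP Entity ID shown in ServiceOps.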

Step 11: Configure the SAML Logout Endpoint.

  • Right-click on the Relying Party Trusts and select Properties.
  • Select the Endpoints tab and click Add SAML.

Add SAML

  • Select the Endpoint type as SAML Logout. Next, specify the Trusted URL and the Response URL. Again, you can get these values from ServiceOps.

Adding SAML Logout Endpoint

  • Once done, click OK, and the following screen appears.

SAML Logout Endpoint

  • Click Apply and OK to bring the changes into effect. The SSO is now configured.

Step 12: You can verify this by opening the ServiceOps portal and signing in using the SSO Login button, as shown below.

ServiceOps Portal

Step 13: You will be redirected to the AD FS Server Sign-in page, as shown below.

AD Server Sign-in Page

Step 14: Sign in to the AD FS Server, and you will be redirected to the ServiceOps portal as shown below:

Redirection from ADFS to the ServiceOps Portal

Step 15: To sign out, click the username and then click Sign-Out. Depending on the configured SAML logout URL, you will either be redirected to the AD FS Server page again or remain on the portal.

Signing-Out from the ServiceOps Portal