Deploy SSO with SAML using AD FS
Configure SSO in Web Help Desk using Active Directory Federation Services (AD FS) to enable users who log in to the Microsoft Exchange server to be automatically logged in to Web Help Desk.
If you are using Windows Server 2008 R2, you must upgrade to AD FS 2.0. The default on Windows Server 2008 R2 is AD FS 1.0, which does not support SAML 2.0.
- Enable automatic AD logon through Microsoft Windows. Add the AD FS logon URL to the Local Intranet sites in Internet Explorer through Tools > Internet options or through your corporate group policy.
- Set up your SAML server. Use an identity repository (such as AD FS or Light Directory Access Protocol [LDAP] in the remote login URL for your SAML server.
- Enable SSL in your Web Help Desk installation. Use a trusted certificate or create your own certificate.
When you create or generate a certificate, ensure that:
- The certificates are generated in the proper order.
- The Common Name (CN) certificate attribute only contains the fully-qualified domain name (FQDN) with no descriptions or comments. The exact value of this field is matched against the domain name of the server to verify its identity.
See Working with Keys and Certificates for information about trusted certificates.
- Configure Web Help Desk and the AD FS settings separately.
For information about configuring SSO with SAML using AD FS, see the AD FS 2.0 documentation located on the Microsoft TechNet website.
In the following settings, replace
mydomain.com with your domain name.
- Log in to Web Help Desk as an administrator.
- Click Setup and select General > Authentication.
- Click the Authentication drop-down menu and select SAML 2.0.
- In the Sign-in page URL field, enter:
To bypass external authentication, add the following to your login URL:
- Click Upload to apply a Verification certificate and enable SSL.
Apply the same certificate used to sign the assertion in the AD FS 2.0 Relying Party (RP) setting.
- In the Logout URL field, enter the following URL or leave this field blank to use the Web Help Desk default logout page:
Web Help Desk redirects the users to this page to log out.
- Import the certificate into the Web Help Desk trust store (cacerts).
- Upload the certificate into the Web Help Desk Admin Console Stop Web Help Desk (Stop and start Web Help Desk).
Open a Run dialog box and execute:
Click File > Open Keystore file and navigate to:
- Select All Files, select cacerts, and then click Open.
Enter the following default password:
All common Certificate Authority (CA) certificates display in the file.
- Select Tools > Import Trusted Certificates.
Locate and select the exported file, and click Import.
If the Import Trusted Certificate window displays, click OK.
The exported certificate details display.
- Click OK, and then click Yes.
Enter a certificate name alias that displays in the list of common CA certificates, and click OK.
The certificate alias does not affect the setup.
The imported certificate displays in the list.
Select File > Save Keystore.
If you cannot save the file and an error message displays:
- Open Portecle as an Administrator by navigating to the location of the Portecle.bat file.
- Right-click the file and select Run as Administrator.
- Start Web Help Desk.
- Enter the following AD FS 2.0 RP settings:
- Identifier: <mydomain.com>/helpdesk/WebObjects/Helpdesk.woa
- Signature: enter the name of the certificate you uploaded to Web Help Desk in step 5 of the Web Help Desk SAML configuration instructions.
- Endpoint: Binding: POST, URL:
<server IP address>/helpdesk/WebObjects/Helpdesk.woa
- Detail: Secure hash algorithm SHA-1
- Enter the following AD FS 2.0 Log Out settings:
- Signature: use the same certificate as in step one.
- Endpoint: SAML Logout, Binding: POST, URL:
- Detail: Secure hash algorithm SHA-1
- Enter the following AD FS 2.0 Claim Mapping settings:
- Attribute store: Active Directory
- LDAP attribute: a user name or email address.
- Outgoing claim type: NameID