Deploy SSO with SAML using AD FS

Configure SSO in Web Help Desk using Active Directory Federation Services (AD FS) to enable users who log in to the Microsoft Exchange server to be automatically logged in to Web Help Desk.

If you are using Windows Server 2008 R2, you must upgrade to AD FS 2.0, which is a separate download from Microsoft. The AD FS 1.0 role that ships with Windows Server 2008 R2 does not support SAML 2.0.

Before you begin

  1. Enable automatic AD logon through Microsoft Windows. Add the AD FS logon URL to the Local Intranet sites in Internet Explorer through Tools > Internet options or through your corporate group policy. Sites in the Local Intranet zone are sent the user's Windows credentials automatically, which is what makes the logon silent.
  2. Set up your SAML server. Use an identity repository (such as AD FS or Lightweight Directory Access Protocol [LDAP]) in the remote login URL for your SAML server.
  3. Enable SSL in your Web Help Desk installation. Use a trusted certificate or create your own certificate.

    When you create or generate a certificate, ensure that:

    • The certificates are generated in the proper order: the root CA first, then any intermediate CA, and the server certificate last, so that the chain can be validated.
    • The Common Name (CN) certificate attribute only contains the fully-qualified domain name (FQDN) of the Web Help Desk server, with no descriptions or comments. The exact value of this field is matched against the domain name of the server to verify its identity. Also list the same FQDN as a Subject Alternative Name (SAN), because current browsers ignore the CN and match the host name against the SAN only.

    See Working with Keys and Certificates for information about trusted certificates.

  4. Configure Web Help Desk and the AD FS settings separately.

    For information about configuring SSO with SAML using AD FS, see the AD FS 2.0 documentation located on the Microsoft TechNet website.

Configure Web Help Desk for AD FS

In the following settings, replace mydomain.com with your domain name.

  1. Log in to Web Help Desk as an administrator.
  2. Click Setup and select General > Authentication.
  3. Click the Authentication drop-down menu and select SAML 2.0.
  4. In the Sign-in page URL field, enter:

    https://adfs.<mydomain.com>/adfs/ls

    To bypass external authentication (for example, to log in with a local administrator account if AD FS is unavailable), add the following to your Web Help Desk login URL:

    ?username=<username>&password=<password>

    Use this only as an emergency login. Credentials passed in a query string are recorded in browser history, proxy logs, and web server access logs, so change the password afterwards and never script or bookmark this URL.

  5. Click Upload to apply a Verification certificate and enable SSL.

    Upload the certificate that AD FS uses to sign the assertion (the AD FS token-signing certificate), which is the same certificate referenced in the AD FS 2.0 Relying Party (RP) setting. Web Help Desk uses it to verify the signature on incoming SAML responses, so an assertion signed by any other key is rejected. When the AD FS token-signing certificate rolls over, upload the new certificate here as well.

  6. In the Logout URL field, enter the following URL or leave this field blank to use the Web Help Desk default logout page:

    https://adfs.<mydomain.com>/adfs/ls

    Web Help Desk redirects the users to this page to log out.

Configure SAML 2.0 on the AD FS server

  1. Enter the following AD FS 2.0 RP settings:
    • Identifier: https://<mydomain.com>/helpdesk/WebObjects/Helpdesk.woa
    • Signature: enter the name of the certificate you uploaded to Web Help Desk in step 5 of the Web Help Desk SAML configuration instructions.
    • Endpoint: Binding: POST, URL: https://<server IP address or FQDN>/helpdesk/WebObjects/Helpdesk.woa

      Use the host name that appears in the CN of the Web Help Desk SSL certificate; if you enter an IP address, browsers will report a certificate name mismatch when AD FS posts the assertion back to Web Help Desk.
    • Detail: Secure hash algorithm SHA-1

      SHA-1 is what this procedure specifies. SHA-1 signatures are deprecated, so select SHA-256 instead once you have confirmed that your Web Help Desk version verifies SHA-256 signed assertions.
  2. Enter the following AD FS 2.0 Log Out settings:
    • Identifier: https://<mydomain.com>/helpdesk/WebObjects/Helpdesk.woa
    • Signature: use the same certificate as in step one.
    • Endpoint: SAML Logout, Binding: POST, URL: https://<ADFS_Server_fqdn>/<domain_name>/adfs/ls/?wa=wsignout1.0
    • Detail: Secure hash algorithm SHA-1
  3. Enter the following AD FS 2.0 Claim Mapping settings:
    • Attribute store: Active Directory
    • LDAP attribute: a user name or email address. The value must match the user name or email address stored on the Web Help Desk account, because Web Help Desk uses the NameID value to look up the account to log in.
    • Outgoing claim type: NameID
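The AD FS side of the procedure above (relying party trust, assertion consumer and logout endpoints, signature algorithm, and the LDAP attribute to NameID claim rule), scripted with the AD FS PowerShell cmdlets. This is an added example and is not SolarWinds or Microsoft code; the host names, trust name, and the choice of the mail attribute are assumptions to replace with your own values. The cmdlet names are those of the AD FS 2.0 snap-in and the later ADFS module; run it in an elevated PowerShell session on the AD FS server.

```powershell
# Added example, not from the original page: configures the Web Help Desk
# relying party trust in AD FS as described in steps 1 to 3 above.
# Placeholders (assumed): adjust the host names and the LDAP attribute.
$WhdFqdn       = 'helpdesk.mydomain.com'   # must match the CN/SAN of the WHD SSL certificate
$AdfsFqdn      = 'adfs.mydomain.com'
$TrustName     = 'Web Help Desk'
$LdapAttribute = 'mail'                    # or 'sAMAccountName' if WHD accounts key on user name
$WhdUrl        = "https://$WhdFqdn/helpdesk/WebObjects/Helpdesk.woa"

# AD FS 2.0 ships its cmdlets as a snap-in; AD FS on Windows Server 2012 and later as a module.
if (Get-Module -ListAvailable -Name ADFS) { Import-Module ADFS } else { Add-PSSnapin Microsoft.Adfs.PowerShell }

# Step 1 / step 2: assertion consumer endpoint (POST binding) and SAML logout endpoint.
$endpoints = @(
    (New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $WhdUrl -Index 0 -IsDefault $true),
    (New-ADFSSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri "https://$AdfsFqdn/adfs/ls/?wa=wsignout1.0")
)

# Signature algorithm. The procedure above specifies SHA-1; switch to the SHA-256 URI
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' once you have confirmed that
# your Web Help Desk version verifies SHA-256 signed assertions.
$SigAlg = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Step 3: issuance transform rule that reads one LDAP attribute from Active Directory
# and emits it as the NameID claim (the value WHD matches against its user accounts).
$IssuanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "$LdapAttribute to NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";$LdapAttribute;{0}", param = c.Value);
"@

# Without an authorization rule AD FS denies every user; this one permits all authenticated users.
$AuthzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-ADFSRelyingPartyTrust -Name $TrustName -Identifier $WhdUrl -SamlEndpoint $endpoints `
    -SignatureAlgorithm $SigAlg -IssuanceTransformRules $IssuanceRules `
    -IssuanceAuthorizationRules $AuthzRules

# Export the primary token-signing certificate. This is the certificate that signs the
# assertion and therefore the "Verification certificate" to upload to Web Help Desk (step 5
# of the Web Help Desk configuration). Only the public certificate is exported, never the key.
$Signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$CerPath = Join-Path $env:TEMP 'adfs-token-signing.cer'
[IO.File]::WriteAllBytes($CerPath,
    $Signing.Certificate.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# Check: print the trust as AD FS stored it so you can compare it with steps 1 and 2.
Get-ADFSRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ Name = 'Endpoints'; Expression = { $_.SamlEndpoints | ForEach-Object { "$($_.Protocol) $($_.Binding) $($_.Location)" } } }
"Token-signing certificate (thumbprint $($Signing.Thumbprint)) written to $CerPath; upload it in Web Help Desk."
```

Before enabling SAML 2.0 in Web Help Desk, confirm that the identifier and the assertion consumer URL printed at the end use the same scheme and host name that Web Help Desk itself sees, and that the exported certificate's thumbprint matches the one Web Help Desk shows after the upload; a mismatch in either is the usual cause of an assertion that AD FS issues but Web Help Desk rejects.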