Single Sign-On allows organizations to reuse their existing domain authentication, so users do not have to create a separate username and password for Serviceaide Intelligent Service Management.

...

To enable and configure Single Sign-On, perform the following tasks:

  1. Validate Prerequisites 
  2. Export Identity Provider Certificates
  3. Configure SAML Single Sign-On in CSM
  4. Add CSM As a Trusted Service Provider in the Identity Provider
  5. Configure Identity Provider to Send User Identifier As Name ID 

Note: The user identifier sent by the identity provider must match the Name ID in ISM (the username).

Prerequisites

Before you start the configurations, ensure that the following conditions are met:

...

Note: Do not modify any parameters on the application server or database server. Contact Support if such changes are required.

Export Identity Provider Certificate

Federation servers use public/private key pairs to digitally sign all security tokens they produce. The public key, exported as the signing certificate, is what the service provider uses to verify the authenticity of those tokens.

...

If the export is successful, the certificate is saved at the location that you specified. You can open the certificate in any text editor, like Notepad.

Configure SAML Single Sign-On in Intelligent Service Management

You can add multiple SAML single sign-on configurations to Intelligent Service Management. This allows a single Intelligent Service Management system to support different organizations that may have a different SSO/SAML setup. To enable Single Sign-On, configure Intelligent Service Management to trust assertions that are sent by the IdP.

...

  1. Navigate to MANAGE > ADMINISTRATION > Tools > Slice Configuration > Single Sign On.
  2. To add an SSO configuration, click the + icon and perform the following actions:
    1. Enter the domain name, the IdP login URL, and the redirect URL for logout.
    2. Copy the entire text of your signing certificate and paste it into the Identity Provider Certificate text box.
    3. Enter the email domain in the Email Domain Tags text field. The email domain determines the ticket URL used in outbound communications and the logout URL for the logged-in user. You can add multiple email domains separated by semicolons.
      Note: When multiple SSO configurations are set up, only one of them can have an empty Email Domain Tags field.
  3. Create an entry with the default Authorization Domain information to support organizations or domains that do not use SSO. Set Authorization Domain to Default_<Slice number> and Email Domain Tags to a specific domain, or leave it empty. This ensures that the default (non-SSO) URL is used in any communication sent out by the system.
      Note: Only one entry for the default (non-SSO) URL should be created.
  4. Save the SSO configuration.

...

To edit an SSO, click the pencil icon.

5. To enable or disable an SSO configuration, click Enable or Disable.
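As an added example (not code from the original page or from the product), the following Python sketch encodes the rules stated in the steps above for a set of SSO entries, flags the configurations that violate them, and resolves which entry applies to a given user's email address. The field names, sample URLs, domains and certificate text are assumptions.

```python
import re
from dataclasses import dataclass

# Loose check that the pasted Identity Provider Certificate is PEM text.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*[A-Za-z0-9+/=\s]+-----END CERTIFICATE-----")

@dataclass
class SsoConfig:
    domain: str                  # Authorization Domain, e.g. "acme" or "Default_1" (field names assumed)
    idp_login_url: str
    logout_redirect_url: str
    idp_certificate: str         # PEM text pasted from the IdP signing certificate
    email_domain_tags: str = ""  # semicolon-separated Email Domain Tags, may be empty

    def tags(self):
        return [t.strip().lower() for t in self.email_domain_tags.split(";") if t.strip()]

def validate_configs(configs):
    """Return the rule violations found in a set of SSO entries (empty list = consistent)."""
    problems = []
    empty = [c.domain for c in configs if not c.tags()]
    if len(empty) > 1:                         # only one entry may leave Email Domain Tags empty
        problems.append(f"more than one entry with empty Email Domain Tags: {empty}")
    defaults = [c.domain for c in configs if c.domain.lower().startswith("default_")]
    if len(defaults) > 1:                      # only one default (non-SSO) entry
        problems.append(f"more than one default entry: {defaults}")
    owner = {}
    for c in configs:
        if c.domain not in defaults and not PEM_RE.search(c.idp_certificate):
            problems.append(f"{c.domain}: Identity Provider Certificate is not PEM text")
        for t in c.tags():                     # an email domain may route to only one entry
            if t in owner:
                problems.append(f"email domain {t!r} tagged on both {owner[t]} and {c.domain}")
            owner[t] = c.domain
    return problems

def resolve_config(configs, email):
    """Entry whose tags match the user's email domain, else the entry with empty tags (default)."""
    domain = email.rsplit("@", 1)[-1].lower()
    tagged = [c for c in configs if domain in c.tags()]
    untagged = [c for c in configs if not c.tags()]
    return (tagged or untagged or [None])[0]

# Constructed sample: one organization entry plus the default (non-SSO) entry for slice 1.
SAMPLE_CONFIGS = [
    SsoConfig("acme", "https://idp.example.test/adfs/ls/", "https://idp.example.test/adfs/ls/?wa=wsignout1.0",
              "-----BEGIN CERTIFICATE-----\nMIIBsampleNotARealCertificate==\n-----END CERTIFICATE-----",
              "acme.example; acme-corp.example"),
    SsoConfig("Default_1", "", "", "", ""),
]
```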

After Single Sign-On is configured in Intelligent Service Management, the service provider metadata becomes available online. The metadata URL differs between instances of the application; for example:

  • CSM3: https://csm3.serviceaide.com/NimsoftServiceDesk/servicedesk/sso/metadata/<domainname>
  • CSMStaging: https://csmstaging.serviceaide.com/NimsoftServiceDesk/servicedesk/sso/metadata/<domainname>

...

Note: Contact the support team for the metadata URL applicable to your application instance.

Add Intelligent Service Management as Trusted Service Provider in the IdP

Add the metadata that is generated from Intelligent Service Management to your IdP to enable the SAML communication between them. For information about generating the metadata, see Configure SAML Single Sign-On in CSM.

Follow these steps on Microsoft ADFS 3.0:

  1. Log in to the IdP server and navigate to Administrative Tools > ADFS 3.0 Management > Relying Party Trusts > Add Relying Party Trust.
  2. Follow the instructions in the Add Relying Party Trust wizard to add the metadata.

Verify that the following conditions are met:

  1. The Permit all users to access this relying party option is selected.
  2. An entry for Intelligent Service Management is displayed in the Endpoints tab.
  3. The Secure Hash Algorithm (SHA) value under the Advanced tab is set to SHA-1.
  4. On the Finish page, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes. The Edit Claim Rules dialog helps you set the attributes for identifying a user.
  5. Add user identification attributes in the Edit Claim Rules dialog. For more information about claim rules, see Configure Identity Provider To Send User Identifier As Name ID.

Intelligent Service Management is added as a trusted service provider in your IdP.

...

Configure Identity Provider to Send User Identifier as Name ID

After configuring your IdP and Intelligent Service Management to trust each other, set up the attribute statement for the SAML assertion. This attribute statement identifies the user. Use a unique identifier for each user, such as the User Principal Name or the email address.

...

  1. Access the Edit Claim Rules dialog as instructed in Add CSM as Trusted Service Provider in the IdP.
  2. On the Issuance Transform Rules tab, click Add Rule. Select the Send LDAP Attributes as Claims rule template and click Next.
  3. Configure the claim rule:
    1. Specify a name for the rule. For example, Send Principal as Name ID.
    2. Select the attribute store for this rule. For example, Active Directory.
    3. Map the LDAP attribute to the outgoing claim type. For example, LDAP Attribute - User Principal Name and Outgoing Claim Type - Name ID.
    4. Click Finish and confirm that the new rule is displayed in the Issuance Transform Rules tab.
    5. Click Apply and then click OK.
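As an added illustration (not code from the original page or the product) of why the claim rule must emit exactly the identifier that Intelligent Service Management stores as the username: a small Python check that pulls the Name ID out of a constructed, unsigned SAML response and maps it against a username list, rejecting the login when no match exists. The issuer, users and function names are assumptions; signature, audience and validity-period checks that a real service provider performs first are out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample response: a real one carries a Signature, Conditions and
# AudienceRestriction that must be verified before the Name ID is trusted (not shown here).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed usernames as stored in ISM; they are UPN-style, so the claim rule must send the UPN.
ISM_USERS = {"alice@example.test", "bob@example.test"}
TRUSTED_ISSUERS = {"http://idp.example.test/adfs/services/trust"}   # assumed configured IdP

def extract_identity(response_xml):
    """Return (issuer, name_id) from the first Assertion, or raise if either is missing."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    name_id = (assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    if not issuer or not name_id:
        raise ValueError("Assertion lacks Issuer or Subject/NameID")
    return issuer, name_id

def match_username(name_id, users=ISM_USERS):
    """The Name ID must equal a username (compared case-insensitively); no fuzzy rewriting."""
    by_lower = {u.lower(): u for u in users}
    return by_lower.get(name_id.lower())

def check_login(response_xml, users=ISM_USERS, issuers=TRUSTED_ISSUERS):
    """Outcome of the identifier mapping: ("ok", username) or ("reject", reason)."""
    issuer, name_id = extract_identity(response_xml)
    if issuer not in issuers:
        return "reject", f"untrusted issuer {issuer}"
    user = match_username(name_id, users)
    if user is None:
        return "reject", f"Name ID {name_id!r} matches no username; check the claim rule mapping"
    return "ok", user
```

A Name ID such as a domain-qualified account name will be rejected against UPN-style usernames, which is the symptom of a claim rule that maps the wrong LDAP attribute.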

...