Implement Single Sign-On for Microsoft Azure


Single Sign-On allows organizations to use their already defined domain authentication and not require users to create a unique username/password for Serviceaide Intelligent Service Management.

You need administrator privileges in Intelligent Service Management to perform the tasks that are listed in this article.

Overview

To enable Single Sign-On between Intelligent Service Management and your Identity Provider (IdP), establish a federation between the two systems. Configuration is required in both Intelligent Service Management and the IdP server to establish the federation.

To enable and configure Single Sign-On, perform the tasks described in the following sections:

Prerequisites

Before you start the configurations, ensure that the following conditions are met:

  • Identity Provider server is configured and running
  • Token Signing Certificate is available
  • HTTPS/SSL is enabled on the IIS server
  • Intelligent Service Management is installed on a server that is HTTPS/SSL enabled

Note: Do not modify any parameters on the application server or database server. Contact Support for assistance in such changes.

Export Identity Provider Certificate

Federation servers use public/private key pairs to add a digital signature to every security token they issue. The public key lets the receiving system verify that a token is authentic and has not been altered.

Intelligent Service Management uses Signing Certificates to secure communications and establish trust.

Export the public key portion of the Signing Certificate from the IdP. Save the Signing Certificate on a local system that is accessible to Intelligent Service Management. Use the XML metadata of the certificate when configuring Single Sign-On in Intelligent Service Management.

Note: Store the Signing Certificate as a Base64-encoded file for ADFS 3.0 and as a PEM file for Novell Access Manager.

Follow these steps on Microsoft Azure Active Directory:

  1. Log in to portal.azure.com and navigate to Enterprise applications.
  2. Browse to Active Directory > Enterprise Applications > New application > Non-gallery application.
  3. Click Add, and then add an application from the gallery.
  4. If the required application is not in the gallery, add it as an unlisted application by selecting the Non-gallery application tile.
  5. After specifying a name for your application, you can configure the single sign-on options and behavior.

Configure Single Sign-on

Adding an application in this manner provides a similar experience to the one available for pre-integrated applications.

  1. Select Configure Single Sign-On, or click Single sign-on in the application's left-hand navigation menu.

    The next screen displays the options to configure single sign-on.

  2. Navigate to the SAML Signing Certificate section and select Certificate (Base64) to download the file.

  3. Select Save File and specify the location to which the file is downloaded.

    If the export is successful, the certificate is saved at the location that you specified. You can open the certificate in any text editor, like Notepad.
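The downloaded certificate is what you later paste into the Identity Provider Certificate text box, so it is worth confirming that the file is intact before you do. The following Python script is an added example and is not part of the original article or of Intelligent Service Management: it strips the PEM armour, checks that the text decodes to one complete DER certificate structure (a truncated or padded paste shows up as a length mismatch), and prints SHA-1 and SHA-256 thumbprints that you can compare with the thumbprint shown in the SAML Signing Certificate section of the portal. The sample certificate text is a constructed five-byte placeholder, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample: a minimal DER SEQUENCE (bytes 30 03 02 01 01) wrapped in the
# PEM armour that Azure's "Certificate (Base64)" download uses. It is not a real
# certificate; paste the contents of the downloaded file here to check a real one.
SAMPLE_CERT_TEXT = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

ARMOUR_RE = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def strip_pem_armor(text: str) -> str:
    """Return the bare Base64 body with armour lines and all whitespace removed."""
    return "".join(ARMOUR_RE.sub("", text).split())


def decode_der_certificate(b64_body: str) -> bytes:
    """Decode the Base64 body and check that it is one complete DER SEQUENCE.

    An X.509 certificate is an ASN.1 SEQUENCE (tag 0x30). Comparing the encoded
    outer length with the number of bytes present catches a truncated paste or
    stray characters picked up while copying the text into the configuration screen.
    """
    try:
        der = base64.b64decode(b64_body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid Base64: {exc}") from exc
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("data does not start with a DER SEQUENCE tag (0x30)")
    first = der[1]
    if first < 0x80:                       # short-form length (small test data)
        header, length = 2, first
    else:                                  # long form: 0x80 | n, then n length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("malformed DER length field")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError(
            f"DER declares {header + length} bytes but {len(der)} are present: "
            "truncated or extra data")
    return der


def is_well_formed(b64_body: str) -> bool:
    """True when the Base64 text decodes to a complete DER SEQUENCE."""
    try:
        decode_der_certificate(b64_body)
        return True
    except ValueError:
        return False


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of the DER bytes, for comparison with the thumbprint the portal shows."""
    return hashlib.new(algorithm, der).hexdigest()


def check_certificate_text(text: str) -> dict:
    """Normalise, validate and fingerprint the certificate text in one call."""
    body = strip_pem_armor(text)
    der = decode_der_certificate(body)
    return {
        "base64": body,
        "der_length": len(der),
        "sha1": fingerprint(der, "sha1"),
        "sha256": fingerprint(der, "sha256"),
    }


if __name__ == "__main__":
    for key, value in check_certificate_text(SAMPLE_CERT_TEXT).items():
        print(f"{key}: {value}")
```

Run it against the downloaded file by replacing SAMPLE_CERT_TEXT with the file's contents; a thumbprint that does not match the one in the portal means you are holding the wrong certificate (for example an expired or rolled-over one), and a length error means the copy is incomplete.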

Configure SAML Single Sign-On in Intelligent Service Management

You can add multiple SAML single sign-on configurations to Intelligent Service Management. This allows a single Intelligent Service Management system to support different organizations that may have a different SSO/SAML setup. To enable Single Sign-On, configure Intelligent Service Management to trust assertions that are sent by the IdP.

Follow these steps:

  1. Navigate to MANAGE > ADMINISTRATION > Tools > Slice Configuration > Single Sign On.
  2. To add an SSO configuration, click the + icon and perform the following actions:
    1. Enter the domain name, the IdP login URL and, optionally, a redirect URL for logout.
    2. Copy the entire text of your Signing Certificate and paste it into the Identity Provider Certificate text box.
    3. Enter the email domain in the Email Domain Tags text field. The email domain determines the ticket URL used in outbound communications and the logout URL of the logged-in user. You can add multiple email domains separated by semicolons.
    4. Add multiple SSO configurations if your organization supports more than one email domain.
    5. Create an entry with default Authorization Domain information to support domains that do not use SSO. Set Authorization Domain to Default_<Slice number> and Email Domain Tags to a specific domain or leave it empty. This ensures that the default (non-SSO) URL is used in any communication sent out by the system.

       Note: Create only one entry for the default (non-SSO) URL.

  3. Save the SSO configuration.
  4. To edit an SSO configuration, click the pencil icon.
  5. To enable or disable an SSO configuration, click Enable or Disable.
  6. For the Identity Provider Login URL, use the Azure AD value https://login.microsoftonline.com/{tenant-id}/saml2, where {tenant-id} is replaced with your tenant ID. (Find it in the Azure portal under Azure Active Directory > Properties as Directory ID.)

After the Single Sign-On is configured in Intelligent Service Management, the metadata becomes available online. The URL to the metadata file varies for different instances of the application. Consider the following examples:

You can download the metadata from this location and can save it as an XML file. Use the information in this XML file and add Intelligent Service Management as a trusted partner in your IdP.

Note: Contact the support team for the metadata URL applicable to your application instance.
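Before importing the metadata into Azure (the step that populates Identifier and Reply URL), you can inspect it offline. The following Python script is an added example, not part of the original article or of Intelligent Service Management; the metadata document and the host ism.example.com are constructed placeholders, and your instance's real metadata URL comes from Support. It extracts the entityID (Azure's Identifier), the AssertionConsumerService locations (Reply URL) and the logout endpoints, and flags anything that would violate the HTTPS prerequisite or leave the IdP without a usable POST endpoint.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata. The host ism.example.com and every URL are
# placeholders; the real metadata for your instance comes from the URL Support gives you.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://ism.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ism.example.com/saml/acs" index="0" isDefault="true"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://ism.example.com/saml/logout"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def summarize_sp_metadata(xml_text: str) -> dict:
    """Pull out the values Azure AD fills in when the metadata file is imported."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor: not service-provider metadata")
    acs = sp.findall("md:AssertionConsumerService", MD_NS)
    slo = sp.findall("md:SingleLogoutService", MD_NS)
    return {
        "entity_id": root.get("entityID"),                # Azure: Identifier (Entity ID)
        "reply_urls": [e.get("Location") for e in acs],   # Azure: Reply URL (ACS URL)
        "reply_bindings": [e.get("Binding") for e in acs],
        "logout_urls": [e.get("Location") for e in slo],
        "name_id_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", MD_NS) if n.text],
        "want_assertions_signed": (sp.get("WantAssertionsSigned") or "false").lower() == "true",
    }


def metadata_problems(summary: dict) -> list:
    """Checks worth making before handing the file to the IdP."""
    problems = []
    if not summary["entity_id"]:
        problems.append("missing entityID")
    if not summary["reply_urls"]:
        problems.append("no AssertionConsumerService: the IdP has nowhere to post the response")
    elif HTTP_POST not in summary["reply_bindings"]:
        problems.append("no HTTP-POST AssertionConsumerService binding")
    # Prerequisite from the article: the application runs on an HTTPS/SSL-enabled
    # server, so every endpoint the IdP sends a browser (and an assertion) to must be https.
    for url in summary["reply_urls"] + summary["logout_urls"]:
        if url and urlparse(url).scheme != "https":
            problems.append(f"endpoint is not HTTPS: {url}")
    if not summary["want_assertions_signed"]:
        problems.append("WantAssertionsSigned is not true: metadata does not ask the IdP to sign assertions")
    return problems


if __name__ == "__main__":
    summary = summarize_sp_metadata(SAMPLE_SP_METADATA)
    print("Identifier:", summary["entity_id"])
    print("Reply URL(s):", ", ".join(summary["reply_urls"]))
    for problem in metadata_problems(summary):
        print("PROBLEM:", problem)
```

In the constructed sample the logout endpoint is deliberately plain http, so the script reports it; with a real metadata file, any such finding should be resolved on the server before the import, because Azure will store whatever URLs the file declares.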

Add Intelligent Service Management as Trusted Service Provider in the IdP

Add the metadata that is generated from Intelligent Service Management to your IdP to enable SAML communication between them. For information about generating the metadata, see Configure SAML Single Sign-On in Intelligent Service Management.

Follow these steps on Microsoft Azure Active Directory:

  1. Log in to portal.azure.com, navigate to Enterprise applications, and browse to Active Directory > Enterprise Applications.
  2. Select the newly created Enterprise Application and navigate to the Single sign-on section.
  3. Import the metadata file captured in the earlier step. The Identifier and Reply URL fields are populated from the metadata.
  4. Navigate to Users and groups to assign users to the application. (This step allows the assigned users to single sign on to the ISM application.)

Intelligent Service Management is added as a trusted service provider in your IdP.

Configure Identity Provider to Send User Identifier as Name ID

After configuring your IdP and Intelligent Service Management to trust assertions, set up the attribute statement for the SAML assertion. This attribute statement is used to identify a user. Use a unique identifier for each user, such as the User Principal Name or email ID.

Follow these steps on Microsoft Azure Active Directory:

  1. Log in to portal.azure.com and navigate to Enterprise applications.
  2. Map the User Identifier to user.userprincipalname.

Single Sign-On is configured for Intelligent Service Management with Microsoft Azure Active Directory as the IdP.
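With user.userprincipalname mapped as the identifier, the NameID in each assertion carries the UPN that Intelligent Service Management uses to identify the user. The following Python script is an added example, not code from the article or from Intelligent Service Management; it shows the checks a service provider applies to an incoming assertion before acting on that NameID: the Issuer matches the configured tenant (assumed here to have Azure AD's https://sts.windows.net/{tenant-id}/ form), the assertion is inside its NotBefore/NotOnOrAfter window, the Audience is this service provider's entity ID, and a Signature element is present. The tenant ID, entity ID and the response itself are constructed placeholders. The XML signature is not verified here; that verification, against the IdP certificate entered in the SSO configuration, is what actually makes the assertion trustworthy.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholders constructed for this example; take the real values from the Azure
# portal (Directory ID) and from your instance's metadata (entityID).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
SP_ENTITY_ID = "https://ism.example.com/saml/metadata"

# Constructed sample in the shape Azure AD produces. The Signature element is an
# empty placeholder: this example checks the claims, not the XML signature.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_response1" Version="2.0" IssueInstant="2019-06-01T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
  <saml:Assertion ID="_assertion1" Version="2.0" IssueInstant="2019-06-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"/>
    <saml:Subject>
      <saml:NameID>jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-06-01T11:55:00Z" NotOnOrAfter="2019-06-01T13:00:00.000Z">
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO-8601; Azure AD may add fractional seconds."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, tenant_id: str, sp_entity_id: str, now: datetime) -> dict:
    """Check issuer, signature presence, time window, audience and NameID."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "problems": ["response carries no Assertion"], "name_id": None}

    # 1. Issuer must be this tenant's issuer; otherwise an assertion minted for a
    #    different tenant could be accepted.
    expected_issuer = f"https://sts.windows.net/{tenant_id}/"
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} is not the configured tenant")

    # 2. The assertion must be signed. Verifying the signature against the IdP
    #    certificate pasted into the SSO configuration is the SP's job; not done here.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")

    # 3. Time window and audience: a replayed old assertion, or a valid one issued
    #    for another application, must be rejected.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("assertion has no Conditions")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            problems.append("assertion is not yet valid")
        if not_on_or_after and now >= parse_saml_time(not_on_or_after):
            problems.append("assertion has expired")
        audiences = [a.text.strip() for a in
                     conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if sp_entity_id not in audiences:
            problems.append(f"audience {audiences} does not include this service provider")

    # 4. NameID is the user identifier; with user.userprincipalname mapped it is UPN-shaped.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        problems.append("no NameID in Subject")
    elif "@" not in name_id:
        problems.append(f"NameID {name_id!r} is not a User Principal Name")

    return {"ok": not problems, "problems": problems, "name_id": name_id or None}


def validate_sample(now_iso: str) -> dict:
    """Run the constructed sample response through the checks at the given UTC time."""
    return validate_assertion(SAMPLE_RESPONSE, TENANT_ID, SP_ENTITY_ID, parse_saml_time(now_iso))


if __name__ == "__main__":
    print(validate_sample("2019-06-01T12:30:00Z"))   # inside the window: ok
    print(validate_sample("2019-06-01T13:30:00Z"))   # after NotOnOrAfter: expired
```

The same sample fails when it is evaluated after its NotOnOrAfter time, when a different tenant ID is configured, or when the audience is another application's entity ID, which is the behaviour to expect from the service provider once the trust described in this article is in place.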

© 2019 Serviceaide 1-650-206-8988 http://www.serviceaide.com info@serviceaide.com