SSO Settings
If the SSO Settings option is enabled, users can automatically log in to ADSelfService Plus by simply logging in to their Windows machine or through a third-party identity provider.
ADSelfService Plus supports single sign-on (SSO) with two types of authentication:
- NTLM Authentication
- SAML Authentication
1. NTLM Authentication:
In this method of authentication, users log in to the ADSelfService Plus web console using the same credentials they used to log in to their machine. To enable NTLM authentication, follow the steps below.
Important: ADSelfService Plus' access URL must be associated with the local intranet sites for automatic logon.
- Navigate to Admin → Customize → Logon Settings → Single sign-On.
- Click the Enable SSO checkbox to enable SSO in ADSelfService Plus.
- Select NTLM Authentication.
- To use the NTLM authentication service, a computer account that is not associated with any physical computer in your network has to be created in AD with a specific password that meets the AD password policy. Click Configure Now to provide the details of the computer account. NTLM authentication is domain-based, so it can be enabled for a select set of domains of your choice.
- If you already have such a computer account, type the Computer Name and its Password in the fields provided. You can also create a new computer account by providing the required details and selecting the Create this computer account in the domain checkbox. Enable or disable the computer accounts by clicking the enable/disable button.
- Click Save.
- If you've installed ADSelfService Plus on a machine that does not belong to the domain you've chosen, click the Advanced button and specify the DNS Server and DNS Site of the domain.

A. Finding the IP address of the DNS servers
- From a machine that belongs to the domain you've selected, open the command prompt, type "ipconfig /all", and press Enter.
- Enter the IP address displayed under DNS Servers in the respective field in ADSelfService Plus.

B. Finding the DNS site
- Navigate to Active Directory Sites and Services.
- Enter the DNS Site containing the domain controller of the selected domain in the respective field in ADSelfService Plus.

C. Adding sites to the local intranet zone
There are two ways to apply the required configuration:
Method 1: Using a group policy (supported on Google Chrome and Internet Explorer)
- Create a new Group Policy Object and navigate to User Configuration → Administrative Templates → Windows Components → Internet Explorer → Internet Control Panel → Security Page → Site to Zone Assignment List. Select Enable.
- Click Show to display the zone assignments. Enter the access URL in Value name, associate it with the trusted sites by entering "1" in Value, then click OK.
- Navigate to User Configuration → Administrative Templates → All Settings → Logon options. Select Enable.
- From the Logon options list, click Automatic logon only in Intranet zone, then click OK.
Method 2: Manual configuration
1. Google Chrome:
- Navigate to Settings → Advanced drop-down → System module → Open proxy settings.
- Click the Security tab and select the Local intranet icon.
- Click the Sites button, enter the access URL of ADSelfService Plus in the required field, and click Add.
2. Internet Explorer:
- Navigate to Tools → Internet Options → Security.
- Click the Security tab and select the Local intranet icon.
- Click the Sites button, enter the access URL of ADSelfService Plus in the required field, and click Add.
3. Mozilla Firefox:
- Type "about:config" in the address bar and press Enter to display the list of preferences. If a warning message is displayed, click I accept the risk to proceed.
- Navigate to the network.automatic-ntlm-auth.trusted-urls preference.
- Double-click the preference and enter the access URL of ADSelfService Plus (e.g. selfservice-5994:8888).
- Click OK.
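To check what Method 1 or Method 2 actually wrote for a given Windows user, the following added PowerShell script (not part of the product documentation) reads the zone assignment and the Local intranet logon option from the registry and reports whether silent NTLM logon to the access URL can happen. The registry locations are assumptions stated in the comments, and the access URL is a constructed placeholder.

```powershell
# Added audit helper, not from the ADSelfService Plus documentation. It reads the zone
# settings written by Method 1 (policy) or Method 2 (manual) for the current user and
# reports whether the browser may send NTLM credentials to the access URL silently.
# Assumptions: run as the user to be logged on automatically; the URL is a constructed placeholder.
param([string]$AccessUrl = 'http://selfservice-5994:8888')
$uri        = [Uri]$AccessUrl
$policyRoot = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$userRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-SiteZone {
    # Method 1 stores one string value per site under ZoneMapKey (name = site, data = zone).
    # Method 2 stores ZoneMap\Domains\<domain>[\<label>]\<scheme> = zone (assumed layout).
    param([string]$HostName, [string]$Scheme)
    $pol = Get-ItemProperty -Path (Join-Path $policyRoot 'ZoneMapKey') -ErrorAction SilentlyContinue
    foreach ($p in $pol.PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and $p.Name -like "*$HostName*") { return [int]$p.Value }
    }
    $labels = $HostName.Split('.')
    $paths  = @("ZoneMap\Domains\$HostName")
    if ($labels.Count -gt 2) {
        $paths += "ZoneMap\Domains\$($labels[-2..-1] -join '.')\$($labels[0..($labels.Count - 3)] -join '.')"
    }
    foreach ($rel in $paths) {
        $v = Get-ItemProperty -Path (Join-Path $userRoot $rel) -Name $Scheme -ErrorAction SilentlyContinue
        if ($null -ne $v) { return [int]$v.$Scheme }
    }
    return $null
}

function Get-IntranetLogonOption {
    # Value 1A00 of zone 1: 0x0 = auto logon with current credentials, 0x10000 = prompt,
    # 0x20000 = automatic logon only in Intranet zone, 0x30000 = anonymous. Policy hive wins.
    foreach ($root in @($policyRoot, $userRoot)) {
        $v = Get-ItemProperty -Path (Join-Path $root 'Zones\1') -Name '1A00' -ErrorAction SilentlyContinue
        if ($null -ne $v) { return [int]$v.'1A00' }
    }
    return -1   # not set explicitly: the zone default applies
}

$zone = Get-SiteZone -HostName $uri.Host -Scheme $uri.Scheme
if ($zone -eq 1) { "OK: $($uri.Host) is in the Local intranet zone (1)" }
else { "WARNING: $($uri.Host) is not in the Local intranet zone (found: $zone); no silent NTLM logon" }
switch (Get-IntranetLogonOption) {
    0x20000 { 'Logon option: automatic logon only in Intranet zone (the option selected in Method 1)' }
    0       { 'Logon option: automatic logon with current user name and password' }
    0x10000 { 'WARNING: logon option prompts for credentials; users will see a login dialog' }
    0x30000 { 'WARNING: logon option is anonymous; NTLM credentials are never sent' }
    default { 'Logon option not set explicitly; the Local intranet default applies' }
}
```

Firefox keeps its own list in network.automatic-ntlm-auth.trusted-urls and is not covered by these registry keys.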
2. SAML Authentication:
In this method of authentication, users log in to the ADSelfService Plus web console using the credentials of a SAML-based identity provider.
After the SAML-based SSO option is enabled, every time a user attempts to access the ADSelfService Plus web console, the IdP receives the authentication request. The IdP authenticates the user, and after successful authentication the user is automatically logged in to the ADSelfService Plus portal. If the user is already logged in to the identity provider, they are granted access automatically when they try to access ADSelfService Plus.
Prerequisites:
- Log in to the ADSelfService Plus web console as an administrator. Navigate to Admin → Customize → Logon settings → Single sign-On. Click the Enable SSO checkbox and the SAML Authentication button. Copy the ACS URL/Recipient URL and the Relay State URL.
- The SAML-based identity provider that you intend to use must have ADSelfService Plus as one of its supported SAML applications. If it is not supported by default, you can add ADSelfService Plus as a new application in your identity provider. Find the steps to add a new application in Okta, OneLogin, ADFS and Line Works by clicking on the respective links. For other identity providers, contact their support team for further assistance.
- Log in to your identity provider with admin credentials, and navigate to ADSelfService Plus in the list of applications provided. Either download the Metadata in XML format, or get the required data by copying the Issuer URL/Entity ID, IdP Login URL, IdP Logout URL, and X.509 certificate. You'll need this information while configuring ADSelfService Plus for logon SSO.
Service Provider Configuration (ADSelfService Plus)
- Navigate to Admin → Customize → Logon settings → Single sign-On.
- Check the Enable SSO checkbox to enable SSO in ADSelfService Plus.
- Click the SAML Authentication button to enable SAML configuration in your domain.
- Select the identity provider of your choice in the Select IdP drop-down. If you have selected Custom SAML from the drop-down, you must type in the IdP name and upload the IdP logo in the respective fields.
- There are two SAML Configuration Modes: Upload Metadata File and Manual Configuration.
- Select Upload Metadata File if you have downloaded the IdP metadata file from the identity provider.
- Click Browse to upload the IdP metadata file.
- Select Manual Configuration to manually configure the URLs and certificates.
- Enter the Issuer URL/Entity ID URL obtained from the identity provider in the respective field (see step 3 of Prerequisites).
- In the IdP Login URL field, enter the Login URL obtained from the identity provider (see step 3 of Prerequisites).
- In the space provided for X.509-Certificate, enter the public certificate fetched from the identity provider (see step 3 of Prerequisites).
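The values listed in step 3 of the Prerequisites and typed into the Manual Configuration fields above can be pulled out of the IdP metadata file instead of copied by hand. The following PowerShell example is added here and is not the product's own code; the metadata, IdP URLs and certificate in it are constructed placeholders.

```powershell
# Added example, not from the ADSelfService Plus documentation: extracts the values the
# Manual Configuration fields need (Issuer URL/Entity ID, IdP Login URL, IdP Logout URL,
# X.509 certificate) from an IdP metadata file. The metadata here is a constructed sample;
# for real use, read the file downloaded from the identity provider with Get-Content -Raw.
$sampleMetadata = @'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
'@

function Get-IdpSettings {
    param([xml]$Metadata)
    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    # SP metadata has an entityID too; only IdP metadata carries an IDPSSODescriptor.
    $idp = $Metadata.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
    if ($null -eq $idp) { throw 'Not IdP metadata: no IDPSSODescriptor element' }
    # Use the signing certificate (a KeyDescriptor with no "use" serves both purposes);
    # an encryption-only certificate pasted into the X.509 field makes every response fail validation.
    $cert = $idp.SelectSingleNode('md:KeyDescriptor[@use="signing" or not(@use)]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
    if ($null -eq $cert) { throw 'No signing certificate in metadata' }
    $certB64 = $cert.InnerText -replace '\s', ''
    # Confirm the certificate parses and is still valid before it is pasted into ADSelfService Plus.
    try {
        $x = [Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($certB64))
        if ($x.NotAfter -lt (Get-Date)) { Write-Warning "IdP signing certificate expired on $($x.NotAfter)" }
    } catch { Write-Warning "Certificate did not parse (expected for this constructed sample): $($_.Exception.Message)" }
    # Most IdPs publish one SSO Location for both bindings; prefer HTTP-Redirect, else take the first.
    $sso = $idp.SelectSingleNode('md:SingleSignOnService[@Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"]', $ns)
    if ($null -eq $sso) { $sso = $idp.SelectSingleNode('md:SingleSignOnService', $ns) }
    if ($null -eq $sso) { throw 'No SingleSignOnService in metadata' }
    $slo = $idp.SelectSingleNode('md:SingleLogoutService', $ns)   # absent when the IdP offers no Single Logout
    $logoutUrl = if ($null -ne $slo) { $slo.GetAttribute('Location') } else { $null }
    [pscustomobject]@{
        IssuerUrlEntityId = $Metadata.DocumentElement.GetAttribute('entityID')
        IdpLoginUrl       = $sso.GetAttribute('Location')
        IdpLogoutUrl      = $logoutUrl
        X509Certificate   = $certB64
    }
}
Get-IdpSettings -Metadata ([xml]$sampleMetadata) | Format-List
```

With the constructed sample the certificate check prints a warning on purpose; with a real metadata file it stays silent unless the certificate is malformed or expired, which is worth knowing before Save rather than after the first failed login.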

Important:
By default, ADSelfService Plus utilizes the same SAML authentication configuration for SSO during login and multi-factor authentication (MFA) during password self-service. This means that the SAML configurations you complete for logon SSO settings will automatically be used for MFA if the latter is enabled.
- Select the Sign SAML Logout Request option to sign the logout request that goes from ADSelfService Plus to the SAML-based identity provider.
- Select the Sign SAML Logout Response option to sign the logout response that goes from ADSelfService Plus to the SAML-based identity provider.
- Click Save.
Important:
- When the Single Logout option is configured and a user logs out of ADSelfService Plus, the user is automatically logged out from the identity provider, and vice versa.
- To enable Single Logout in ADSelfService Plus, you need to configure this feature in your SAML-based identity provider. Click on the respective links for the steps to configure this feature in Okta, OneLogin, ADFS, and LineWorks. For other identity providers, contact their support team for further assistance.