ServiceDesk Plus SAML Single Sign-On (SSO)

ServiceDesk Plus is Help Desk Software with integrated asset & project management from ManageEngine.

ServiceDesk Plus offers both IdP-initiated SAML SSO (for SSO access through the user portal or CyberArk mobile applications) and SP-initiated SAML SSO (for SSO access directly through the ServiceDesk Plus web application). You can configure ServiceDesk Plus for either or both types of SSO. Enabling both methods ensures that users can log in to ServiceDesk Plus in different situations such as clicking through a notification email.
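To make the difference between the two flows concrete, here is what the SP-initiated leg looks like on the wire. This is an added example, not ServiceDesk Plus or CyberArk Identity code: the service provider builds a SAML AuthnRequest, DEFLATE-compresses and base64-encodes it, and redirects the browser to the IdP Login URL with it as the SAMLRequest query parameter (HTTP-Redirect binding), carrying the deep link the user originally asked for as RelayState. IDP_LOGIN_URL, SP_ENTITY_ID, SP_ACS_URL and the RelayState value are assumed placeholders; the real Login URL is the one shown on the Trust page.

```python
"""SP-initiated SAML SSO: the AuthnRequest redirect ServiceDesk Plus would
send to the IdP Login URL (HTTP-Redirect binding).

Added example, not ServiceDesk Plus or CyberArk code. The URLs below are
assumed placeholders, not real endpoints.
"""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Assumed placeholder values (substitute the Login URL from the Trust page
# and the entity ID / ACS URL of your ServiceDesk Plus instance).
IDP_LOGIN_URL = "https://pod0.idaptive.app/saml/login/EXAMPLE-APP-KEY"
SP_ENTITY_ID = "https://sdpondemand.manageengine.com/app/EXAMPLE"
SP_ACS_URL = "https://sdpondemand.manageengine.com/app/EXAMPLE/saml/acs"


def build_authn_request(issuer, acs_url, destination, request_id=None, issue_instant=None):
    """Minimal SAML 2.0 AuthnRequest asking the IdP to post the response to acs_url."""
    # xs:ID values must not start with a digit, hence the leading underscore.
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS_SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "AllowCreate": "true",
    })
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(idp_login_url, authn_request_xml, relay_state=None):
    """Encode the request per the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        # RelayState lets the SP return the user to the page they started on
        # (for example a link in a notification email) after the IdP responds.
        params["RelayState"] = relay_state
    sep = "&" if urlsplit(idp_login_url).query else "?"
    return idp_login_url + sep + urlencode(params)


def decode_saml_request(url):
    """Reverse the binding: what the IdP (or a tester with an intercepting proxy) sees."""
    qs = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")
    return ET.fromstring(xml), qs.get("RelayState", [None])[0]


if __name__ == "__main__":
    xml = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_LOGIN_URL)
    url = redirect_binding_url(IDP_LOGIN_URL, xml, relay_state="/example-deep-link")
    print(url)
    root, relay = decode_saml_request(url)
    print(root.get("ID"), root.get("AssertionConsumerServiceURL"), relay)
```

The request above is unsigned; the Redirect binding also allows the SP to sign it with SigAlg and Signature query parameters, and whether CyberArk Identity requires signed requests for this application is not stated on this page. In an IdP-initiated login none of this happens: the user starts in the user portal and the IdP posts a SAML Response straight to the SP, which is why only SP-initiated SSO can preserve a deep link.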

ServiceDesk Plus requirements for SSO

Before you configure the ServiceDesk Plus web application for SSO, you need the following:

  • An active ServiceDesk Plus account with administrator rights for your organization.

  • A signed certificate. You can either download one from the Identity Administration portal or use your organization’s trusted certificate.

  • Contact ServiceDesk Plus to request that they add pod0.idaptive.app to the domain in config_override.php.

Set up the certificates for SSO

To establish a trusted connection between the web application and CyberArk Identity, you need to have the same signing certificate in both the application and the application settings in the Identity Administration portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file on the application’s Trust page in the Identity Administration portal. You also upload the public key certificate in a .cer or .pem file to the web application.

ServiceDesk Plus specifications

Each SAML application is different. The following table lists features and functionality specific to ServiceDesk Plus.

Capability | Supported? | Support details
Web browser client | Yes |
Mobile client | No |
SAML 2.0 | Yes |
SP-initiated SSO | Yes |
IdP-initiated SSO | Yes |
Force user login via SSO only | Yes |
Separate administrator login after SSO is enabled | Yes | Only administrators can log in.
User or Administrator lockout risk | No |
Automatic user provisioning | No |
Multiple User Types | Yes | Admin user; End users
Self-service password | Yes | Users can reset their own passwords. Resetting another user’s password requires administrator rights.
Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Identity Administration portal Policy page to restrict access to the application.

Configure ServiceDesk Plus for single sign-on

The following steps are specific to this application and are required in order to enable SSO. For information on optional configuration settings available in the Identity Administration portal, see Configure optional application settings.

To configure ServiceDesk Plus for SSO:

  1. In the Identity Provider Configuration area of the Trust page, expand the certificate area and select the certificate that you want to use for the application, then click Download.

  2. On the Identity Administration portal's Settings page, specify the following settings:

    Name: The name of the application as you want it to appear in your users' User Portal.

    Description: A description of the application that appears when users hover over the icon in the User Portal.

    Category: The default grouping for the application in the user portal. Users can create a tag that overrides the default grouping.

    Logo: The logo for the application as you want it to appear in your users' User Portal.

    Application ID: Configure this field only if you are deploying a mobile application that uses the CyberArk mobile SDK. CyberArk Identity uses the Application ID to provide single sign-on to mobile applications. Note the following:

      • The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.

      • There can only be one SAML application deployed with the name used by the mobile application.

      • The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

    Show in User app list: Select this option to display the web application in the user portal (selected by default). If the web application is added only to provide SAML for a corresponding mobile app, deselect it so the web application is not shown to users in the user portal.

    On enrolled mobile devices, open this application in the built-in browser (required for Derived Credential login): Refer to CyberArk-issued derived credentials for more information.

  3. Open a new tab in your web browser.

    It is helpful to open the web application and the Identity Administration portal simultaneously to copy and paste settings between the two browser windows.
  4. In your web browser, go to the following URL and sign in:

    https://sdpondemand.manageengine.com
  5. Click your username at the top of the screen, then select My Account.

    The Accounts home page appears.

  6. Click Preferences, then select the SAML Authentication tab.

  7. Select Enabled from the Status drop-down menu.
  8. Click Edit.
  9. In the Identity Provider Configuration area of the Trust page, copy the Login and Logout URLs from the Identity Administration portal and paste them into the ServiceDesk Plus Login URL and Logout URL fields.

    The Logout URL is also used for the ServiceDesk Change Password URL field.

  10. In the ServiceDesk Plus browser tab, click Get key from file, then choose the certificate that you downloaded in step 1 and upload it to ServiceDesk Plus.

  11. Save your SAML Authentication configuration in ServiceDesk.
  12. Save your configuration in the Identity Administration portal.
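The trust relationship set up in steps 1 and 10 rests on one thing: the certificate uploaded to ServiceDesk Plus must be byte-for-byte the signing certificate selected on the Trust page, and every SAML Response the IdP sends must be signed with that key. The following added check is not ServiceDesk Plus or CyberArk code; it normalizes the PEM as downloaded from the portal and as it comes back out of the SP (different line wrapping, CRLF, or a bare base64 body), compares SHA-256 fingerprints, and then checks that the certificate embedded in a captured SAML Response is the pinned one rather than a rotated or foreign certificate. The certificate bytes and the SAML Response are constructed placeholders (not a real X.509 certificate, not a real CyberArk Identity response).

```python
"""Pin check for the IdP signing certificate configured in ServiceDesk Plus.

Added example, not ServiceDesk Plus or CyberArk code. CONSTRUCTED_DER and
the SAML Response built below are constructed placeholders; in practice feed
in the .cer/.pem downloaded from the Trust page and the SAMLResponse form
parameter captured from a login.
"""
import base64
import hashlib
import re
import textwrap
from xml.etree import ElementTree as ET

NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholders standing in for DER-encoded certificate bytes.
CONSTRUCTED_DER = b"constructed placeholder, not a real X.509 certificate, v1"
CONSTRUCTED_DER_ROTATED = b"constructed placeholder, not a real X.509 certificate, v2"


def _pem(der: bytes, width: int = 64, newline: str = "\n") -> str:
    body = base64.b64encode(der).decode("ascii")
    lines = ["-----BEGIN CERTIFICATE-----", *textwrap.wrap(body, width), "-----END CERTIFICATE-----"]
    return newline.join(lines) + newline


# The file downloaded from the Trust page (step 1).
PEM_FROM_PORTAL = _pem(CONSTRUCTED_DER)
# The same certificate as an SP might export it: CRLF line endings, wrapped at 76.
PEM_AS_UPLOADED = _pem(CONSTRUCTED_DER, width=76, newline="\r\n")
# A rotated certificate that was never uploaded to the SP.
PEM_ROTATED = _pem(CONSTRUCTED_DER_ROTATED)


def pem_to_der(text: str) -> bytes:
    """Accept a PEM file or the bare base64 body some SP admin pages store."""
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", text)
    body = re.sub(r"\s+", "", body)
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the value most SP/IdP consoles display."""
    return hashlib.sha256(der).hexdigest()


def certs_match(pem_a: str, pem_b: str) -> bool:
    return fingerprint(pem_to_der(pem_a)) == fingerprint(pem_to_der(pem_b))


def cert_from_saml_response(saml_response_b64: str) -> bytes:
    """Pull the certificate the IdP embedded in ds:KeyInfo of a SAML Response."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find(f".//{{{NS_DS}}}X509Certificate")
    if node is None or not node.text:
        raise ValueError("no ds:X509Certificate in response")
    return pem_to_der(node.text)


def check_response_certificate(saml_response_b64: str, pinned_pem: str):
    """Return (match, pinned_fingerprint, fingerprint_seen_in_response)."""
    pinned = fingerprint(pem_to_der(pinned_pem))
    seen = fingerprint(cert_from_saml_response(saml_response_b64))
    return pinned == seen, pinned, seen


def _constructed_saml_response(der: bytes) -> str:
    """Constructed SAML Response carrying only the elements this check reads.
    The SignatureValue is a placeholder, so this response would never verify;
    it exists solely to exercise the certificate-pin comparison."""
    cert_b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="{NS_DS}" ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{cert_b64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


SAML_RESPONSE_B64 = _constructed_saml_response(CONSTRUCTED_DER)
SAML_RESPONSE_ROTATED_B64 = _constructed_saml_response(CONSTRUCTED_DER_ROTATED)

if __name__ == "__main__":
    print("uploaded copy matches portal download:", certs_match(PEM_FROM_PORTAL, PEM_AS_UPLOADED))
    print("rotated cert matches portal download:", certs_match(PEM_FROM_PORTAL, PEM_ROTATED))
    print("response signed with pinned cert:", check_response_certificate(SAML_RESPONSE_B64, PEM_FROM_PORTAL)[0])
    print("rotated response accepted:", check_response_certificate(SAML_RESPONSE_ROTATED_B64, PEM_FROM_PORTAL)[0])
```

This only confirms that the certificate in the response is the pinned one; it does not verify the XML signature, which the SP must do with an XML-DSig library using the pinned certificate as the trust anchor. An SP that instead trusts whatever certificate arrives inside ds:KeyInfo accepts responses from anyone who can sign XML, so when you rotate the certificate on the Trust page, repeat step 10 before the old one expires or logins will fail.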