<style>p { margin: 0; }span.fr-emoticon.fr-emoticon-img { background-repeat: no-repeat !important; font-size: inherit; height: 1em; width: 1em; min-height: 20px; min-width: 20px; display: inline-block; margin: -0.1em 0.1em 0.1em; line-height: 1; vertical-align: middle; } span.fr-emoticon { font-weight: normal; font-family: "Apple Color Emoji", "Segoe UI Emoji", "NotoColorEmoji", "Segoe UI Symbol", "Android Emoji", "EmojiSymbols"; display: inline; line-height: 0; } blockquote { border-left: solid 2px #5e35b1; color: #5e35b1; margin-left:0; padding-left:5px;}blockquote blockquote{ border-color: #00bcd4; color: #00bcd4;}blockquote blockquote blockquote{ border-color: #43a047; color: #43a047;} table.grid{ border-collapse: collapse;} table.grid td, table.grid th { border: 1px solid #ddd;} .fr-fic.fr-dib{ display: block; margin: 5px auto;}.fr-fic.fr-dib.fr-fir{ text-align: right; margin: 5px 0 5px auto;}.fr-fic.fr-dib.fr-fil{ text-align: left; margin: 5px auto 5px 0;}.fr-fic.fr-dii{ float: none; margin: 5px auto;}.fr-fic.fr-dii.fr-fil{ float: left; margin: 5px auto;}.fr-fic.fr-dii.fr-fir{ float: right; margin: 5px auto;}img.fr-dib.fr-fir { margin-right: 0; text-align: right;}img.fr-dib.fr-fil { margin-left: 0; text-align: left;}img.fr-dib { margin: 5px auto; display: block; float: none;}img.fr-bordered { box-sizing: content-box; border: solid 5px #CCC;}img.fr-shadow { box-shadow: 10px 10px 5px 0px #cccccc;}img.fr-rounded { border-radius: 10px; -moz-border-radius: 10px; -webkit-border-radius: 10px; -moz-background-clip: padding; -webkit-background-clip: padding-box; background-clip: padding-box;}</style><p><strong>In this guide we will cover:</strong></p><p><strong>- Requirements</strong></p><p><strong>- Adding a Relying Party Trust</strong></p><p><strong>- Creating Claim Rules</strong></p><p><strong>- Adjusting the Trust Settings</strong></p><p><strong>- Configuring Halo</strong></p><p><br></p><p><br></p><p><span style="font-size: 14pt;"><strong>Requirements</strong></span></p><p>To use ADFS to log in to your Halo instance, you need the following components:</p><p><br></p><ul type="disc"><li>An Active Directory instance in which every user who will sign in to Halo has an email address attribute. The claim rules created later send this address as the SAML Name ID, so a user without one cannot be matched to a Halo account, and two users sharing an address cannot be told apart.</li><li>A server running Windows Server 2012 or 2008. This guide uses screenshots from Server 2012 R2, but similar steps should be possible on other versions.</li></ul><p>After you meet these basic requirements, you need to install ADFS on your server. Configuring and installing ADFS is beyond the scope of this guide, but is detailed in a <a href="http://msdn.microsoft.com/en-us/library/gg188612.aspx" target="_blank" rel="noopener noreferrer"><strong>Microsoft KB article</strong></a>. You can also follow the YouTube video found <a href="https://www.youtube.com/watch?v=tAQ2n-bJ6Vs" target="_blank" rel="noopener noreferrer"><strong>here</strong></a>.</p><p><br></p><p>When you have a fully installed ADFS installation, note down the URL path of the 'SAML 2.0/WS-Federation' endpoint shown in the Endpoints section of AD FS Management. If you chose the defaults for the installation, this will be '/adfs/ls/'. It is used for both the login URL and the logout URL that you enter into Halo later.</p><p><br></p><p><strong><span style="font-size: 14pt;">Adding a Relying Party Trust</span></strong></p><p>At this point you should be ready to set up the ADFS connection with your Halo instance. The connection between ADFS and Halo is defined using a Relying Party Trust (RPT): ADFS acts as the identity provider that issues signed SAML assertions, and Halo is the relying party that consumes them.</p><p>Select the <strong>Relying Party Trusts</strong> folder from <strong>AD FS Management</strong>, and add a new <strong>Standard Relying Party Trust</strong> from the Actions sidebar. 
This starts the configuration wizard for a new trust.</p><p><br></p><p><img border="0" width="602" src="http://halo.haloservicedesk.com/api/attachment/image/8997948d-18e0-4e9d-84bc-c8ecf4881d02" class="fr-fic fr-dii" height="486"></p><p><span style="font-size: 10pt;"><strong>Fig 1. Adding a new relying party trust.</strong></span></p><p><br></p><p>In the <strong>Select Data Source</strong> screen, select the last option, <strong>Enter Data About the Party Manually</strong>.</p><p><br></p><p><img border="0" width="602" src="http://halo.haloservicedesk.com/api/attachment/image/ab918704-e309-43bf-b16e-8d79cb4666bf" class="fr-fic fr-dii" height="486"></p><p><strong><span style="font-size: 10pt;">Fig 2. Enter data manually option.</span></strong></p><p><br></p><p>On the next screen, enter a <strong>Display name</strong> that you'll recognise in the future, and any notes you want to make.</p><p><br></p><p>On the next screen, select the <strong>AD FS profile</strong> radio button. The AD FS 1.0 and 1.1 profile does not support the SAML 2.0 protocol that Halo uses.</p><p><br></p><p>On the next screen, leave the certificate settings at their defaults. This optional certificate would be used to encrypt tokens for the relying party and is not needed here.</p><p><br></p><p>On the next screen, check the box labelled <strong>Enable Support for the SAML 2.0 WebSSO protocol</strong>. The Relying party SAML 2.0 SSO service URL is your authentication server with '/auth/account/saml' added to the end; this is the HTTPS address that ADFS will POST signed SAML responses to. You can find your authentication server by going to Configuration > Integrations > HaloITSM API (or HaloPSA API or Halo ServiceDesk API depending on your product).</p><p><br></p><p>On the next screen, add a Relying party trust identifier of subdomain.Halo.com, replacing subdomain with your Halo subdomain if you are hosted. 
If you are not hosted, use your usual instance URL with no http / https.</p><p><br></p><p><em><strong>Note: ADFS compares this identifier with the Issuer value in the SAML request that Halo sends, and the two must match exactly. If you enter subdomain.Halo.com and receive a request failure error, you may need to enter the identifier as <a href="https://subdomain.Halo.com">https://subdomain.Halo.com</a> instead.</strong></em></p><p><br></p><p>On the next screen, you may configure multi-factor authentication, but this is beyond the scope of this guide.</p><p><br></p><p>On the next screen, select the <strong>Permit all users to access this relying party</strong> radio button. This lets any account that can authenticate to ADFS obtain a token for Halo; if you want to limit SSO to a particular group, you can replace this later with an issuance authorization rule that permits users based on an incoming group claim.</p><p><br></p><p>On the next two screens, the wizard will display an overview of your settings. On the final screen use the Close button to exit and open the Claim Rules editor.</p><p><br></p><p><strong><span style="font-size: 14pt;">Creating Claim Rules</span></strong></p><p>Once the relying party trust has been created, you can create the claim rules and update the RPT with the minor changes that aren't set by the wizard. Two rules are needed: one that reads the user's email address from Active Directory, and one that turns that address into the SAML Name ID that Halo uses to identify the user. By default the claim rule editor opens as soon as you have created the trust. If not, you can add the claim rules by selecting 'Edit Claim Issuance Policy...' from the sidebar after clicking on the Relying Party Trust you created:</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImZlM2IzMjQxLTYxMTEtNGE3NC1iMzU2LTI5MTU2YTYyYTg4MCJ9.WdeXW1sgH-ja70snOXAbyb8JhFOr25veL-2yfHol0jc" class="fr-fic fr-fil fr-dib" width="731" style="width: 733px; height: 497.679px;" height="498"></p><p><span style="font-size: 10pt;"><strong>Fig 3. Edit Claim Issuance Policy option.</strong></span></p><p><br></p><p>To create a new rule, click on Add Rule. 
Create a <strong>Send LDAP Attributes as Claims</strong> rule and give it a name you will recognise.</p><p><br></p><p>On the next screen, using Active Directory as your attribute store, do the following:</p><p><br></p><ol><li>From the LDAP Attribute column, select E-Mail-Addresses (the Active Directory <em>mail</em> attribute).</li><li>From the Outgoing Claim Type column, select E-Mail Address.</li></ol><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImQ1ZTBjNDg0LTBjY2QtNGUzZS05MDlkLTFiZTc4ZmY0MWU4ZCJ9.rmEOzAShLT5f_yvo60TsKohOxvcIGf5dYPk1CRl1i-w" class="fr-fic fr-fil fr-dib" width="748" style="width: 750px; height: 508.54px;" height="509"></p><p><strong><span style="font-size: 10pt;">Fig 4. Editing the rule.</span></strong></p><p><br></p><p>Click on OK to save the new rule.</p><p><br></p><p>Create <strong>another new rule</strong> by clicking Add Rule, this time selecting <strong>Transform an Incoming Claim</strong> as the template.</p><p><br></p><p>On the next screen:</p><p><br></p><ol><li>Select E-mail Address as the Incoming Claim Type.</li><li>For Outgoing Claim Type, select Name ID.</li><li>For Outgoing Name ID Format, select Email.</li></ol><p>Leave the rule at the default of <strong>Pass through all claim values</strong>, so that the email address is copied into the Name ID unchanged.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijg1Y2UyNmFkLWVmOTctNGU4OS1hOWM3LTc1YTQ3MWMyYmYxOSJ9.d2xPf4FYeMUxwYKqMN-fr2nMxR0W8JjBK8HJphk0clY" class="fr-fic fr-fil fr-dib" width="742" style="width: 744px; height: 506.259px;" height="506"></p><p><strong><span style="font-size: 10pt;">Fig 5. 
Editing the second rule.</span></strong></p><p><br></p><p>Finally, click OK to create the claim rule, and then OK again to finish creating rules.</p><p><br></p><p><strong><span style="font-size: 14pt;">Adjusting the Trust Settings</span></strong></p><p>You still need to adjust a few settings on your relying party trust.</p><p><br></p><p>To access these settings, select Properties from the Actions sidebar while you have the RPT selected.</p><p><br></p><ul><li>In the Advanced tab, make sure SHA-256 is specified as the secure hash algorithm. New trusts on these ADFS versions default to SHA-1, which is deprecated for signing and should not be used for the SAML responses sent to Halo.</li><li>In the Endpoints tab, click on Add SAML to add a new endpoint.<ul style="list-style-type: disc;"><li>For the Endpoint type, select SAML Logout.</li><li>For the Binding, choose POST.</li><li>For the Trusted URL, create a URL using:<br> 1. The web address of your ADFS server<br> 2. The ADFS SAML endpoint you noted earlier<br> 3. The string '?wa=wsignout1.0'<br> The URL should look something like this: https://sso.yourdomain.tld/adfs/ls/?wa=wsignout1.0.</li></ul></li></ul><p>Confirm your changes by clicking OK on the endpoint and the RPT properties. You should now have a working RPT for Halo.</p><p><br></p><p><em><strong>Note: Your instance of ADFS may have security settings in place that require all Federation Service Properties to be filled out and published in the metadata. Check with your team to see whether this applies to your instance. If it does, be sure to tick the Publish organization information in federation metadata box.</strong></em></p><p><br></p><p><strong><span style="font-size: 14pt;">Configuring Halo</span></strong></p><p>Navigate to Configuration > Integrations > AD FS (SAML 2.0) within Halo.</p><p><br></p><p>Fill in your Login URL with the URL your users use to log in to your AD FS server, that is, the ADFS host followed by the SAML 2.0/WS-Federation endpoint you noted earlier. 
Usually this follows the format: ‘https://sso.company.com/adfs/ls’.</p><p>The logout URL usually follows the format: ‘https://sso.company.com/adfs/ls/?wa=wsignout1.0’, matching the SAML Logout endpoint you added to the trust.</p><p><br></p><p>Halo also needs the public part of the ADFS Token-Signing certificate, which it uses to verify the signature on every SAML response it receives; the private key stays on the ADFS server. You can run the below PowerShell script on the ADFS server to return the primary Token-Signing certificate in the PEM format required by Halo:</p><p><br></p><div style="background: linear-gradient(135deg, #e6f2ff, #cce6ff); color: #333; font-family: Consolas, 'Courier New', monospace; padding: 20px; border-radius: 8px; box-shadow: 0 4px 8px rgba(0, 0, 0, 0.1); white-space: pre-wrap; overflow-x: auto; line-height: 1.5; font-size: 14px;">$formattedBase64 = [Convert]::ToBase64String((Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate.RawData, 'InsertLineBreaks')<br>@"<br>-----BEGIN CERTIFICATE-----<br>$formattedBase64<br>-----END CERTIFICATE-----<br>"@</div><p><br></p><p>Paste the whole output, including the BEGIN and END lines, into the certificate field. If automatic certificate rollover is enabled in ADFS (the default), a new Token-Signing certificate is generated before the current one expires; once it becomes primary, Halo will reject assertions until the certificate stored in Halo is updated, so repeat this step as part of your rollover procedure.</p><p><br></p><p>It is best to leave the automatic redirect tick box unticked until logins and logouts have been tested, so that users can still reach the normal Halo login page while any problem with the ADFS configuration is being fixed.</p><p><br></p><p>You should now have a working <strong>ADFS SSO</strong> implementation for Halo.</p>
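<p>The wizard steps and property changes in this guide can be expressed as one script. The following is an added example, not code from the Halo guide or from Halo or Microsoft: it uses the ADFS PowerShell module on the ADFS server to create the same relying party trust, claim rules, authorization rule, SHA-256 signing setting and SAML endpoints, and then checks the result. The hostnames, identifier and trust name are assumptions taken from the placeholders used in this guide; replace them with your own values.</p>

```powershell
# Added example (not from the Halo guide, Halo or Microsoft): creates the relying
# party trust that the AD FS Management wizard steps in this guide produce.
# Run in an elevated PowerShell on the AD FS server. All hostnames are assumed.
Import-Module ADFS

$haloIdentifier = "subdomain.Halo.com"                            # RPT identifier (assumed); must equal the Issuer Halo sends
$haloAcsUrl     = "https://subdomain.Halo.com/auth/account/saml"  # authentication server + /auth/account/saml (assumed host)
$adfsHost       = "sso.yourdomain.tld"                            # your AD FS server (assumed)
$logoutUrl      = "https://$adfsHost/adfs/ls/?wa=wsignout1.0"     # SAML Logout trusted URL from the guide

# The two claim rules, in AD FS claim rule language. These are what the
# "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" templates
# generate: AD 'mail' attribute -> E-Mail Address claim -> Name ID (email format).
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Halo - email address from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Halo - email address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# "Permit all users to access this relying party": every account that can
# authenticate to AD FS gets a token for Halo. Swap in a group-based rule if
# that is broader than you want.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML endpoints: the assertion consumer service that AD FS POSTs signed
# responses to (the "SAML 2.0 WebSSO" service URL), and the SAML Logout endpoint.
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $haloAcsUrl -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $logoutUrl
)

Add-AdfsRelyingPartyTrust -Name "Halo" `
    -Identifier $haloIdentifier `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -Notes "SAML 2.0 SSO for Halo"

# Verify: identifier, hash algorithm and endpoints of the new trust, and the
# thumbprint of the primary token-signing certificate whose PEM goes into Halo.
$rpt = Get-AdfsRelyingPartyTrust -Name "Halo"
if ($rpt.SignatureAlgorithm -notlike "*rsa-sha256") { throw "Trust 'Halo' is not using SHA-256 signing" }
$rpt | Select-Object Name, Identifier, SignatureAlgorithm | Format-List
$rpt.SamlEndpoints | Select-Object Protocol, Binding, Location | Format-Table -AutoSize
Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object IsPrimary |
    ForEach-Object { "Primary token-signing thumbprint (compare with the certificate pasted into Halo): $($_.Thumbprint)" }
```

<p>The rule text is the same claim rule language that the two wizard templates write, and AllowAllAuzRule is the template behind the Permit all users option, so the result is interchangeable with a trust built by hand; View Rule Language in the claim rule editor shows the same text for a trust created through the wizard. The check at the end throws if the trust was left on SHA-1 and prints the primary Token-Signing thumbprint so that the certificate pasted into Halo can be confirmed against it after each rollover.</p>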