
SAML Setup

Published: 17 Oct 2021|Last updated: 19 Oct 2021

SAML is an open standard for authentication and authorization. Using SAML, a service provider (such as Deskpro) can check with an identity provider (IdP) whether a User is authorized.

SAML is provided by many third-party products, or your organization may have its own SAML IdP. Deskpro is compatible with SAML 2.0.

Warning

Because SAML is a complicated standard, the way it is implemented can vary. Be prepared to experiment with the settings of the IdP and the Deskpro SAML app. We cannot guarantee that Deskpro will work with a particular identity provider.

Note

If you’re using Deskpro On-Premise, you should ensure that SSL is set up on your helpdesk before using SAML authentication.

To set up SAML, you will need to install and configure the SAML authentication app in Deskpro and enter settings for Deskpro into your IdP.

SAML Settings in Deskpro

  1. Go to Agents > Auth & SSO or CRM > User Auth & SSO, depending on whether you want to set up SAML for Agents or Users.

  2. Select SAML from the list of available options.

  3. Find and enter the following URLs, which should be provided by the IdP:

    Single Sign-On Service URL (this may also be called SAML Login URL or SSO URL): this is the URL where Deskpro will redirect the User or Agent for authentication.

    Single Logout Service URL (this may also be called SAML Logout URL or SLO URL): this is used to log Users or Agents out.

    You can also set the Login Button Text.

  4. Some IdPs provide XML metadata describing their service. You can find the URLs in the <md:SingleSignOnService> and <md:SingleLogoutService> elements. You can also enter a URL for the XML metadata and Deskpro will attempt to extract the URLs.

  5. Enter the x509 certificate details: this is used by Deskpro to verify the IdP’s identity. The IdP may provide the full x509 Certificate or the x509 Certificate Fingerprint (SHA1 fingerprint); you only have to enter one of these.

  6. Set the SSO Method; see Understanding SSO Options for details.

  7. Agent authentication only: set the Auto Agent option. This controls which permissions are granted to Agents who log in through SAML and don’t have an existing Deskpro account.

  8. User authentication only: set the Grant Usergroup option. This controls the Usergroup granted to Users who log in through SAML.

  9. Click Add.
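Steps 4 and 5 above (finding the SSO and SLO URLs in the IdP's XML metadata, and entering either the full certificate or its SHA1 fingerprint) can be done by hand, but it is easy to copy the wrong endpoint or the encryption certificate instead of the signing one. The following script is an added example, not Deskpro's own code: it reads IdP metadata, picks the HTTP-Redirect endpoints, keeps only certificates marked for signing, and computes the SHA1 fingerprint over the DER bytes. The metadata is a constructed sample; the entity ID and URLs are placeholders, and the certificate body is the base64 of the bytes "abc" rather than a real certificate, so the resulting fingerprint is reproducible.

```python
"""Pull the IdP settings Deskpro's SAML app asks for out of IdP XML metadata.

Added example, not Deskpro's own code. SAMPLE_METADATA is constructed: the
entity ID and URLs are placeholders and the certificate bodies are base64 of
the bytes b"abc" (signing) and b"xyz" (encryption), not real certificates.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>eHl6</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        YWJj
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso-post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _service_location(idp, tag):
    """Location of an <md:{tag}> endpoint, preferring the HTTP-Redirect binding."""
    endpoints = idp.findall(f"{{{MD_NS}}}{tag}")
    for endpoint in endpoints:
        if endpoint.get("Binding") == HTTP_REDIRECT:
            return endpoint.get("Location")
    return endpoints[0].get("Location") if endpoints else None


def _signing_certs(idp):
    """Base64 bodies of certificates the IdP signs with (use absent or 'signing')."""
    certs = []
    for key_desc in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        # A use="encryption" key is not what verifies the IdP's signatures; skip it.
        if key_desc.get("use") not in (None, "signing"):
            continue
        for cert in key_desc.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append("".join((cert.text or "").split()))  # drop PEM line breaks
    return [c for c in certs if c]


def sha1_fingerprint(cert_b64):
    """Colon-separated SHA1 fingerprint of the DER certificate bytes."""
    der = base64.b64decode(cert_b64)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text):
    """Return the values to enter into Deskpro's SAML app settings."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata describes no IdP (no IDPSSODescriptor)")
    certs = _signing_certs(idp)
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": _service_location(idp, "SingleSignOnService"),
        "slo_url": _service_location(idp, "SingleLogoutService"),
        "x509_certificate": certs[0],
        "sha1_fingerprint": sha1_fingerprint(certs[0]),
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

If the metadata carries more than one signing certificate (an IdP mid-rotation), enter the one whose fingerprint the IdP reports as current; pasting the encryption certificate or an expired signing certificate is the usual reason a correctly configured login still fails signature verification.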

SAML IdP Settings

You will need to enter settings from the Deskpro SAML app into the SAML identity provider.

The exact settings required will vary, but you are likely to need to provide:

Assertion Consumer Service URL (also referred to as ACS or Post Back URL or Recipient or Destination): this is the URL where Deskpro receives the authorization from the IdP. This is displayed after you install the Deskpro SAML app as above.

Single Logout Service URL (this may also be called SLO or SLS URL): this is used to log Users or Agents out. This is displayed after you install the Deskpro SAML app as above.

Metadata URL (also referred to as Entity ID or Audience Restriction): this is a URL that uniquely identifies your helpdesk as a service provider and provides information about it. This is displayed after you install the Deskpro SAML app as above.

SAML IdP Attributes

When the IdP responds to Deskpro, it must return the User attributes in the following format:

Field         Value

email         user or agent email

and either

name          user or agent full name

or

first_name    user or agent first name
last_name     user or agent last name

By default, your IdP may not use these field names, resulting in Users or Agents being created with no name or email information.

This will result in Agents being created with names like ID-2:

../_images/sso-saml-attr-error.png

Most IdPs provide a way to configure the attributes. Set the IdP to return the exact field names above.
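A quick way to confirm what the IdP actually sends before Agents start appearing as ID-2 is to inspect the AttributeStatement of a captured response. The script below is an added example, not Deskpro's own code: it lists the attribute names in a SAML response and checks them against the table above (email, plus either name or both first_name and last_name). The response is a constructed sample with the signature and conditions omitted, and it deliberately uses the attribute names "mail" and "displayName" to show what a misconfigured IdP looks like.

```python
"""Check the attributes in a SAML response against the field names Deskpro expects.

Added example, not Deskpro's own code. SAMPLE_RESPONSE is constructed (no
signature, no conditions) and uses the wrong attribute names on purpose.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="displayName">
        <saml:AttributeValue>Alice Example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def extract_attributes(response_xml):
    """Map each <saml:Attribute Name=...> to its list of non-empty values."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = [v for v in values if v]  # an empty value counts as absent
    return attrs


def check_deskpro_attributes(attrs):
    """Return a list of problems; an empty list means name and email can be filled in."""
    problems = []
    if not attrs.get("email"):
        problems.append("no 'email' attribute: the account would be created without an email address")
    has_full_name = bool(attrs.get("name"))
    has_split_name = bool(attrs.get("first_name")) and bool(attrs.get("last_name"))
    if not (has_full_name or has_split_name):
        problems.append("no 'name' (or 'first_name' and 'last_name'): the account would get a name like ID-2")
    return problems


if __name__ == "__main__":
    received = extract_attributes(SAMPLE_RESPONSE)
    print("attributes received:", ", ".join(sorted(received)))
    for problem in check_deskpro_attributes(received):
        print("problem:", problem)
```

This only looks at attribute names; it does not verify the response signature, which Deskpro does with the certificate entered earlier. The fix for the problems it reports is on the IdP side, as the text says: rename the attributes rather than working around them in the helpdesk.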

Additional User Data

Your usersource may have additional user data beyond the User’s email address and password: for example, employee numbers, location information, etc.

You can set up Deskpro to copy this data into a custom User field so it is available in your helpdesk when you view each User’s profile.

  1. Make sure the authentication app for the desired usersource is installed in Deskpro and working correctly.

  2. If you have an On-Premise helpdesk on Deskpro build #430 or earlier, open config.php in the Deskpro install folder and edit this line:

    $DP_CONFIG['debug']['enable_usersource_log'] = false;

    to say:

    $DP_CONFIG['debug']['enable_usersource_log'] = true;

    This step is not required on later Deskpro versions.

  3. Go to CRM > User Auth & SSO (or Agents > Auth & SSO) and select the app.

  4. Click the Test Settings button. Enter login credentials for a User in the external usersource which you know are valid.

  5. You will see a results page. Click Show user data. You will see an encoded list of values returned from the usersource. Make a note of the field name for the value you want to copy into your helpdesk (ignoring any square brackets around it).

    Here’s a sample excerpt from an Active Directory app:

    ../_images/okta-values.png

    In this case, if you wanted to import the highlighted value, you would use telephonenumber as the field name.

  6. Go to CRM > Fields > User fields. Click the New button and choose the “User Auth Data” field type. Fill in the title and description. In Field Name, enter the name of the field as returned from your usersource in step 4.

    You can optionally choose to make the field specific to a particular authentication app. Click Save.

  7. Repeat for any other data fields you require.

If you edited the $DP_CONFIG['debug']['enable_usersource_log'] value in step 2, change it back to false once you are finished.

Working with Data Collections

If your usersource returns collections of data (e.g., arrays of nested data), you can access sub-elements of a collection by using “dot notation”. For example, given this collection of values:

    [example] => Array
        (
            [inner] => Array
                (
                    [value1] => Hello
                    [value2] => World
                )
        )

You can gain access to the “World” value by using the field name “example.inner.value2”.

If you omit the last part of a collection name, Deskpro will automatically concatenate all values together as a single string.
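The following script is an added example, not Deskpro's own code, showing both halves of what this section and the Additional User Data steps above describe: parsing the bracketed, print_r-style list of values shown under Show user data into a nested structure, and then resolving a Field Name written in dot notation, including the case where the last part is omitted and the values are joined into one string. The sample data is constructed. The page does not say which separator Deskpro puts between concatenated values, so a single space is an assumption here.

```python
"""Resolve Deskpro-style "User Auth Data" field names against usersource output.

Added example, not Deskpro's own code. SAMPLE_USER_DATA is a constructed
print_r-style dump in the layout shown on the page; the space used to join
values when the last part of a name is omitted is an assumption.
"""
import re

SAMPLE_USER_DATA = """Array
(
    [telephonenumber] => +1 555 0100
    [example] => Array
        (
            [inner] => Array
                (
                    [value1] => Hello
                    [value2] => World
                )

        )

)
"""

_ENTRY = re.compile(r"\[([^\]]*)\]\s*=>\s*(.*)$")


def parse_print_r(text):
    """Turn a print_r-style dump into nested dicts keyed by the bracketed names."""
    root = {}
    stack = [root]          # the dict currently being filled
    pending_key = None      # key whose value is an Array opened on the next '(' line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Array":
            continue        # blank lines and the top-level "Array" word carry nothing
        if line == "(":
            if pending_key is not None:
                child = {}
                stack[-1][pending_key] = child
                stack.append(child)
                pending_key = None
            continue        # a '(' with no pending key opens the top-level array
        if line == ")":
            if len(stack) > 1:
                stack.pop()
            continue
        match = _ENTRY.match(line)
        if match is None:
            raise ValueError(f"unexpected line in user data: {raw!r}")
        key, value = match.group(1), match.group(2)
        if value == "Array":
            pending_key = key
        else:
            stack[-1][key] = value
    return root


def _leaf_values(node):
    """All scalar values under a collection, in the order they appear."""
    for value in node.values():
        if isinstance(value, dict):
            yield from _leaf_values(value)
        else:
            yield value


def lookup_auth_field(data, field_name):
    """Resolve a dot-notation field name; None if any part of the path is missing.

    A name that stops at a collection returns all of its values joined by a
    space (assumed separator), mirroring the concatenation the page describes.
    """
    node = data
    for part in field_name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    if isinstance(node, dict):
        return " ".join(_leaf_values(node))
    return node


SAMPLE_DATA = parse_print_r(SAMPLE_USER_DATA)

if __name__ == "__main__":
    for name in ("telephonenumber", "example.inner.value2", "example.inner", "example.missing"):
        print(f"{name!r} -> {lookup_auth_field(SAMPLE_DATA, name)!r}")
```

A field name that does not resolve returns None rather than raising, which matches the failure mode an administrator sees in practice: the custom field simply stays empty, so a typo in the Field Name is best caught by testing the lookup against the Show user data output before saving the field.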
