Create a SAML configuration for your organization

Service Manager Service Portal users log in to an organization (a "tenant") by specifying the Organization ID for the organization in the Service Manager Service Portal login URL. For example, to log in to the Consumer organization, users must enter this URL in a browser:

https://SMSP_HOST:9000/org/CONSUMER

Where SMSP_HOST is the fully qualified host name of the Service Manager Service Portal system, and "CONSUMER" is the Organization ID of the Consumer organization.

Tip: The Organization ID for an organization can be viewed in the Organization Details view in Service Manager Service Portal.

For this reason, in Service Manager Service Portal, a SAML configuration must be associated with an organization. Before you can create a SAML configuration, the organization for which you want to enable SAML SSO must already exist. For example, you can use the out-of-box Consumer organization in a testing environment, or you can create a new organization that contains groups of users with specific roles and permissions.

Note: When enabling SAML SSO for Service Manager by using the Service Manager Service Portal IdM, you must specify the same tenant (that is, the Organization ID of the same organization) in the idm.tenant parameter in the relevant configuration file of each Service Manager client (the Web Tier, SRC, or Mobility Client). For example, if the Organization ID is IDM-SM, the idm.tenant parameter in each Service Manager client must be set to IDM-SM. For more information, see the following topics:

Configure IdM authentication in the Service Manager web tier

Configure IdM authentication in SRC

Configure IdM authentication in the Mobility Client

To create a SAML configuration for your organization, you need the IdP (ADFS) metadata URL:

https://<your ADFS server>/federationmetadata/2007-06/federationmetadata.xml

Note: You may not be able to access the ADFS metadata URL without providing user:password credentials. As a workaround, you can download the metadata XML from your ADFS server and save it in the /var/www/html directory of Service Manager Service Portal (which is empty by default). Next, point the metadata URL in the Service Manager Service Portal UI to http://<your Service Manager Service Portal server>/FederationMetadata.xml.

  1. Log in to Service Manager Service Portal Management Console as an administrator:

    https://SMSP_HOST:9000/org/PROVIDER

  2. Click Identity, and then select the organization for which you want to enable SAML SSO.
  3. Go to the Authentication tab, and then click Add Configuration.
  4. Select SAML Configuration as the authentication type.

  5. Specify the following SAML server settings:

    • Display Name: a user-friendly display name for the IdP (ADFS) server
    • Server URL: the IdP (ADFS) metadata XML URL (https://<your ADFS server host name>/federationmetadata/2007-06/federationmetadata.xml)

  6. Go to the Customization tab, find the idm.auth.flow field, and then append "saml" to the existing value, using a comma as the delimiter.

Important: Besides the SAML configuration, you must configure an LDAP integration, which will handle the user authorization. The SAML configuration will take care of the authentication, while the LDAP configuration will handle the authorization of users. After an LDAP integration has been set up, you need to create Groups based on your LDAP Groups. These Service Manager Service Portal Groups need to be mapped to Roles. LDAP configuration is part of a standard Service Manager Service Portal installation and setup. For detailed steps, see Configure LDAP.

Next step:

Configure the ADFS SAML token

Related topics

Configure SAML SSO using the Service Portal IdM