Manage Authentications

Concepts

The Service Manager Service Portal Administrator can use the Authentication view to configure and manage the following types of authentication identity servers:

LDAP — the Administrator can configure and manage multiple LDAP (Lightweight Directory Access Protocol) identity servers for an organization. The Administrator can connect multiple LDAP servers by adding configurations and adjusting their relative priority within an organization.

LDAP is used to:

  • Authenticate a user's login.
  • Authenticate a user's access to information.
  • Authorize a user's access to information.

To completely configure Service Manager Service Portal access with LDAP, you must configure LDAP to authenticate a user's login, configure LDAP for an organization to authenticate a user's access to information, and configure access control for an organization to authorize a user's access to information.

Tasks

The Service Manager Service Portal Administrator can perform the following authentication tasks:

View Authentication Configurations

To view all of the authentication configurations for an organization:

  1. Click the Identity application in the Launchpad.
  2. In the Organization List view, click the organization that contains the authentication configurations you want to view.
  3. In the Organization Details view, click Authentication.

The Authentication view is displayed and all of the authentication configurations for the organization are listed.

Add LDAP Configuration

Note This task assumes you are in the Authentication view for the organization. (See View Authentication Configurations for instructions.)

To configure LDAP for an organization:

  1. In the Authentication view, click Add Configuration.
  2. In the Create new Authentication dialog, select LDAP Configuration and then click Create.
  3. In the LDAP Server Settings dialog, type the values for required fields.

    LDAP Server Information

    Configure one or more LDAP servers and a user with access to the server.

    Item Description

    Display Name

    The display name for the LDAP server.

    Hostname

    The fully-qualified LDAP server domain name (server.domain.com) or IP address.

    Example: ldap.xyz.com

    Port

    The port used to connect to the LDAP server (by default, 389).

    Example: 389

    SSL Connection

    If the LDAP server is configured to require ldaps (LDAP over SSL), select the SSL Connection checkbox.

    Base DN

    Base distinguished name. The Base DN is the top level of the LDAP directory that is used as the basis of a search.

    Example: o=xyz.com

    User ID (Full DN)

    The fully distinguished name of any user with authentication rights to the LDAP server. If the LDAP server does not require a User ID or password for authentication, this value can be omitted.

    Example: uid=admin@xyz.com,ou=People,o=xyz.com

    Password

    Password of the User ID. If the LDAP server does not require a User ID or password for authentication, this value can be omitted.

    Retype Password

    Retype the password of the User ID.

    LDAP Attributes

    Enter the names of the attributes whose values are used for email notifications, authentication, and Service Manager Service Portal approvals.

    Item Description
    Full Name

    The name of the LDAP attribute used to store the full name of the user. Often, this is cn or Display Name, but different LDAP directories may use different attributes. Contact your LDAP administrator to determine the proper Full Name.

    Default: cn

    User Email

    The name of the attribute of a user object that designates the email address of the user. The email address is used for notifications. If a value for this attribute does not exist for a user, the user does not receive email notifications.

    Default: mail

    Group Membership

    The name of the attribute(s) of a group object that identifies a user as belonging to the group. If multiple attributes convey group membership, the attribute names should be separated by a comma.

    Default: member,uniqueMember

    Manager Identifier

    The name of the attribute of a user object that identifies the manager of the user.

    Default: manager

    Manager Identifier Value

    The name of the attribute of a user object that describes the value of the Manager Identifier's attribute. For example, if the value of the Manager Identifier attribute is a distinguished name (such as cn=John Smith, ou=People, o=xyz.com) then the value of this field could be dn (distinguished name). Or, if the Manager Identifier is an email address (such as admin@xyz.com) then the value of this field could be email.

    Default: dn

    User Avatar

    LDAP attribute whose value is the URL to a user avatar image that is displayed for the logged-in user. If no avatar is specified, a default avatar image is used.

    User Login Settings

    A user search-based login method is used to authenticate access to information.

    Item Description
    User Name Attributes

    The name of the attribute of a user object that contains the username that will be used to log in. The value for this field can be determined by looking at one or more user objects in the LDAP directory to determine which attribute consistently contains a unique user name. Often, you will want a User Name Attribute whose value in a user object is an email address.

    Examples: userPrincipalName or sAMAccountName or uid

    User Searchbase

    The location in the LDAP directory where users' records are located. This location should be specified relative to the Base DN. If users are not located in a common directory under the Base DN, leave this field blank.

    Examples: cn=Users or ou=People

    User Search Filter

    Specifies the general form of the LDAP query used to identify users during login. It must include the pattern {0}, which represents the user name entered by the user when logging in. The filter is generally of the form <attribute>={0}, with <attribute> typically corresponding to the value entered for User Name Attributes.

    Examples: userPrincipalName={0} or sAMAccountName={0} or uid={0}

    Search Option (Search Subtree)

    When a user logs in, the LDAP directory is queried to find the user’s account. The Search Subtree setting controls the depth of the search under User Searchbase.

    If you want to search for a matching user in the User Searchbase and all subtrees under the User Searchbase, make sure the Search Subtree checkbox is selected.

    If you want to restrict the search for a matching user to only the User Searchbase, excluding any subtrees, unselect the Search Subtree checkbox.

  4. Click Save to complete the authentication configuration.

The new LDAP authentication configuration appears in the list of authentications for the organization.
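As an added example (not product code from Service Manager Service Portal), the following Python models how the User Login Settings above combine into one directory search: the User Searchbase is appended to the Base DN, the Search Subtree checkbox selects the search scope, and the login name replaces {0} only after RFC 4515 escaping, so that characters such as `*`, `(` and `)` in a typed user name cannot change the meaning of the filter. The scope names, the `UserLoginSettings` class and the `is_member` helper for the comma-separated Group Membership attributes are assumptions, not the product's own API.

```python
from dataclasses import dataclass

# RFC 4515 escaping for values substituted into a search filter. Without it a
# login name such as "*" or "x)(uid=admin" would rewrite the query itself.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one value before it is placed into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class UserLoginSettings:
    """Assumed model of the User Login Settings fields from the configuration dialog."""
    base_dn: str                        # e.g. "o=xyz.com"
    user_searchbase: str = ""           # relative to base_dn; blank = no common user subtree
    user_search_filter: str = "uid={0}"  # must contain the {0} placeholder
    search_subtree: bool = True         # the Search Subtree checkbox

    def search_base(self) -> str:
        # User Searchbase is specified relative to the Base DN; blank means search from the Base DN.
        if not self.user_searchbase:
            return self.base_dn
        return f"{self.user_searchbase},{self.base_dn}"

    def search_scope(self) -> str:
        # Assumed mapping: checkbox selected -> whole subtree; unselected -> only the searchbase level.
        return "SUBTREE" if self.search_subtree else "ONELEVEL"

    def login_filter(self, login_name: str) -> str:
        """Build the filter sent to the directory for a login attempt."""
        if "{0}" not in self.user_search_filter:
            raise ValueError("User Search Filter must contain the {0} placeholder")
        return self.user_search_filter.replace("{0}", escape_filter_value(login_name))


def is_member(group_entry: dict, user_dn: str, membership_attrs: str = "member,uniqueMember") -> bool:
    """Check a group entry against every attribute listed in the Group Membership field.

    group_entry maps attribute names to lists of member DNs (a constructed stand-in
    for a directory entry); DNs are compared as exact strings here.
    """
    for attr in (a.strip() for a in membership_attrs.split(",")):
        if user_dn in group_entry.get(attr, []):
            return True
    return False
```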

Add a SAML Configuration

This task assumes you are in the Authentication view for the organization. (See View Authentication Configurations for instructions.)

To configure SAML for an organization:

  1. In the Authentication view, click Add Configuration.
  2. In the Create new Authentication dialog, select SAML Configuration and then click the Create button.
  3. In the SAML Server Settings dialog, type the values for required fields.
  4. Click the Save button to complete the authentication configuration.

The new SAML authentication configuration appears in the list of authentications for the organization.

Important For information about the entire procedure of setting up SAML authentication in Service Manager Service Portal, see the SAML Single Sign-On section in the Service Manager Help Center, published at the Software Documentation Portal.

Edit an Authentication Configuration

Note This task assumes you are in the Authentication view for the organization. (See View Authentication Configurations for instructions.)

To edit an authentication configuration:

  1. In the Authentication view, for the authentication configuration to edit, click the edit icon.
  2. In the server settings dialog (LDAP Server Settings or SAML Server Settings, depending on the configuration type), type your changes, and then click Save to finish and save your changes.

Delete an Authentication Configuration

Note This task assumes you are in the Authentication view for the organization. (See View Authentication Configurations for instructions.)

To delete an authentication configuration:

  1. In the Authentication view, for the authentication configuration to delete, click the delete icon.
  2. Confirm deletion of the authentication configuration.

The Service Manager Service Portal authentication configuration is deleted.
