
WebHelpDesk SSO using ADFS 2.0 & SAML 2.0

I am attempting to get SSO working for WebHelpDesk using ADFS 2.0 and I am unable to get the authentication to work properly.

Information about our setup:

WebHelpDesk 12.0.0 Hotfix 1

WebHelpDesk Server is encrypted with an SSL Certificate from GoDaddy

ADFS Server is encrypted with an SSL Certificate from GoDaddy

When anyone accesses the WebHelpDesk, it redirects them to our ADFS Server correctly, appears to authenticate them correctly, but when it passes the token back to WebHelpDesk, they are not logged in. They are presented with a standard WebHelpDesk login screen.

As of now, I have the "Signature" for the RP settings using the "ADFS Signing" certificate generated by the ADFS Server. The "Encryption" for the RP Settings is using the SSL Certificate from GoDaddy that is securing the IIS website and the "Service Communications".

The WebHelpDesk is using the "ADFS Signing" certificate generated by the ADFS Server.

Because the WebHelpDesk is redirecting users to the ADFS Server which appears to be authenticating correctly, I believe my issue lies somewhere with the Token-Signing & Token-Decrypting Certificates but I am not 100% sure of that.

Any help would be GREATLY appreciated.

  • Hi,

    Try the following:

    1. Do not set anything in the Signature nor Encryption tabs of the RP settings

    2. In your ADFS server, export the "Token-signing" certificate and use that for the Verification certificate in "Setup > General > Authentication"

    Then for the logout if you'd like to use that too:

    0. Open ADFS Management

    1. Click on Relying Party Trust

    2. Select your WHD Relying Party Trust (in your case, ihelp)

    3. Select Endpoint tab

    4. Add new one

    5. Select SAML Logout; POST; URL "https://<ADFS_Server_IP/domain_name>/adfs/ls/?wa=wsignout1.0" and Save changes.

    Use the same logout URL in WHD.

  • The bit that you are missing is the issuance transform rule in ADFS on the RP trust. As a claim rule, create one using AD as the source, mapping SAM-Account-Name to NameID.
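The ADFS-side steps from the two replies above (export the Token-signing certificate, add the SAML Logout endpoint, add the sAMAccountName-to-NameID issuance transform rule), as an added PowerShell example that is not from the thread or from SolarWinds. It assumes the ADFS 2.0 PowerShell snap-in, an RP trust named "ihelp", an ADFS host of adfs.example.com and an export path of C:\temp; adjust these to your environment.

```powershell
# Added example, not part of the original thread. Assumed values: RP trust "ihelp",
# ADFS host adfs.example.com, export path C:\temp (placeholders, change as needed).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0 snap-in

# Reply 1, step 2: export the primary Token-signing certificate for WHD's
# Verification certificate field. Only the public certificate is written (no private key).
$signing = Get-ADFSCertificate -CertificateType "Token-Signing" | Where-Object { $_.IsPrimary }
$der     = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("C:\temp\adfs-token-signing.cer", $der)

# Reply 2: issuance transform rule that maps sAMAccountName from AD to the NameID claim.
# Note: -IssuanceTransformRules replaces the whole rule set on the trust, so include any
# other rules you already rely on in this here-string.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "sAMAccountName to NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@
Set-ADFSRelyingPartyTrust -TargetName "ihelp" -IssuanceTransformRules $rules

# Reply 1, logout section: add a SAML Logout endpoint (POST binding) to the RP trust,
# keeping the existing assertion consumer endpoint(s) in place.
$existing = (Get-ADFSRelyingPartyTrust -Name "ihelp").SamlEndpoints
$logout   = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLLogout `
            -Uri "https://adfs.example.com/adfs/ls/?wa=wsignout1.0"
Set-ADFSRelyingPartyTrust -TargetName "ihelp" -SamlEndpoint ($existing + $logout)

# Check: the trust should now list the NameID rule and the SAMLLogout endpoint.
Get-ADFSRelyingPartyTrust -Name "ihelp" | Select-Object Name, IssuanceTransformRules, SamlEndpoints
```

Paste the exported .cer into WHD's Setup > General > Authentication verification certificate and use the same wsignout URL as the WHD logout URL, as the first reply describes.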