© 2021 www.richardwalz.com
Richard Walz
All rights reserved.

Active Directory Federation Services – Part 3 (Add SSO Trust Partner)

In this example we are going to walkthrough adding FreshDesk as a relying party trust to our ADFS environment in order to enable SSO/SAML for all our end users. FreshDesk includes SSO/SAML for all plans.

1. Open ADFS Management

2. Expand “Trust Relationships”, right click on “Relying Party Trusts” and choose “Add Relying Party Trust”.

3. Click “Start”.

4. Select “Enter data about the relying party manually”, then click next.

5. Give the trust a name, then click next.

6. Select “AD FS Profile”, then click next.

7. Do not configure anything on this page, click next.

8. Select “Enable support for the SAML 2.0 WebSSO Protocol” and enter the SAML login URL of your FreshDesk instance. Make sure not to include a trailing slash “/” at the end of the URL. Yours will most likely be “https://yourinstancename.freshdesk.com/login/saml”. Click next.

9. Contrary to what the official documentation says, be sure to include the “https://” prefix. Enter the relying party trust identifier “https://yourinstancename.freshdesk.com”, click Add, then click next. The identifier must match exactly (scheme, host, no trailing slash) what FreshDesk sends as the SAML Issuer, otherwise AD FS will not recognise the request.

10. Leave the default options, and click next.

11. Select “Permit all users to access this relying party”, then click next. This lets every authenticated AD user obtain a token for FreshDesk; if only a subset of staff should reach the helpdesk, tighten the issuance authorization rule to a group later.

12. Leave all defaults/review settings, click next.

13. Leave the default option selected, click close.

14. Select “Send LDAP Attributes as Claims” and click Next.

note: if the following window does not open up, just click “Add Rule”

15. Ensure all the following options are selected, and attributes are mapped to the appropriate values.  Case-sensitivity matters.  If the attribute does not exist in the Outgoing Claim Type column, you may type it. Then click “Ok”

16. Click “Add Rule”

17. Select “Transform an Incoming Claim”, then click next.

18. Give the rule a name and select the following options, then click “Ok”.
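Steps 2 to 18 can also be done from the AD FS PowerShell module on the federation server. The block below is an added example, not code from the original post; it assumes the instance name “yourinstancename”, an elevated session as an AD FS administrator, and, because the post's screenshots of the exact attribute mapping are not reproduced here, an assumed mapping of mail, givenName and sn to the E-Mail Address, Given Name and Surname claims with E-Mail Address transformed into the Name ID.

```powershell
# Added example (not from the original post): build the FreshDesk relying party
# trust with the AD FS cmdlets instead of the wizard.
# Assumptions: instance "yourinstancename"; elevated session as an AD FS admin;
# the attribute-to-claim mapping below is assumed, not taken from the post.
Import-Module ADFS

$instance   = 'yourinstancename'                              # assumed tenant name
$identifier = "https://$instance.freshdesk.com"               # step 9: no trailing slash
$acsUrl     = "https://$instance.freshdesk.com/login/saml"    # step 8: no trailing slash

# Step 8: SAML 2.0 WebSSO endpoint, HTTP-POST binding to the assertion consumer service.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Step 11: the "Permit all users" issuance authorization rule.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 14-18: "Send LDAP Attributes as Claims" followed by "Transform an Incoming Claim".
# Mapping (ASSUMED): mail -> E-Mail Address, givenName -> Given Name, sn -> Surname,
# then E-Mail Address -> Name ID in emailAddress format. Claim type URIs are case-sensitive.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "FreshDesk - Send LDAP Attributes as Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "FreshDesk - E-Mail Address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Steps 2-13 in one call. SHA-256 signing is the wizard default on 2012 R2 and later;
# it is pinned explicitly here so the trust does not silently fall back to SHA-1.
Add-AdfsRelyingPartyTrust -Name 'FreshDesk' `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Check what was stored: identifier, endpoint and both rule sets.
Get-AdfsRelyingPartyTrust -Name 'FreshDesk' |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlEndpoints,
                  IssuanceAuthorizationRules, IssuanceTransformRules
```

The rule text is the same claim rule language the wizard writes, so the result is identical to the GUI steps and can be diffed against a wizard-built trust with Get-AdfsRelyingPartyTrust. If FreshDesk rejects logins after this, the first things to compare are the Name ID format and the Issuer value in the assertion against what the FreshDesk side expects.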

19. Under “AD FS” > “Service” > “Certificates” right click on the “Token-Signing” certificate and choose “View Certificate”.

note: the next steps are required for FreshDesk, other SAML applications may require different values such as just the Thumbprint or the Public Key values.

20. On the Certificate window select the “Details” tab and then “Copy to File…”.

21. On the Certificate Export Wizard click “Next”

22. Select “Base-64 encoded X.509 (.CER)”.

23. Select “Browse” give the file a name of your choosing. Then click “Save”.

24. Click “Next”

25. Click Finish

26. Open the Base-64 encoded certificate you just exported using Notepad. Copy all the content within the file and paste it into the website “https://samltool.com/fingerprint.php”. (The token-signing certificate contains only the public key, so nothing secret leaves your network, but the openssl note below gives you the same value without a third-party site.)

Be sure to select “SHA256” as this is required for FreshDesk SAML and click “Calculate Fingerprint”.

Copy the fingerprint value to a safe place. Keep in mind that AD FS rolls the token-signing certificate over automatically by default, and FreshDesk validates assertion signatures against this fingerprint, so the new fingerprint has to be entered in FreshDesk before the rollover completes or SSO logins will start failing.

note: you can generate the SHA256 fingerprint without using samltool by using openssl and running the following command:

"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" x509 -noout -fingerprint -sha256 -inform pem -in "c:\users\su-admin\desktop\SSO-Cert-For-FreshDesk.cer" > "c:\users\su-admin\desktop\FingerPrintValue.txt"
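Steps 19 to 26 can be collapsed into one PowerShell script on the federation server that pulls the primary token-signing certificate straight from AD FS, writes the same Base-64 file the export wizard produces, and computes the SHA-256 fingerprint locally. This is an added example, not code from the original post; it assumes the AD FS module is available and uses the current user's Desktop as the output path.

```powershell
# Added example (not from the original post): export the primary token-signing
# certificate as Base-64 (PEM) and compute its SHA-256 fingerprint locally,
# replacing the GUI export and the samltool.com upload.
# Assumptions: AD FS module present; output path below is arbitrary.
Import-Module ADFS

$outPem = Join-Path $env:USERPROFILE 'Desktop\SSO-Cert-For-FreshDesk.cer'   # assumed path

# Step 19: take the PRIMARY token-signing certificate. Shortly before an automatic
# rollover a secondary certificate also appears; FreshDesk needs the one that is
# actually signing tokens right now.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate   # X509Certificate2

# Steps 20-25: "Base-64 encoded X.509 (.CER)", same layout the export wizard writes.
$b64 = [Convert]::ToBase64String($cert.RawData, [Base64FormattingOptions]::InsertLineBreaks)
@('-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----') |
    Set-Content -Path $outPem -Encoding ascii

# Step 26: SHA-256 over the DER bytes, printed as colon-separated upper-case hex,
# which is what both samltool.com and "openssl x509 -fingerprint -sha256" output.
# Note: the certificate's built-in Thumbprint property is SHA-1, not what FreshDesk wants.
$sha256      = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join ':'

[PSCustomObject]@{
    Subject        = $cert.Subject
    NotAfter       = $cert.NotAfter
    Sha1Thumbprint = $cert.Thumbprint
    Sha256         = $fingerprint
    PemPath        = $outPem
}
```

Running the openssl command from the note on the file this script writes should print exactly the Sha256 value shown here; if the two differ, you exported a different certificate (most likely the secondary one or the token-decrypting certificate). NotAfter tells you when to expect the next rollover and therefore the next fingerprint update in FreshDesk.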

27. Log in to your FreshDesk admin panel and go to “Admin” > “Security” > “SSO”. Select “Enable SAML SSO”. Enter your AD FS login URL, in this example https://adfs.cloudrigs.com/adfs/ls

Note: do not include a trailing slash “/” at the end of the URL

Paste the “FingerPrint” value into the corresponding “Security Certificate Fingerprint” textbox.

It will look like this:

28. Test access via single sign-on by opening your FreshDesk instance URL, in this example https://enterpriseinfosec.freshdesk.com, and clicking “Login”. You should be redirected to AD FS and, after authentication, land in FreshDesk signed in.

29. If your FreshDesk users have agent-based roles, they will be logged on automatically with the permissions those roles grant them.