Here's how you can configure ADFS SAML SSO for your users.


Step 1: On your ADFS Server, Open up AD FS Management.



Step 2: Right click on Relying Party Trusts and select Add Relying Party Trust. This will launch the Add Relying Party Trust Wizard.



Step 3: In the Select Data Source step, choose Enter data about the relying party manually.



Step 4: Enter a Display name and click Next.




Step 5: Choose AD FS profile with SAML 2.0 and click Next. On the Configure Certificate screen, click Next without choosing any certificates.


Step 6: Select Enable support for the SAML 2.0 WebSSO protocol.


Step 7: Enter the login URL (https://<yourdomain>.freshservice.com/login/saml) and click Next.

If your Freshservice Portal URL has a vanity URL, then use the vanity URL in the configurations as well. 

For example, if the URL is https://support.yourcompany.com, then your Login URL will be https://support.yourcompany.com/login/saml.


Note: Make sure that you always use an https URL.



Step 8: Add a Relying party trust identifier, e.g. mydemoportal.freshservice.com.

Also add https://mydemoportal.freshservice.com and click Next.



Step 9: Click Next until you reach the Finish screen.


Step 10: Before clicking Finish, select the option to open the Edit Claim Rules dialog so you can continue the configuration. This will launch the Edit Claim Rules window.




Step 11: Click on Add Rule and Choose Claim Rule as Send LDAP Attributes as Claims.



Step 12: Freshservice accepts all the default requester attributes through SAML, and you can pass them from this LDAP attribute rule. For the list of attributes that are accepted, refer to this solution.



Step 13: You can add the Outgoing claim Type as shown in the image here.



Step 14: Click Finish.


Freshservice uses the user's email address as the login ID. For this to work, the email address must be sent as the NameID in the SAML assertion. This is achieved by adding a Transform rule.


Step 15: Click Add Rule again, choose Transform an Incoming Claim and click Next.



Step 16: Setup Email ID to be sent as NameID as shown below and click Finish.



Make sure that the order is maintained as shown in the image below (LDAP Attributes followed by the NameID) and click Apply. The order matters because the transform rule reads the email claim that the LDAP rule issues; if it runs first, there is no email claim to map to the NameID.

 



Step 17: On the AD FS Management window, right-click the Relying Party for Freshservice and choose Properties. Under the Advanced tab, choose SHA-256 as the Secure hash algorithm.
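For administrators who script AD FS rather than click through the wizard, here is the same relying party trust (Steps 2 to 17) built with the AD FS PowerShell module. This is an added example, not a script from Freshservice or Microsoft. The portal host name is a placeholder, and the LDAP attributes it maps (mail, givenName, sn) are an assumption; the full list of attributes Freshservice accepts is in the solution linked from Step 12.

```powershell
# Added example (not Freshservice's or Microsoft's own script): creates the relying
# party trust that Steps 2-17 build in the wizard. Run in an elevated PowerShell
# session on the AD FS server. The portal host name below is a placeholder.
Import-Module ADFS

$portal = "https://mydemoportal.freshservice.com"   # placeholder: your portal or vanity URL, https only

# Step 7: the endpoint Freshservice exposes at /login/saml receives the SAML response (HTTP POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri "$portal/login/saml"

# Steps 11-16: the two claim rules the wizard creates, in AD FS claim rule language.
# Rule 1 ("Send LDAP Attributes as Claims") reads mail, givenName and sn from Active Directory (assumed attribute set).
# Rule 2 ("Transform an Incoming Claim") turns the email claim into the SAML NameID, which Freshservice uses as the login ID.
# Rule 1 must come first: rule 2 consumes the emailaddress claim that rule 1 issues.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP attributes to Freshservice"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email address as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Steps 3-10 and 17: manual relying party, SAML profile, both identifiers from Step 8,
# SHA-256 (instead of the SHA-1 default) as the signature algorithm, and the
# "permit all users" authorization rule the wizard applies when you click Next in Step 9.
Add-AdfsRelyingPartyTrust -Name "Freshservice" `
    -Identifier @("mydemoportal.freshservice.com", $portal) `
    -ProtocolProfile SAML `
    -SamlEndpoint $acs `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -IssuanceTransformRules $rules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Check what was written: SignatureAlgorithm should end in rsa-sha256 and both identifiers should be listed.
Get-AdfsRelyingPartyTrust -Name "Freshservice" | Select-Object Name, Identifier, SignatureAlgorithm, SamlEndpoints
```

The final Get-AdfsRelyingPartyTrust call is the check worth keeping: if the signature algorithm still reads rsa-sha1, Freshservice will be validating a SHA-1 signature, which is the setting Step 17 exists to replace.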



Step 18: On the AD FS Management window, choose Service -> Certificates and double-click the Token-signing certificate, which gives you a Copy to File option. Use it to export the X.509 certificate to a file.




Step 19: Copy the X509 Certificate from the file, and go to https://www.samltool.com/fingerprint.php in order to calculate the Fingerprint.
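The fingerprint can also be computed on the AD FS server itself, so the value you pin in Freshservice comes straight from the token-signing certificate rather than from a third-party web tool. This is an added example, not a script from Freshservice or Microsoft; the exported file path is a placeholder, and the colon-separated uppercase hex format is an assumption about how Freshservice expects the SHA-256 fingerprint.

```powershell
# Added example (not Freshservice's or Microsoft's own script): SHA-256 fingerprint of the
# AD FS token-signing certificate, computed locally. Run on the AD FS server for option A.
Import-Module ADFS

# Option A: read the primary token-signing certificate directly from AD FS.
$cert = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary } |
    Select-Object -ExpandProperty Certificate

# Option B: load the file exported in Step 18 ("Copy to File"); works for DER or Base64 .cer files.
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList "C:\path\to\adfs-token-signing.cer"   # placeholder path

# The fingerprint is the SHA-256 hash of the DER-encoded certificate (RawData).
# Note that the certificate's .Thumbprint property is SHA-1, not what the SHA256 field in Freshservice expects.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$hash = $sha256.ComputeHash($cert.RawData)
$fingerprint = ($hash | ForEach-Object { $_.ToString("X2") }) -join ":"

"Subject:   $($cert.Subject)"
"Not after: $($cert.NotAfter)"    # the fingerprint in Freshservice must be updated when this certificate is replaced
"SHA-256:   $fingerprint"

# PEM form of the same certificate, should a service provider ask for the certificate itself rather than a fingerprint.
$pem = "-----BEGIN CERTIFICATE-----`n" + [Convert]::ToBase64String($cert.RawData, "InsertLineBreaks") + "`n-----END CERTIFICATE-----"
$pem
```

Two caveats a practitioner will want. First, AD FS rotates its token-signing certificate automatically by default, and Freshservice only knows the fingerprint you paste in, so a rollover silently breaks SSO until the new fingerprint is entered; note the NotAfter date and plan the update. Second, compare the fingerprint you compute here with the one shown in Freshservice after saving, since a mismatch of even one byte means signed assertions will be rejected.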


You are all set to use SAML with ADFS on Freshservice. Now log in to your Freshservice instance, navigate to Admin -> Helpdesk Security and choose SAML SSO under Single Sign on.

You need to configure the login URL of your ADFS server and the Certificate Fingerprint (SHA256) obtained in Step 19.


You are now set to log in with ADFS SAML SSO in Freshservice.



If you have any questions or need help with configuring the ADFS SAML SSO, please contact support@freshservice.com.