Start a new topic
Solved

First Name and Last Name from SAML

I am currently testing Freshservice as a trial and was using my test account from AD to create tickets. I'm using SAML through ADFS and the only attribute that Freshservice is using from AD is the email address. I'd like to get First Name and Last name as well. I have set up claim rules in ADFS but they do not appear to be working.

This is an across-the-board problem, I think. FreshService supports SSO with Azure AD (Office 365) and while that returns UPN, email, FN and SN only the email value is actually used.


Would be great to see this fixed.

You're right Joshua. I changed over to using Azure AD SSO and same issue there. At one point I had phone number coming in when I was using ADFS but I must have changed something in the claims because that no longer works. I can live without phone number but FN and SN would be huge. 

Jeff, would you mind sharing how you configured ADFS to provide SAML authentication for Freshservice?

 

Sure John.


I am using a custom domain on mine. But the configuration is as follows:


Under Trust Relationships, and Relying Party Trusts, I added a new Relying Party Trust that I just name "FreshService".


Relying Party Identifier: http://my.customdomain.com

On Endpoints Tab-

SAML Assertion Consumer Endpoints: https://my.customdomain.com/login/saml

SAML Logout Endpoints: https://adfs.customdomain.com/adfs/ls?wa=wsignout1.0

Advanced Tab-

Secure hash algorithm: SHA-1


For Claims Rules-

 The first one I have is "Send LDAP Attributes as Claims" and the LDAP Attribute is E-Mail-Addresses and the Outgoing claim type is E-Mail Address. 

The next rule is "Transform an Incoming Claim" . Incoming claim type is E-Mail Address, Outgoing claim type is Name ID, and Outgoing name ID format is Email.


This works fine for authentication but again, it only seems to populate email address. At one point I did get 2 accounts in that had phone number as well but I have no idea how I managed that because it no longer works.

Thanks Jeff.  I have attached a document that I received from Freshservice support that may help you with populating the first and last name of the user.


A couple other questions regarding SSO configuration on the Freshservice side:


  • Is your SAML Login URL in the format https://adfs.customdomain.com/adfs/ls/IdpInitiatedSignon.aspx or something else?
  • Which certificate are you using for your Security Certificate Fingerprint?  I have three in ADFS: service communications, token-decrypting, and token-signing.

Thanks again,
John
docx
As an update, my users are now being successfully and automatically provisioned in Freshservice through SSO including first name, last name, and email address. I would, however, like to see Freshservice accept additional claims attributes such as department and phone number.

John, I worked with FreshService support as well and they provided that document which got first name and last name working for us too. 


My SAML Login URL is: https://adfs.ourdomain.com/adfs/ls

For logout URL I'm using: https://adfs.ourdomain.com/adfs/ls?wa=wsignout1.0

I also have the above Logout URL entered in as a SAML Logout Endpoint on the Endpoints tab in ADFS.

And we are using the Token-Signing certificate thumbprint.


Try adding this into your Claims rule. 

LDAP Attribute: Telephone-Number

Outgoing claim type: phone


I got that from a ZenDesk article and it seems to work for FreshService as well. Let me know.


1 person likes this
Login or Signup to post a comment
JS Bin