This article describes how to set up JWT SSO in Freshservice so that users are authenticated against Active Directory. A Classic ASP script hosted on an IIS server, with read access to Active Directory, authenticates your users in Freshservice.
Note: This option is currently available only if you've signed up with the Freshworks Suite of Products from February 2020. We'll be incrementally rolling this option out for customers who signed up before that.
Step 1: To install Internet Information Services (IIS)
Internet Information Services (IIS) must be installed and configured on a Windows Server to host the Classic ASP script that reads user information from Active Directory. You can follow the steps given in this article to install IIS 8 on Windows Server 2012. Select the following options while installing the IIS role on the server.
Web Server (IIS)
IIS Management Console
You need ASP to host the Classic ASP script and Windows Authentication to authenticate users in the Active Directory for Freshservice. So if you’ve already installed IIS, make sure that these features are installed.
Step 2: To edit the Classic ASP script file
Download the ADScriptJWT.asp, Constants.asp, and jwt.all.asp files attached below.
Open the Constants.asp file and assign the following values to the variables.
sLdapReaderUsername = "domain\username" (Username of the AD account which has Read-Only privilege to all the users in the AD)
sLdapReaderPassword = "password" (Password of that user account)
To create the signature part of the JWT, the script takes the encoded header and the encoded payload and signs them with the RSA private key (RS256). You can generate the RSA key pair using the following commands:
#generate RSA key
ssh-keygen -t rsa -b 1024 -m PEM -f jwtRS256.key
# use empty passphrase
openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub
Or use the online generators Link1, Link2
sReturnURL = "https://domain.freshworks.com/sp/OIDC/13415184120" (The Freshservice Redirect URL to which the user is sent once authentication succeeds)
Save the Constants.asp file.
sLdapReaderUsername = "FRESHSERVICE\admin"
sLdapReaderPassword = "xxxxxxxxx"
sRSAPrivateKey = "-----BEGIN RSA PRIVATE KEY-----<RSA Private Key as single line string>-----END RSA PRIVATE KEY-----"
Note: When you run the commands above on Linux/macOS, two files are generated: jwtRS256.key (the RSA private key) and jwtRS256.key.pub (the RSA public key).
The .key file is multi-line. Copy its entire contents, collapse them into a single line, and paste that line inside the double quotes as the value of sRSAPrivateKey in the Constants.asp file.
Step 3: To configure the ASP script in the IIS
Create a new website in IIS, go through the Create a new Web site section in this article (you can create a new site or use the existing site available in IIS).
Click on the site and double click ASP on the right pane.
Set Enable Parent Paths to true.
Click on the site again and double click Authentication.
Right-click Windows Authentication and select Enable.
Note: Disable all the other authentication types. IIS will use the integrated Windows authentication. To make it possible, IIS Server should be installed on the Active Directory Domain which contains the users.
Right-click on the site, select Explore.
Paste the three files you configured earlier: ADScriptJWT.asp, Constants.asp, and jwt.all.asp.
Navigate to the ADScriptJWT.asp path.
You will be authenticated and logged into Freshservice.
Prerequisites/ Points to Remember:
The Classic ASP script reads the user's email address from the mail attribute in Active Directory. The mail attribute must therefore be populated in the user's attributes for the login to Freshservice to succeed. If you get the error “Couldn't log in to Freshservice. Please contact your administrator”, check whether an email address is configured for that user in Active Directory.
Try to access the script from http://dc-svr01/test.asp and check whether it executes. Ensure that IIS runs this script with Integrated Windows Authentication and NOT via Anonymous Authentication.
Configure Windows Authentication to use only the NTLM provider, not Negotiate (Kerberos).
Step 4: To set up SSO for Freshservice
Sign in to your Freshservice account.
Click on the Admin Settings icon.
Click Helpdesk Security under General Settings.
Click on the link - Manage Helpdesk Security from Freshworks 360 Security. This opens the Org Security page in a new tab.
Navigate to the Single sign-on card under Login Methods.
Toggle the switch. By default SAML SSO will be selected.
Click the dropdown and select JWT SSO. A Redirect URL will be automatically generated in the Redirect URL field box.
Note: Copy the generated Redirect URL and paste it as the value of sReturnURL when assigning values in the Constants.asp file.
Copy the contents of the public key file jwtRS256.key.pub (generated in Step 2) and paste it in the RSA Public key field box.
Note: Omit the header and footer lines (-----BEGIN ...----- and -----END ...-----) of jwtRS256.key.pub before pasting it in the field.
Enter the Authorization URL
https://<AD Server Domain or IP>:<port>/ADScriptJWT.asp
(Optional) You can also enter the Logout URL to which the users will be sent when they log out.
Click Save to finalize your changes.