Configuring single sign-on for SAML-enabled custom enterprise applications

Note: SSO for applications is available only with the Endpoint MFA.

ADSelfService Plus supports single sign-on (SSO) for over 100+ cloud applications right out of the box. The solution also extends its SSO support capability to any SAML-enabled custom enterprise application.

Prerequisites:

  1. Login to the enterprise application (service provider) for which custom application going to be created.
  2. Get Metadata or Entity ID/SAML Redirect URL and ACS URL from the enterprise application

Create Custom Application

The steps given below will guide you through setting up the single sign-on functionality between ADSelfService Plus and your custom SAML applications. 

  1. Log into ADSelfService Plus web-console as an administrator.
  2. Navigate to Password Sync/Single Sign On → Add Application → Custom Application.
  3. Enter your Application name and Description.
  4. In the Domain Name field, enter the domain name of your email address. For example, if you use johndoe@mydomain.com to log in, then mydomain.com is the domain name.
  5. Upload an image for app icon in both sizes.
  6. Provide a suitable option for the Supported SSO flow.
    7. Note: It is advisable to contact your Service Provider and verify the supported SSO flow before choosing the correct option.
  7. Automatic Configuration : If you have metadata downloaded in Step 2 of Prerequisites, upload the downloaded Metadata file or follow step 8 given below.
  8. Manual Configuration : Based on the SSO flow you selected earlier, enter the required details.

    • If you had selected SP flow:

      • In the SAML Redirect URL field, enter the SAML redirect URL your application service provider supplies. The URL value can be found in the application’s default login page or the SSO configuration page.
      • Enter the Assertion Consumer Service (ACS) URL your application service provider provides in the ACS URL field. This value can also be found in the application's SSO configuration page.

    • If you had selected IdP flow:

      • Enter the Assertion Consumer Service (ACS) URL your application service provider in the ACS URL field. This value can also be found in the application's SSO configuration page.
      • In the Entity ID field, enter the Entity ID that your application service provider supplies. This value can also be found in the application’s SSO configuration page.
  9. Under Provider Settings :
    • Choose an RSA-SHA1 or RSA-SHA256 Algorithm depending on the encryption your application supports.
    • Pick a SAML response (Signed/ Unsigned).
    • Choose the XML canonicalization method to be used. Canonicalization method is the process of converting the XML content to a standardized format by the IdP and SP. The algorithm you choose is used for signing the SAML response and assertion.
    • In the Name ID Format field, choose the format for the user login attribute value specific to the application.

      • Note: Use Unspecified as the default option if you are unsure about the format of the login attribute value used by the application.

  10. Click Create Custom Application.
Note: Check with your Service Provider to identify the supported SSO flow and the SAML response. By default, the SAML Assertion will be 'signed'.
Go to Top

Copyright © 2025, ZOHO Corp. All Rights Reserved.