Configuring SAML SSO for ManageEngine Application Control Plus

The following steps will help you enable single sign-on (SSO) to Application Control Plus from ADSelfService Plus.

Prerequisite

1. Ensure that the ADSelfService Plus server can be accessed through HTTPS Connection (Access URL must be configured as HTTPS).
2. Log in to ADSelfService Plus as an administrator.
3. Navigate to Configuration → Self-Service → Password Sync/Single Sign On → Add Application, and select Application Control Plus from the applications displayed.
4. On the Application Control Plus configuration page, click IdP Details in the top-right corner of the screen. A pop-up will appear.
5. You can configure the Identity Provider details by either uploading the metadata file or entering the details manually.
1. Uploading metadata file: Download the metadata file to be uploaded during the configuration of Application Control Plus by clicking the Download IdP Metadata link.
2. For manual configuration: Copy the Login URL which will be used during the configuration of Application Control Plus. Download the SSO certificate by clicking the Download X.509 Certificate link.

Application Control Plus (service provider) configuration steps

1. Log into Application Control Plus with administrator credentials.
2. Navigate to Admin > SAML Authentication.

3. Copy the values of the Entity ID and the Assertion Consumer URL from the Service Provider Details section; these will be used later.

4. Select Others from the Select IdP drop-down, enter a name for ADSelfService Plus (for example, ADSSP) in the IdP name field, and choose a Name ID to map the users from ADSelfService Plus with Application Control Plus. The username is the default option.
5. In the Identity Provider Details section, you can either choose to upload the IdP Metadata file or the configure IdP information using a Certificate.
1. To use the Metadata option, choose Metadata. Click Browse and upload the metadata file downloaded in Step 5a of the Prerequisites.

2. If you choose to configure IdP information using a certificate, click Choose Certificate and enter the Login URL value copied in Step 5b of the Prerequisites.

3. Click Browse and upload the X.509 certificate file downloaded in Step 5b of the Prerequisites.
6. Click Save.

ADSelfService Plus (Identity Provider) configuration steps

1. Switch to ADSelfService Plus' Application Control Plus configuration page.

2. Enter the Application Name and Description.
3. Enter the Domain Name of your Application Control Plus account. For example, if you use admin@examplecompany.com to log in to Application Control Plus, then examplecompany.com is the domain name.
4. In the Assign Policies field, select the policies for which SSO needs to be enabled.
Note: ADSelfService Plus allows you to create OU- and group-based policies for your AD domains. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy.
5. Click the SAML tab and select the Enable Single Sign-On checkbox
6. In the Assertion Consumer URL field, enter the Assertion Consumer URL copied in Step 3 of Application Control Plus configuration.
7. In the Entity ID field, enter the Entity ID value copied in Step 3 of Application Control Plus configuration.
8. In the Name ID format field, choose the format for the user login attribute value specific to the application.
Note: Use Unspecified as the default option if you are unsure about the format of the login attribute value used by the application.
9. Click Add Application.

Your users should now be able to sign into Application Control Plus through the ADSelfService Plus portal.

Note: For Application Control Plus, both SP-initiated and IdP-initiated flows are supported.