Configuring SAML SSO for ManageEngine Patch Manager Plus
The following steps will help you enable single sign-on (SSO) to Patch Manager Plus from ADSelfService Plus.
Prerequisites
- Ensure that the ADSelfService Plus server can be accessed through an HTTPS connection (the Access URL must be configured as HTTPS).
- Log in to ADSelfService Plus as an administrator.
- Navigate to Configuration > Self-Service > Password Sync/Single Sign On > Add Application, and select Patch Manager Plus from the applications displayed.
Note: You can also find Patch Manager Plus from the search bar located in the left pane or the alphabet-wise navigation option in the right pane.
- On the Patch Manager Plus configuration page, click IdP Details in the top-right corner of the screen. A pop-up will appear.
- You can configure the identity provider details by either uploading the metadata file or entering the details manually.
- Uploading the metadata file: Click the Download IdP Metadata link to download the metadata file to be uploaded during the configuration of Patch Manager Plus.
- For manual configuration: Copy the Login URL, which will be used during the configuration of Patch Manager Plus. Download the SSO certificate by clicking the Download X.509 Certificate link.
Patch Manager Plus (service provider) configuration steps
- Log in to Patch Manager Plus with administrator credentials.
- Navigate to Admin > SAML Authentication.
- Copy the values of the Entity Id and the Assertion Consumer URL from the Service Provider Details section; these will be used later.
- In the Identity Provider Details section, select Others from the Select IdP drop-down.
- Enter a name for ADSelfService Plus (for example, ADSSP) in the IdP name field.
- Choose a Name ID to map users from ADSelfService Plus with Patch Manager Plus. The username is the default option.
- In the Configuration by uploading field, you can either choose to upload the identity provider Metadata file or configure identity provider information using a Certificate.
- Click Save.
ADSelfService Plus (identity provider) configuration steps
- Switch to ADSelfService Plus' Patch Manager Plus configuration page.
- Enter the Application Name and Description.
- Enter the Domain Name of your Patch Manager Plus account. For example, if you use johndoe@pmp.com to log in to Patch Manager Plus, then pmp.com is the domain name.
- In the Assign Policies field, select the policies for which SSO needs to be enabled.
Note: ADSelfService Plus allows you to create OU- and group-based policies for your AD domains. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy.
- Select the SAML tab and check Enable Single Sign-On.
- In the Assertion Consumer URL field, enter the Assertion Consumer URL copied in step 3 of Patch Manager Plus configuration.
- In the Entity ID field, enter the Entity Id value copied in step 3 of Patch Manager Plus configuration.
- In the Name ID Format field, choose the format for the user login attribute value specific to the application.
Note: Use Unspecified as the default option if you are unsure about the format of the login attribute value used by the application.
- Click Add Application.
Your users should now be able to sign in to Patch Manager Plus through the ADSelfService Plus portal.
Note: For Patch Manager Plus, both service-provider-initiated and identity-provider-initiated flows are supported.