Oct 022018
 

According to this article, they say ” SAML with Microsoft Azure is only supported if you are using AD FS”. We are not using ADFS in our environment. We are simply using Azure AD Connect to do Password Synchronization into Azure AD from our on-premises Active Directory Domain Services. I figured out a way to make this work without using ADFS.

Log into your Azure instance, click on “Azure Active Directory” and select “Enterprise Applications”. Click “New Application” and select “Non-gallery application”

Call it something and hit “Add”

While this is configuring, log into your ConnectWise Manage server and go to the URL (https://{site}/v4_6_release/auth/{companyId}/metadata) This will download a metadata file. Save it somewhere.

Back in the Azure portal, your Enterprise Application should now be up. Click on “Users and Groups” and add a group that you would like and hit “Select”, then “Assign”. I am going to select a group with all of our Active Directory users her. (Remember: Our environment is setup using Azure AD Connect with password sync)

Next, click on “Single sign-on” and select “SAML”

I’m using the “New Experience” here. You can switch to and from it with the following button at the top.

Click edit on “Basic SAML Configuration”. Then click “Upload metadata file” at the top and upload the metadata file you downloaded above. It will add the top two lines. I have added the “Sign on URL” manually by just adding the base URL. After you are done with all of this, click “Save”

Next, download the Base64 cert (Under “SAML Signing Certificate”) and save it somewhere.

Under #4, copy both the “Login URL” and the “Azure AD Identifier” into notepad somewhere.

Next, select the “old experience” using the button at the top.  Set “User Identifier” to “user.employeeid” and click “Save” at the top.

You can switch back to the “New Experience” now. You should see your change here:

Log into Manage and go to “System” and “Setup Tables” then “SSO Configuration”. Click “+” to add a new one.

Enter a description and put in “SSO Type” of “SAML” (You may want to set this to inactive while you are screwing with it). Select the location in the top right.

Enter “Login URL” in the “Login URL” field

Enter “Azure AD Identifier” in the “Identity Provider ID” Field

Upload the Base64 certificate from above.

Click “Save”

When you are ready to test it, uncheck the “Inactive” button, and save the configuration.   The login will look like this now:

One last tidbit.  If somehow you DO lock yourself out of your environment, you can change your SSO configuration directly in the database. Just find dbo.SSO_Configuration, and set your “Inactive_Flag” to True.  Not that I did that or anything.  🙂 🙂

  21 Responses to “How to Setup ConnectWise Manage to Azure AD without ADFS”

  1. Are you using the on-premise version of ConnectWise Manage? If so, will this solution work with the cloud hosted version?

  2. What does the matching? It looks like it is “EMail Address” in the CW side, and that should correspond to the default SAML token “emailaddress” -> “user.mail”?

    And when you log into the CW page, the user ID there – does that match anything else?

    I have ours all setup, but keep getting “Server error. Please contact your Administrator.”
    I tried a number of different combinations of attributes and name settings (having the unique user id match my login ID in CW, as well as email address), but all seem to fail. Used fiddler and able to capture the SAML response and looks like I’m passing in the right values based on what I happened to have chose, but always fails.

    Did some searching afterwards and came across your page, and you’re doing what I did, exception being the ID pulling the employeeid attribute, so not sure what your attribute is populated with in relationship to CW (email address, login ID, etc), if that value really matters at all if should just be matching email address anyhow, etc.

    Any insight would be appreciated.

    Thanks.

  3. So, all is needed is the unique ID and it matches the ‘user.mail’ value so it will match the email address.
    The issue I was having is the person that was doing the CW side has spaces at the end of the URLs when he copied/pasted them in and didn’t catch that.
    So that all works fine, but the login process now tries to open a separate browser page at login/authentication, then tries to close it out If I say ‘no’ then my login works fine (just in a second browser window). Not sure ‘why’, a bit odd. Functional, kind of.

  4. Any one get this working with the cloud hosted version?

  5. I just tried it for ConnectWise On-Premise and it didn’t work for me. I got the same error “Server error. Please contact your Administrator” after login to O365.

  6. My “User Identifier:” in Azure AD is user.employeeid but it does not work. Gives me the same error message. “Server error. Please contact your Administrator”

    I tried combinations of different ids, but nothing worked. I made sure no spaces were at the end of the URLs.

  7. anyone have any updates on this? i am getting same error msg “Server error. Please contact your administrator”, i am using the info in the article to configure duo gateway, but i think i have the id wrong or something else is up.

    • Try to set your Unique User Identifier to user.mail or something else. The variables have to line up between your UPN and Azure AD.

  8. Working like a champ.

    Thanks

  9. I have done everything and still can’t get it to work, looking to get some hekp here and willing to pay for it.

  10. So I noticed that now there is an entry under Enterprise Applications for ConnectWise. Does this work for both On-prem and Hosted?

  11. Does anyone know if this will work if you have MFA enabled on your AAD?

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)