Helpdesk Single-Sign-On - SAML and beyond
What is "Single Sign-On"?
In simple terms, "single sign-on" (SSO) allows your users to log in to Jitbit Helpdesk using the same credentials they use for other cloud applications or websites. Jitbit Helpdesk offers several methods for implementing SSO:
- Via SAML protocol - keep reading.
- "Sign in with Google" - Google's standard OAuth protocol.
- "Sign in with Microsoft" - Microsoft's standard OAuth protocol.
- Via the autologin API, which enables you to create special expiring login links (less commonly preferred).
- Via Windows-integrated authentication (SaaS version) by deploying a simple script on your local server. This script authenticates users using their Windows accounts and redirects them to the helpdesk application.
- Via Windows-integrated authentication directly (available for the self-hosted version only).
SAML Sign-On
Jitbit Helpdesk supports the SAML 2.0 protocol for single sign-on. Below are the settings you might need to configure in your SAML provider:
- App ID URI (sometimes labeled "Entity ID", etc.) - https://www.jitbit.com/web-helpdesk/
- SAML Sign-On URL - [HelpDeskURL]/User/Login (for example, if you are using the hosted version: https://acme.jitbit.com/helpdesk/User/Login)
- Reply URL (sometimes labeled "Assertion Consumer URL", etc.) - [HelpDeskURL]/Saml/Consume (for example: https://acme.jitbit.com/helpdesk/Saml/Consume)
To complete the setup, simply enter the SAML endpoint address and the X.509 certificate (obtain these from your SAML provider) in the helpdesk admin panel. Once configured, the integration should function seamlessly. This feature is compatible with both our hosted helpdesk and the downloadable version. You can integrate it with any SAML 2.0 compliant provider, such as Windows Azure and OneLogin.
Optional Attributes
Your SAML provider likely already includes the "NameID" setting and the "User.email" parameter. You can optionally include attributes for the user's first and last names in the SAML response.
<saml:Attribute Name="first_name"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:anyType">FirstName</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="last_name"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:anyType">LastName</saml:AttributeValue>
</saml:Attribute>
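A pre-flight check for the IdP side of the settings above, as an added example (not Jitbit's code): it inspects a decoded SAML Response captured from a test login, confirms that Audience, Destination and Recipient match the App ID URI and Reply URL listed on this page, and reports whether the optional name attributes were sent. The function name and the sample response are constructed for illustration, and it assumes your IdP places these values in the standard SAML 2.0 elements; which of these fields the helpdesk itself enforces is not stated on this page.

```python
import xml.etree.ElementTree as ET  # run only on responses from your own test login
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "https://www.jitbit.com/web-helpdesk/"  # App ID URI given on this page
# Constructed, trimmed, unsigned sample; a real Response also has IDs, Issuer, signature.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs}">
 <saml:Assertion>
  <saml:Subject><saml:NameID>jane@acme.example</saml:NameID>
   <saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="{acs}"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>{aud}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="first_name">
   <saml:AttributeValue>Jane</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, helpdesk_url):
    """Return (errors, warnings, attrs). Checks IdP configuration only; it does
    not verify the XML signature, so it is not an authentication check."""
    acs = helpdesk_url.rstrip("/") + "/Saml/Consume"  # Reply URL from this page
    root = ET.fromstring(xml_text)
    errors, warnings = [], []
    if root.get("Destination") != acs:
        errors.append("Response Destination is not the Reply URL")
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if ENTITY_ID not in audiences:
        errors.append("Audience does not contain the App ID URI")
    data = root.iterfind(".//saml:SubjectConfirmationData", NS)
    if acs not in [d.get("Recipient") for d in data]:
        errors.append("SubjectConfirmationData Recipient is not the Reply URL")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        errors.append("NameID is missing or empty")
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in ("first_name", "last_name"):  # optional attributes from this page
        if name not in attrs:
            warnings.append(f"optional attribute {name} not sent")
    return errors, warnings, attrs

if __name__ == "__main__":
    url = "https://acme.jitbit.com/helpdesk"  # example HelpDeskURL from this page
    print(check_response(SAMPLE.format(acs=url + "/Saml/Consume", aud=ENTITY_ID), url))
```

A common misconfiguration this catches is entering the Sign-On URL or the helpdesk's own address where the IdP expects the Reply URL or the App ID URI.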
Supported SAML Providers
Jitbit is compatible with a wide range of SAML providers, including:
- Azure Active Directory (aka "MS Entra ID") (step-by-step manual)
- OneLogin (step-by-step manual)
- Google Apps (step-by-step manual)
- ADFS (step-by-step manual)
- SAASPASS (step-by-step manual)
- Centrify (step-by-step manual)
- Any other provider that supports SAML 2.0
By utilizing SAML, you can integrate Jitbit with your LDAP, Active Directory, multi-factor authentication systems, security tokens, mobile logins, and more.
SAML vs. "Sign in with Google" vs. "Sign in with Microsoft"
While SAML offers robust integration capabilities, it can sometimes be complex to configure. To provide simpler alternatives, we also offer standard, zero-configuration "Sign in with Microsoft account" and "Sign in with Google account" options. These work out of the box, enabling seamless login for users with Microsoft or Google accounts (both personal and company-managed). You can easily enable these options with a single checkbox and optionally specify allowed domain names (for example, restricting Microsoft logins to users with "@YourCompany.com" email addresses).
SCIM - Automatic User Provisioning/Deprovisioning
Jitbit Helpdesk has recently introduced support for the SCIM protocol. This allows you to automatically provision and deprovision helpdesk user accounts from your central user management system (Identity Provider or IdP, such as Microsoft Entra ID (formerly Azure AD), Okta, Auth0, Google Workspace, etc.). Any changes made to user accounts in your IdP will be automatically reflected in the helpdesk application. For more details, please refer to our SCIM documentation.
Seamless Log-Out with "Single Sign-Out (SLO)"
To ensure a complete and secure logout across your systems, Jitbit Helpdesk supports SAML's Single Log Out (SLO). When you sign out of Jitbit, a logout request is automatically sent to your Identity Provider (IdP). Simply configure the "SLO URL" in your Jitbit settings to enable this feature.
No SAML? Use Our API!
If SAML isn't the right fit for your needs, your developers can leverage our authentication API to generate secure, time-limited "auto-login" links for users to access the helpdesk application.