Patrick Mackaaij
… is an information distribution coordinator. He specializes
in technical issues and process optimization.

Different login names and passwords for various applications
are a daily annoyance for end users. With SAML (Security Assertion
Markup Language) you can give employees, customers and partners
automatic logins based on the single sign-on principle. They only
need to log in once, after which they can seamlessly use the
organization's applications, even over the internet.

What is SAML?

SAML is a technical standard that simplifies automatic logins. Applications outsource the login processing to an Identity Provider (IdP).

When an end user wants to log in to an application, the application refers the end user to the IdP to process the login. The IdP identifies the end user based on their login name, password and (if applicable) a second factor such as a code sent to their smartphone. The IdP then issues a signed statement about the user (an assertion), which the browser passes back to the original application. The application verifies that statement and logs the user in automatically; it never sees the password itself, which is exactly why it must check the assertion's signature, issuer, intended audience, validity window and the login request it answers before trusting it. If the end user recently logged in at the IdP, the IdP fulfils the request immediately without asking for credentials again. As a result, the user experiences applications that support SAML as single sign-on.

The end user can use the same login credentials for all applications involved in single sign-on. One of SAML's benefits is that the applications in question do not store login details. In practice, applications often store login credentials in their database in a way that is not coded securely enough, and news of passwords leaked due to insufficient security is not uncommon.

For administrators, it is a benefit that logging in is managed centrally. An administrator can block access to all related applications from a single point. Instances where this is useful include an employee leaving the organization, or a password being entered incorrectly several times. Note that blocking a user at the IdP stops new logins; a session the user already has in an application lasts until that application's session expires or is ended. Central management also makes it possible to enforce password complexity and second-factor requirements in one place.
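The exchange described above, as an added example that is not part of the original article or of TOPdesk's product: the application (Service Provider, SP) builds a SAML 2.0 AuthnRequest for the HTTP-Redirect binding, the IdP answers with a Response carrying an Assertion, and the SP performs the checks that make that assertion usable only by this application, only for this login request, only during its validity window and only once. The entity IDs, URLs and user names are assumed for the example, the replay store is an in-memory set, and XML signature verification is deliberately left out because it needs an XML-DSig library (e.g. xmlsec); a real SP must verify the IdP's signature before running these checks.

```python
# Added example (not TOPdesk's or the author's code): the SAML 2.0 Web Browser SSO
# exchange between a Service Provider (SP, the application) and an Identity
# Provider (IdP), using only the Python standard library. Entity IDs, URLs and
# the user name are assumed. XML signature verification (XML-DSig, e.g. with
# xmlsec) is NOT implemented here; a real SP must verify the IdP's signature
# before running the checks in validate_response().
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://topdesk.example.com/tas/"                 # assumed
SP_ACS_URL = "https://topdesk.example.com/tas/public/login/saml"  # assumed
IDP_ENTITY_ID = "http://adfs.example.com/adfs/services/trust"     # assumed
IDP_SSO_URL = "https://adfs.example.com/adfs/ls/"                 # assumed

consumed_assertion_ids = set()  # replay protection; a real SP keeps this in shared storage

def now_utc():
    return datetime.now(timezone.utc)

def ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def text(el, path):
    child = el.find(path, NS)
    return child.text if child is not None else None

def build_authn_request(request_id=None):
    """SP side: AuthnRequest for the HTTP-Redirect binding (raw DEFLATE, base64,
    URL-encode). The SP remembers request_id to match the IdP's InResponseTo."""
    request_id = request_id or "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{ts(now_utc())}" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    url = IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return request_id, url

def decode_authn_request(url):
    """IdP side: recover (request ID, SP entity ID) from the redirect URL."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    return root.get("ID"), text(root, "saml:Issuer")

def build_response(in_response_to, name_id, lifetime_seconds=300):
    """IdP side: after checking password and second factor, issue a Response with
    one Assertion bound to this SP and this request. A real IdP signs it here."""
    now = now_utc()
    nb, noa = ts(now - timedelta(minutes=1)), ts(now + timedelta(seconds=lifetime_seconds))
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{ts(now)}" '
            f'Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{ts(now)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData InResponseTo="{in_response_to}" '
            f'Recipient="{SP_ACS_URL}" NotOnOrAfter="{noa}"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"><saml:AudienceRestriction>'
            f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion></samlp:Response>')

def validate_response(response_xml, expected_request_id, now=None):
    """SP side (after signature verification): accept the assertion only if it answers
    our request, is addressed to us, is inside its validity window and is unused.
    Returns the NameID to log in; raises ValueError otherwise."""
    now = now or now_utc()
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    if root.get("Destination") != SP_ACS_URL or root.get("InResponseTo") != expected_request_id:
        raise ValueError("Response is not the answer to our AuthnRequest at our ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if text(root, "saml:Issuer") != IDP_ENTITY_ID or text(a, "saml:Issuer") != IDP_ENTITY_ID:
        raise ValueError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Assertion is not intended for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != SP_ACS_URL
            or scd.get("InResponseTo") != expected_request_id or now >= parse_ts(scd.get("NotOnOrAfter"))):
        raise ValueError("SubjectConfirmationData does not match this request")
    if a.get("ID") in consumed_assertion_ids:
        raise ValueError("Assertion already used (replay)")
    consumed_assertion_ids.add(a.get("ID"))
    return text(a, "saml:Subject/saml:NameID")

def sso_round_trip(user="p.mackaaij@example.com"):
    """Whole exchange: SP redirect -> IdP authenticates -> Response -> SP validates."""
    request_id, url = build_authn_request()
    assert decode_authn_request(url) == (request_id, SP_ENTITY_ID)
    response = build_response(request_id, user)      # IdP has verified password + 2nd factor
    return validate_response(response, request_id)  # SP starts a session for this NameID

if __name__ == "__main__":
    print("logged in as", sso_round_trip())
```

Each rejection in validate_response corresponds to a real attack class: a Response with the wrong InResponseTo is an unsolicited or replayed login, a wrong Audience is an assertion stolen from another application, and a second Assertion in one Response is a classic wrapping trick, which is why exactly one is accepted. The consumed-ID set must live in storage shared by all application nodes, otherwise a replay against another node succeeds.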


SAML and LDAPS instead of VPN

Organizations that outsource the technical management of applications to application suppliers often choose a VPN connection. This 'tunnel' facilitates automatic logins and data exchange with other systems, such as with TOPdesk SaaS. Opening and maintaining a VPN connection takes time, however. Installing it, and changing the installation at a later date, requires coordination between your organization and the application supplier. Besides, the tunnel is temporarily unavailable during maintenance. Think for instance of changing the pre-shared key (the connection's 'password'), which in practice is rarely changed because of all the surrounding hassle. In daily use, a VPN connection often results in minor disruptions when one of the intermediate steps has a temporary malfunction.

SAML runs over HTTPS in the end user's browser, so your colleagues, customers and partners across the globe can use single sign-on without the disadvantages of a VPN connection. Any exchange of data, such as important contact details, can often be done in a different way, such as via LDAPS (LDAP over SSL/TLS), a stable and secure network protocol.

For this purpose, LDAPS is safer than a VPN. A VPN only encrypts the tunnel itself: the communication between the end user and the tunnel endpoint on one side, and between the tunnel endpoint and the server on the other side, may be unencrypted. LDAPS encrypts the entire connection, from the client to the directory server, and the server proves its identity with an SSL/TLS certificate. Short pre-shared keys are common for VPNs and, as noted above, are rarely rotated; an LDAPS server is authenticated by the private key behind its certificate, a long random value (the multi-line block of mixed characters in the key file) that cannot be guessed or sent around by e-mail. This protection only holds if the client actually verifies the certificate: the supplier's system must check the certificate chain and host name, otherwise an attacker in the path could present a certificate of their own.

For your network's safety, the commonly used Microsoft Active Directory has offered the possibility of connecting a Read Only Domain Controller (RODC) to the internet since Windows Server 2008. An RODC holds a read-only copy of the directory and, by default, does not cache account passwords, which limits the damage if the internet-facing server is compromised. You can further secure the server by only allowing connections from the supplier's specific IP addresses to specific port numbers (for LDAPS that is TCP port 636; plain LDAP on port 389 should stay closed). Another option is limiting the traffic to the Domain Controller using stateful inspection.

Are you currently using a VPN connection to TOPdesk SaaS? Contact your account manager to discuss the possibilities.

Getting started with SAML

Microsoft's Active Directory Federation Services (AD FS) can operate as an IdP for SAML. This is also true for the Microsoft-hosted Azure Active Directory. The settings required for TOPdesk can be found in Microsoft's documentation: http://bit.ly/1IJ7gZq.

Do you not yet have an IdP, or has your Active Directory not yet been set up to function as such? You could call in an organization that supplies network management to take care of the set-up, such as our sister organization OGD.

TOPdesk supports SAML 2.0 from version 5.5 onwards. In order to use SAML, your TOPdesk environment must be accessible over HTTPS (the SSL/TLS protocol), because the IdP delivers the signed login assertion to TOPdesk through the user's browser. This can be either directly or through a proxy, as documented on the TOPdesk Help & Support website. You also need the TOPdesk licence for web authentication, along with a few days of consultancy to set up the SAML link. You can read more about this in our documentation on the Help & Support website: http://bit.ly/1LL26tF.

Our consultants can also help you update your TOPdesk environment. Get in touch with your TOPdesk account manager to discuss your options.

TOPdesk Magazine covers subjects that are topical in the world of professional service desks in IT, facilities and other service providing organizations. TOPdesk Magazine is intended for managers, service desk employees, facilities organizations and electronic city councils: anyone who is involved with supporting clients on a daily basis. This concerns both the processes and the technology behind these services.

TOPdesk Magazine is a TOPdesk publication,
+44 (0) 207 803 4200, editorial@topdesk.com
Editors-in-chief: Milou Snaterse, Nicola van de Velde
Editors: Nienke Deuss, Stefanie Klaassen, Milou Snaterse, Luke van Velthoven

Translators: Laura van Rosenberg, Leah Clarke
and Nicola van de Velde
Contributors: Lukke van Bemmel, Wes
Heemskerk, Fiona IJkema, Patrick Mackaaij,
Wolter Smit
Layout: Louise van der Laak, Joost Knuit,
Denise van Rijst
Photography: Menno van der Bijl, Aad
Copy editor: Leah Clarke
A print run of 10,000
Quarterly magazine
Languages: Dutch, English
Copyright © 2015 TOPdesk. Although this
publication has been produced with the
utmost care and attention, the writers
cannot be held responsible in any way for any
damages that may occur due to errors and /
or deficiencies in this publication.
