HaloPSA - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team
This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for HaloPSA using MPAS. SSO simplifies user authentication by allowing access to multiple applications with a single set of credentials. This integration enhances security and improves user experience across your organization.
To set up Multi-Pass with HaloPSA, ensure you meet the following requirements:
- HaloPSA admin rights and a business plan
- MPAS Admin rights
- Make sure that all users intended to use SSO in HaloPSA are registered in your IdP and have the necessary permissions to access HaloPSA.
Important: Custom elements in URLs (like realm names) are case sensitive. Make sure to match the exact casing from your environment.
HaloPSA - SSO configuration
Step 1: Enable the SAML Integration in HaloPSA
- Log into your HaloPSA dashboard.
- Go to Configuration > Advanced > Integrations.
- Scroll down to the Identity Management section.
- Click on ADFS and press the “+” icon to activate it.
Step 2: Retrieve HaloPSA Metadata and Configuration
- Once on the ADFS configuration page, download the HaloPSA metadata XML file (you’ll need it in MPAS).
- In the Identity Provider section:
- Type: Select Other
- Name: Enter a display name (e.g., Multi-Pass)
- Click on IdP Configuration — a window will pop up with information you will need for MPAS setup.
- To enable login requests initiated by the identity provider (IdP), you must retrieve and use the client_id provided by MPAS
- At the bottom of the configuration page, you will find a line starting with: client_id=[...]
- Copy we will need it in MPAS
Step 3: Set Up the Client in Multi-Pass (MPAS)
- Open Multi-Pass Dashboard
- Select your deployment.
- Click on Advanced Console from the left-side menu.
- Navigate to Clients > Create a Client.
- Fill in the following fields:
- Client Type: SAML
- Client ID: Use the Entity ID from HaloPSA
- Name: e.g., halopsa
- Description: e.g., SSO integration
- Always display in UI: ON
- Click Next.
- Then complete:
- Home URL: https://ca.auth.kzero.com/realms/<your-realm>/protocol/saml/clients/halopsa
- Valid Redirect URIs: Use the Single Sign-On URL from the HaloPSA IdP configuration window
- IDP-Initiated SSO URL Name: halopsa
- Click Save.
You will be redirect to a page with all the informations about the new client you just created, Scroll down and confirm/update the following settings:
- SAML Capabilities
- Name ID Format: email
- Force POST Binding: ON
- Include AuthnStatement: ON
- Signature & Encryption
- Sign Assertions: ON
- Keys Tab
- Both options must be switched OFF
- Advanced Tab
- Assertion Consumer Service POST Binding URL: Paste the Single Sign-On URL from HaloPSA and do not forget to add the client_id=[...] mentionned above.
- Click Save.
Before leaving MPAS, we need to get metadata file and the x.509 certificate.
- In the left-hand menu of MPAS, go to Realm Settings.
- Scroll down and click SAML 2.0 Identity Provider Metadata.
- A new window opens.
- Right-click > Save As, and save it as an XML file.
- Then, go to the Keys tab.
- On the line RS256, click Certificate to view the X.509 certificate.
- Copy the certificate and save it in a note.
Step 4: Finalize the configuration on HaloPSA
- In the SAML Configuration section of HaloPSA, fill in the following fields:
- Login URL: https://ca.auth.kzero.com/realms/<your-realm>/protocol/saml
- Logout URL: https://ca.auth.kzero.com/realms/<your-realm>/protocol/openid-connect/logout
- X.509 Certificate: Paste the certificate from MPAS, and be sure to add: -----BEGIN CERTIFICATE----- [your certificate here] -----END CERTIFICATE-----
Step 5: Confirm HaloPSA Integration Settings
- Go to the HaloPSA Configuration section and verify:
- Assertion Endpoint: /account/saml
- Allow Single Sign-On: Choose whether for Agents, Users, or Both
- SAML User Matching Attribute: NameId
- User Matching Field: Email address
- Sign all AuthnRequests: Make sure this is enabled
- Accept login requests that are initiated via the identity provider : make sure this is enabled if you want to authenticate by using your identity provider and that the client_id has been paste at the right place in MPAS.
You’re done!HaloPSA is now successfully integrated with Multi-Pass. Your users can now authenticate through a secure and centralized identity provider.
Related Articles
SAML SSO Integration Guide
This guide provides an overview of how to configure SAML Single Sign-On (SSO) between Multi-Pass and a third-party Service Provider (SP). Multi-Pass acts as the Identity Provider (IdP) in this federation model. Multi-Pass is working on SCIM support ...Rocket.chat - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Rocket.chat using MPAS. SSO simplifies user authentication by allowing access to multiple ...Auvik - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Auvik using MPAS. SSO simplifies user authentication by allowing access to multiple ...Huntress - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Huntress using MPAS. SSO simplifies user authentication by allowing access to multiple ...ConnectWise - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for ConnectWise using MPAS. SSO simplifies user authentication by allowing access to multiple ...