HaloPSA - SSO configuration

HaloPSA - SSO configuration

Idea
This documentation has been tested and approved by Kelvin Zero's team
Quote
This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for HaloPSA using MPAS. SSO simplifies user authentication by allowing access to multiple applications with a single set of credentials. This integration enhances security and improves user experience across your organization.
Warning
To set up Multi-Pass with HaloPSA, ensure you meet the following requirements:
- HaloPSA admin rights and a business plan
- MPAS Admin rights
- Make sure that all users intended to use SSO in HaloPSA are registered in your IdP and have the necessary permissions to access HaloPSA.
Important: Custom elements in URLs (like realm names) are case sensitive. Make sure to match the exact casing from your environment.


HaloPSA - SSO configuration


Step 1: Enable the SAML Integration in HaloPSA

  1. Log into your HaloPSA dashboard.
  2. Go to Configuration > Advanced > Integrations.

  1. Scroll down to the Identity Management section.
  2. Click on ADFS and press the “+” icon to activate it.


Step 2: Retrieve HaloPSA Metadata and Configuration

  1. Once on the ADFS configuration page, download the HaloPSA metadata XML file (you’ll need it in MPAS).
  2. In the Identity Provider section:
    1. Type: Select Other
    2. Name: Enter a display name (e.g., Multi-Pass)

  1. Click on IdP Configuration — a window will pop up with information you will need for MPAS setup. Leave it open.

Step 3: Set Up the Client in Multi-Pass (MPAS)

  1. Go to https://dashboard.kzero.com/deployments
  2. Select your deployment.

  1. Click on Advanced Console from the left-side menu.
  2. Navigate to Clients > Create a Client.
  3. Fill in the following fields:
    1. Client Type: SAML
    2. Client ID: Use the Entity ID from HaloPSA
    3. Name: e.g., halopsa
    4. Description: e.g., SSO integration
    5. Always display in UI: ON

  1. Click Next.
  2. Then complete:
    1. Home URL: https://ca.auth.kzero.com/realms/<your-realm>/protocol/saml/clients/halopsa
    2. Valid Redirect URIs: Use the Single Sign-On URL from the HaloPSA IdP configuration window
    3. IDP-Initiated SSO URL Name: halopsa
  1. Click Save.
You will be redirect to a page with all the informations about the new client you just created, Scroll down and confirm/update the following settings:
  1. SAML Capabilities
    1. Name ID Format: email
    2. Force POST Binding: ON
    3. Include AuthnStatement: ON
  2. Signature & Encryption
    1. Sign Assertions: ON
  3. Keys Tab
    1. Both options must be switched OFF
  4. Advanced Tab
    1. Assertion Consumer Service POST Binding URL: Paste the Single Sign-On URL from HaloPSA.
  5. Click Save.
Before leaving MPAS, we need to get metadata file and the x.509 certificate.
  1. In the left-hand menu of MPAS, go to Realm Settings.
  2. Scroll down and click SAML 2.0 Identity Provider Metadata.

    1. A new window opens.
    2. Right-click > Save As, and save it as an XML file.
  1. Then, go to the Keys tab.
  2. On the line RS256, click Certificate to view the X.509 certificate.

  1. Copy the certificate and save it in a note.

Step 4: Finalize the configuration on HaloPSA

  1. In the SAML Configuration section of HaloPSA, fill in the following fields:
    1. Login URL: https://ca.auth.kzero.com/realms/<your-realm>/protocol/saml
    2. Logout URL: https://ca.auth.kzero.com/realms/<your-realm>/protocol/openid-connect/logout
    3. X.509 Certificate: Paste the certificate from MPAS, and be sure to add: -----BEGIN CERTIFICATE----- [your certificate here] -----END CERTIFICATE-----


Step 5: Confirm HaloPSA Integration Settings

  1. Go to the HaloPSA Configuration section and verify:
    1. Assertion Endpoint: /account/saml
    2. Allow Single Sign-On: Choose whether for Agents, Users, or Both
    3. SAML User Matching Attribute: NameId
    4. User Matching Field: Email address
    5. Sign all AuthnRequests: Make sure this is enabled

InfoYou’re done!
HaloPSA is now successfully integrated with Multi-Pass. Your users can now authenticate through a secure and centralized identity provider.

    • Related Articles

    • Auvik - SSO configuration

      This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Auvik using MPAS. SSO simplifies user authentication by allowing access to multiple ...

    • Datadog - SSO configuration

      This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Datadog using MPAS. SSO simplifies user authentication by allowing access to multiple ...

    • Blumira - SSO Configuration

      This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Blumira using MPAS. SSO simplifies user authentication by allowing access to multiple ...

    • Odoo - SSO configuration

      This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Odoo using MPAS. SSO simplifies user authentication by allowing access to multiple ...

    • Trend Micro - SSO configuration

      This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Trend Micro using MPAS. SSO simplifies user authentication by allowing access to multiple ...