Kaseya Community

Duo SSO 2FA and Kaseya

  • Does Kaseya support SAML for MFA on other platforms besides AuthAnvil? It doesn't make sense to be forced into an MFA solution in 2019.

  • saaspass.com/.../kaseya-two-factor-authentication-2fa-single-sign-on-sso-saml This is what I found.

  • There is support for MFA via AuthAnvil and Okta.

  • An unsupported method we use is to configure the SAML connector in the AuthAnvil module (under the SSO section).

    We use Azure SSO to handle the sign-in, enforcing the MFA requirement here.

    We then point the AuthAnvil module at a non-existent AuthAnvil server and tell it to enforce for all logins, which stops all users directly signing into Kaseya and makes the Azure SSO the only option.

  • Interested in this as well.

  • Same here. 's solution sounds very interesting.

  • Craig,

    What settings are you using in Azure to get the authentication to Kaseya to work? I'm trying the same thing and I can only get it to drop me off at the login page.

    Thanks,

    - Marc

  • It took a bit of playing around with, but eventually the following settings are working on a production 9.5 instance:

    Basic SAML:

    Identifier: <KaseyaServer>/vsapres/web20/core/ssologin.aspx

    Reply URL: <KaseyaServer>/vsapres/web20/core/ssologin.aspx

    Replace <KaseyaServer> with the FQDN of your server.

    User Attributes / Claims:

    Unique User Identifier: Set this to match your user name format - in our case it's user.onpremisessamaccountname. Remove all additional claims, as you only need the user name passed to Kaseya.

    Signing Options:

    Signing Option: Sign SAML response

    Signing Algorithm: SHA-1

    In the AuthAnvil module

    Go to Configure Kaseya Logon:

    Tick "Enable Single Sign On to Kaseya" under the Kaseya Single Sign On Configuration section.

    Set the reply-to URL to: <KaseyaServer>/vsapres/web20/core/ssologin.aspx

    Import the certificate from Azure through the Select Certificate section. You want the Base 64 version of the certificate.
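
A way to check a captured SAMLResponse (for example, copied from the browser's developer tools after the Azure sign-in) against the settings listed in the post above. This is an added example, not code from the thread or from Kaseya; the `https://vsa.example.com` host, the function names and the sample response are constructed for illustration, and the script only inspects structure without verifying the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def check_saml_response(b64_response, reply_url, identifier, sig_alg=RSA_SHA1):
    """List mismatches between a captured SAMLResponse and the settings above.
    Structural checks only: the signature value is NOT verified here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != reply_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the Reply URL")
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS).strip()
    if audience != identifier:
        problems.append(f"Audience {audience!r} is not the Identifier")
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    if not name_id.strip():
        problems.append("NameID (Unique User Identifier) is missing or empty")
    # "Sign SAML response" puts ds:Signature directly under samlp:Response.
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("Response element carries no signature")
    elif method.get("Algorithm") != sig_alg:
        problems.append(f"Signature algorithm is {method.get('Algorithm')}")
    extra = [a.get("Name") for a in root.findall(".//saml:Attribute", NS)]
    if extra:
        problems.append(f"Additional claims still sent: {extra}")
    return problems

def sample_response(url, alg=RSA_SHA1, claims=""):
    """Constructed, unsigned skeleton of a response (not a real capture)."""
    xmlns = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    doc = (f'<samlp:Response {xmlns} Destination="{url}">'
           f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/>'
           f'</ds:SignedInfo></ds:Signature><saml:Assertion><saml:Subject>'
           f'<saml:NameID>jsmith</saml:NameID></saml:Subject><saml:Conditions>'
           f'<saml:AudienceRestriction><saml:Audience>{url}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions>{claims}'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(doc.encode()).decode()

if __name__ == "__main__":
    URL = "https://vsa.example.com/vsapres/web20/core/ssologin.aspx"  # constructed host
    print(check_saml_response(sample_response(URL), URL, URL))  # expect no mismatches
```

Pass the base64 value of the `SAMLResponse` form field as the first argument; an empty list means the response matches the Identifier, Reply URL, claim and signing settings described in the post.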

  • Is this still working for you? I have set it up, but when trying to log in, I get an error page:

    vsa.xxxxxxx.com/.../error.html

    It seems like the endpoint set in the Identifier / Reply URL isn't functional? Tried basically everything I could, including creating multiple variations of accounts on the VSA server:

    username

    username@company.com

    etc.

    But no such luck. Any input would be appreciated. :)