Does Kaseya support SAML for MFA on other platforms besides AuthAnvil? It doesn't make sense to be forced into an MFA solution in 2019.
saaspass.com/.../kaseya-two-factor-authentication-2fa-single-sign-on-sso-saml This is what I found
raum.sandoval
There is support for MFA via AuthAnvil and Okta.
An unsupported method we use is to configure the SAML connector in the AuthAnvil module (under the SSO section).
We use Azure SSO to handle the sign-in, enforcing the MFA requirement here.
We then point the AuthAnvil module at a non-existent AuthAnvil server and tell it to enforce for all logins, which stops all users directly signing into Kaseya and makes the Azure SSO the only option.
Interested in this as well.
Same here. craig.smith's solution sounds very interesting.
Craig,
What settings are you using in Azure to get the authentication to Kaseya to work? I'm trying the same thing and I can only get it to drop me off at the login page.
Thanks,
- Marc
It took a bit of playing around with, but eventually the following settings are working on a production 9.5 instance:
Basic SAML:
Identifier: <KaseyaServer>/vsapres/web20/core/ssologin.aspx
Reply URL: <KaseyaServer>/vsapres/web20/core/ssologin.aspx
Replace <KaseyaServer> with the FQDN of your server.
User Attributes / Claims:
Unique User Identifier: Set this to match your user name format - in our case it's user.onpremisessamaccountname. Remove all additional claims, as you only need the user name passed to Kaseya.
Signing Options:
Signing Option: Sign SAML response
Signing Algorithm: SHA-1
In the AuthAnvil module
Go to Configure Kaseya Logon:
Tick "Enable Single Sign On to Kaseya" under the Kaseya Single Sign On Configuration section
Set the reply to URL to: <KaseyaServer>/vsapres/web20/core/ssologin.aspx
Import the certificate from Azure through the Select Certificate section. You want the Base 64 version of the certificate.
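An added example, not part of the post above and not Kaseya or Microsoft code: a Python check that decodes a captured SAMLResponse form value and compares it with the settings listed in the post (Reply URL, Identifier, single user-name claim, signed response, SHA-1). The host vsa.example.com, the user jsmith and the sample response are constructed, and the URL scheme is an assumption because the thread does not show it.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SSO_PATH = "/vsapres/web20/core/ssologin.aspx"  # path given in the thread
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"  # URI behind the SHA-1 option

def inspect_saml_response(b64_response, vsa_fqdn):
    """Compare a captured SAMLResponse with the thread's settings.
    Inspection only: this does not verify the signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    endpoint = vsa_fqdn + SSO_PATH  # scheme not shown in the thread, so match the tail
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS)
    # "Sign SAML response" puts ds:Signature directly under samlp:Response
    sig = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    extra = [a.get("Name") for a in root.findall(".//saml:Attribute", NS)]
    findings = []
    if not root.get("Destination", "").endswith(endpoint):
        findings.append("Destination does not match the Reply URL")
    if not audience.endswith(endpoint):
        findings.append("Audience does not match the Identifier")
    if sig is None:
        findings.append("Response element is not signed")
    if extra:
        findings.append("Extra claims present: " + ", ".join(extra))
    return {"name_id": name_id.strip(), "findings": findings,
            "sha1_signature": sig is not None and sig.get("Algorithm") == RSA_SHA1}

# Constructed sample response (not captured from a real tenant)
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://vsa.example.com/vsapres/web20/core/ssologin.aspx">
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
 </ds:SignedInfo></ds:Signature>
 <saml:Assertion>
  <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://vsa.example.com/vsapres/web20/core/ssologin.aspx</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute
   Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

The returned name_id is the value to compare against the user name format on the VSA server.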
Is this still working for you? I have set it up, but when trying to log in, I get an error page:
vsa.xxxxxxx.com/.../error.html
It seems like the endpoint set in the Identifier / Reply URL isn't functional? Tried basically everything I could, including creating multiple variations of accounts on the VSA server:
username
username@company.com
etc.
But no such luck. Any input would be appreciated. :)