Implementing AzureAD SSO for the Kaseya VSA

In this post we cover how to setup Azure Active Directory to provide the authentication for a Kaseya Virtual System Administrator server using single sign on through SAML.

These instructions assume you have access to a Kaseya VSA server (with the AuthAnvil module installed) and licensed for Enterprise Applications in Azure AD.

We will not be covering the details of the Enterprise App configuration outside of the SAML based setup.

Configuration – Azure AD

1. To begin log into your Azure AD tenant and open the Enterprise Applications settings.
2. Choose New Application at the top.
3. Then select “Non-Gallery Application” and give this a name.
4. In the left menu choose Single sign-on
5. Choose SAML as the option
6. Enter the Basic SAML Configuration section
   1. Identifier (Entity ID) for this we want to use the URL of your VSA server as a base and the rest of <vsaserver>/vsapres/web20/core/ssologin.aspx
      e.g:
      https://vsa.arweth.com/vsapres/web20/core/ssologin.aspx
   2. Repeat this for the Reply URL (Assertion Consumer Service URL)
   3. Leave the remainder empty (Sign on URL, Relay State, Logout URL)
7. Enter the User Attributes & Claims
   1. Name identifier value: This is what we use for the Kaseya user name.
   2. You want to delete all other entries from this section other than the one we use to sign into Kaseya with.
8. SAML Signing Certificate
   1. Enter the configuration for the certificate. You can use the default Azure generated one or upload a new one if you use your own certificate on different platforms.
   2. Set the signing option to Sign SAML response
   3. Signing Algorithm to SHA-1
   4. Set a notification email address to be notified when this certificate is due to expire.
   5. Download the certificate (Base 64) as we need this later.

Configuration – Kaseya VSA

1. From here we configure the AuthAnvil module in the VSA server.
   1. Go to AuthAnvil -> Two Factor Auth -> Configured Kaseya Logon
   2. Enter an AuthAnvil SAS URL just so this setting saves – we use a non-existing AuthAnvil on demand tenant as this still verifies the URL exists.
      https://nonexistant-disable.my.authanvil.com/SAS.asmx
   3. Tick the option “Enable Single Sign On to Kaseya”
   4. Set the reply to URL to the same as used in step 5.1 above
   5. Click “Select Certificate”
   6. Followed by “Choose File” and choose the certificate we downloaded in step 7.5 above
   7. Click “Import Selected Certificate” and confirm the certificate information supplied is for the correct certificate – if you used an Azure generated one this will have Azure details on it.
   8. Save the settings

Once you assign the application to users in AzureAD you should be able to log into the VSA with the enterprise application portal.

Troubleshooting

When this fails to work the sign in process will take you to the server login screen.

There are very few logs that assist with troubleshooting this.

One of the tools used when troubleshooting our configuration was the SAML-tracer plugin for Firefox: https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

This plugin when shows the SAML traffic and the data being passed to the Kaseya VSA server.
One of the main issues we encountered was getting the correct user claim passed in the SAML response.
This is because the user must match the internal Kaseya directory exactly.

The other main issue is to ensure your signing settings are correct as the VSA will not process these when set incorrectly.

Please comment here or reach out to me if I’ve missed something or a step is not clear.