HelloID Agent
The HelloID Agent must be installed on a server in your network to enable several functions in HelloID, including running PowerShell scripts and syncing Active Directory users. Agent communicates with components over the internet using HTTPS. The level of encryption is TLS 1.2, AES, with 256-bit encryption.
Authorizations
The HelloID Agent service must be installed with a local admin account. In production environments it is recommended that the agent runs in the security context of a domain account. The permissions required for the domain account will vary depending on the operations that the agent will be undertaking in your environment. Common operations and required privileges are listed below.
Running the HelloID Agent with a domain account is required in production environments. Running the HelloID agent with a local system account it can cause issues that result into logon problems for the end-users or failed synchronization tasks.
Authenticating Users
To authenticate users, the agent must simply be installed on a domain joined server.
Synchronizing AD users to HelloID
- Rights to read all the Organizational Units above the OU that contains the user accounts and groups that are synced to HelloID.
- Rights to read all nested groups of the groups that are synced to HelloID.
- Read rights on the following attributes:
- Users (Required)
- objectSid
- userAccountControl
- userPrincipalName
- sAMAccountName
- uSNChanged
- Users (Recommended)
- givenName
- sn
- telephoneNumber
- title
- department
- manager
- employeeID
- Groups (Required)
- objectSid
- name
- uSNChanged
- Groups (Recommended)
- ManagedBy
- Users (Required)
Datashare management
- For data share management, it’s recommended to install the agent on the file server with the shares.
- The account must have enough rights to modify the Access Control Entries (ACEs) on the file system.
- The account must have rights in Active Directory to create and modify security groups, as well as to add and remove users from those groups.
Self-Service and 3rd party tasks
These rights have to be determined per task/action which will take place when requesting products and or executing other automated actions. In addition to Active Directory, it might be necessary to grant rights in other systems where HelloID will perform actions.
Hardware
- 1.4 GHz 64-bit processor or faster
- 2 GB of RAM or more
- 50MB of free disk space
Learn how to install the HelloID Agent.
Software
- Windows server 2012 or higher
- Powershell version 4 or higher
- .Net Framework 4.5.2 or higher
When the HelloID Agent is used to automate tasks, the PowerShell modules required for the tasks must be installed on the server running the agent. When adding actions from the catalogue the needed module is shown, along with documentation specific to that task.
When the HelloID agent is running as a domain user it will need local admin rights to be able to run PowerShell according to the local execution policy.
Firewall
The servers which are running the HelloID Agent need to have access to the HelloID platform to ensure working communication for the user synchronization, authentication, and automation tasks. All traffic is initiated by the agents themselves using HTTPS port 443. No inbound ports need to be allowed on the firewall.
If it’s not possible to grant the server(s) an internet connection, the IP addresses of the HelloID servers in the Azure platform can be provided. Traffic to these addresses through port 443 has to be allowed in the firewall. However, when using this option, a configuration change has to be made in the HelloID platform. This change will cause the portal not to fail-over to other Azure regions, which can lead to downtime.
Active Directory Identity Provider (AD IdP)
The AD IdP is used to automatically log users into HelloID while using a computer that is a member of an Active Directory domain.
It works by using Windows authentication on IIS, which then authorizes the user in HelloID via SAML.
It’s not necessary to make the AD IdP available to the internet since all actions are initiated by the user’s browser client.
The AD IdP can be installed multiple times in one configuration to ensure high availability. If a high availability setup is needed, this has to be configured by the customer using their own preferred solution.
The AD IdP server must be configured with an SSL Certificate in IIS, which must be trusted by the client machines. The traffic to the HelloID webserver is using HTTPS. The level of encryption is TLS 1.2, AES with 256-bit encryption.
The following attributes will be sent in the SAML Message:
| SAML Attribute | Example |
| NameID | DOMAIN\Username |
| user@helloid.com | |
| FirstName | John |
| LastName | Williams |
| ADSID | S-1-5-21-1085031214-1563985344-725345543 |
| ADUPN | user@helloid.com |
| ADPhone | +31 6 123456789 |
It is not possible to change this default attribute set.
Hardware minimum requirements
Hardware minimum requirements:
- 4 GHz 64-bit processor or faster
- 2 GB of RAM or more
- 10MB program, 200MB data diskspace
Software requirements
- Windows server 2008 R2 or newer
- .NET Framework 4.5
- Web Server (IIS)
- Common HTTP Features
- Default Document
- Directory Browsing
- HTTP Errors
- Static Content
- Health and Diagnostics
- HTTP Logging
- Performance
- Static Content Compression
- Security
- Request Filtering
- Windows Authentication (not selected by default)
- Application Development
- .NET Extensibility 4.5 (not selected by default)
- NET 4.5 (not selected by default)
- ISAPI Extensions (not selected by default)
- ISAPI Filters (not selected by default)
- Management Tools
- IIS Management Console
- SSL Webserver certificate
- Common HTTP Features