HelloID Agent
To enable important on-premises features, at least one HelloID Agent must be installed on a server in your network. These features include:
- running PowerShell scripts,
- syncing Active Directory users into HelloID,
- authenticating user logins, and
- account provisioning.
For installation instructions, see Install or manage an Agent.
Agent requirements are listed below.
Server
The Agent can run on any domain-joined server that has outbound HTTPS access to HelloID. We recommend, however, that it not be run on a domain controller. Running the Agent on a domain controller causes several problems. If the HelloID Directory Agent service starts before the Active Directory services it depends on, the Agent cannot reach AD and shuts down. The Provisioning Agent service may also conflict with the local security policies applied to domain controllers. There is a security reason as well: the Agent's service account needs local administrator rights (see below), and on a domain controller the local Administrators group is the domain's built-in Administrators group, so an account that is compromised through a task or script on that server effectively holds domain administrator privileges.
If you must install the Agent on a domain controller, you can attempt to work around the startup ordering problem by setting the HelloID Directory Agent service to restart on failure in the Recovery tab of its Windows service properties. You will also need to identify and evaluate manually any security policies that may interfere with the Provisioning Agent service.
Installation and execution permissions
The HelloID Agent must be installed with an administrator account.
In production environments, its three services must run under a domain account (one account, or one per service). Running them under built-in local accounts such as Local System can cause logon problems for end users or failed synchronization tasks. The domain account must also have local administrator rights on the Agent server, or the Agent will fail to update itself.
The Active Directory permissions required by the domain account depend on the operations the Agent will perform in your environment. For example, if the Agent will run tasks that create AD users and add them to groups, the account needs exactly those rights. All actions happen in the security context of the assigned account, so grant it the permissions its tasks need and nothing more; a compromised task runs with whatever the account can do.
Additional requirements for common HelloID operations are listed below.
Synchronizing AD users to HelloID
- Read rights for all the Organizational Units above the OU that contains the user accounts and groups that are synced to HelloID.
- Read rights for all nested groups of the groups that are synced to HelloID.
- Read rights for the following attributes:
  - Users (required)
    - objectSid
    - userAccountControl
    - userPrincipalName
    - sAMAccountName
    - uSNChanged
  - Users (recommended)
    - givenName
    - sn
    - telephoneNumber
    - title
    - department
    - manager
    - employeeID
  - Groups (required)
    - objectSid
    - name
    - uSNChanged
  - Groups (recommended)
    - managedBy
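The attribute-level delegation the list above describes, written out as an added example; this is not HelloID's own code or installer. It grants the Agent's service account ReadProperty on exactly the listed user and group attributes, inherited by descendant user and group objects of one OU, plus List Contents on that OU subtree so the account can enumerate the objects at all. The account name and OU are assumptions to replace; the schema GUID lookup is what makes a per-attribute ACE possible. Read access on the OUs above the target OU and on nested groups that live elsewhere is not covered by this scope and must be delegated where those objects are.

```powershell
# Added example, not HelloID code: least-privilege read delegation for the Agent service account.
# Assumptions: account name, target OU, and that the ActiveDirectory module (AD: drive) is present.
Import-Module ActiveDirectory

$AgentAccount = 'CORP\svc-helloid-agent'                # assumption
$TargetOU     = 'OU=Users,OU=Corp,DC=corp,DC=example'   # assumption

# Attribute lists taken from the requirements above (required + recommended).
$UserAttrs  = 'objectSid','userAccountControl','userPrincipalName','sAMAccountName','uSNChanged',
              'givenName','sn','telephoneNumber','title','department','manager','employeeID'
$GroupAttrs = 'objectSid','name','uSNChanged','managedBy'

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$identity = New-Object System.Security.Principal.NTAccount($AgentAccount)

# Resolve an attribute or class lDAPDisplayName to its schemaIDGUID; ACEs reference attributes by GUID.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "No schema object named '$LdapDisplayName'" }
    [guid]$obj.schemaIDGUID
}

# Allow ReadProperty on one attribute, inherited only by descendant objects of the given class.
function New-ReadPropertyRule {
    param([string]$Attribute, [guid]$InheritedObjectClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $Attribute),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $InheritedObjectClass)
}

$acl        = Get-Acl -Path "AD:\$TargetOU"
$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'

foreach ($a in $UserAttrs)  { $acl.AddAccessRule((New-ReadPropertyRule $a $userClass)) }
foreach ($a in $GroupAttrs) { $acl.AddAccessRule((New-ReadPropertyRule $a $groupClass)) }

# List Contents on the OU and everything below it: without this the attribute ACEs are useless
# because the account cannot enumerate the objects. This is the "read rights on the OU" part.
$listRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::ListChildren,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($listRule)

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: list every ACE the account now holds on the OU, with the attribute GUID each one covers.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -eq $AgentAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Run this once from a host with the RSAT Active Directory module, as an account that may modify the OU's security descriptor. Re-running it is harmless: AddAccessRule merges identical rules rather than duplicating them.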
Self Service, PowerShell tasks
These permissions have to be determined separately for each task that will run on premises. In addition to granting permissions in Active Directory, it may be necessary to grant permissions in the other systems where HelloID will perform actions.
When the Agent is used to run a task, any PowerShell modules the task requires must be installed on the server running the Agent. When you add tasks from the HelloID task catalog, the required module(s) are shown along with the task-specific documentation.
When the Agent runs as a domain user, that account needs local administrator rights to run PowerShell under the server's execution policy.
Hardware
- 1.4 GHz 64-bit processor or faster
- 2 GB of RAM or more (Service Automation and/or Access Management)
- 8 GB of RAM or more (Provisioning)
- 50 MB of free disk space
Software
- Windows Server 2019 or higher (older versions may work, but we recommend staying within the Microsoft Lifecycle Policy)
- PowerShell version 5 or higher
  - If you have installed more than one Agent, all Agents must run on the same version of PowerShell.
- .NET Framework 4.5.2 or higher
Firewall
The server(s) running the Agent need access to the HelloID platform for user synchronization, authentication, and automation tasks. All traffic is initiated by the Agent itself over HTTPS on port 443; no inbound ports need to be opened on the firewall. You must also allow outbound access to the HelloID domains (allow-list them). Connections use TLS 1.2 with AES 256-bit encryption.
If the server(s) cannot be given a general internet connection, the IP addresses of the HelloID servers in the Azure platform can be provided instead, and traffic to those addresses on port 443 must be allowed through the firewall. Using this option requires a configuration change in the HelloID platform that prevents the portal from failing over to other Azure regions, so an outage of the primary region then means downtime for you.
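A pre-flight check for an Agent server, added here as an example and not part of the HelloID product. It tests the requirements from the sections above in one pass: not a domain controller, services running under domain accounts rather than built-in ones, PowerShell and .NET Framework versions, the modules your tasks need, the execution policy, and outbound HTTPS to HelloID with an actual TLS 1.2 handshake that also reports the negotiated cipher strength. The HelloID host name, the module list and the `HelloID*` service name prefix are assumptions to adjust.

```powershell
# Added example, not HelloID code: pre-flight checks for a server that will host the Agent.
# Assumptions: $HelloIdHost is your tenant's host name, $RequiredModules comes from your task
# documentation, and the Windows services are named with a 'HelloID' prefix (verify in services.msc).
param(
    [string]$HelloIdHost = 'customer.helloid.com',       # assumption
    [string[]]$RequiredModules = @('ActiveDirectory')    # assumption
)

$checks = [ordered]@{}

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
$checks['Not a domain controller'] = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 2
$checks['PowerShell 5 or higher']  = $PSVersionTable.PSVersion.Major -ge 5

# .NET Framework 4.x release key; 379893 is the documented value for 4.5.2 and later values are higher.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$checks['.NET Framework 4.5.2 or higher'] = ($ndp.Release -ge 379893)

# Services must run as a domain account, not one of the built-in service identities.
$builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
foreach ($svc in Get-CimInstance Win32_Service -Filter "Name LIKE 'HelloID%'") {
    $checks["Service '$($svc.Name)' uses a domain account ($($svc.StartName))"] = $svc.StartName -notin $builtIn
}

# Modules the catalog tasks require must be present on this server.
foreach ($m in $RequiredModules) {
    $checks["Module '$m' installed"] = [bool](Get-Module -ListAvailable -Name $m)
}
$checks['Execution policy (LocalMachine)'] = Get-ExecutionPolicy -Scope LocalMachine

# Outbound only: TCP 443 reachable, then a TLS 1.2 handshake with certificate validation
# and revocation checking, reporting the negotiated cipher so the AES-256 claim can be verified.
$checks["TCP 443 to $HelloIdHost"] =
    (Test-NetConnection -ComputerName $HelloIdHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($HelloIdHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($HelloIdHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
    $label = "TLS 1.2 handshake with $HelloIdHost ($($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit)"
    $checks[$label] = ($ssl.SslProtocol -eq 'Tls12')
    $ssl.Dispose(); $tcp.Dispose()
} catch {
    $checks["TLS 1.2 handshake with $HelloIdHost"] = $false
}

# Print a simple report; anything False needs attention before installing the Agent.
$checks.GetEnumerator() | ForEach-Object { '{0,-75} {1}' -f $_.Key, $_.Value }
```

Run it as the domain account the services will use, so that the module lookup and execution policy reflect that account's environment rather than the installing administrator's.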
Active Directory Identity Provider (AD SAML IdP)
The Active Directory SAML IdP is a simple, free alternative IdP for organizations which don't use Active Directory Federation Services. It provides pass-through authentication for HelloID via SAML.
It is not necessary to expose the AD IdP to the internet, since all actions are initiated by the user's browser: HelloID redirects the browser to the IdP, and the browser posts the resulting SAML response back to HelloID. The browser must therefore be able to reach the IdP, which in practice means users are on the internal network or a VPN.
The AD IdP can be installed multiple times in one configuration for high availability. If a high-availability setup is needed, the customer configures it with their own preferred load-balancing solution.
The AD IdP server must be configured with an SSL/TLS certificate in IIS that is trusted by the client machines; an untrusted certificate makes browsers refuse the redirect to the IdP. Traffic to the HelloID web server uses HTTPS with TLS 1.2 and AES 256-bit encryption.
The following attributes are sent in the SAML message:
| SAML Attribute | Example |
| --- | --- |
| NameID | DOMAIN\Username or user@helloid.com |
| FirstName | John |
| LastName | Williams |
| ADSID | S-1-5-21-1085031214-1563985344-725345543 |
| ADUPN | user@helloid.com |
| ADPhone | +31 6 123456789 |
This default attribute set cannot be changed.
Hardware minimum requirements
- 4 GHz 64-bit processor or faster
- 2 GB of RAM or more
- 10 MB of disk space for the program and 200 MB for data
Software requirements
- Windows Server 2008 R2 or newer (the same Microsoft Lifecycle Policy caveat as for the Agent applies; prefer a supported version)
- .NET Framework 4.5
- Web Server (IIS) with the following role services:
  - Common HTTP Features
    - Default Document
    - Directory Browsing
    - HTTP Errors
    - Static Content
  - Health and Diagnostics
    - HTTP Logging
  - Performance
    - Static Content Compression
  - Security
    - Request Filtering
    - Windows Authentication (not selected by default)
  - Application Development
    - .NET Extensibility 4.5 (not selected by default)
    - ASP.NET 4.5 (not selected by default)
    - ISAPI Extensions (not selected by default)
    - ISAPI Filters (not selected by default)
  - Management Tools
    - IIS Management Console
- SSL/TLS web server certificate
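The IIS preparation for an AD IdP server, as an added example that is not HelloID's installer: it installs exactly the role services listed above by their Install-WindowsFeature names, turns on Windows Authentication and turns off anonymous authentication for the site, leaves the Directory Browsing feature installed but disabled on the site (enabling it would expose the IdP's file listing), and binds the trusted certificate to port 443. The certificate subject and the site name are assumptions.

```powershell
# Added example, not HelloID code: IIS role services and HTTPS binding for an AD IdP host.
# Assumptions: the certificate is already in the machine store and is found by $certSubject;
# the IdP is deployed under 'Default Web Site'.
$certSubject = 'CN=adidp.corp.example'   # assumption
$site        = 'Default Web Site'        # assumption

Import-Module ServerManager
$features = @(
    'Web-Server',                                                                  # Web Server (IIS)
    'Web-Default-Doc', 'Web-Dir-Browsing', 'Web-Http-Errors', 'Web-Static-Content', # Common HTTP Features
    'Web-Http-Logging',                                                            # Health and Diagnostics
    'Web-Stat-Compression',                                                        # Performance
    'Web-Filtering', 'Web-Windows-Auth',                                           # Security
    'Web-Net-Ext45', 'Web-Asp-Net45', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',         # Application Development
    'Web-Mgmt-Console'                                                             # Management Tools
)
$result = Install-WindowsFeature -Name $features
if (-not $result.Success) { throw "Role service installation failed with exit code $($result.ExitCode)" }

Import-Module WebAdministration

# Pass-through AD authentication: Windows Authentication on, anonymous off, for the whole site.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false

# The Directory Browsing role service is installed above; keep it switched off on the site.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
    -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $false

# HTTPS binding using the certificate the clients trust.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject } | Select-Object -First 1
if (-not $cert) { throw "Certificate '$certSubject' not found in Cert:\LocalMachine\My" }
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443
}
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# Show the final state: authentication settings and the certificate thumbprint bound to 443.
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter 'system.webServer/security/authentication/*' -Name enabled
Get-Item $sslPath | Select-Object IPAddress, Port, Thumbprint
```

Run it in an elevated PowerShell session on the IdP server. The HTTP (port 80) binding that IIS creates by default is left in place here; remove it if the IdP should be reachable over HTTPS only.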
Installation instructions can be found here.
Admin & end user portal access
- Recommended browser: Mozilla Firefox or Google Chrome.
- Internet Explorer is not supported.