Get a Quote

Articles in this section

HelloID Requirements

  • Updated:

Introduction

HelloID is Tools4ever’s Cloud single sign-on (SSO) portal solution. The primary function of this solution is to provide unified access for end users to organizational resources in the simplest way possible. The end user only needs to memorize one URL and not every single URL per web-based application. The end user also needs to identify themselves only once with a single set of credentials, and not over-and-over again for each web-based application.

The end user first needs to authenticate themselves before getting access to the portal with the links to the web-based applications. The links to the web-based applications are presented as easy to access icons. Based on the SSO functionality offered by the web-based application, HelloID uses the correct protocol to identify the end user to the web-based application. HelloID offers SAML, HTTP Post, browser plugins, and mobile device support. The diagram below shows the concept of the HelloID solution.


 

HelloID Agent

The HelloID agent is responsible for operational processing, such as:

  • Authenticating login requests.
  • Executing scheduled tasks like:
    • Synchronizing Active Directory Users to HelloID.
    • Reading data from a third-party source for provisioning.
  • Executing approved self-service requests.
  • Data share management operations, such as granting access to file folders.

When using the HelloID agent as login method for HelloID, it is recommended to use a pool of agents for higher availability and better performance. This allows agents to execute or take over tasks when another agent is busy or fails.

 

The HelloID webserver communicates with components over the internet using HTTPS. The level of encryption is TLS 1.2, AES, with 256-bit encryption.

Authorizations

The HelloID Agent service must be installed with a local admin account. In production environments it is recommended that the agent runs in the security context of a domain account. The permissions required for the domain account will vary depending on the operations that the agent will be undertaking in your environment. Common operations and required privileges are listed below.

Running the HelloID Agent with a domain account is required in production environments. Running the HelloID agent with a local system account it can cause issues that result into logon problems for the end-users or failed synchronization tasks.

Authenticating Users

To authenticate users, the agent must simply be installed on a domain joined server.

Synchronizing AD users to HelloID

  • Rights to read all the Organizational Units above the OU that contains the user accounts and groups that are synced to HelloID.
  • Rights to read all nested groups of the groups that are synced to HelloID.
  • Read rights on the following attributes:
    • Users (Required)
      • objectSid
      • userAccountControl
      • userPrincipalName
      • sAMAccountName
      • uSNChanged
    • Users (Recommended)
      • Mail
      • givenName
      • sn
      • telephoneNumber
      • title
      • department
      • manager
      • employeeID
    • Groups (Required)
      • objectSid
      • name
      • uSNChanged
    • Groups (Recommended)
      • ManagedBy

Datashare management 

  • For data share management, it’s recommended to install the agent on the file server with the shares.
  • The account must have enough rights to modify the Access Control Entries (ACEs) on the file system.
  • The account must have rights in Active Directory to create and modify security groups, as well as to add and remove users from those groups. 

Self-Service and 3rd party tasks

These rights have to be determined per task/action which will take place when requesting products and or executing other automated actions.  In addition to Active Directory, it might be necessary to grant rights in other systems where HelloID will perform actions.

Hardware

  • 1.4 GHz 64-bit processor or faster
  • 2 GB of RAM or more
  • 50MB of free disk space


Installation instructions can be found here:
https://docs.helloid.com/hc/en-us/articles/360001597494-How-to-Install-and-Manage-Agents

Software

  • Windows server 2012 or higher
    • Powershell version 4 or higher
    • .Net Framework 4.5.2 or higher

When the HelloID Agent is used to automate tasks, the PowerShell modules required for the tasks must be installed on the server running the agent. When adding actions from the catalogue the needed module is shown, along with documentation specific to that task.
When the HelloID agent is running as a domain user it will need local admin rights to be able to run powershell according to the local execution policy.

Firewall

The servers which are running the HelloID Agent need to have access to the HelloID platform to ensure working communication for the user synchronization, authentication, and automation tasks. All traffic is initiated by the agents themselves using HTTPS port 443. No inbound ports need to be allowed on the firewall.

If it’s not possible to grant the server(s) an internet connection, the IP addresses of the HelloID servers in the Azure platform can be provided. Traffic to these addresses through port 443 has to be allowed in the firewall. However, when using this option, a configuration change has to be made in the HelloID platform. This change will cause the portal not to fail-over to other Azure regions, which can lead to downtime.

Active Directory Identity Provider (AD IdP)

The AD IdP is used to automatically log users into HelloID while using a computer that is a member of an Active Directory domain.

It works by using Windows authentication on IIS, which then authorizes the user in HelloID via SAML.

It’s not necessary to make the AD IdP available to the internet since all actions are initiated by the user’s browser client.

The AD IdP can be installed multiple times in one configuration to ensure high availability. If a high availability setup is needed, this has to be configured by the customer using their own preferred solution.

The AD IdP server must be configured with an SSL Certificate in IIS, which must be trusted by the client machines. The traffic to the HelloID webserver is using HTTPS. The level of encryption is TLS 1.2, AES with 256-bit encryption.

The following attributes will be sent in the SAML Message:

SAML Attribute Example
NameID DOMAIN\Username
email user@helloid.com
FirstName John
LastName Williams
ADSID S-1-5-21-1085031214-1563985344-725345543
ADUPN user@helloid.com
ADPhone +31 6 123456789


It is not possible to change this default attribute set.

Hardware minimum requirements

Hardware minimum requirements:

  • 4 GHz 64-bit processor or faster
  • 2 GB of RAM or more
  • 10MB program, 200MB data diskspace

Software requirements

  • Windows server 2008 R2 or newer
    • .NET Framework 4.5
    • Web Server (IIS)
      • Common HTTP Features
        • Default Document
        • Directory Browsing
        • HTTP Errors
        • Static Content
      • Health and Diagnostics
        • HTTP Logging
      • Performance
        • Static Content Compression
      • Security
        • Request Filtering
        • Windows Authentication (not selected by default)
      • Application Development
        • .NET Extensibility 4.5 (not selected by default)
        • NET 4.5 (not selected by default)
        • ISAPI Extensions (not selected by default)
        • ISAPI Filters (not selected by default)
      • Management Tools
        • IIS Management Console
      • SSL Webserver certificate


Installation instructions can be found here:
https://docs.helloid.com/hc/en-us/articles/115002875193-How-to-configure-an-AD-IDP