This page is intended for engineers responsible for the TOPdesk instances in SURFconext. Managing TOPdesk on SURFconext differs from other Service Providers in several ways. This page outlines what you need to do when your TOPdesk instances change, or when a change to your IdP affects your TOPdesk instances.

Introduction

TOPdesk is a service management provider. Its goal is to provide organizations with software that helps them deliver services. The core business is managing notifications, resources, changes, workflows and reservations in the infrastructure of organizations. The product supports service departments within organizations, such as the IT, HR and facilities departments, and external support from Managed Service Providers. TOPdesk is connected to SURFconext and many institutions make use of TOPdesk. TOPdesk is a single tenant service, usually consisting of a 'public' and a 'secure' instance, and has the following properties with regard to SURFconext:

  • Depending on the agreements an institution has made, the connection with SURFconext is managed by the institution or by TOPdesk. This is stated in the contracts that an institution has concluded with TOPdesk. Well in advance of making changes to TOPdesk or your IdP, make sure you know who is responsible for the management of the TOPdesk instances in SURFconext.
  • It is a Single Tenant Service, so every institution has its own entry in SURFconext to access TOPdesk, and TOPdesk needs to be configured and registered in SURFconext separately for every institution.
  • Changes in the configuration of a TOPdesk instance generally result in a new entityID. This has to be registered again in SURFconext by TOPdesk or the institution, depending on the service agreements (see above).
  • A change in the entityID of an IdP, e.g. when upgrading an ADFS environment, results in configuration changes in TOPdesk and usually new entityIDs of TOPdesk in SURFconext.

  • A TOPdesk instance addresses a Single Sign On location that is specific to the institution it is used for.

  • When a change is submitted and a new entity registered, the previous version of the entity remains active for a transition period. Notify us when the old instances can be deleted. This avoids a cluttered list of TOPdesk instances in the IdP dashboard and SURFconext.

Managing TOPdesk instances using the SP Dashboard (Preferred)

The standard and most straightforward way to manage your TOPdesk instances is through the SP Dashboard. The SURFconext Service Provider Dashboard (https://sp.surfconext.nl/) enables you to manage your service(s) on the SURFconext platform. It allows you to create, test and edit entities before promoting them to production. An institution or TOPdesk Support can get access to the SURFconext SP Dashboard by sending a mail to the SURFconext help-desk (support@surfconext.nl). Working with the SP Dashboard is the fastest and most reliable way to publish or modify an instance of TOPdesk in SURFconext.


How to use the SURFconext SP Dashboard is explained on this page. There are no special requirements to work with the SP Dashboard, other than the browser you are viewing this page with:

  • If you work for a Service Provider and you are not a member of an Identity Provider like an institution or a research facility that is enlisted with SURFconext, you can use our guest identity provider eduID to gain access to the Service Provider Dashboard.

  • If you set up a service and you work for a Dutch education or research institution, you can use the identity of this institution to work with the dashboard.

  • You will become a member of a SURFconext team and this team is created by us. More on teams can be found by following this link.

  • You will have an overview of all your TOPdesk instances in one place. This makes TOPdesk's instances manageable for TOPdesk Premium Support as well as for customers of TOPdesk.

Managing TOPdesk instances by sending us the metadata (Not recommended)

You can request an update of a TOPdesk instance by sending us the metadata of your instance. Please note that the turnaround time is longer when doing it this way. Apart from that, it is error-prone because of the many instances TOPdesk can have for one IdP. If you decide to work this way, supply us with the following information:

  • In case of an upgrade, the entityID that needs to be upgraded.
  • A contact person we can notify at the IdP.
  • The reason for the publication. We will communicate this with our contact at the IdP.
  • The metadata as XML, supplying us with all the necessary information like the (new) entityID, AssertionConsumerService:Location, certData, contacts, etc.
  • We will want to know when the upgraded entityIDs need to be removed from SURFconext.
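
A pre-submission check for the metadata XML described in the list above, as an added example (not SURFconext or TOPdesk code). The sample metadata, host names, certificate placeholder and the function name `check_sp_metadata` are constructed for illustration; the https check is an extra sanity check of this example, not a requirement stated on this page.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: entityID, host and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://topdesk.example.org/saml/new">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER+CERT+DATA=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://topdesk.example.org/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, old_entity_id=None):
    """Return (summary, problems) for one SP metadata document."""
    root = ET.fromstring(xml_text)
    sp = "md:SPSSODescriptor/"
    summary = {
        "entityID": root.get("entityID"),
        "acs": [a.get("Location") for a in
                root.iterfind(sp + "md:AssertionConsumerService", NS)],
        "certData": ["".join((c.text or "").split()) for c in
                     root.iterfind(".//ds:X509Certificate", NS)],
        "contacts": [c.get("contactType") for c in
                     root.iterfind("md:ContactPerson", NS)],
    }
    # Items the page asks for: entityID, ACS Location, certData, contacts.
    problems = [f"missing {k}" for k, v in summary.items()
                if not v or not all(v)]
    # Added sanity check (assumption of this example): ACS should use https.
    problems += [f"ACS Location is not https: {u}"
                 for u in summary["acs"] if u and not u.startswith("https://")]
    # A changed entityID means a new entity that has to be registered again.
    if old_entity_id and summary["entityID"] not in (None, old_entity_id):
        problems.append("entityID changed: register as new entity")
    return summary, problems


if __name__ == "__main__":
    info, issues = check_sp_metadata(
        SAMPLE_METADATA, "https://topdesk.example.org/saml/old")
    print(info["entityID"], issues)
```

Passing the entityID that is currently registered as `old_entity_id` shows up front whether the upload will create a new entity, in which case the old one still has to be reported for removal after the transition period.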

Upgrade or Migrate an IdP

The TOPdesk services are configured with an IdP-specific Single Sign On location on SURFconext, which needs to be changed from the old to the new IdP when an IdP is upgraded. Before an IdP upgrade goes live, you need to collect the data that you have to configure in your TOPdesk instance. Contact support@surfconext.nl. We will supply you with the necessary data of the IdP in SURFconext to migrate the TOPdesk instance. The Single Sign On location (SSO-URL) will change. Changing this URL will most likely result in a new instance of TOPdesk in SURFconext, because the entityID of the TOPdesk instance will change. Using the SP Dashboard, you can upload and publish the new metadata.

As an example, the following data will be supplied by us. Note that the IdP Hash will change for the new instance of the upgraded IdP:

Supplied info when upgrading an IdP

The information needs to be processed by either TOPdesk (premiumsupport@topdesk.com) or the TOPdesk responsible engineer at an institution. After that, publish your new instance through the SP Dashboard or by supplying us with the new metadata.

Knowledge Item TOPdesk

TOPdesk has documentation regarding SURFconext. Please browse to their support website. SURFconext is found in Knowledge Item KI 7463. A fragment of this item is found below. Please note that we do not maintain this, so always refer to the TOPdesk site for configuration details.

If you want to enable SSO via SURFconext, your organization

  • needs to be registered at SURF.
  • needs to be registered as authentication provider at SURFconext. For more information, please refer to your SURFbeheerder.
  • Also, you need to have permissions for the functional settings in TOPdesk.

This article explains SSO for the Self-Service Portal. The setup for the Operator's Section works the same.

Step 1: Create TOPdesk metadata

Step 2: Share metadata with SURF
Click 'URL metadata'. Pass this URL on to SURF as ServiceProvider, e.g. via your contact at SURF.

Step 3: Enable SAML authentication
As soon as SURF has processed the metadata, check the SAML option in the Self-Service Portal.

Summary

To manage your TOPdesk instances effectively, do the following:

  • Find out who is responsible for the technical maintenance of your TOPdesk instances.
  • Request access to the SURFconext SP Dashboard.
  • Request information from us when migrating your IdP well in advance of the migration date, so you have time to configure TOPdesk.
  • Publish and manage your instances through the SP Dashboard.


