If you have been using AuthAnvil On-Premises and would like to migrate to Passly here are the steps to complete this project.
Background
- AuthAnvil On-Premises was the original Identity and Access Management tool built by Scorpion Software. In 2014 Kaseya acquired Scorpion Software.
- In 2016 we began AuthAnvil On-Demand in the Cloud. In 2020 we rebranded AuthAnvil On-Demand as Passly.
Today we are welcoming all our legacy AuthAnvil customers to migrate to Passly. Please contact your Kaseya Account Manager for more details.
AuthAnvil On-Premises and Passly are parallel services, both products serve similar endpoints.
Process
Users
- You are going to want to add your users to Passly.
Here are some guides that can walk you through the process.
* How do I add a user? - https://helpdesk.kaseya.com/hc/en-gb/articles/4407400832017
* Enabling Directory Synchronization - https://helpdesk.kaseya.com/hc/en-gb/articles/4407400833425
* Added Users, Now What? - https://helpdesk.kaseya.com/hc/en-gb/articles/4407400801681
* If you or a user did not receive your enrolment email for Passly please check this KB https://helpdesk.kaseya.com/hc/en-gb/articles/4407400723345
Once you provision your users in Passly you are ready for the next part.
Updating Kaseya VSA
There are two possible integration configurations involved here.
- Customers using AuthAnvil in place of VSA's native 2FA enforcement.
- Customers also using the SAML settings enabled.
AuthAnvil 2FA only using customers
You have the AuthAnvil Module enabled In VSA. That module contains a setting known as the SAS URL (https://FQDN/AuthAnvil/SAS.asmx
- Update the SAS URL in VSA. VSA > AuthAnvil Module > Configure Kaseya login.
Note: VSA On-Premises customers you can also update this in MS SQL > ksubscribers > dbo.AA_Settings if you have any user interface issues.
Note: Site ID is always 1 for Passly tenants. https://(customer).my.passly.com/AuthAnvil/SAS.asmx (Replace (customer) with your actual Passly tenant).
Note: You will be changing the SAS URL to reflect your new Passly tenant.
Note: if you no longer wish to use the AuthAnvil module for 2FA simple select "Disable Two Factor Auth during Kaseya server logons" - Select Save Changes.
Users will now be logging into VSA using Passly and no longer required to use AuthAnvil.
SAML Using Customers
You have the AuthAnvil Module enabled In VSA using the SAML settings located below the SAS URL settings you will need to make the following changes as well.
- Create the new VSA SAML Application in Passly.
Most customers will follow the first link below. If you use Domain watch or have a need for the Passly username to be different then the Kaseya VSA username we have alternate guides to aide you.
- VSA: Adding the Virtual System Administrator (VSA) for Single Sign On - https://helpdesk.kaseya.com/hc/en-gb/articles/4407399173521
- VSA using Domain Watch. (Alternate configuration)
Adding Virtual System Administrator (VSA) SAML app fails when using Domain Watch - https://helpdesk.kaseya.com/hc/en-gb/articles/4407406483473 - Using VSA with alternate Usernames. (Alternate configuration)
How to make a Custom Alternate Principal Name for SSO to Kaseya VSA - https://helpdesk.kaseya.com/hc/en-gb/articles/4407405559697
Complete the setup for VSA by replacing your AAoP based SAML certificate with the one generated from the Passly Web user interface.
- You can download this new certificate from the "Signing and Encryption" tab within your Passly VSA application under the SSO Manager.
- You can upload the certificate into VSA via VSA > AuthAnvil Module > Configure Kaseya login.
- Choose Select certificate .
- Select Choose file.
- Select Import Selected Certificate.
- Select Save Changes.
Users should now be able to Launch VSA from your Passly SSO Launchpad.
If you wish to enforce the use of SSO the module does contain those options as well.