Request JIT accounts from HaloPSA tickets

In this guide we will integrate idemeum just-in-time (JIT) accounts for Entra ID with HaloPSA. Right from a customer ticket in HaloPSA, technicians will be able to request JIT Entra ID accounts and view credentials.

Nik Pot

Prerequisites

MSP technicians can request Entra ID JIT accounts right from HaloPSA tickets. The HaloPSA and idemeum integration leverages embedded iFrame sections.

By default, idemeum security does not allow cross-domain requests. Therefore, to enable this integration, ask the idemeum team to allow embedded iFrames for your idemeum tenant.
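
Once embedding is enabled, it is worth confirming that the tenant can be framed by your HaloPSA origin and not by arbitrary sites. The sketch below is an added example, not idemeum or HaloPSA code: it evaluates the standard browser framing headers (CSP frame-ancestors and X-Frame-Options) from a response. The page does not state which mechanism idemeum uses, and the HaloPSA origin and header values are constructed samples.

```javascript
// Added example. Origins and header values are constructed samples.
// Simplification: only the direct parent is checked, not the whole ancestor chain.

// Match one frame-ancestors source expression against the embedding origin.
function sourceMatches(src, parent, self) {
  if (src === "*") return true;
  if (src === "'self'") return parent.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return parent.protocol === src.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(src);
  if (!m) return false; // 'none' and unknown keywords match nothing
  const [, scheme, wild, host, port] = m;
  const want = scheme ? scheme.toLowerCase() + ":" : self.protocol;
  const schemeOk = parent.protocol === want || (want === "http:" && parent.protocol === "https:");
  const h = host.toLowerCase();
  const hostOk = wild ? parent.hostname.endsWith("." + h) : parent.hostname === h;
  const effPort = parent.port || (parent.protocol === "https:" ? "443" : "80");
  const portOk = port === "*" || (port ? effPort === port : parent.port === "");
  return schemeOk && hostOk && portOk;
}

// Would a browser let parentOrigin frame a response from selfOrigin?
function framingAllowed(headers, selfOrigin, parentOrigin) {
  const self = new URL(selfOrigin), parent = new URL(parentOrigin);
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  // When frame-ancestors is present, browsers ignore X-Frame-Options.
  const fa = (h["content-security-policy"] || "").split(";")
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (fa) return fa.slice(1).some(s => sourceMatches(s, parent, self));
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parent.origin === self.origin;
  return true; // no recognised restriction: any site may frame the page
}

// "ok": the PSA origin may embed and an unrelated origin may not.
function auditFraming(headers, selfOrigin, psaOrigin) {
  if (!framingAllowed(headers, selfOrigin, psaOrigin)) return "blocked";
  const stranger = "https://unrelated.example"; // constructed probe origin
  return framingAllowed(headers, selfOrigin, stranger) ? "too-broad" : "ok";
}

const TENANT = "https://demo-nikpot.idemeum.com"; // tenant URL used in this guide
const PSA = "https://msp.halopsa.example";        // hypothetical HaloPSA origin
const sample = { "Content-Security-Policy": `frame-ancestors 'self' ${PSA}` };
console.log(auditFraming(sample, TENANT, PSA));    // ok
```

A "too-broad" result means the page can be embedded by sites other than your PSA, and "blocked" means the custom tab will render empty.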

Configure idemeum session length

This step is optional, but it will improve the technician experience when accessing just-in-time accounts. By default the idemeum session length is set to 8 hours, meaning you have to re-authenticate with mobile every 8 hours. You can extend this session to 30 days so that you stay authenticated for 30 days and can seamlessly access JIT accounts for any customer tenant right from HaloPSA.

  • Navigate to your MSP tenant admin portal
  • Access Settings > Global and then define the Session expiration duration

Configure HaloPSA

Overview

In HaloPSA you can create a Custom tab that points to your idemeum tenant. When managing a PSA ticket, you can click on that tab and get immediate access to your idemeum portal.

You have 2 options for navigation:

  • Navigate to the parent MSP idemeum tenant - you can simply specify the URL for your MSP tenant, i.e. <msp name>.idemeum.com. In this case the technician opens the custom tab, the MSP idemeum tenant is loaded, and the technician then searches for the customer tenant, accesses it, and requests a JIT account.
  • Navigate directly to the idemeum customer tenant - you can leverage HaloPSA variables to navigate directly to the customer's idemeum tenant.

Set up HaloPSA variables

We will set up the integration to navigate directly to the idemeum customer tenant from a PSA ticket.

  • Say we have an idemeum tenant with the display name Demo PAM tenant and the URL demo-nikpot.idemeum.com.
    • We can route based on the display name Demo PAM tenant with the following URL: https://<tenant name>.idemeum.com?customerDisplayName=<value>
    • Or we can route based on the demo URL with the following: https://<tenant name>.idemeum.com?customerName=<value>
    • In this guide we will use the display name
  • In HaloPSA we will use the default variable Client reference and assign the value Demo PAM tenant to this variable
  • We populate this variable with the Demo PAM tenant value in the customer section by simply editing a customer in HaloPSA
  • We can tag all our customers in the same way in HaloPSA so that each one is mapped to the customer tenant in idemeum with the matching display name.

Set up custom tab

  • Navigate to Configuration > Custom objects > Custom tabs in HaloPSA
  • Create a custom tab. For the URL, use the URL of the MSP idemeum tenant and pass a parameter from the variable $CLIENT_REFERENCE. If you have chosen a different variable for the integration, specify that variable instead.

Test integration

  • Open any ticket in HaloPSA
  • Click on the idemeum tab
  • You will be presented with the idemeum user portal for that customer. You can see all workstations and Entra apps, request JIT accounts, and view credentials