ManageEngine ADSelfService Plus
ADSelfService Plus is a web-based identity security tool focused on end-user self-service for password reset/account unlock, adaptive MFA across endpoints (Windows/macOS/Linux, VPN/RADIUS, OWA/IIS), and enterprise SSO. It integrates with AD and federates users to SaaS and web apps via SAML or OIDC/OAuth. Editions and “Endpoint MFA” licensing are documented by the vendor.
Key Capabilities
-
Self-service password reset and unlock: Provides a user-friendly web portal and Windows logon-screen integration for domain password resets, account unlocks, and password expiry notifications.
-
Standards-based SSO: Includes a built-in Identity Provider (IdP) supporting SAML 2.0, OpenID Connect, and OAuth 2.0, with preconfigured app templates and options for custom provider endpoints.
-
MFA and passkeys: Supports multiple MFA options including FIDO2/WebAuthn passkeys (both platform and roaming), TOTP, and others. MFA can be enforced across web apps, VPNs (via RADIUS), endpoints, and Outlook Web Access (OWA)/IIS logins.
-
SCIM JIT provisioning: Enables Just-in-Time provisioning via SCIM 2.0 to create user accounts in target applications upon first login, with detailed configuration guides available.
Limitations
-
SCIM scope: Public documentation confirms outbound JIT provisioning to target applications but does not verify whether ADSelfService Plus exposes a general-purpose inbound SCIM 2.0 provider for external identity systems.
-
Protocol feature coverage: Current documentation focuses on core SAML/OIDC/OAuth 2.0 flows; there is insufficient information to confirm support for advanced OAuth profiles such as PAR, DPoP, or mTLS-bound tokens.
-
Edition-based feature gating: Endpoint MFA for machine logins, VPN/RADIUS, and SSO MFA is limited to the Professional edition with an Endpoint MFA license.
-
AD-centric design: Primarily optimized for Active Directory (AD) environments; organizations using non-AD directories may require additional integration steps or external synchronization mechanisms.