Vyopta provides Single Sign-On (SSO) through the Security Assertion Markup Language (SAML) standard. This mechanism allows customers, through their Identity Provider (IdP) platform of choice, to provide authorization credentials to Vyopta's Technology Insights application, which plays the Service Provider (SP) role in the SAML negotiation process. Customers must have IdP software installed that supports the SAML 2.0 standard. Examples of compliant IdP software include Microsoft Azure, Microsoft ADFS 2.1 or later, Okta, Oracle Identity Federation, SailPoint IdentityNow, and SecureAuth, as well as a free option called OpenTPS. The SAML 2.0 standard is widely accepted, so it is likely that your IdP platform supports it.
Requirements:
- SAML 2.0 IdP provider
- Specific IdP Assertions
- Group Membership for Role Assignment
Specific IdP Assertions Requirement:
The IdP software your organization uses must provide the following assertions for SSO integration to work.
Attribute | Required/Optional | Description |
---|---|---|
 | Required | User's email address (used as the user ID) |
name | Required | User's display name |
memberOf | Required | Comma-separated list of Vyopta application groups |
Group Membership for Role Assignment Requirement:
The memberOf attribute is used to grant end users specific permissions within Vyopta. There are four groups currently honored by the Vyopta application.
Users should be assigned to one role at a time.
Group Name | UI Display Name | Role | Description |
---|---|---|---|
vyopta_admin | Admin Group Mapping | Vyopta Application Administrator | Users with this role will have administrator access to the Vyopta Application. |
vyopta_vanrptvwr | User Group Mapping | Vyopta vAnalytics viewer | This is the Vyopta 'Default' role for the Vyopta Application. |
vyopta_vanrptrdr | Dashboard Group Mapping | Vyopta vAnalytics viewer reader only | Users with this role will only have access to viewing dashboards and datasets in the Vyopta Application. |
vyopta_vandbvwr | Read-Only Group Mapping | Strict Dashboard Viewer | Users with this role will only have access to viewing dashboards. |
Group Names can be customized to follow your organizational standards and will require mapping during SSO configuration. To learn more about the level of permissions each group contains, please see Vyopta User Permissions.
Please note that, by default, memberOf generally sends all of the AD groups a user belongs to. Because requirements differ between Vyopta and the various IdP systems, SSO admins must send only the Vyopta groups the user is a part of.
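The following is an added example (not Vyopta's code) showing how an SP-side check of the assertion requirements above could look: it parses the SAML 2.0 AttributeStatement, confirms the required attributes are present, and resolves the user's Vyopta role from memberOf, flagging the two failure modes the section describes (non-Vyopta AD groups leaking through, and a user holding more than one Vyopta role). The sample assertion is constructed, and the attribute name `email` is an assumption, since the article requires an email attribute but does not give its name; the `group_map` parameter models the custom-group-name mapping mentioned below.

```python
# Added example (not Vyopta's code): validate a SAML 2.0 AttributeStatement
# against the attribute and group requirements above and resolve the role.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Default group names and the roles they map to, from the table above.
DEFAULT_ROLES = {
    "vyopta_admin": "Vyopta Application Administrator",
    "vyopta_vanrptvwr": "Vyopta vAnalytics viewer",
    "vyopta_vanrptrdr": "Vyopta vAnalytics viewer reader only",
    "vyopta_vandbvwr": "Strict Dashboard Viewer",
}

# Constructed sample assertion. The attribute name "email" is an assumption:
# the article requires an email attribute but does not name it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>Domain Users,vyopta_vanrptvwr</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_role(member_of_values, group_map=None):
    """Map memberOf values to exactly one Vyopta role.

    group_map translates custom group names to the Vyopta names
    (e.g. {"VY-Admins": "vyopta_admin"}); the default is the identity mapping.
    Returns (role or None, list of problems).
    """
    group_map = group_map if group_map is not None else {g: g for g in DEFAULT_ROLES}
    groups = []
    for value in member_of_values:  # each value may itself be comma separated
        groups.extend(g.strip() for g in value.split(",") if g.strip())
    vyopta_groups = sorted({group_map[g] for g in groups if g in group_map})
    ignored = [g for g in groups if g not in group_map]
    problems = []
    if ignored:
        # The IdP is sending more than the Vyopta groups; the admin should filter memberOf.
        problems.append("non-Vyopta groups sent in memberOf: " + ", ".join(ignored))
    if not vyopta_groups:
        problems.append("no Vyopta group in memberOf; the user gets no role")
        return None, problems
    if len(vyopta_groups) > 1:
        # Users should hold one role at a time; refuse to guess which one applies.
        problems.append("user is in more than one Vyopta role: " + ", ".join(vyopta_groups))
        return None, problems
    return DEFAULT_ROLES[vyopta_groups[0]], problems


def check_assertion(assertion_xml, email_attribute="email", group_map=None):
    """Check the required attributes and resolve the role.

    Signature verification is out of scope here: a real SP must verify the
    assertion's XML signature against the IdP certificate before trusting
    any of these attributes.
    """
    attrs = parse_attributes(assertion_xml)
    required = (email_attribute, "name", "memberOf")
    problems = ["missing required attribute: " + a for a in required if a not in attrs]
    role = None
    if "memberOf" in attrs:
        role, group_problems = resolve_role(attrs["memberOf"], group_map)
        problems.extend(group_problems)
    return {
        "user": attrs.get(email_attribute, [None])[0],
        "name": attrs.get("name", [None])[0],
        "role": role,
        "problems": problems,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(check_assertion(SAMPLE_ASSERTION), indent=2))
```

Run against the constructed sample, the check resolves the default viewer role but reports that `Domain Users` was sent alongside it, which is exactly the situation the note above asks SSO admins to avoid.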
Configuring SSO
Part 1 - Providing your IdP team with the required data
1. Log into the Admin Portal
2. Click on "Account Settings" and then head to the "Single Sign-On" Tab
3. Provide your IdP Team with the "Service Provider Entity ID" URL and the "Assertion Consumer Service URL" as seen below:
Part 2 - Configuring SSO in the Vyopta Admin Portal
1. Once that data has been provided to your IdP team, they will need to supply you with the following:
   - Single Sign-On URL
   - Single Sign-Out URL (optional)
   - Issuer (IdP Entity ID)
   - NameID policy format
   - Whether the IdP allows HTTP-POST or HTTP-Redirect
   - A Verification/Validation Token (the IdP certificate)
2. Input the relevant data supplied by your IdP team as seen below:
When supplying the Verification/Validation Certificate, please remove the -----BEGIN CERTIFICATE----- and the -----END CERTIFICATE----- lines
3. Now that the information above has been entered, if your organization uses different group naming standards, map those names to the appropriate Vyopta Group Name.
4. Sign SAML Request (Optional)
Vyopta provides the ability to sign SAML requests. Should your organization require SAML requests to be signed, check the "Sign SAML Request" checkbox and download the metadata to supply to your IdP team for upload. The Download SAML Metadata button is located at the top of the page. Should it not be blue, click the SAVE button and refresh the page.
5. Click the SAVE button.
6. Test your SSO configuration in another browser or in an Incognito window. Once verified, you may continue using Vyopta normally. Should signing in via SSO fail, remain logged in and open a ticket with Vyopta Support.
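The note in step 2 about removing the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines is a common source of failed configurations. The following is an added example (not Vyopta's code) of a small helper that normalises an IdP certificate export into the bare base64 body the Verification/Validation field expects and catches the usual paste mistakes before the SAVE button is pressed: a private key pasted instead of the public certificate, text that is not valid base64, and data that does not decode to a DER-shaped certificate. The sample PEM is constructed around a tiny ASN.1 SEQUENCE and is not a real certificate.

```python
# Added example (not Vyopta's code): strip PEM headers from an IdP signing
# certificate and sanity-check the base64 body before pasting it into the portal.
import base64
import binascii


def certificate_body(pem_text):
    """Return the base64 body of an X.509 certificate with the
    -----BEGIN/END CERTIFICATE----- lines and all whitespace removed.

    Raises ValueError if the text is a private key, is not valid base64,
    or does not decode to something DER-shaped.
    """
    lines = [line.strip() for line in pem_text.splitlines() if line.strip()]
    if any("PRIVATE KEY" in line for line in lines):
        # The portal needs the IdP's public certificate; a private key must never be pasted here.
        raise ValueError("this is a private key, not a certificate")
    body = "".join(line for line in lines if not line.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    # A DER-encoded certificate is an ASN.1 SEQUENCE, whose first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not look like a DER X.509 certificate")
    return body


# Constructed stand-in: a minimal ASN.1 SEQUENCE, not a real certificate,
# wrapped in PEM headers the way an IdP would export it.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    print(certificate_body(SAMPLE_PEM))
```

The function accepts input with or without the header lines, so it can be run over whatever the IdP team sends and the returned string pasted directly into the field.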