SSO (Single Sign On) Integration

Vyopta provides Single Sign-On (SSO) through the Security Assertion Markup Language (SAML) standard. This mechanism allows customers, through their Identity Provider (IdP) platform of choice, to provide authorization credentials to Vyopta’s Technology Insights application, which plays the Service Provider (SP) role in the SAML negotiation process. Customers must have IdP software installed that supports the SAML 2.0 standard. Examples of compliant IdP software include Microsoft Azure, Microsoft ADFS 2.1 or later, Okta, Oracle Identity Federation, SailPoint IdentityNow, and SecureAuth, as well as a free option called OpenTPS. The SAML 2.0 standard is widely accepted, so it is likely that your IdP platform supports it.

Requirements:

  • SAML 2.0 IdP provider
  • Specific IdP Assertions
  • Group Membership for Role Assignment

Specific IdP Assertions Requirement:

The IdP software your organization uses must provide the following assertions for SSO integration to work.

Attribute | Required/Optional | Description
email | Required | User's email (used as ID)
name | Required | User's display name
memberOf | Required | Comma-separated list of Vyopta application groups

 

Group Membership for Role Assignment Requirement:

The memberOf attribute is used to give end users specific permissions within Vyopta. Users should be assigned to 1 role at a time. There are four groups currently honored by the Vyopta application:

Group Name | UI Display Name | Role | Description
vyopta_admin | Admin Group Mapping | Vyopta Application Administrator | Users with this role will have administrator access to the Vyopta Application.
vyopta_vanrptvwr | User Group Mapping | Vyopta vAnalytics viewer | This is the Vyopta 'Default' role for the Vyopta Application.
vyopta_vanrptrdr | Dashboard Group Mapping | Vyopta vAnalytics viewer reader only | Users with this role will only have access to viewing dashboards and datasets in the Vyopta Application.
vyopta_vandbvwr | Read-Only Group Mapping | Strict Dashboard Viewer | Users with this role will only have access to viewing dashboards.

 

Group Names can be customized to follow your organizational standards and will require mapping during SSO configuration. To learn more about the level of permissions each group contains, please see Vyopta User Permissions.

Please note that memberOf generally sends all the AD groups a user is part of by default. Because requirements differ between Vyopta and the various IdP systems, SSO admins must send only the Vyopta groups that the user is a part of.
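As an added example (not Vyopta's code), the Python check below reads the attributes from a test assertion captured from your own IdP and reports anything that breaks the requirements above: a missing attribute, extra non-Vyopta groups in memberOf, or more than one role. It assumes the attributes arrive with the SAML Attribute Name values email, name and memberOf and that the default group names are in use; the sample assertions are constructed, and the check does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "name", "memberOf")  # assumed to be the SAML Attribute Name values
# Default group names from this article; pass your own set if you mapped custom names.
VYOPTA_GROUPS = {"vyopta_admin", "vyopta_vanrptvwr", "vyopta_vanrptrdr", "vyopta_vandbvwr"}


def read_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    attrs = {}
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_assertion(assertion_xml, allowed_groups=VYOPTA_GROUPS):
    """Return a list of problems; an empty list means the attribute requirements are met."""
    attrs = read_attributes(assertion_xml)
    problems = [f"missing required attribute: {n}" for n in REQUIRED if not any(attrs.get(n, []))]
    # memberOf is a comma-separated list; one AttributeValue per group is tolerated too.
    groups = {g.strip() for v in attrs.get("memberOf", []) for g in v.split(",") if g.strip()}
    extra, roles = sorted(groups - set(allowed_groups)), sorted(groups & set(allowed_groups))
    if extra:
        problems.append("non-Vyopta groups sent in memberOf: " + ", ".join(extra))
    if len(roles) > 1:
        problems.append("more than one Vyopta role assigned: " + ", ".join(roles))
    if groups and not roles:
        problems.append("no Vyopta group in memberOf")
    return problems


def sample(email, name, member_of):
    """Build a constructed, unsigned test assertion (not a real IdP capture)."""
    rows = {"email": email, "name": name, "memberOf": member_of}
    body = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in rows.items() if v is not None)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AttributeStatement>'
            f"{body}</saml:AttributeStatement></saml:Assertion>")


if __name__ == "__main__":
    print(check_assertion(sample("alex@example.com", "Alex Doe", "vyopta_vanrptvwr")))
    print(check_assertion(sample("alex@example.com", "Alex Doe",
                                 "Domain Users,vyopta_admin,vyopta_vandbvwr")))
```

If your organization uses custom group names, pass them as allowed_groups so the check matches what you mapped during SSO configuration.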

Configuring SSO

Part 1 - Providing your IdP team with the required data

1. Log into the Admin Portal

2. Click on "Account Settings" and then head to the "Single Sign-On" Tab

3. Provide your IdP Team with the "Service Provider Entity ID" URL and the "Assertion Consumer Service URL" as seen below:

 

Part 2 - Configuring SSO in the Vyopta Admin Portal

  1. Once that data has been provided to your IdP Team, they will need to supply you with the following:
    1. Single Sign-On URL

    2. Single Sign-Out URL (optional)

    3. Issuer (IDP Entity ID)

    4. NameID policy format

    5. Whether the IdP allows for HTTP-POST or HTTP-Redirect

    6. A Verification/Validation Token

  2. Input the relevant data supplied by your IdP team as seen below:

When supplying the Verification/Validation Certificate, please remove the -----BEGIN CERTIFICATE----- and the -----END CERTIFICATE----- lines.

3. Once the information above has been entered, if your organization is using different group naming standards, those group names need to be mapped to the appropriate Vyopta Group Name.

 

4. Sign SAML Request (Optional)

Vyopta provides the ability to sign SAML requests. Should your organization require that SAML requests be signed, please check the "Sign SAML Request" checkbox and download the metadata to supply back to your IdP team to upload. The Download SAML Metadata option is located at the top of the page. Should it not be blue, please hit the SAVE button and refresh the page.

5. Click the SAVE button.

6. Please test your SSO configuration by using another browser or an Incognito window. Once verified, you may continue using Vyopta normally. Should signing in via SSO fail, please remain logged in and open a ticket with Vyopta Support.

 

 
