SSO (Single Sign On) Support for Vyopta Cloud

Vyopta provides Single Sign-On (SSO) through the Security Assertion Markup Language (SAML) 2.0 standard. With SSO, your Identity Provider (IdP) authenticates the user and sends a signed SAML assertion to Vyopta's Technology Insights application, which plays the Service Provider (SP) role in the SAML exchange. You must have IdP software that supports the SAML 2.0 standard. Examples of compliant IdP software include Microsoft ADFS 2.1 or later, Okta, Oracle Identity Federation, SailPoint IdentityNow, and SecureAuth, as well as a free option called OpenTPS. SAML 2.0 is widely adopted, so your IdP platform most likely supports it.

Before the SSO integration can start, we schedule a kickoff meeting to review how the integration works and what it requires. We suggest that a member of your Identity Provider team join the kickoff call.

To start the integration process, open a new ticket with our support team and ask them to schedule an SSO kickoff call. During the call we will provide the additional information needed to set up the integration.

Deployment Process

NA Cloud

  1. Vyopta creates a customer-specific security realm.
  2. Vyopta creates a DNS name that points to the Vyopta service. Example: <customername>.vyopta.com
  3. Customer obtains the Vyopta (SP) SAML metadata from the following link:
     https://login.vyopta.com/auth/realms/<customername>/broker/saml/endpoint/descriptor
  4. Customer supplies IdP metadata to Vyopta as an XML file (or a URL to it). The metadata contains the IdP's public signing certificate and the IdP's single sign-on (login) endpoint.
  5. Vyopta and Customer configure their respective services using the metadata exchanged.
  6. Test and deploy.

Required IdP Assertions

Your IdP software must be configured to send the following attributes in its assertion for the SSO integration to work:

Attribute | Required/Optional | Description
email     | Required          | User's email address (used as the user ID)
name      | Required          | User's display name
memberOf  | Required          | Comma-separated list of Vyopta application groups

The memberOf attribute is used to grant end users specific permissions within Vyopta. Four groups are currently honored by the Vyopta application.

Each user should be a member of exactly one of these groups (one role) at a time.

Group Name       | Role                                | Description
vyopta_admin     | Vyopta Application Administrator    | Users with this role have administrator access to the Vyopta Application.
vyopta_vanrptvwr | Vyopta vAnalytics viewer            | The default role for the Vyopta Application.
vyopta_vanrptrdr | Vyopta vAnalytics viewer, read only | Users with this role can only view dashboards and datasets in the Vyopta Application.
vyopta_vandbvwr  | Strict Dashboard Viewer             | Users with this role can only view dashboards.

Please note that, by default, most IdPs populate memberOf with every AD group the user belongs to. Because the Vyopta application expects only its own groups, and IdP systems differ in how they filter claims, SSO admins must configure the IdP to send only the Vyopta groups (the vyopta_ groups listed above) that the user is a member of.

To learn more about Vyopta roles and permissions, see Vyopta User Permissions.
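Before the kickoff call it is worth checking what your IdP actually emits: capture a test assertion (most IdPs have a test-login or SAML-tracer workflow) and confirm that email, name and memberOf are present, that memberOf names exactly one Vyopta role, and that no unrelated AD groups leak through. The following is an added example (not Vyopta's code) of that check in Python; the assertions it runs against are constructed samples with hypothetical users produced by a small `make_assertion()` helper, and it accepts memberOf both as the comma-separated value described in the table above and as the multi-valued attribute most IdPs emit. Signature, Issuer, Audience and Conditions validation, which a real SP performs before looking at attributes, is outside the scope of this snippet.

```python
"""Validate the attribute statement of a SAML assertion against the
Vyopta requirements above: email, name and memberOf are present, memberOf
names exactly one Vyopta role, and the IdP is not leaking unrelated groups.

Added example, not Vyopta's code. The assertions are constructed samples
with hypothetical users; make_assertion() only builds test input. A real
SP verifies the XML signature, Issuer, Audience, Conditions and
InResponseTo before it ever looks at attributes; that is omitted here.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRIBUTES = ("email", "name", "memberOf")
# The four groups honored by the Vyopta application (from the table above).
VYOPTA_GROUPS = {"vyopta_admin", "vyopta_vanrptvwr", "vyopta_vanrptrdr", "vyopta_vandbvwr"}


def make_assertion(email, name, member_of_values):
    """Build a minimal, unsigned assertion for testing (constructed data)."""
    member_of = "".join(
        "<saml:AttributeValue>%s</saml:AttributeValue>" % escape(v) for v in member_of_values)
    return """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="name"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">%s</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""" % (escape(email), escape(name), member_of)


def extract_attributes(assertion_xml):
    """Map attribute Name -> list of non-empty AttributeValue strings."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def groups_from_member_of(values):
    """Accept both the multi-valued form most IdPs emit and the
    comma-separated single value the attribute table describes."""
    groups = set()
    for value in values:
        for group in value.split(","):
            group = group.strip()
            if group:
                groups.add(group)
    return groups


def check_assertion(assertion_xml):
    """Return the identity Vyopta would derive plus a list of problems found."""
    attrs = extract_attributes(assertion_xml)
    problems = []
    for required in REQUIRED_ATTRIBUTES:
        if not attrs.get(required):
            problems.append("missing required attribute: %s" % required)
    groups = groups_from_member_of(attrs.get("memberOf", []))
    roles = groups & VYOPTA_GROUPS
    extra = groups - VYOPTA_GROUPS
    if extra:
        problems.append("IdP sent non-Vyopta groups, filter them at the IdP: %s" % sorted(extra))
    if len(roles) != 1:
        problems.append("expected exactly one Vyopta role, got %s" % sorted(roles))
    return {
        "email": (attrs.get("email") or [None])[0],
        "name": (attrs.get("name") or [None])[0],
        "role": next(iter(roles)) if len(roles) == 1 else None,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed test user whose IdP forwards every AD group unfiltered.
    leaky = make_assertion("jdoe@example.com", "Jane Doe",
                           ["Domain Users,vyopta_vanrptvwr,VPN-Users"])
    for key, value in check_assertion(leaky).items():
        print("%s: %s" % (key, value))
```

A clean assertion returns an empty `problems` list and the single role in `role`; an assertion carrying non-Vyopta groups still resolves the role but flags the leak, which is the condition the note above asks SSO admins to fix at the IdP.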
