Getting Started with Single Sign-On (SSO)

VisibleThread Docs on-prem supports Single Sign-On (SSO) through SAML 2.0. When SSO is enabled, users can sign in to VisibleThread Docs using your organization's login system and credentials, e.g. Microsoft Active Directory Federation Services (ADFS), Ping, Okta, etc.

In SAML terminology VisibleThread Docs is a "Service Provider" and your organization's authentication system is an "Identity Provider". To set up SAML SSO, you need to:

  1. Configure VT Docs Security Settings and provide your Identity Provider's SAML information.
  2. In your Identity Provider (e.g. ADFS), set up VT Docs as a Service Provider (aka "Relying Party Trust").
  3. Test and enable SAML SSO in VT Docs.

1. Configure VT Docs Security Settings

To review your current Security Settings:

  • log in to the sandboxAdmin app at https://<your-on-prem-vt-docs-server>/sandboxAdmin
  • click the Security Settings icon in the sidebar

[screenshot]

Out of the box, VT Docs is configured to use its own local username/password credentials.

To get started with Single Sign-On, click Single Sign-On with SAML 2.0:

[screenshot]

You must supply your Identity Provider's:

  • Entity ID
  • SSO URL
  • X.509 (signing) certificate

If you don't already know these values, your Identity Provider will have a way to obtain its metadata XML file. The metadata XML (usually available through a URL, e.g. https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml) should have the following elements and attributes:

  • EntityDescriptor/@entityID
  • EntityDescriptor/IDPSSODescriptor/SingleSignOnService/@Location
  • EntityDescriptor/IDPSSODescriptor/KeyDescriptor/KeyInfo/X509Data/X509Certificate

If the metadata lists more than one KeyDescriptor, take the one with use="signing" (or with no use attribute); an encryption-only certificate will not validate the Identity Provider's signed responses.
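As an added example (not VisibleThread's own code), here is a small Python script that pulls those three values out of an IdP metadata file and sanity-checks the certificate before you paste it into Security Settings. The metadata below is constructed with a hypothetical adfs.example.com host, its certificate values are placeholder bytes rather than real certificates, and preferring the HTTP-Redirect endpoint over HTTP-POST is an assumption, not something the article specifies.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder "certificates": bytes that merely start like DER, not real certs.
FAKE_ENC_B64 = base64.b64encode(b"\x30\x82not-a-real-encryption-cert").decode()
FAKE_SIGNING_B64 = base64.b64encode(b"\x30\x82not-a-real-signing-cert").decode()
# Constructed IdP metadata in the shape ADFS publishes (hypothetical hostname).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_ENC_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_SIGNING_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_POST}" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    # Returns the Entity ID, SSO URL and signing certificate that VT Docs asks for.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None or not root.get("entityID"):
        raise ValueError("not IdP metadata: need EntityDescriptor/@entityID and an IDPSSODescriptor")
    # Assumption: prefer the HTTP-Redirect endpoint and fall back to HTTP-POST.
    by_binding = {s.get("Binding"): s.get("Location")
                  for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = by_binding.get(HTTP_REDIRECT) or by_binding.get(HTTP_POST)
    if not sso_url:
        raise ValueError("no SingleSignOnService with a Redirect or POST binding")
    # Take the key the IdP signs with (use="signing" or no use attribute); an
    # encryption-only KeyDescriptor would make Test Login fail signature checks.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and node is not None and node.text:
            cert_b64 = "".join(node.text.split())  # drop PEM-style line breaks
            break
    if cert_b64 is None:
        raise ValueError("no signing X509Certificate in metadata")
    der = base64.b64decode(cert_b64, validate=True)
    if der[:1] != b"\x30":  # a certificate is a DER SEQUENCE; catches pasted garbage
        raise ValueError("X509Certificate does not decode to DER")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "x509_certificate": cert_b64}
```

Run it against the real FederationMetadata.xml you downloaded and copy the three returned values into the Security Settings screen.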

2. Set up VT Docs (as a Service Provider) in your Identity Provider

This section is carried out within your Identity Provider (e.g. ADFS), and the steps required are particular to each Identity Provider. The VT Docs metadata XML file will provide most of the information that you will need to set up VT Docs as a Service Provider in your Identity Provider. You can obtain the VT Docs metadata from the above screen in VT Docs | Security Settings:

[screenshot]

We require that end-users have an email address associated with their identity in your Identity Provider, and that a claim is configured that maps the user's email address to the SAML NameID attribute.

For detailed steps to set up VT Docs in ADFS, see Setup Single Sign-On for Active Directory and VisibleThread Docs on-prem.

3. Test and Enable SAML SSO

Once you have completed the above two steps you are ready to test your SSO configuration. In VT Docs, click Test Login:

[screenshot]

This will open a new window and should prompt you to log in to your Identity Provider. Enter your credentials and, if everything is set up correctly, you should see:

[screenshot]

To save your changes and enable SAML SSO for all users, click Enable and then Confirm:

[screenshots]

End-user Login Experience

Once SSO is enabled, VT Docs will authenticate users against your Identity Provider when they open VT Docs in their web browser.

If a user does not have an active session with your Identity Provider, they will be redirected to your Identity Provider's login URL. Once the user is successfully authenticated against the Identity Provider, the browser will redirect them back to VT Docs.

Note: To access VT Docs, the user must already exist in the VT Docs system, and the VT Docs username must be the email address sent in the SAML NameID assertion. We do NOT auto-provision SSO users as VT Docs users. If a user does not already exist in the VT Docs system, the user will see this screen:

[screenshot]

For details on adding users, see How do I add/remove users from VisibleThread.

Troubleshooting

SSO Configuration Issues

If you see either of the following messages when you click Test Login from your SAML configuration:

[screenshot]

[screenshot]

this suggests that you have entered an invalid or expired X.509 certificate in the VisibleThread Security Settings.

When you Apply changes to your Security Settings, we will validate your certificate and report any issues, e.g.:

[screenshot]

User Login - Access Denied

If a user logs in through SAML but gets the following Access Denied message, "NameID element must be present...":

[screenshot]

this indicates that either:

  • the user does not have an email address associated with their Identity; OR
  • the claim (configured in your Identity Provider) that maps the user's email address to the SAML NameID attribute is either missing or not set up correctly.
