VisibleThread Help Center

Getting Started with Single Sign-On (SSO)

VisibleThread Readability on-prem supports Single Sign-On (SSO) through SAML 2.0. When SSO is enabled, users can sign in to VisibleThread Readability using your organization's login system and credentials, e.g. Microsoft Active Directory Federation Services (ADFS), Ping, Okta, etc.

In SAML terminology, VisibleThread Readability is a "Service Provider" and your organization's authentication system is an "Identity Provider". To set up SAML SSO, you need to:

  1. Configure VT Readability Security Settings and provide your Identity Provider's SAML information.
  2. In your Identity Provider (e.g. ADFS), set up VT Readability as a Service Provider (aka "Relying Party Trust").
  3. Test and enable SAML SSO in VT Readability.

1. Configure VT Readability Security Settings

To review your current Security Settings:

  • Log in to the Readability application. Note that you must have the 'System Admin' role in order to access the Security Settings.
  • Click the Security Settings icon in the sidebar.

Out of the box, VT Readability is configured to use its own local Username/Password credentials.

To get started with Single Sign-On, click Single Sign-On.

You must supply your Identity Provider's:

  • Entity ID
  • SSO URL
  • x509 certificate

If you don't already know these values, your Identity Provider will have a way to obtain its metadata XML file. The metadata XML (usually available through a URL, e.g. https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml) should contain the following elements:

  • EntityDescriptor/@entityID (the Entity ID)
  • EntityDescriptor/IDPSSODescriptor/SingleSignOnService/@Location (the SSO URL)
  • EntityDescriptor/IDPSSODescriptor/KeyDescriptor/KeyInfo/X509Data/X509Certificate (the x509 certificate)
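As an added example (not VisibleThread's code), the following Python script pulls those three values out of an Identity Provider metadata file using only the standard library. The hostname and certificate text in the constructed sample metadata are placeholders; the script picks the KeyDescriptor marked use="signing", because an encryption-only certificate cannot be used to verify the assertions the Identity Provider signs.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Bindings a Service Provider can use for the SSO URL, in order of preference.
BINDINGS = ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")

# Constructed sample metadata; hostname and certificate text are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="http://adfs.example.com/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>
     SIGNING-CERT-PLACEHOLDER
   </ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://adfs.example.com/adfs/ls/"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://adfs.example.com/adfs/ls/"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def extract_idp_settings(metadata_xml: str) -> dict:
    """Return the Entity ID, SSO URL and signing x509 certificate from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML 2.0 Identity Provider metadata")
    # Map Binding -> Location, then take the first binding the SP can use.
    locations = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = next((locations[b] for b in BINDINGS if b in locations), None)
    if sso_url is None:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    # Prefer use="signing" (an unmarked key serves both uses); encryption-only keys cannot verify assertions.
    certs = [kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]
    certs = [c for c in certs if c is not None and c.text]
    if not certs:
        raise ValueError("no signing X509Certificate in metadata")
    cert = "".join(certs[0].text.split())  # metadata wraps the base64 across lines
    return {"entity_id": root.get("entityID"), "sso_url": sso_url,
            "x509_certificate": cert}
```

Fetch the metadata over HTTPS from a URL you trust, and if the file comes from a source you do not fully control, parse it with defusedxml rather than the plain ElementTree parser.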

2. Set up VT Readability (as a Service Provider) in your Identity Provider

This section is carried out within your Identity Provider (e.g. ADFS), and the steps required are particular to each Identity Provider. The VT Readability metadata XML file will provide most of the information that you will need to set up VT Readability as a Service Provider in your Identity Provider. You can obtain the VT Readability metadata from the Single Sign-On screen described above, under VT Readability | Security Settings.

We require that end-users have an email address associated with their identity in your Identity Provider, and that a claim is configured which maps the user's email address to the SAML "Name ID" attribute.

For detailed steps to set up VT Readability in ADFS, see Setup Single Sign-On for Active Directory and VisibleThread Docs on-prem.

3. Test and Enable SAML SSO

Once you have completed the above two steps, you are ready to test your SSO configuration. In VT Docs, click Test Login.

This will open a new window and should prompt you to log in to your Identity Provider. Enter your credentials; if everything is set up correctly, the test login will succeed.

To save your changes and enable SAML SSO for all users, click Apply Changes. You will be signed out of the application.

End-user Login Experience

Once SSO is enabled, VT Readability will authenticate users against your Identity Provider when they open VT Readability in their web browser.

If a user does not have an active session with your Identity Provider, they will be redirected to your Identity Provider's login URL. Once a user is successfully authenticated against the Identity Provider, the browser will redirect the user back to VT Readability.

Note: To access VT Readability the user must already exist in the VT Readability system, and the VT Readability username should be the email address sent in the SAML "Name ID" assertion. By default, Readability does NOT auto-provision SSO users as VT Readability users. You can enable auto-provisioning (see below). If a user does not already exist in the VT Readability system, the user will be shown an error screen instead of the application.

Enabling auto-provisioning

As described above, by default VT Readability requires that end-users be registered in the Readability application prior to signing in via SSO.

You can choose to enable 'auto-provision' by navigating to the 'System Admin' menu and selecting 'System Settings'. Once auto-provisioning is enabled, any new users that sign in via Single Sign-On will be added as users to the Readability system, provided there are user licenses available.


If a new user attempts to sign in with auto-provisioning enabled, but no user licenses are available, they will be shown a message stating that no licenses are available and will not be added as a user.
