Single Sign On (SSO) is a common enterprise software feature. SSO allows an enterprise organization to secure access to disparate applications through a single Identity Provider (IdP), such as Okta or Microsoft Azure Active Directory (Azure AD), among others.
With SSO, users do not have to manage different passwords and can use a single set of credentials to access the different applications made available within their organization.
SSO also simplifies provisioning access for members of an organization from an IT perspective: administrators manage permissions in the SSO platform of choice, and those permissions can then be passed to applications through the authentication flow.
Virtana Platform supports SAML 2.0 SSO. Okta and Azure AD are currently supported as Identity Providers (IdPs).
If SSO is enabled for an organization, Virtana Platform enforces SSO. When the user enters a username on the login page, Virtana Platform checks the username, determines whether SSO is enabled for that user's domain, and then directs the user to the appropriate sign-in page. The username must be in the format firstName.lastName@companyName.suffix.
Users who were onboarded before SSO was enabled must also use SSO.
SSO can be enabled with a Pro License. An administrator role with credentials-based login is required to set up SSO in Virtana Platform.
If you have configured a custom subdomain as part of white-label rebranding of Virtana Platform, you must log in using that custom subdomain before configuring SSO.
The domain used in the administrator's email address is the domain that the SSO account is bound to in Virtana Platform. All users with the same domain as the administrator will be redirected to the IdP when they log in.
Important
If an administrator who was onboarded using SSO disables or removes the organization’s SSO configuration, they will no longer be able to log in. In this case, they will have to contact Virtana Platform Support to establish a set of credentials.
The process for inviting new users to Virtana Platform is the same whether using SSO or password authentication. That is, any existing user in Virtana Platform can invite a new user. The invited user receives an email from Virtana with a clickable link to access the Virtana Platform login screen. However, the login screen differs according to the authentication method.
To use Okta as the SSO identity provider (IdP) for Virtana Platform, you must configure specific settings as required by Virtana. You then copy the IdP SSO metadata URL from Okta and enter it in Virtana Platform to complete the configuration process.
About This Task
After configuring the IdP, you must copy the metadata URL, which you will enter in Virtana Platform.
Prerequisites
-
You must have set up a SAML 2.0 application with your IdP.
-
You must have administrator privileges in both the IdP and Virtana Platform.
-
You must have an appropriate Virtana Platform license to use SSO.
Steps
-
Log into Okta as an administrator and navigate to Applications > Applications.
-
Click Add Application.
-
Click Create New App and select Web in the Platform dropdown.
-
Choose SAML 2.0 and click Create.
-
Enter an App name and upload a logo (if desired), and then click Next.
Leave the App visibility options as the default.
-
Enter the Single Sign On URL and leave Use this for Recipient URL and Destination URL checked.
SSO URL:
https://<env>.cloud.virtana.com/authentication/SSO/saml/acs
<env> is a placeholder for your locale. For example: https://app.cloud.virtana.com/...
-
Enter the Audience URI (SP Entity ID):
URI:
Virtana-Platform
Leave Default RelayState and Name ID Format with the default settings.
-
For Application username, select Email.
-
Click Show Advanced Settings and, in the Attribute Statements section, add the three attribute statements below. Virtana Platform expects the same three attributes from every IdP: the user's first name, last name and email address (used as the external ID).
Important
Entries in the Name field must be exactly as indicated below. Names are case-sensitive. Ensure the spelling and capitalization are correct for the entries in the Name fields.
-
For the first attribute statement, enter the following:
Name: firstName
Name Format: Basic
Value: user.firstName
-
Click Add Another and complete the second attribute statement in the same way, mapping the user's last name from Okta's standard user.lastName profile attribute:
Name: lastName
Name Format: Basic
Value: user.lastName
-
Click Add Another and complete the third attribute statement, mapping the user's email address from Okta's standard user.email profile attribute:
Name: externalId
Name Format: Basic
Value: user.email
-
Click Next and Finish.
A page displays the Virtana Platform Settings on the Sign-On tab.
-
In the Sign-on methods area, click Identity Provider Metadata under View Setup Instructions.
-
Make a note of the IdP metadata URL shown in the browser's address bar.
You must enter this URL in the Virtana Platform SSO settings form.
Tip
This is not the same as the Identity Provider Single Sign-On URL displayed by View Setup Instructions.
-
[Optional] Configure any other options, such as Password reveal or a Sign On Policy.
-
Add users to the SSO application you just created.
This completes the Okta configuration. You can close Okta and log in to Virtana Platform to proceed with setup.
Next Steps
You must log in to Virtana Platform and configure SSO for the platform.
To use Azure Active Directory (AD) as the SSO identity provider (IdP) with Virtana Platform, you must add Virtana Platform to Azure AD as a managed SaaS application. You then assign users to the application in Azure.
Prerequisites
-
You need an Administrator role in Microsoft Azure with privileges to create applications and assign users and groups.
-
You must have set up a SAML 2.0 application with your IdP.
-
You must have administrator privileges in both the IdP and Virtana Platform.
-
You must have an appropriate Virtana Platform license to use SSO.
Steps
-
Log in to Microsoft Azure as Administrator.
-
Click the hamburger menu in the navigation pane and select Azure Active Directory > Enterprise applications.
-
Click New application and Create your own application, then complete the following:
-
Enter the name of the application.
-
Select Integrate any other application you don't find in the gallery (Non-gallery).
-
Click Create.
-
Navigate back to Azure Active Directory > Enterprise applications > All applications and select the application you just created.
It might take a minute before the new application displays.
-
In the left navigation pane, click Single sign-on and select the SAML option.
-
On the SAML-based Sign-on page, click Edit for Basic SAML Configuration and complete the following:
-
Set the Identifier (Entity ID) to https://app.cloud.virtana.com.
-
Set Reply URL (Assertion Consumer Service URL) to https://app.cloud.virtana.com/authentication/sso/saml/acs.
-
Click Edit for Attributes & Claims and add or update the following claims, which Virtana Platform uses to identify the user:
externalId: user.mail
firstName: user.givenname
lastName: user.surname
Leave the name claim and the Unique User Identifier (Name ID) unchanged.
Important
The Azure AD user profile must have First name, Last name and Email (mail) populated. Otherwise, the integration will fail.
-
Ensure that the Claim names for externalId, firstName and lastName are configured exactly as shown.
On the Attributes & Claims edit page, leave the Namespace field empty for externalId, firstName and lastName so that no namespace URI (XML schema URL) is prepended to them, unlike the claims Azure adds by default. Claim names are case-sensitive; if the name or format of these claims is changed, SSO will not work with Virtana Platform.
-
In the SAML Certificates section, copy the value for App Federation Metadata Url.
You will need to add this URL in Virtana Platform when you configure SSO.
-
Navigate to Users and groups, click Add user/group and select the users or groups to be added to the SSO application.
If you do not have the required privileges to manage users and groups, contact the administrator at your company who has those rights.
Note
The username must be in the form firstName.lastName@companyName.extension. Example: elizaveta.smirnoff@exampleco.com.
This completes the creation and configuration of the SSO application in Azure. You can log in to Virtana Platform to proceed with setup.
Next Steps
You must log in to Virtana Platform and configure SSO for the platform.
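Both the Okta attribute statements and the Azure AD claims above have to arrive in the assertion with exactly the names firstName, lastName and externalId, with no namespace prefix, and with usernames in the firstName.lastName@companyName.suffix form under the domain the SSO configuration is bound to. As an added example (not code from the Virtana documentation or product), the following Python script checks an assertion captured from the IdP (for instance with a browser SAML tracer) against that contract and reports each deviation. The two sample documents, the host example-idp.com and the IDs in them are constructed; the regular expression used for the username form is an assumption based on the documented format. The script does not validate the assertion signature.

```python
"""Check a SAML assertion the IdP actually sends against the attribute
contract Virtana Platform documents: attribute names firstName, lastName and
externalId spelled exactly, no namespace URI prepended, and NameID/externalId
in the firstName.lastName@companyName.suffix form under the bound domain.

Configuration check only: it does not validate the assertion's signature
(use a SAML library for that), and xml.etree should be replaced with
defusedxml if the input is untrusted.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
REQUIRED_ATTRIBUTES = ("firstName", "lastName", "externalId")
# Assumption: the documented username form firstName.lastName@companyName.suffix
USERNAME_RE = re.compile(r"^[^.@\s]+\.[^.@\s]+@([^@\s]+\.[A-Za-z]{2,})$")


def attribute_values(assertion) -> Dict[str, List[str]]:
    """Map each Attribute Name to the text of its AttributeValue elements."""
    out = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name") or ""] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return out


def check_assertion(xml_text: str, bound_domain: str) -> List[str]:
    """Return findings; an empty list means the assertion matches the contract."""
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]
    attrs = attribute_values(assertion)

    for name in REQUIRED_ATTRIBUTES:
        if name in attrs:
            if not any(v.strip() for v in attrs[name]):
                findings.append("attribute %s is present but empty (IdP user profile field not populated)" % name)
            continue
        # The two documented mistakes: wrong capitalisation, or a namespace URI
        # prepended (Azure AD does this for its default claims).
        lookalike = next((n for n in attrs if n.lower() == name.lower() or n.endswith("/" + name)), None)
        if lookalike:
            findings.append("attribute %s missing; IdP sent %r instead (names are case-sensitive and must not carry a namespace)"
                            % (name, lookalike))
        else:
            findings.append("attribute %s missing" % name)

    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    external_id = (attrs.get("externalId") or [""])[0]
    for label, value in (("NameID", name_id), ("externalId", external_id)):
        value = value.strip()
        if not value:
            continue
        m = USERNAME_RE.match(value)
        if not m:
            findings.append("%s %r is not in firstName.lastName@companyName.suffix form" % (label, value))
        elif m.group(1).lower() != bound_domain.lower():
            findings.append("%s domain %r is not the bound domain %r; this user would not be routed to this SSO configuration"
                            % (label, m.group(1), bound_domain))
    return findings


# Constructed samples. GOOD_ASSERTION follows the contract; BAD_RESPONSE wraps an
# assertion with an Azure-style namespaced claim, a lower-cased claim, a missing
# externalId and a NameID that is not in the documented form.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.example-idp.com/aaa111bbb222ccc333dd</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">elizaveta.smirnoff@exampleco.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Elizaveta</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Smirnoff</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="externalId"><saml:AttributeValue>elizaveta.smirnoff@exampleco.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.example-idp.com/aaa111bbb222ccc333dd</saml:Issuer>
    <saml:Subject><saml:NameID>esmirnoff@exampleco.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstName"><saml:AttributeValue>Elizaveta</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastname"><saml:AttributeValue>Smirnoff</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_RESPONSE)):
        print(label, check_assertion(doc, "exampleco.com") or ["OK"])
```

To use it on a real login, paste the base64-decoded SAMLResponse from the tracer in place of BAD_RESPONSE and pass the administrator's email domain as the bound domain; an empty findings list means the IdP is sending what the Virtana Platform configuration expects.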
To configure SSO in Virtana Platform, you only need to enter the identity provider (IdP) SSO metadata URL, which you can view in your IdP account. This URL serves the IdP's SAML metadata XML, through which the IdP and the service provider (SP) share configuration information such as the issuer ID, the SSO endpoint and the signing certificate.
About This Task
The domain used in the administrator's email address is the domain that the SSO account is bound to in Virtana Platform. All users with the same domain as the administrator will be redirected to the IdP when they log in.
Prerequisites
-
You must have an Administrator role in Virtana Platform to perform this task.
Important
If you have configured a custom subdomain as part of white-label rebranding of Virtana Platform, you must log in using that custom subdomain before configuring SSO.
-
You must have configured a Virtana Platform application in your IdP account and made a note of the IdP metadata URL.
-
You must have an administrator role with credentials-based login to Virtana Platform.
Steps
-
Log in to Virtana Platform and navigate to Settings > Login & Permissions.
-
Click Configure SAML 2.0 SSO.
-
Enter the Identity Provider Metadata URL and click Verify Metadata.
If the URL is correct, the following Configuration Parameters are read from the metadata file and displayed:
-
IdP Issuer ID
Example:
http://www.<service-provider>.com/<aaa111bbb222ccc333dd>
-
IdP SSO URL
Example:
http://virtana-platform.<service-provider>.com/virtanaplf/<eeff4455gg66hh77jj88>/sso/saml
-
X.509 Certificate
Example:
-----BEGIN CERTIFICATE-----
abCD123eFgH456JkLM789npQR0123STUV4567wXyZ890ABcd098EfGh765JKlm4321...
-----END CERTIFICATE-----
Tip
The X.509 certificate is what Virtana Platform will use to verify the signature on every SAML assertion from this IdP. Before you save, confirm that it matches the signing certificate shown in your IdP (the View Setup Instructions page in Okta, or the SAML Certificates section in Azure AD), and make sure the metadata URL uses https so the certificate cannot be swapped in transit.
-
Click Save.
The SSO Configuration page displays, listing the SAML SSO you just configured.
-
Click the down arrow to expand the configuration information for SSO, which includes the following:
-
Tenant ID
-
Email Domain
-
SP Entity ID
-
IdP Metadata URL
-
IdP
-
IdP Issuer ID
-
IdP SSO URL
-
[Optional] Click Edit if you need to modify any parameters.
Important
Do not modify the metadata URL unless the URL from your IdP changes. If you are changing identity providers, be sure to configure the appropriate settings for Virtana Platform in the new IdP.