Set Up Single Sign-On
Allow users to use their login credentials from an external service provider to log on to the solution.
Note:
- You may need help from your IT administrator to set up single sign-on.
- The solution supports IdP-initiated SSO logon processes. For more information, contact Visier Support.
You will need to configure your SAML 2.0 settings with an identity provider (IdP) before you can set up single sign-on in the solution. Visier supports IdP-initiated single sign-on, so any IdP that supports SAML 2.0 can be used.
Step One: Set up single sign-on with your identity provider
Use the following information as guidance for configuring the SAML 2.0 assertion:
General settings
- Service Provider: Visier Analytics
- Service Provider Endpoint: https://vanityname.visier.com/VServer/auth
Note: Replace vanityname with your vanity URL domain.
- Single Logout Endpoint (Optional): https://vanityname.visier.com/VServer/auth/logoffWithSaml
Note:
- Replace vanityname with your vanity URL domain.
- This URL is required to enable single logout (SLO). If your IdP has no separate setting for SLO, providing this URL enables SLO and removing it disables SLO. If your IdP does have an SLO setting, enable that setting and provide this URL.
- Unique identifier for users: The NameID attribute should be mapped to the username field in Visier.
- Secondary information to be passed to Visier pertaining to user accounts: Nothing specific to user accounts, but Visier needs the IdP's Issuer URL (entity ID) for SSO to work.
- Tenant code: The tenant code of the tenant you are setting up SSO for must be included in the SAML assertion. For example, in a tenant hierarchy where WFF_j1r is the tenant code of the administrating tenant and WFF_j1r~i1o is the tenant code of one of its analytic tenants:
- If you're setting up SSO for users at the administrating tenant level, the SAML assertion should have tenantcode=WFF_j1r
- If you're setting up SSO for users at the analytic level, the SAML assertion should have tenantcode=WFF_j1r~i1o
Security settings
The assertion must be signed with one of the following algorithms:
- RSA-SHA256
- RSA-SHA1
- DSA-SHA1
Tip: Use RSA-SHA256. RSA-SHA1 and DSA-SHA1 are accepted only for compatibility with older IdPs; SHA-1 is deprecated for digital signatures and should not be used for new configurations.
Issuer and certificate information
- NameID format expected by Visier: Standard format. This should be the username field in Visier.
- At the administrating tenant level this is usually an email address. For example, john.doe@acmeinc.com
- At the analytic tenant level this is usually a universally unique identifier (UUID). For example, 8987kcny-tas19tk89@WFF_j1r~1l0
- NameIDPolicy: Unspecified, transient.
- Type of SSO initiation: IdP Initiated.
- Creation of user accounts: User accounts can be loaded from a file or created manually. Auto-provisioning is also available. For more information, see Auto Provisioning.
- Deactivation of user accounts: Deactivate user accounts via the solution.
- Self-signed certificates: Supported.
- SAML single logout: Supported. If enabled, users who sign out of their IdP site are also signed out of Visier.
- Session timeout limit: Yes. The session length is set by the validity window of the SAML assertion: the session ends at the NotOnOrAfter time. The following fragment, with the surrounding Subject elements shown for context, describes a three-hour session (NotBefore 08:40, NotOnOrAfter 11:40):
<saml2:Subject>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData NotOnOrAfter="2015-01-26T11:40:56.109Z" Recipient="https://vanityname.visier.com/VServer/auth"/>
  </saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2015-01-26T08:40:56.109Z" NotOnOrAfter="2015-01-26T11:40:56.109Z">
  <!-- other conditions omitted -->
</saml2:Conditions>
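The following script is an added example, not Visier's code or a tool Visier ships. It checks an assertion offline against the Step One requirements above: Issuer matches the configured entity ID, NameID is present, Recipient is the Service Provider Endpoint, the assertion is inside its NotBefore/NotOnOrAfter window (and reports the resulting session length), the tenant code matches the tenant being configured, and the declared signature algorithm is one of the three accepted ones, with SHA-1 flagged as a warning. Assumptions: the issuer https://idp.example.com/metadata is a placeholder, the sample assertion is constructed here with no real SignatureValue, the tenant code is carried as a SAML Attribute named tenantcode (the page does not say how the IdP should encode it), and the signature is not verified cryptographically (that requires an XML signature library such as xmlsec), only its declared algorithm is inspected.

```python
"""Offline check of a SAML 2.0 assertion against the Step One requirements.

Added example, not Visier code. Standard library only; it does NOT verify the
XML signature cryptographically, it inspects the declared SignatureMethod and
the fields Visier keys on: Issuer, NameID, Recipient, validity window, tenant code.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
DSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
ACCEPTED_ALGS = {RSA_SHA256, RSA_SHA1, DSA_SHA1}   # the three algorithms the page lists
SHA1_ALGS = {RSA_SHA1, DSA_SHA1}                    # accepted, but deprecated

SP_ENDPOINT = "https://vanityname.visier.com/VServer/auth"
IDP_ISSUER = "https://idp.example.com/metadata"     # placeholder entity ID (assumption)


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2015-01-26T11:40:56.109Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_sample_assertion(sig_alg=RSA_SHA256, tenantcode="WFF_j1r",
                           issuer=IDP_ISSUER, name_id="john.doe@acmeinc.com"):
    """Constructed sample assertion for the demo (no real SignatureValue); tenantcode is
    carried as a SAML Attribute, which is an assumption about the IdP's encoding."""
    return f"""<saml2:Assertion xmlns:saml2="{NS['saml2']}" xmlns:ds="{NS['ds']}"
    ID="_example" Version="2.0" IssueInstant="2015-01-26T08:40:56.109Z">
  <saml2:Issuer>{issuer}</saml2:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{sig_alg}"/>
  </ds:SignedInfo></ds:Signature>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{name_id}</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2015-01-26T11:40:56.109Z"
          Recipient="{SP_ENDPOINT}"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2015-01-26T08:40:56.109Z" NotOnOrAfter="2015-01-26T11:40:56.109Z"/>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="tenantcode"><saml2:AttributeValue>{tenantcode}</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def check_assertion(xml_text, expected_issuer, sp_endpoint, expected_tenant, now):
    """Return {'errors', 'warnings', 'name_id', 'session_hours'} for one assertion.

    `now` is an aware datetime or an ISO 8601 string; a real SP uses its own clock.
    """
    if isinstance(now, str):
        now = parse_ts(now)
    root = ET.fromstring(xml_text)
    errors, warnings = [], []

    # Issuer must equal the entity ID entered in the Issuer box in Visier.
    issuer = (root.findtext("saml2:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        errors.append(f"Issuer {issuer!r} does not match configured issuer {expected_issuer!r}")

    # NameID is mapped to the Visier username; an empty one can never match an account.
    name_id = (root.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS) or "").strip()
    if not name_id:
        errors.append("NameID missing; Visier maps NameID to the username")

    # The bearer confirmation must be addressed to the Service Provider Endpoint.
    scd = root.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp_endpoint:
        errors.append(f"SubjectConfirmationData Recipient must be {sp_endpoint}")

    # NotBefore/NotOnOrAfter define the validity window and therefore the session length.
    session_hours = None
    cond = root.find("saml2:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        errors.append("Conditions with NotBefore and NotOnOrAfter are required")
    else:
        not_before, not_after = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
        session_hours = (not_after - not_before).total_seconds() / 3600
        if not (not_before <= now < not_after):
            errors.append("assertion is outside its validity window (expired or clock skew)")
        if scd is not None and scd.get("NotOnOrAfter") and parse_ts(scd.get("NotOnOrAfter")) <= now:
            errors.append("SubjectConfirmationData NotOnOrAfter has passed")

    # The tenant code must name the tenant being configured (administrating or analytic).
    tenant = None
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == "tenantcode":
            tenant = (attr.findtext("saml2:AttributeValue", default="", namespaces=NS) or "").strip()
    if tenant != expected_tenant:
        errors.append(f"tenantcode {tenant!r} does not match expected tenant {expected_tenant!r}")

    # Only the declared algorithm is inspected here; SHA-1 variants are accepted but flagged.
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    if alg not in ACCEPTED_ALGS:
        errors.append(f"signature algorithm {alg!r} is not RSA-SHA256, RSA-SHA1 or DSA-SHA1")
    elif alg in SHA1_ALGS:
        warnings.append(f"signature uses SHA-1 ({alg}); move to RSA-SHA256")

    return {"errors": errors, "warnings": warnings, "name_id": name_id, "session_hours": session_hours}


if __name__ == "__main__":
    print(check_assertion(build_sample_assertion(), IDP_ISSUER, SP_ENDPOINT, "WFF_j1r",
                          now="2015-01-26T09:00:00Z"))
```

Run it against an assertion captured from your IdP's test login (for example via the browser's SAML tracer) with the real issuer and tenant code substituted; an empty errors list means the values match what the Step Two form expects, and any entry in errors points at the field that would otherwise land the user on the generic username/password page described in the troubleshooting FAQ.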
Step Two: Set up single sign-on in Visier
We recommend that Embedded Partner Administrators set up single sign-on in the administrating tenant to promote consistency with your analytic tenant user experience.
- On the global navigation bar, click Settings > Single Sign-On.
Note: Embedded Partner Administrators must click Settings > Partner Single Sign-On.
- In the Login URL box, type the URL that users will use to log on to the solution. This URL is generated by your SSO solution (IdP).
- Optional: In the Logout URL box, type the URL that users will be directed to after they log out of the solution.
- In the Certificate box, paste the X.509 certificate that the IdP uses to sign the SAML assertion. SAML assertions for the solution must be signed but not encrypted.
- In the Issuer box, type the entity ID of the IdP. The issuer uniquely identifies the identity provider within the solution and should match what was provided as part of the assertion during sign-on events.
- Optional: In the Parameters box, type any additional parameters required by the IdP. These parameters must be URL encoded.
- Optional: Enable auto-provisioning to automatically create user accounts for new users who access the solution from your SSO portal. For more information, see Auto Provisioning.
- Optional: To exclude specific users from SSO, add them to the Bypass Users list. Bypass users can skip SSO and sign in to Visier with their existing username and password at the following URL: https://{vanity-name}.visier.com/VServer/auth/admin. To complete the login, they must enter a verification code that is sent to them by email. Keep this list as short as possible (for example, one break-glass administrator), because bypass users are not subject to your IdP's authentication policy.
- Click Save.
- Click Test Login to test the login workflow.
- Click Enable SSO.
Note:
- We recommend that you set up a call with Visier Support to assist you through the SSO configuration. If enabled with an invalid or untested configuration, users may be locked out of the solution.
- If SSO is turned off, users need a Visier account and password to sign in. Users can reset their password from the sign-in page. However, they may require assistance with account setup and password resets.
Step Three: Set up single sign-on for your analytic tenants
You may configure multiple IdPs to support multi-SSO for your analytic tenants. If SSO is enabled, existing tenants that don't have assigned SSO providers will accept authentication from any of the configured IdPs. SSO provides a seamless user onboarding experience and adoption for your analytic tenants.
- On the global navigation bar, click Settings > Tenant Single sign-on.
- Click Create New SSO Configuration and enter the IdP issuer.
Note: Each issuer name must be unique. Symbols are not allowed.
- Click Create.
- In the IdP URL box, type the URL that users will use to log on to the solution. This URL is generated by your SSO solution (IdP).
- Optional: In the Logout URL box, type the URL that users will be directed to after they log out of the solution.
- In the Certificate box, paste the X.509 certificate that the IdP uses to sign the SAML assertion. SAML assertions for the solution must be signed but not encrypted.
- Optional: In the Parameters box, type any additional parameters required by the IdP. These parameters must be URL encoded.
- Click Save.
- In the Tenant Single sign-on room, turn on the Enable SSO toggle.
Frequently asked questions
Is there a metadata file that can be consumed in our IdP to configure the integration?
No. There is no metadata file. However, the only Visier-specific information needed to set up SSO with your identity provider is the Service Provider Endpoint. You can find this in Studio by clicking Settings > Single Sign-On on the global navigation bar. The Service Provider Endpoint has the following format: https://vanityname.visier.com/VServer/auth
Is Just-in-Time (JIT) or SCIM provisioning supported?
Visier supports JIT provisioning. For more information, see Auto Provisioning. If auto provisioning is enabled, when a user signs in to Visier a user account is created automatically if no existing username matches the NameID sent. SCIM is not supported as a provisioning protocol, and users cannot be created automatically based on criteria defined in the IdP or elsewhere.
Is Multi-Factor Authentication (MFA) supported?
Because the connection is IdP-initiated, sign-in starts at the identity provider, and any steps the end user must complete as part of authentication (including MFA) are enforced by the IdP and are irrelevant from Visier's perspective. Once those steps are complete, the only requirement is that the IdP sends the signed SAML assertion to Visier.
Is a Sandbox/QA environment available to test the SSO integration prior to go-live?
No. We do not provide a separate environment for SSO testing. However, before you enable SSO you can test the connection to confirm that it works as expected: when you set up single sign-on in Studio, click Test Login. A new tab opens with a Visier icon; click the icon and it should sign you in automatically. If that succeeds, you can enable SSO to go live.
How do users access Visier once SSO is set up?
When users navigate to the sign-in page in their browser, they are taken to the IdP to authenticate at the Login URL that you defined. Once authenticated, users are redirected back to Visier and signed in.
Once enabled can users only connect via SSO?
Yes, with exceptions. You may want a backup in case a certificate expires or the IdP is unavailable, or you may have contractors who cannot be added to the IdP because of internal controls. In these cases, add those users to the Bypass Users list when you set up SSO in Visier. Bypass users sign in to Visier independently of SSO: they are redirected to a different sign-in URL, enter their credentials, and are asked to enter a verification code that is sent by email.
How can I troubleshoot if a user cannot sign in via the IDP?
When a user attempts to sign in to Visier via SSO and is unsuccessful, there are two possible outcomes.
If the user is redirected to a generic Visier page requesting a username and password, the request reached Visier successfully via the IdP, but the SAML contents do not match what Visier expects. For example, the NameID sent does not match a user's username in Visier, or the certificate or issuer sent does not match the values defined in Visier.
If the user encounters an error or is redirected to a non-Visier landing page, the issue is on the IdP side. Either the user is not configured for access to Visier (for example, in the wrong user group) or an incorrect Login URL was entered in Visier for the IdP-initiated connection.