Set Up Single Sign-On

Allow users to use their login credentials from an external service provider to log on to the solution.

Note:  

  • You may need help from your IT administrator to set up single sign-on.
  • The solution supports IdP-initiated SSO logon processes. For more information, contact Visier Support.

You will need to configure your SAML 2.0 settings with an identity provider (IdP) before you can set up single sign-on in the solution.

Step One: Set up single sign-on with your identity provider

Use the following information as guidance for configuring the SAML 2.0 assertion:

General settings

  • Service Provider: Visier Analytics
  • Service Provider Endpoint: https://vanityname.visier.com/VServer/auth

    Note: Replace vanityname with your vanity URL domain.

  • Single Logout Endpoint (Optional): https://vanityname.visier.com/VServer/auth/logoffWithSaml

    Note:  

    • Replace vanityname with your vanity URL domain.
    • This is required to enable single logout (SLO). If your IdP does not have a distinct setting to enable SLO, you can enable SLO by providing the above URL. To disable SLO in this case, just remove the SLO URL. If your IdP does have a setting to enable SLO, you must enable the setting and provide the above URL.
  • Unique identifier for users: email address
  • Secondary information to be passed to Visier pertaining to user accounts: Nothing specific to user accounts, but we need to know the Issuer URL for SSO to work.

Security settings

The assertion must be signed with one of the following algorithms:

  • RSA-SHA256
  • RSA-SHA1
  • DSA-SHA1

Tip: We recommend RSA-SHA256 as the signing algorithm because it is the most secure of the supported options.

Issuer and certificate information

  • NameID format expected by Visier: Standard format. For example, john.doe@acmeinc.com.
  • NameIDPolicy: Unspecified, transient
  • Type of SSO initiation: IdP Initiated
  • Creation of user accounts: User accounts can be loaded from a file or created manually. Auto-provisioning is also available. For more information, see Auto Provisioning.
  • Deactivation of user accounts: Deactivate user accounts via the solution.
  • Self-signed certificates: Supported
  • SAML single logout: Supported. If enabled, users who sign out of their IdP site are also signed out of Visier.
  • Session timeout limit: Yes. This can be adjusted in the SAML assertion. The following is an example of a three-hour session:
    <saml2:SubjectConfirmationData NotOnOrAfter="2015-01-26T11:40:56.109Z" Recipient="https://vanityname.visier.com/VServer/auth"/>
    </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2015-01-26T08:40:56.109Z" NotOnOrAfter="2015-01-26T11:40:56.109Z">

Step Two: Set up single sign-on in Visier

  1. On the global navigation bar, click Settings > Single Sign-On.

  2. In the Login URL box, type the URL that users will use to log on to the solution. This URL is generated by your SSO solution (IdP).
  3. Optional: In the Logout URL box, type the URL that users will be directed to after they log out of the solution.
  4. In the Certificate box, type the X.509 certificate that was used to sign the SAML assertion. SAML assertions for the solution should be signed but not encrypted.
  5. In the Issuer box, type the entity ID of the IdP. The issuer uniquely identifies the identity provider within the solution and should match what was provided as part of the assertion during sign-on events.
  6. Optional: In the Parameters box, type any additional parameters required by the IdP. These parameters must be URL encoded.
  7. Optional: Enable auto-provisioning to automatically create user accounts for new users who access the solution from your SSO portal. For more information, see Auto Provisioning.
  8. Optional: To exclude specific users from SSO, add users to the Bypass Users list. Selected users can bypass SSO and use their existing username and password to log in to Visier. To complete the login process, users will be asked to enter a verification code that is sent via email.
  9. Click Save.
  10. Click Test Login to test the login workflow.
  11. Click Enable SSO.

Note:  

  • Contact Visier Technical Support to disable SSO.
  • We recommend that you set up a call with Visier Support to assist you through the SSO configuration. If enabled with an invalid or untested configuration, users may be locked out of the solution.
  • If SSO is turned off, users need a Visier account and password to sign in. Users can reset their password from the sign-in page. However, they may require assistance with account setup and password resets.
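
Because an invalid configuration can lock users out, a captured assertion from your IdP can be checked against the Step One settings and the Step Two Issuer value before you click Enable SSO. The following Python check is an added example, not Visier code: it tests the Issuer, the signature algorithm, the Recipient, and the session window, and it does not verify the signature itself. The function name check_assertion, the sample issuer https://idp.example.com/metadata, and the mapping of the three listed algorithms to their standard XML-DSig URIs are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Standard XML-DSig URIs for the three algorithms under "Security settings".
ALLOWED = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",  # RSA-SHA256
           "http://www.w3.org/2000/09/xmldsig#rsa-sha1",         # RSA-SHA1
           "http://www.w3.org/2000/09/xmldsig#dsa-sha1"}         # DSA-SHA1
# Constructed sample assertion (signature value omitted; issuer is made up).
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
    Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <saml2:Subject><saml2:SubjectConfirmation>
    <saml2:SubjectConfirmationData NotOnOrAfter="2015-01-26T11:40:56.109Z"
      Recipient="https://vanityname.visier.com/VServer/auth"/>
  </saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions NotBefore="2015-01-26T08:40:56.109Z"
    NotOnOrAfter="2015-01-26T11:40:56.109Z"/>
</saml2:Assertion>"""

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, endpoint, issuer):
    """Return (problems, session_seconds). Structural checks only: the
    signature itself is not verified here."""
    root = ET.fromstring(xml_text)  # run on your own captured assertion only
    a = root if root.tag.endswith("}Assertion") else root.find(".//saml2:Assertion", NS)
    if a is None:
        return ["no Assertion element found"], None
    problems, seconds = [], None
    if a.findtext("saml2:Issuer", "", NS).strip() != issuer:
        problems.append("Issuer does not match the value for the Issuer box")
    sm = a.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    alg = sm.get("Algorithm") if sm is not None else None
    if alg not in ALLOWED:
        problems.append(f"assertion unsigned or algorithm not accepted: {alg}")
    scd = a.find(".//saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != endpoint:
        problems.append("Recipient does not match the Service Provider Endpoint")
    cond = a.find("saml2:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        seconds = (_ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))).total_seconds()
    else:
        problems.append("Conditions lacks NotBefore/NotOnOrAfter")
    return problems, seconds
```

For the sample above, the session window evaluates to 10800 seconds, which is the three-hour session shown in Step One.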