SSO with Google G-Suite

Introduction

ZIVVER supports Single Sign-On (SSO) via Google G-Suite, so that users can log in to ZIVVER with their workplace credentials. This manual shows how to set up SSO as a ZIVVER administrator.

SSO operates on the basis of Security Assertion Markup Language (SAML) v2.0; in this scenario, Google G-Suite is the Identity Provider (IdP) and ZIVVER is the Service Provider (SP).

To activate SSO in ZIVVER, you need the following:

  1. You are a ZIVVER administrator.
  2. You have access to the Admin panel in G-Suite.
  3. You have Super Admin rights in G-Suite. You need this to set up a new SSO link.

Set up SSO connection in G-Suite

  1. Log in to Google G-Suite.
  2. Choose Apps in the menu to the left.
  3. Click SAML Apps.
    Click Add in the lower right corner.
  4. Click Set up my own custom app.
    A new window opens.
  5. Download the IDP metadata file from Option 2.
  6. Click Next.
  7. Give the SAML App a name, for example ZIVVER.
  8. Click Next.
  9. Set ACS URL to https://app.zivver.com/api/sso/saml/consumer/.
  10. Set Entity ID to https://app.zivver.com/SAML/Zivver.
  11. Optional: set Start URL to https://app.zivver.com/
  12. Leave Signed Response unchecked.
  13. Ensure that Basic information is set to Name ID.
  14. Ensure that Primary Email is set to Name ID.
  15. Ensure that EMAIL is set to Name ID.
    The e-mail address is passed as the primary value with this setting.
    Click Next.
  16. Click Add new mapping.
  17. Enter the ZivverAccountKey attribute. ZIVVER uses the ZivverAccountKey in the encryption process. It is therefore important that the number is long, unique and random. Preferably, this number is generated by you and is not used in other connections or systems.
    The attribute name should be entered as: https://zivver.com/SAML/Attributes/ZivverAccountKey
    The same value should be used as input when creating accounts.

    If you are using an on-premise Microsoft Active Directory, you can set objectGUID as ZivverAccountKey.
  18. Link this attribute to the desired user information in G-Suite.
  19. Click Finish. You have successfully set up SSO in G-Suite.

Set up SSO connection in ZIVVER

Follow the steps below to set up the newly created SSO connection in ZIVVER:

  1. Log in to the WebApp.
  2. Click Organization Settings in the bottom left of the side panel.
  3. Click Single Sign-On (SSO).
  4. Select Manually paste your organization’s Identity Provider (IdP) SAML metadata XML file contents.
  5. Open the IDP metadata file you downloaded from G-Suite.
  6. Paste the contents of the IDP metadata file into the Identity Provider XML field in ZIVVER.
  7. Check the option Use Single sign-on at the bottom of your screen.
  8. Click SAVE. You have successfully set up the SSO link in ZIVVER.

Users can now only log in via SSO, which means that if SSO is not set up correctly, users will be unable to log in at all.
Immediately test that users can log in to the WebApp and Outlook.

Release ZIVVER 2FA

A ZIVVER account is protected, by default, with an additional login method (2FA). 2FA is also required when logging in via SSO. It is possible to disable ZIVVER’s 2FA when users log in via SSO with G-Suite.

Unfortunately, G-Suite does not indicate in the SAML response whether the user has already specified an extra login method. G-Suite always provides the following authentication context in the SAML response:

  • urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

This means that the SAML response does not contain any information from which ZIVVER can decide whether the user is logged in securely with 2FA.

ZIVVER will never ask for a second authentication factor if you exempt this authentication context from 2FA in the SSO settings. This creates a security risk when users log in to G-Suite without 2FA while a 2FA exemption is configured in ZIVVER. Therefore, it is important that users are required to log in to G-Suite with 2FA if you exempt the above-mentioned authentication context in ZIVVER.

Follow the steps below to set up 2FA exemption for G-Suite in ZIVVER:

  1. Log in to the WebApp.
  2. Click Organization settings in the bottom left of the side panel.
  3. Click Single Sign-On (SSO).
  4. In the SAML 2.0 authentication contexts with ZIVVER 2FA exemptions field, enter the value urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified.
  5. Click SAVE.
    You have now successfully set a 2FA exemption for G-Suite. When users now log in via SSO, ZIVVER will not ask for 2FA.
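
The following is an added example, not ZIVVER's or Google's code: it inspects a captured SAML response to confirm that the ZivverAccountKey mapping arrives and to show why the unspecified authentication context says nothing about 2FA at the IdP. The sample response and the function name `inspect_response` are constructed for illustration, and the exemption check only models the behaviour described above.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
KEY_ATTR = "https://zivver.com/SAML/Attributes/ZivverAccountKey"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# Constructed, unsigned sample response; all values are invented for illustration.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
    <saml:AuthnStatement><saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://zivver.com/SAML/Attributes/ZivverAccountKey">
        <saml:AttributeValue>constructed-key-0123456789abcdef</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def inspect_response(xml_text, exempt_contexts):
    """Summarise what the SP can learn from a response (no signature check)."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no unencrypted Assertion in response")
    text = lambda path: (assertion.findtext(path, "", NS) or "").strip()
    ctx = text(".//saml:AuthnContextClassRef")
    key = ""
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == KEY_ATTR:
            key = (attr.findtext("saml:AttributeValue", "", NS) or "").strip()
    return {
        "name_id": text("saml:Subject/saml:NameID"),
        "account_key_present": bool(key),
        "authn_context": ctx,
        # "unspecified" names no login method, so it cannot show 2FA was used.
        "context_names_method": ctx not in ("", UNSPECIFIED),
        # Per the page: an exempted context means ZIVVER asks for no second factor.
        "zivver_2fa_skipped": ctx in exempt_contexts,
    }

if __name__ == "__main__":
    print(inspect_response(SAMPLE, {UNSPECIFIED}))
```

When `zivver_2fa_skipped` is true and `context_names_method` is false, the only second factor left is the one enforced in G-Suite itself.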

Log in to the WebApp with SSO

  1. Go to the WebApp.
  2. Enter your e-mail address.
  3. Depending on your role in ZIVVER:
    • as a user: you are immediately redirected to the login screen of your organization.
    • as an administrator: you choose between your ZIVVER password and your workplace login details to log in.
  4. Log in with the workplace login data of your organization. Depending on the existence of a 2FA exemption, you will be asked for an extra login method. With a 2FA exemption in place, the last step will be skipped.
  5. Enter your extra login factor. You are logged in to ZIVVER WebApp.

Log in to Outlook with SSO

In the ZIVVER Office Plugin in Outlook you can perform SSO login in the following way:

  1. Click the ZIVVER tab.
  2. Click Manage accounts.
  3. Click the link Add an account.
  4. Select the e-mail address with which you want to log in.
  5. Click Yes, I want to log in now.
    You will be redirected to the login screen of your organization.
  6. Log in with the workplace login details of your organization. Depending on whether a 2FA exemption is in place, you will be asked for an extra login method. With a 2FA exemption, you skip the last step.
  7. Enter your extra login method.
    You are logged in to Outlook.
