SSO with HelloID
Introduction
Zivver supports Single Sign-On (SSO) via HelloID from Tools4Ever, so that users can log in to Zivver with their workplace credentials. This manual describes how to set up SSO as a Zivver administrator.
SSO operates on the basis of Security Assertion Markup Language (SAML) v2.0; in this scenario, HelloID is the Identity Provider (IdP) and Zivver is the Service Provider (SP).
To configure HelloID as an IdP for Zivver, you need the following:
- You are a Zivver administrator.
- You have access to the HelloID admin portal.
Configure SSO in HelloID
Create or import a certificate
A certificate is necessary for the SSO connection. If there is no certificate for your organization, follow these steps to import or create a certificate in HelloID. In this example, a self-signed certificate is created:
- Go to the HelloID Administrator Portal.
- Select Settings.
- Go to Certificates.
- Import or create a certificate in HelloID:
You now have a certificate. HelloID can now securely communicate with Zivver.
Install and configure the Zivver HelloID application
These steps describe how to add and configure the Zivver SSO application in HelloID.
- Go to the HelloID Administrator Portal.
- Navigate to Applications.
- Click Applications again.
- Open the Application Catalog.
- Search for Zivver.
Zivver should appear in the list of results. If it does not, please contact Tools4Ever via their support page.
- Select Add to add the Zivver app to the catalog.
- Click Next.
- In the Single Sign-On tab, change the Issuer to your organization’s portal name.
- In the X509 Certificate dropdown menu, select the certificate you imported or created in the previous section, or select an existing certificate.
- Click Next.
- In the Self Service tab, choose whether or not to automatically create a Self Service product.
This makes the application available on request to users.
- Click Next.
- In the Finish tab, click Save to add the application to HelloID.
The application is now set up in HelloID.
Application metadata
The metadata is necessary for the connection between HelloID and Zivver. Follow these steps to retrieve the metadata.
- Select the Zivver application in the HelloID catalog.
- In the application overview, click Edit to view the properties.
- In the top-right corner, right-click the button Download metadata.
- Select the option to copy the URL.
- Save this URL.
You will need this URL in a later section.
Configure attribute mapping
- Select the Zivver application in the HelloID catalog.
- In the application overview, click Edit to view the properties.
- In the Configuration tab, click Configure Mapping Set.
- Click Proceed.
- Next to SAML User, click Change mappings.
- When changing mappings, there are 2 options. Choose the option that applies to your organization:
- Mapping with HelloID ZivverAccountKey - Use this option if your organization does not use Microsoft Active Directory as source for user data in HelloID.
- Mapping with Active Directory ZivverAccountKey - Use this option if your organization uses Microsoft Active Directory as source for user data in HelloID.
Mapping attributes with HelloID
You don’t need to change the mapping: by default, the email address in HelloID will be used and the HelloID UserGUID will be used as ZivverAccountKey.
User | HelloID Claim Set |
---|---|
f(x) {{user.contactEmail}} | NameID |
f(x) {{user.userGUID}} | ZivverAccountKey |
Mapping attributes with Active Directory
When you create Zivver accounts based on data from Microsoft Active Directory, you need to configure HelloID in such a way that it provides the same information (i.e. username and ZivverAccountKey) when creating accounts and when logging an account in. If this is not done correctly, HelloID cannot decrypt the user mailbox and the user will be asked to fill in a password.
- Make sure you have configured an Active Directory configuration for your HelloID organization.
Create or manage an Active Directory configuration
- Make sure Active Directory’s “objectGUID” is mapped to a HelloID attribute.
Edit a mapping set
- Enter this information in the Mapping for SAML User panel:
User | HelloID Claim Set |
---|---|
f(x) {{user.contactEmail}} | NameID |
f(x) {{user.attributes.ADObjectGUID}} | ZivverAccountKey |
- Click the f(x) icon next to {{user.attributes.ADObjectGUID}}.
- Select the option Encode to Base64.
- Save the changes.
- Close the configuration panel.
Configure SSO in Zivver
This section of the manual describes how to import the HelloID metadata into Zivver. The URL for this metadata was retrieved from HelloID in the section Application metadata.
- Log in to the WebApp.
- Click the Organization Settings icon at the bottom left of your browser window.
- Go to User administration.
- Go to Single Sign-on.
- Select Automatically.
- Paste the App Federation Metadata Url copied to your clipboard from the previous section.
- Click Save.
- At the top of the page, click the Enable Single sign-on button.
Zivver is now set up to work with Single Sign-On.
Zivver 2FA exemption (optional)
By default, Zivver accounts are protected with an additional login method (2FA). 2FA is also required when logging in via SSO. However, it is possible to disable 2FA in Zivver when users log in with SSO via HelloID. You need to know which Authentication Method is passed from HelloID to Zivver in order to exempt 2FA in Zivver. In the SAML standard, this is called Authentication Context.
HelloID will always return this Authentication Context in the SAML response:
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Zivver strongly recommends enforcing 2FA for users within HelloID if you use this option! Refer to 2FA Management from HelloID.
Do these steps to set up the 2FA exemption for HelloID in Zivver:
- Log in to the WebApp.
- Click the Organization Settings icon at the bottom left of your browser window.
- Go to User administration.
- Go to Single Sign-on.
- Scroll down to the Zivver 2FA exemptions card.
- In the Authentication methods to be exempted field, enter this value:
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
- Click Save.
You have now successfully set a 2FA exemption for HelloID. When users log in via SSO, Zivver will not ask for 2FA.
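The attribute mapping and the 2FA exemption can both be checked offline against the assertion from a test login. The Python sketch below is an added example, not Zivver or HelloID code. It assumes that the attribute name ends in ZivverAccountKey and that the Base64 mapping encodes the raw 16-byte objectGUID in Active Directory byte order. The sample assertion and GUID are constructed, so confirm these assumptions against an assertion from your own tenant.

```python
import base64
import uuid
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def key_from_object_guid(guid_text):
    """Assumption: key = Base64 over the 16 raw objectGUID bytes in AD byte order."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode()


# Constructed sample assertion (not captured from a real tenant); signature omitted.
SAMPLE_GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement><saml:Attribute Name="ZivverAccountKey">
    <saml:AttributeValue>{key_from_object_guid(SAMPLE_GUID)}</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""


def inspect_assertion(xml_text, expected_key, exempt_contexts):
    """Inspection only (no signature check): report what Zivver receives and flag mismatches."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    ctx = root.findtext(".//saml:AuthnContextClassRef", default="", namespaces=NS).strip()
    key = ""
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name", "").endswith("ZivverAccountKey"):
            key = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
    problems = []
    if "@" not in name_id:
        problems.append("NameID is not an e-mail address")
    if not key:
        problems.append("ZivverAccountKey attribute missing")
    elif key != expected_key:
        problems.append("ZivverAccountKey differs from the key used at account creation")
    # zivver_2fa_skipped is True when the asserted context is on the exemption list.
    return {"name_id": name_id, "account_key": key, "authn_context": ctx,
            "zivver_2fa_skipped": ctx in exempt_contexts, "problems": problems}


if __name__ == "__main__":
    print(inspect_assertion(SAMPLE, key_from_object_guid(SAMPLE_GUID), {PPT}))
```

Because HelloID always returns the same Authentication Context, `zivver_2fa_skipped` is true for every HelloID login once the exemption is saved, whether or not HelloID itself asked for a second factor.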
Test SSO in the Zivver Web App
Do these steps to test the login process via SSO in the Zivver Web App:
- Go to the Zivver Web App.
- Enter your e-mail address.
- Depending on your role in Zivver:
- As a user: You are immediately redirected to the login screen of your organization.
- As an administrator: You choose between your Zivver password and your workplace login details to log in.
- Log in with the workplace login data of your organization.
Depending on the existence of a 2FA exemption, you will be asked for an extra login method. With a 2FA exemption in place, the last step will be skipped.
- Enter your extra login factor (2FA).
You are logged in to Zivver Web App.
Test SSO in the Zivver Office Plugin
Do these steps to test the login process via SSO in the Zivver Office Plugin in Outlook:
- Click the Zivver tab in Outlook.
- Click Manage accounts.
- Click the link Add an account.
- Select the e-mail address with which you want to log in.
- Click Yes, I want to log in now.
You will be redirected to the login screen of your organization.
- Log in with the workplace login details of your organization.
Depending on the existence of a 2FA exemption, you will be asked for an extra login method. With a 2FA exemption in place, the last step will be skipped.
- Enter your extra login factor (2FA).
You are logged in to the Zivver Office Plugin.