SSO with HelloID

Introduction

ZIVVER supports Single Sign-On (SSO) via HelloID from Tools4Ever, so that users can log in to ZIVVER with their workplace credentials. This manual describes how to set up SSO as a ZIVVER administrator.

SSO operates on the basis of Security Assertion Markup Language (SAML) v2.0; in this scenario, HelloID is the Identity Provider (IdP) and ZIVVER is the Service Provider (SP).

To configure HelloID as an IdP for ZIVVER, you need the following:

  1. You are a ZIVVER administrator.

  2. You have access to the HelloID admin portal.

Configure SSO in HelloID

Create or import a certificate

A certificate is necessary for the SSO connection. If there is no certificate for your organization, follow the steps below to import or create a certificate in HelloID. In this example, a self-signed certificate is created:

  1. Go to the HelloID Administrator Portal.

  2. Select Settings.

  3. Go to Certificates.

  4. Import or create a certificate in HelloID, choosing one of the following:

     • Create a new self-signed certificate.

     • Import an existing certificate.

You now have a certificate that allows HelloID to securely communicate with ZIVVER.

Install and configure the ZIVVER HelloID application

These steps describe how to add and configure the ZIVVER SSO application in HelloID.

  1. Go to the HelloID Administrator Portal.

  2. Navigate to Applications.

  3. Click Applications again.

  4. Open the Application Catalog.

  5. Search for ZIVVER.
    ZIVVER should appear in the list of results. If it does not, please contact Tools4Ever via their support page.

  6. Select Add to add the ZIVVER app to the catalog.

  7. Click Next.

  8. In the Single Sign-On tab, change the Issuer to your organization’s portal name.

  9. In the X509 Certificate dropdown menu, select the certificate you imported or created in the previous section, or select an existing certificate.

  10. Click Next.

  11. In the Self Service tab, choose whether or not to automatically create a Self Service product.
    This makes the application available on request to users.

  12. Click Next.

  13. In the Finish tab, click Save to add the application to HelloID.
    The application is now set up in HelloID.

Application metadata

The metadata is necessary for the connection between HelloID and ZIVVER. Follow the steps below to retrieve the metadata.

  1. Select the ZIVVER application in the HelloID catalog.

  2. In the application overview, click Edit to view the properties.

  3. In the top-right corner, right-click the button Download metadata.

  4. Select the option to copy the URL.

  5. Save this URL.
    You will need this URL in the coming sections.

Configure attribute mapping

  1. Select the ZIVVER application in the HelloID catalog.

  2. In the application overview, click Edit to view the properties.

  3. In the Configuration tab, edit the Mapping Set.

  4. Next to SAML User, click Change mappings.

  5. Depending on your HelloID configuration, there are two options for mapping. Choose the option that applies to your organization:

     • Mapping with Active Directory - Use this option if your users are managed in Microsoft Active Directory (AD), and this system is used as the source for users in HelloID.

     • Mapping with HelloID - Use this option if your organization does not use AD as the source for HelloID.

Mapping attributes with Active Directory

  1. Enter the following information in the Mapping for SAML User panel:

     User                          HelloID Claim Set
     f(x) {{user.contactEmail}}    NameID
     f(x) {{user.adsid}}           ZivverAccountKey

  2. Click the f(x) icon next to {{user.adsid}}.

  3. Select the option Encode to Base64.

  4. Save the changes.

  5. Close the configuration panel.

Note
The email address that is sent to HelloID from AD is mapped by default to {{user.contactEmail}}. If this is different for your organization, replace {{user.contactEmail}} with the attribute that contains the users' email address, as imported from AD.

Mapping attributes with HelloID

  1. Enter the following information in the Mapping for SAML User panel:

     User                          HelloID Claim Set
     f(x) {{user.userName}}        NameID
     f(x) {{user.userGUID}}        Subject.ZivverAccountKey

  2. Save the changes and close the configuration panel.

Configure SSO in ZIVVER

This section of the manual describes how to import the HelloID metadata into ZIVVER. The URL for this metadata was retrieved from HelloID in the section Application metadata.
  1. Open your browser.

  2. Log in to the ZIVVER WebApp.

  3. Click Organisation settings in the lower left corner.

  4. Go to the Single Sign-On page.

  5. Enter the HelloID metadata URL in the text box under Automatically retrieve metadata from URL (recommended).

  6. Place a checkmark next to Use Single sign-on.

  7. Click SAVE.
ZIVVER is now set up to work with Single Sign-On.

ZIVVER 2FA exemption (optional)

By default, ZIVVER accounts are protected with an additional login method (2FA). 2FA is also required when logging in via SSO. However, it is possible to disable 2FA in ZIVVER when users log in with SSO via HelloID. You need to know which Authentication Method is passed from HelloID to ZIVVER in order to exempt 2FA in ZIVVER. In the SAML standard, this is called Authentication Context.

HelloID will always return the following Authentication Context in the SAML response:
- urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Warning
The above Authentication Method ensures that users are never asked for 2FA when logging in to ZIVVER. This is a possible security risk, because users can now log in to ZIVVER without 2FA. ZIVVER strongly recommends enforcing 2FA for users within HelloID if you use this option! Please see this manual from HelloID regarding 2FA for more information.

Follow the steps below to set up the 2FA exemption for HelloID in ZIVVER:

  1. Log in to the ZIVVER Web App.

  2. Click the Organization Settings icon at the bottom left of your screen.

  3. Click Single Sign-On (SSO).

  4. In the SAML 2.0 authentication contexts with ZIVVER 2FA exemptions field, enter the following value:

    • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

  5. Click SAVE.
    You have now successfully set a 2FA exemption for HelloID. When users log in via SSO, ZIVVER will not ask for 2FA.
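The two configuration halves above (the attribute mapping in HelloID and the 2FA exemption in ZIVVER) can be checked together by looking at the assertion HelloID actually sends: NameID should carry the mapped e-mail address, ZivverAccountKey should be the Base64-encoded AD SID, and AuthnContextClassRef decides whether the exemption applies. The script below is an added example, not code from ZIVVER or HelloID; it parses a constructed, unsigned sample assertion embedded inline (the e-mail address and SID are made up, and in a real exchange the signature must be verified before any of these fields are trusted). The function names `parse_assertion`, `decode_account_key` and `check_mapping` are this example's own. The Active Directory mapping is used here; for the HelloID-only mapping the same check applies with Subject.ZivverAccountKey carrying the user GUID rather than a SID.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Authentication context HelloID returns and that this manual tells you to
# enter in the ZIVVER 2FA exemption field.
PASSWORD_PROTECTED_TRANSPORT = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
)

# Constructed, unsigned sample of what the AD mapping produces:
# NameID = user.contactEmail, ZivverAccountKey = Base64(user.adsid).
SAMPLE_ADSID = "S-1-5-21-1111111111-2222222222-3333333333-1234"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.org</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{PASSWORD_PROTECTED_TRANSPORT}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="ZivverAccountKey">
        <saml:AttributeValue>{base64.b64encode(SAMPLE_ADSID.encode()).decode()}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Shape of a domain user SID: S-1-5-21-<domain triple>-<RID>.
SID_RE = re.compile(r"^S-1-5-21(-\d+){3}-\d+$")


def parse_assertion(xml_text):
    """Pull NameID, AuthnContextClassRef and the attribute values out of a Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    ctx = assertion.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS
    )
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id, "authn_context": ctx, "attributes": attrs}


def decode_account_key(value):
    """Reverse the 'Encode to Base64' step; return the AD SID or raise ValueError."""
    sid = base64.b64decode(value, validate=True).decode("utf-8")
    if not SID_RE.match(sid):
        raise ValueError(f"ZivverAccountKey does not decode to an AD SID: {sid!r}")
    return sid


def check_mapping(parsed, exempt_contexts=(PASSWORD_PROTECTED_TRANSPORT,)):
    """Report mapping problems and whether ZIVVER's 2FA exemption would apply."""
    problems = []
    if not parsed["name_id"] or "@" not in parsed["name_id"]:
        problems.append("NameID is not an e-mail address (check the user.contactEmail mapping)")
    keys = parsed["attributes"].get("ZivverAccountKey", [])
    if len(keys) != 1:
        problems.append("expected exactly one ZivverAccountKey value")
    else:
        try:
            decode_account_key(keys[0])
        except ValueError as exc:
            problems.append(str(exc))
    # With the exemption configured, this context alone lets the user in; any
    # second factor then has to be enforced on the HelloID side.
    exempt = parsed["authn_context"] in exempt_contexts
    return {"ok": not problems, "problems": problems, "twofa_exempt": exempt}


if __name__ == "__main__":
    print(check_mapping(parse_assertion(SAMPLE_RESPONSE)))
```

A captured real assertion can be fed in by replacing `SAMPLE_RESPONSE`; if `twofa_exempt` comes back `True` for a user who never passed a second factor in HelloID, the exemption has removed 2FA from the login path entirely, which is exactly the situation the warning above describes.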

Test SSO in the ZIVVER Web App

Follow these steps to test the login process via SSO in the ZIVVER Web App:

  1. Go to the ZIVVER Web App.

  2. Enter your e-mail address.

  3. Depending on your role in ZIVVER:

    • As a user: You are immediately redirected to the login screen of your organization.

    • As an administrator: You choose between your ZIVVER password and your workplace login details to log in.

  4. Log in with the workplace login data of your organization. Unless a 2FA exemption is in place, you will be asked for an extra login method; with a 2FA exemption, the last step is skipped.

  5. Enter your extra login factor (2FA). You are logged in to ZIVVER Web App.

Test SSO in the ZIVVER Office Plugin

Follow these steps to test the login process via SSO in the ZIVVER Office Plugin in Outlook:

  1. Click the ZIVVER tab in Outlook.

  2. Click Manage accounts.

  3. Click the link Add an account.

  4. Select the e-mail address with which you want to log in.

  5. Click Yes, I want to log in now.
    You will be redirected to the login screen of your organization.

  6. Log in with the workplace login details of your organization. Unless a 2FA exemption is in place, you will be asked for an extra login method; with a 2FA exemption, the last step is skipped.

  7. Enter your extra login factor (2FA).
    You are logged in to the ZIVVER Office Plugin.
