SSO with HelloID

Introduction

Zivver supports Single Sign-On (SSO) via HelloID from Tools4Ever, allowing users to log in to Zivver with their workplace credentials. This manual describes how to set up SSO as a Zivver administrator.

SSO operates on the basis of Security Assertion Markup Language (SAML) v2.0. In this scenario, HelloID acts as the Identity Provider (IdP) and Zivver as the Service Provider (SP).

To configure HelloID as an IdP for Zivver, you need:

  1. Zivver administrator rights.
  2. Access to the HelloID admin portal.

Configure SSO in HelloID

Generate or import a certificate

A certificate is required for the SSO connection. If your organization does not yet have a certificate, follow these steps to import or generate one in HelloID. In this example, a self-signed certificate is generated:

  1. Go to the HelloID Administrator Portal.
  2. Select Settings.
  3. Go to Certificates.
  4. Import or generate a certificate in HelloID.

You now have a certificate. HelloID can securely communicate with Zivver.

Install and configure the Zivver HelloID application

These steps describe how to add and configure the Zivver SSO application in HelloID.

  1. Go to the HelloID Administrator Portal.
  2. Navigate to Applications.
  3. Click Applications again.
  4. Open the Application Catalog.
  5. Search for Zivver.
    Zivver should appear in the list of results. If it does not, contact Tools4Ever via their support page.
  6. Select Add to add the Zivver app to the catalog.
  7. Click Next.
  8. In the Single Sign-On tab, change the Issuer to your organization’s portal name.
  9. In the X509 Certificate dropdown menu, select the certificate you imported or generated earlier, or select an existing one.
  10. Click Next.
  11. In the Self Service tab, choose whether to automatically create a Self Service product.
    This makes the application available to users on request.
  12. Click Next.
  13. In the Finish tab, click Save to add the application to HelloID.
    The application is now configured in HelloID.

Application metadata

Metadata is required for the connection between HelloID and Zivver. Follow these steps to retrieve it.

  1. Select the Zivver application in the HelloID catalog.
  2. In the application overview, click Edit to view its properties.
  3. In the top-right corner, right-click Download metadata.
  4. Select the option to copy the URL.
  5. Save this URL.
    You will need it later.

Configure attribute mapping

  1. Select the Zivver application in the HelloID catalog.
  2. In the application overview, click Edit to view the properties.
  3. In the Configuration tab, click Configure Mapping Set.
  4. Click Proceed.
  5. Next to SAML User, click Change mappings.
  6. Choose one of the following options:

Mapping attributes with HelloID

You do not need to modify the mapping. By default, the email address in HelloID is used, and the HelloID UserGUID serves as the ZivverAccountKey.

User                         HelloID Claim Set
f(x) {{user.contactEmail}}   NameID
f(x) {{user.userGUID}}       ZivverAccountKey

Mapping attributes with Active Directory

If your Zivver accounts are created based on data from Microsoft Active Directory, HelloID must provide the same information (i.e., username and ZivverAccountKey) when creating and logging in to accounts. If this configuration is incorrect, HelloID cannot decrypt user mailboxes, and users will be prompted to enter a password.

  1. Verify that an Active Directory configuration is set up for your HelloID organization.
    Create or manage an Active Directory configuration
  2. Ensure that the “objectGUID” attribute from Active Directory is mapped to a HelloID attribute.
    Edit a mapping set
  3. Enter this information in the Mapping for SAML User panel (reference screenshots):
User                                  HelloID Claim Set
f(x) {{user.contactEmail}}            NameID
f(x) {{user.attributes.ADObjectGUID}} ZivverAccountKey
    1. Click the f(x) icon next to {{user.attributes.ADObjectGUID}}.
    2. Select Encode to Base64.
    3. Save the changes.
    4. Close the configuration panel.
Note
The email address sent from AD to HelloID is mapped by default to {{user.contactEmail}}. If this is different for your organization, replace {{user.contactEmail}} with the attribute containing the user’s email address from AD.

Configure SSO in Zivver

This section describes how to import the HelloID metadata into Zivver. The metadata URL was retrieved in Application metadata.

  1. Log in to the Zivver WebApp.
  2. Click Organization Settings.
  3. Expand User administration.
  4. Click Single Sign-on.
  5. Select Automatically recommended.
  6. Paste the URL copied from the previous section.
  7. Click .
  8. Click in the top-right corner.
    Zivver is now configured for Single Sign-On.

Zivver 2FA exemption (optional)

By default, Zivver accounts are protected with two-factor authentication (2FA). 2FA is also required when logging in via SSO. However, you can disable 2FA in Zivver for users who log in via SSO through HelloID. You need to know which Authentication Method is passed from HelloID to Zivver to configure this exemption. In SAML, this is called the Authentication Context.

HelloID always returns the following Authentication Context in the SAML response:

  • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Warning
Exempting the above Authentication Method ensures that users are never prompted for 2FA when logging in to Zivver. This may pose a security risk because users can log in to Zivver without 2FA. Zivver strongly recommends enforcing 2FA within HelloID if you use this option. See 2FA Management in the HelloID documentation.

Follow these steps to configure the 2FA exemption for HelloID in Zivver:

  1. Log in to the Zivver WebApp.
  2. Click Organization Settings.
  3. Expand User administration.
  4. Click Single Sign-on.
  5. Scroll down to the Zivver 2FA exemptions card.
  6. In the Authentication methods to be exempted field, enter:
    • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  7. Click .
    You have now successfully set a 2FA exemption for HelloID. When users log in via SSO, Zivver will not request 2FA.
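As an added check that is not part of the HelloID or Zivver documentation, the Python below parses a constructed SAML assertion and reports the three fields the attribute mapping and the 2FA exemption above depend on: the NameID, the ZivverAccountKey attribute, and the AuthnContextClassRef that Zivver compares against the exemption list. The sample assertion, e-mail address and GUID bytes are constructed for the example; whether HelloID's Encode to Base64 works on the GUID's 16 raw bytes or on its string form is not stated on this page, so the 16-byte check is an assumption to confirm against a real response.

```python
import base64
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces and the context HelloID always sends.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample assertion shaped like the HelloID mapping above:
# NameID = contact e-mail, ZivverAccountKey = Base64 of a 16-byte objectGUID.
# The address and GUID bytes are made up; a real response is also signed.
SAMPLE_KEY = base64.b64encode(bytes(range(16))).decode()
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
    <saml:AuthnStatement><saml:AuthnContext>
      <saml:AuthnContextClassRef>{PASSWORD_PROTECTED_TRANSPORT}</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="ZivverAccountKey">
        <saml:AttributeValue>{SAMPLE_KEY}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def inspect_assertion(xml_text, exempted_contexts):
    """Extract NameID, ZivverAccountKey and AuthnContextClassRef; flag gaps.
    exempted_contexts: the URIs entered in Zivver's "Authentication methods to be exempted" field."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    ctx = root.findtext(".//saml:AuthnContextClassRef", namespaces=NS)
    key = root.findtext(".//saml:Attribute[@Name='ZivverAccountKey']/saml:AttributeValue", namespaces=NS)
    findings = []
    if not name_id or "@" not in name_id:
        findings.append("NameID missing or not an e-mail address")
    if key is None:
        findings.append("ZivverAccountKey attribute missing: check the mapping set")
    if ctx is None:
        findings.append("no AuthnContextClassRef, so no 2FA exemption can match")
    # AD mapping (assumption): the key should be the Base64 form of the 16-byte
    # objectGUID; anything else may mean the f(x) Encode to Base64 step was skipped.
    try:
        key_is_b64_guid = key is not None and len(base64.b64decode(key, validate=True)) == 16
    except ValueError:
        key_is_b64_guid = False
    return {"name_id": name_id, "account_key": key, "authn_context": ctx,
            "two_factor_exempt": ctx in exempted_contexts,
            "key_is_b64_guid": key_is_b64_guid, "findings": findings}
```

Run it against a decoded SAML response captured from a test login (browser developer tools or a SAML tracer) to confirm the exemption value and the account key before enabling the exemption for all users.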

Log in to the WebApp with SSO

  1. Go to the Zivver WebApp.
  2. Enter your email address.
  3. Depending on your role in Zivver:
    • Users are redirected directly to the organization’s login screen.
    • Administrators can choose between logging in with their Zivver password or workplace credentials.
  4. Log in with your organization’s credentials.
    Depending on whether a 2FA exemption applies, you may be prompted for an additional login method. If a 2FA exemption is in place, this step is skipped.
  5. Enter your additional login factor.
    You are now logged in to the Zivver WebApp.

Log in to Outlook with SSO

In the Zivver Office Plugin for Outlook, you can log in via SSO using these steps:

  1. Click the Zivver tab.
  2. Click Manage accounts.
  3. Click the Add an account link.
  4. Enter the email address you want to use for login.
  5. Click .
    You will be redirected to your organization’s login screen.
  6. Log in with your organization’s credentials.
    Depending on whether a 2FA exemption applies, you may be prompted for an additional login method. If a 2FA exemption is in place, this step is skipped.
  7. Enter your additional login factor.
    You are now logged in to Outlook.