SSO with Microsoft AD FS internal network only

Use this manual only if you cannot use the default and recommended method for configuring Microsoft AD FS for Zivver.

Configuring SSO with the method from this manual causes SSO to stop working when your AD FS token-signing certificate expires or is replaced by automatic certificate rollover. The metadata you paste into Zivver contains a copy of that certificate, so you have to manually update the AD FS metadata in Zivver after every certificate change.

Configuring SSO with the method from this manual prevents users from logging in to Zivver from outside your internal network. This causes login problems, for example when working from home.

Introduction

Zivver supports Single Sign-On (SSO) via Microsoft AD FS, so that users can log in to Zivver with their workplace credentials. This manual shows how to set up SSO, as a Zivver administrator.

SSO is based on Security Assertion Markup Language (SAML) v2.0. In this scenario Microsoft AD FS is the Identity Provider (IdP) and Zivver is the Service Provider (SP).

To activate SSO in Zivver, you need the following:

  1. You are a Zivver administrator.
  2. You have access to the AD FS Management Console on the AD FS server.

Set up SSO in Zivver using alternate method

  1. Open your favorite browser.
  2. Log in to the Zivver WebApp.
  3. Click Organization settings [ tune ] in the lower left corner.
  4. Go to the Single Sign-On [ vpn_key ] page.
  5. Select Manually paste your organization’s Identity Provider (IdP) SAML metadata XML file contents.
    The following steps help you retrieve the SAML metadata of AD FS so that you can paste it in the Zivver WebApp.
  6. Log in on your AD FS server.
  7. Open a browser.
  8. Enter the URL of your AD FS federation service, followed by /FederationMetadata/2007-06/FederationMetadata.xml, for example: https://adfs.organisation_domain.tld/FederationMetadata/2007-06/FederationMetadata.xml. Use the federation service name, which is not necessarily the hostname of the AD FS server itself. Modern browsers automatically save the file as FederationMetadata.xml. In IE11 you can save the page as an .xml file with Ctrl + S.
    Tip: on the AD FS server, run the PowerShell cmdlet Get-AdfsEndpoint -AddressPath "/FederationMetadata/2007-06/FederationMetadata.xml" to find your AD FS metadata URL (the FullUrl property of the result). The URL will most likely look like this: https://adfs.organisation_domain.tld/FederationMetadata/2007-06/FederationMetadata.xml

  9. Open the FederationMetadata.xml file in Notepad. Opening it in Notepad is important because you need the metadata as plain text, not as the browser's rendered XML view.

  10. Select and copy the full content of the .xml file.

  11. Go back to the Single Sign-On [ vpn_key ] page in Zivver.

  12. Paste the full content in the text box under Identity Provider XML.

  13. Select the checkbox Use Single sign-on.

  14. Click SAVE.

    Zivver is now configured to work with Single Sign-On, but AD FS has not yet been configured to handle incoming authentication requests from Zivver. When SSO is enabled in the Zivver admin panel, Zivver only authenticates users via the Identity Provider. This can cause login problems for users who were created before SSO is fully configured. Users who are already logged in stay logged in and are not logged out when you toggle SSO on or off. Zivver administrators can always log in to Zivver with a username and password, even if AD FS is not yet configured to work with Zivver.
  15. Click the copy icon [ content_copy ] next to the Zivver metadata URL box. You will need this URL in the following procedure. The next and final step is to adjust the settings in the AD FS Management Console.
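The following PowerShell script is an added example, not code from the Zivver manual or from Microsoft's AD FS tooling. It performs steps 6 to 10 on the AD FS server and adds the checks a practitioner wants before pasting metadata that will not refresh itself: it locates the metadata endpoint with Get-AdfsEndpoint, downloads FederationMetadata.xml, extracts the entityID and the advertised IdP signing certificate(s), verifies that the primary token-signing certificate reported by Get-AdfsCertificate is among them, warns when that certificate is close to expiry, records the AutoCertificateRollover setting, and copies the XML to the clipboard for the Identity Provider XML box in Zivver. It assumes an elevated PowerShell session on the AD FS server with the ADFS module available; the output path $OutFile and the 30-day threshold $WarnDays are arbitrary choices.

```powershell
# Added example (not Zivver's or Microsoft's code): fetch the AD FS federation
# metadata on the AD FS server, check the signing certificate it advertises
# against the live token-signing certificate, report expiry, and copy the XML
# to the clipboard for pasting into the Zivver WebApp.
# Assumptions: elevated PowerShell on the AD FS server with the ADFS module;
# $OutFile and $WarnDays are arbitrary values chosen for this example.
$OutFile  = Join-Path $env:TEMP 'FederationMetadata.xml'
$WarnDays = 30

Import-Module ADFS -ErrorAction Stop

# 1. Locate the metadata endpoint. FullUrl carries the federation service
#    name, which is not necessarily this server's own hostname.
$endpoint = Get-AdfsEndpoint -AddressPath '/FederationMetadata/2007-06/FederationMetadata.xml'
if (-not $endpoint -or -not $endpoint.Enabled) {
    throw 'Federation metadata endpoint not found or disabled in AD FS.'
}
$url = $endpoint.FullUrl.AbsoluteUri
Write-Host "Downloading $url"

# 2. Download the metadata as a plain-text file (what the browser step does).
Invoke-WebRequest -Uri $url -UseBasicParsing -OutFile $OutFile
[xml]$md = Get-Content -Path $OutFile -Raw

# 3. Extract entityID and the IdP signing certificate(s) from the SAML metadata.
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$entityId = $md.DocumentElement.GetAttribute('entityID')
$xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
$advertised = foreach ($node in $md.SelectNodes($xpath, $ns)) {
    $raw = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
}
if (-not $advertised) { throw 'No IdP signing certificate found in the metadata.' }

Write-Host "entityID: $entityId"
foreach ($c in $advertised) {
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
    Write-Host ("Advertised signing cert {0} expires {1:yyyy-MM-dd} ({2} days left)" -f $c.Thumbprint, $c.NotAfter, $daysLeft)
    if ($daysLeft -le $WarnDays) {
        Write-Warning "Signing certificate expires within $WarnDays days; the metadata pasted into Zivver must be replaced after the certificate changes."
    }
}

# 4. Cross-check against the certificate AD FS signs tokens with right now.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if ($advertised.Thumbprint -notcontains $primary.Thumbprint) {
    Write-Warning "Metadata does not contain the primary token-signing certificate ($($primary.Thumbprint)); re-download it before pasting."
} else {
    Write-Host "Primary token-signing certificate $($primary.Thumbprint) is present in the metadata."
}

# 5. Automatic rollover replaces the signing certificate later without any
#    change in Zivver, so record the current setting for the operator.
$props = Get-AdfsProperties
Write-Host "AutoCertificateRollover: $($props.AutoCertificateRollover)"

# 6. Put the XML on the clipboard for the Identity Provider XML box in Zivver.
Set-Clipboard -Value (Get-Content -Path $OutFile -Raw)
Write-Host "Metadata copied to clipboard from $OutFile"
```

Run the script instead of steps 6 to 10, then paste the clipboard contents into Identity Provider XML in step 12. Re-run it and paste again whenever it warns that the metadata no longer contains the primary token-signing certificate, which is exactly the situation the warning at the top of this manual describes.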

Set up SSO in AD FS

Refer to SSO with Microsoft AD FS.

Set up Claim Rules

Refer to SSO with Microsoft AD FS.

Set up SSO in Zivver

Refer to SSO with Microsoft AD FS.

Zivver 2FA exemption (optional)

Refer to SSO with Microsoft AD FS.

Log in to the WebApp with SSO

Refer to SSO with Microsoft AD FS.

Log in to Outlook with SSO

Refer to SSO with Microsoft AD FS.

Change User Name field on AD FS login page (optional)

Refer to SSO with Microsoft AD FS.

Set up email address as login name

Refer to SSO with Microsoft AD FS.

Set a custom login name

Refer to SSO with Microsoft AD FS.

Leave login name empty by default

Refer to SSO with Microsoft AD FS.

Create shortcut to the WebApp (optional)

Refer to SSO with Microsoft AD FS.

Add trusted networks to AD FS (optional)

Refer to SSO with Microsoft AD FS.