SSO with Microsoft Azure Active Directory

Introduction

ZIVVER supports Single Sign-On (SSO) via Microsoft Azure AD, so that users can log in to ZIVVER using their workplace credentials. This manual shows how to set up SSO, as a ZIVVER administrator.

SSO operates on the basis of Security Assertion Markup Language (SAML) v2.0; in this scenario, Microsoft Azure AD is the Identity Provider (IdP) and ZIVVER is the Service Provider (SP).

To activate SSO in ZIVVER, you need the following:

  1. You are a ZIVVER administrator.

  2. You have access to Microsoft Azure and an Azure AD subscription.

Configure SSO in Azure AD

The first step is to set up ZIVVER SSO in Azure AD.

  1. Log in to Microsoft Azure.

  2. Click Azure Active Directory.

  3. Click Enterprise applications.

  4. Click add New application.

  5. Select Mail from the category dropdown menu.

  6. Search for ZIVVER.

  7. Select the ZIVVER app by clicking on the ZIVVER tile.

  8. Click Add.
    Wait until the ZIVVER app has been added. You will be automatically redirected to the control panel for the ZIVVER app.

  9. Click Single sign-on in the Manage blade.

  10. Select the SAML tile.
    You will be prompted with a pop-up to save the single sign-on setting.

  11. Click Yes.
    You should now see the Set up Single Sign-On with SAML configuration screen.

  12. Click Edit edit at (2) User Attributes & Claims.

  13. Click add Add new claim.

  14. Fill in the following:

Name Namespace Source Source attribute

ZivverAccountKey

https://zivver.com/SAML/Attributes

Attribute

user.objectid

Warning
If you are using a hybrid setup with Active Directory on-premise and Azure AD, then user.objectid will not work. Please contact ZIVVER support to get help in this scenario.
  1. Click Save.

  2. Go back to SAML-based Sign-on.
    You might be prompted to Test single sign-on with ZIVVER. If so, click No, i’ll test later.

  3. Click Copy file_copy at App Federation Metadata Url under (3) SAML signing Certificate.
    You need this URL in the ZIVVER admin panel in the next section.

Configure SSO in ZIVVER

The second step is to set up SSO in ZIVVER. You do this in the ZIVVER admin panel.

  1. Log in to the [WebApp] (https://app.zivver.com).

  2. Click the Organization settings tune icon at the bottom left of your browser window.

  3. Go to Single sign-on vpn_key .

  4. Select Automatically retrieve metadata from URL (recommended).

  5. Paste the App Federation Metadata Url copied to your clipboard from the previous section.

  6. Check Use Single sign-On.

    Note
    This will allow users only to log in to ZIVVER via Azure. Only assigned users can log into ZIVVER after saving. The exception being administrators who always can choose between loging in via SSO and loging in with a username and password.
  7. Click SAVE.
    SSO is now configured in ZIVVER and you are ready for the next section.

ZIVVER 2FA exemption (optional)

A ZIVVER account is protected, by default, with an additional login method (2FA). 2FA is also required when logging in via SSO. It is possible to disable ZIVVER’s built-in 2FA when users already log in to Azure AD with a 2FA. This prevents users from having to fill in a 2FA twice.

Unfortunately Azure AD can not indicate in the SAML response whether the user has already specified an extra login method. Azure AD always provides the following SAML response:

  • urn:oasis:names:tc:SAML:2.0:ac:classes:Password

This means that the SAML response does not contain any information from which ZIVVER can decide whether the user is logged in securely with 2FA.

Warning
ZIVVER will never ask for a second authentication factor if you exempt this authentication context from 2FA in the SSO settings. This creates a security risk when users log in to Azure AD without 2FA in combination while a 2FA exemption is configured in ZIVVER. Therefore, it is important that users are required to log in to Azure AD with 2FA if you release the above-mentioned authentication context in ZIVVER.

Follow the steps below to set the 2FA exemption for Azure AD in ZIVVER:

  1. Log in to the WebApp.

  2. Click Organization settings tune in the bottom left of the side panel

  3. Click Single Sign-On (SSO) vpn_key .

  4. In the SAML 2.0 authentication contexts with ZIVVER 2FA exemptions field, enter the value urn:oasis:names:tc:SAML:2.0:ac:classes:Password.

  5. Click SAVE.
    You have now successfully set a 2FA exemption for Azure AD. When users now log in via SSO, ZIVVER will not ask for 2FA.

Assign users to the application ZIVVER in Azure

The third step is to assign users to ZIVVER SSO in Azure AD.

  1. Log in to Microsoft Azure.

  2. Click Azure Active Directory.

  3. Click Enterprise applications.

  4. Select ZIVVER from the list of Enterprise applications installed.

    Tip
    If you want to assign all users in you Azure AD to the ZIVVER application, then you can also toggle User assignment required? to No at the Properties tab under the Manage blade.This means that every Azure AD user is allowed to log into ZIVVER, given that they have an active ZIVVER account. If you use this option, you can skip the steps below.
  5. Select the Users and groups tab under the Manage blade.

  6. Click add Add user to add a user or group.

  7. Click Users >.

  8. Search for users or groups to assing to the ZIVVER application and select them from the list.

    Tip
    If you want to assign groups to the ZIVVER application in Azure AD, you need an Enterprise mobility + security E5 or Azure AD premium P2 license.
  9. Click Select.

  10. Click Assign to confirm your selection.
    The assigned users can now log into ZIVVER, given that they have an active ZIVVER account.

Testing single sign-on

Log in to the WebApp with SSO

  1. Go to the WebApp.

  2. Enter your e-mail address.

  3. Depending on your role in ZIVVER:

    • as a user: you are immediately redirected to the login screen of your organization.

    • as an administrator: you choose between your ZIVVER password and your workplace login details to log in.

  4. Log in with the workplace login data of your organization.
    Depending on the existence of a 2FA exemption, you will be asked for an extra login method. With a 2FA exemption in place, the last step will be skipped.

  5. Enter your extra login factor. You are logged in to ZIVVER WebApp.

Log in to Outlook with SSO

In the ZIVVER Office Plugin in Outlook you can perform SSO login in the following way:

  1. Click the ZIVVER tab.

  2. Click Manage accounts account_circle .

  3. Click the link Add an account add_circle .

  4. Select the e-mail address with which you want to log in.

  5. Click Yes, I want to log in now. You will be redirected to the login screen of your organization.

  6. Log in with the workplace login details of your organization.
    Depending on a 2FA exemption you will be asked for an extra login method. With a 2FA exemption you skip the last step.

  7. Enter your extra login method. You are logged in to Outlook.

Was this article helpful?

thumb_up thumb_down