SSO with Microsoft Entra ID

Introduction

Zivver supports Single Sign-On (SSO) via Microsoft Entra ID, so that users can log in to Zivver with their workplace credentials. This manual shows how to set up SSO as a Zivver administrator.

SSO is based on Security Assertion Markup Language (SAML) 2.0; in this setup, Microsoft Entra ID is the Identity Provider (IdP) and Zivver is the Service Provider (SP).

To activate SSO in Zivver, you need the following:

  1. You are a Zivver administrator.
  2. You have access to Microsoft Azure and an Entra ID subscription.

Configure SSO in Entra ID

The first step is to set up Zivver SSO in Entra ID.

  1. Log in to Microsoft Azure.
  2. Click Entra ID.
  3. Click Enterprise applications.
  4. Click New application.
  5. Select Mail from the category dropdown menu.
  6. Search for Zivver.
  7. Select the Zivver app by clicking on the Zivver tile.
  8. Click Add.
    Wait until the Zivver app has been added. You will be automatically redirected to the control panel for the Zivver app.
  9. Select the Properties blade.
  10. Set Assignment required? to No and click Save.
  11. Click Single sign-on in the Manage blade.
  12. Select the SAML tile.
    You will be prompted with a pop-up to save the single sign-on setting.
  13. Click Yes.
    You should now see the Set up Single Sign-On with SAML configuration screen.
  14. Click Edit at (2) User Attributes & Claims.
  15. Click the row Unique User Identifier (Name ID).
    You are redirected to the Manage claim page for this claim.
  16. At Source attribute, select user.mail.
  17. Click Save and click the close icon (X) in the top right corner of your screen.
  18. Click Add new claim.
  19. Fill in this data:

    Name              Namespace                           Source     Source attribute
    ZivverAccountKey  https://zivver.com/SAML/Attributes  Attribute  user.objectid

    If you create Zivver accounts from on-premises Active Directory with the Zivver Synctool, user.objectid will not work as ZivverAccountKey. In that case, first follow the instructions in the manual Synchronize “objectGUID” with Entra Connect in hybrid AD configurations, then refresh the page and select user.objectguid (extension_<YourTenantID>_objectGUID) from the Source attribute dropdown menu instead of user.objectid.
  20. Click Save.
  21. Go back to SAML-based Sign-on.
    You might be prompted to Test single sign-on with Zivver. If so, click No, I’ll test later.
  22. Click Copy at App Federation Metadata Url under (3) SAML Signing Certificate.
    You need this URL in the Zivver admin panel in the next section.

Configure SSO in Zivver

The second step is to set up SSO in Zivver. You do this in the Zivver admin panel.

  1. Log in to the WebApp.
  2. Click the Organization Settings icon at the bottom left of your browser window.
  3. Go to User administration.
  4. Go to Single Sign-on.
  5. Select Automatically.
  6. Paste the App Federation Metadata Url copied to your clipboard from the previous section.
  7. Click Save.
  8. At the top of the page, click the Enable Single sign-on button.
    SSO is now configured in Zivver, and you are ready for the next section.
After you save, users can log in to Zivver only via Entra ID, and only users assigned to the Zivver application in Entra ID can log in. Administrators are the exception: they can always choose between logging in via SSO and logging in with a username and password.
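The App Federation Metadata Url pasted in above points at an XML document that Zivver reads to learn who the IdP is, where to send users and which certificate signs the assertions. The following script is an added example, not part of the Zivver manual or of Zivver's own code: it parses such a document and reports those fields, so an administrator can confirm what is being trusted before saving. The metadata document, the tenant id and the certificate in it are constructed placeholders; for a real check, fetch the text behind the URL copied in Entra ID and pass it to inspect_metadata().

```python
"""Inspect the IdP metadata behind an App Federation Metadata Url.

Added example, not part of the Zivver manual or of Zivver's own code. Reports
the IdP entityID, the SingleSignOnService endpoint per binding, and the
SHA-256 fingerprint of each signing certificate found in the metadata.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders: not a real tenant, not a real certificate.
FAKE_TENANT = "00000000-0000-0000-0000-000000000000"
FAKE_CERT_DER = b"constructed placeholder, not a DER-encoded X.509 certificate"

SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/{FAKE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/{FAKE_TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/{FAKE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_metadata(xml_text: str) -> dict:
    """Return the SP-relevant fields of a SAML 2.0 IdP metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"expected an EntityDescriptor, got {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    endpoints = {}
    warnings = []
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding, location = svc.get("Binding"), svc.get("Location", "")
        endpoints[binding] = location
        if not location.startswith("https://"):
            warnings.append(f"SSO endpoint for {binding} is not HTTPS: {location}")

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(sha256_hex(der))
    if not fingerprints:
        warnings.append("no signing certificate: assertions could not be verified")

    return {
        "entity_id": root.get("entityID"),
        "sso_endpoints": endpoints,
        "signing_cert_sha256": fingerprints,
        "warnings": warnings,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(inspect_metadata(SAMPLE_METADATA), indent=2))
```

The fingerprint list is the useful part over time: Entra ID metadata can carry more than one signing certificate during a certificate rollover, and comparing the fingerprints against the certificate shown under SAML Signing Certificate in the Entra portal confirms that the URL you pasted belongs to your own tenant.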

Zivver 2FA exemption (optional)

A Zivver account is protected by default with an additional login method (2FA). 2FA is also required when logging in via SSO. You can disable Zivver’s built-in 2FA when users already log in to Entra ID with 2FA, so that they do not have to complete 2FA twice.

With a 2FA exemption configured, Zivver does not ask for 2FA when the SAML response reports one of these authentication methods (authentication context classes):

  • urn:oasis:names:tc:SAML:2.0:ac:classes:Password
  • urn:oasis:names:tc:SAML:2.0:ac:classes:Unspecified
  • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

None of these context classes tells Zivver whether the user logged in to Entra ID with 2FA: the SAML response contains no information from which Zivver can decide that.

If you exempt these authentication contexts from 2FA in the SSO settings, Zivver will never ask for a second authentication factor. This is a security risk when users can log in to Entra ID without 2FA while the exemption is configured in Zivver. Therefore, if you exempt the above-mentioned authentication contexts in Zivver, make sure users are required to log in to Entra ID with 2FA.

Do these steps to set the 2FA exemption for Entra ID in Zivver:

  1. Log in to the WebApp.
  2. Click the Organization Settings icon at the bottom left of your browser window.
  3. Go to User administration.
  4. Go to Single Sign-on.
  5. Scroll down to the Zivver 2FA exemptions card.
  6. In the Authentication methods to be exempted field, enter these values:
    • urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    • urn:oasis:names:tc:SAML:2.0:ac:classes:Unspecified
    • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  7. Click Save.
    You have now successfully set a 2FA exemption for Entra ID. When users now log in via SSO, Zivver will not ask for 2FA.
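The claims configured in Configure SSO in Entra ID (NameID from user.mail and the ZivverAccountKey attribute) and the exemption above both depend on what the SAML assertion actually contains. The following script is an added example, not part of the Zivver manual or of Zivver's own code: it reads an assertion, reports the NameID, the ZivverAccountKey value and the AuthnContextClassRef, and works out whether Zivver's own 2FA prompt is skipped for a given exemption list. It assumes that Entra ID emits a claim with a namespace as "<namespace>/<name>"; the assertion it builds is constructed and unsigned, and a real one should be taken from a test login after its signature has been validated.

```python
"""Check what a SAML assertion from Entra ID carries for Zivver.

Added example, not part of the Zivver manual or of Zivver's own code. It
reads a SAML 2.0 assertion (or a Response wrapping one) and reports the
NameID, the ZivverAccountKey attribute and the AuthnContextClassRef, then
applies the 2FA exemption rule described in the manual.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Assumed claim name: namespace and name from the Entra ID claim, joined by "/".
ACCOUNT_KEY_ATTR = "https://zivver.com/SAML/Attributes/ZivverAccountKey"

# The three authentication context classes the manual lists for the exemption.
EXEMPTED_CONTEXTS = frozenset({
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Unspecified",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
})


def make_assertion(name_id: str, account_key: str, authn_context: str) -> str:
    """Build a minimal constructed, unsigned assertion with the three elements of interest."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ACCOUNT_KEY_ATTR}">
      <saml:AttributeValue>{account_key}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text: str, exempted: frozenset = frozenset()) -> dict:
    """Extract NameID, ZivverAccountKey and AuthnContextClassRef; decide on Zivver's 2FA prompt."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{NS['samlp']}}}Response":
        root = root.find("saml:Assertion", NS)
        if root is None:
            raise ValueError("Response holds no plain Assertion (encrypted assertions are not handled here)")

    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    context = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", default="", namespaces=NS
    ).strip()
    account_key = ""
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ACCOUNT_KEY_ATTR:
            account_key = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()

    problems = []
    if "@" not in name_id:
        problems.append("NameID is not a mail address: check the Unique User Identifier claim (user.mail)")
    if not account_key:
        problems.append(f"attribute {ACCOUNT_KEY_ATTR} is missing or empty")
    if not context:
        problems.append("no AuthnContextClassRef: Zivver cannot match any 2FA exemption")

    return {
        "name_id": name_id,
        "account_key": account_key,
        "authn_context": context,
        # Zivver prompts for its own 2FA unless the reported context is on the exemption list.
        "zivver_2fa_prompt": context not in exempted,
        "problems": problems,
    }


if __name__ == "__main__":
    sample = make_assertion(
        "alice@example.test",                      # constructed user
        "11111111-1111-1111-1111-111111111111",    # constructed object id
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    )
    print(check_assertion(sample, EXEMPTED_CONTEXTS))
```

Running the check on an assertion captured from a test login shows the point of the warning above: with PasswordProtectedTransport reported and the three classes exempted, zivver_2fa_prompt is False regardless of whether Entra ID enforced 2FA, so the exemption is only as strong as the 2FA requirement on the Entra ID side.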

Assign users to the application Zivver in Entra ID

The third step is to assign users to Zivver SSO in Entra ID.

  1. Log in to Microsoft Azure.
  2. Click Entra ID.
  3. Click Enterprise applications.
  4. Select Zivver from the list of Enterprise applications installed.

    If you want all users in your Entra ID to be able to log in to Zivver, you can instead set User assignment required? to No on the Properties tab under the Manage blade. Every Entra ID user with an active Zivver account can then log in to Zivver, and you can skip the steps below.

  5. Select the Users and groups tab under the Manage blade.

  6. Click Add user to add a user or group.

  7. Click Users >.

  8. Search for users or groups to assign to the Zivver application and select them from the list.

    If you want to assign groups to the Zivver application in Entra ID, you need an Enterprise Mobility + Security E5 or Entra ID Premium P2 license.

  9. Click Select.

  10. Click Assign to confirm your selection.
    The assigned users can now log into Zivver, given that they have an active Zivver account.

Testing single sign-on

Log in to the WebApp with SSO

  1. Go to the WebApp.
  2. Enter your e-mail address.
  3. Depending on your role in Zivver:
    • As a user: you are immediately redirected to the login screen of your organization.
    • As an administrator: you choose between your Zivver password and your workplace login details to log in.
  4. Log in with the workplace login data of your organization.
    Unless a 2FA exemption is in place, you are asked for an extra login method. With a 2FA exemption, the next step is skipped.
  5. Enter your extra login factor.
    You are logged in to Zivver WebApp.

Log in to Outlook with SSO

In the Zivver Office Plugin in Outlook, you can log in with SSO as follows:

  1. Click the Zivver tab.
  2. Click Manage accounts.
  3. Click the link Add an account.
  4. Select the e-mail address with which you want to log in.
  5. Click Yes, I want to log in now.
    You will be redirected to the login screen of your organization.
  6. Log in with the workplace login details of your organization.
    Unless a 2FA exemption is in place, you are asked for an extra login method. With a 2FA exemption, the next step is skipped.
  7. Enter your extra login method.
    You are logged in to Outlook.

References

For further reference, see:

  • Configure SAML-based single sign-on for an application with Entra ID
  • Tutorial: Microsoft Entra SSO integration with Zivver