SSO with Okta
Introduction
Zivver supports Single Sign-On (SSO) via Okta, so that users can log in to Zivver with their workplace login details. This manual explains how to set up SSO as an administrator.
SSO operates on the basis of Security Assertion Markup Language (SAML) v2.0. Okta is the Identity Provider (IdP) and Zivver is the Service Provider (SP).
To activate SSO in Zivver, you need the following:
- You are a Zivver administrator.
- You have access to Management functionality in Okta.
  Example URL: https://[organization]-admin.okta.com/admin/dashboard
SSO setup in Okta
The first step is to get Zivver set up as a SAML SP application in Okta.
- Log in to Okta.
- Go to the Admin dashboard.
- Go to Applications.
- Click Add Application.
- Click Create New App.
- Set Platform to Web.
- Set Sign on method to SAML 2.0.
- Click Create.
- Enter Zivver as App name.
- If necessary, upload a logo, such as the Zivver logo.
- Click Upload Logo.
- Click Next.
- Disable Use this for Recipient URL and Destination URL.
- Fill in this information:
  - Single sign on URL: https://app.zivver.com/api/sso/saml/consumer/
  - Recipient URL: https://app.zivver.com/SAML/Zivver
  - Destination URL: https://app.zivver.com/api/sso/saml/consumer/
  - Audience URI (SP Entity ID): https://app.zivver.com/SAML/Zivver
  - Default RelayState: N/A, leave blank
  - Name ID format: EmailAddress
  - Application username: Email
- Click Show Advanced Settings.
- Fill in these details:
  - Response: Signed
  - Assertion Signature: Signed
  - Signature Algorithm: SHA256
  - Digest Algorithm: SHA256
  - Assertion Encryption: No
  - Authentication context class: PasswordProtectedTransport
  - Honor Force Authentication: Yes
  - SAML Issuer ID: http://www.okta.com/{org.externalKey} (replace {org.externalKey} with your own organizational external key)
- Go to the Attribute Statements (optional) section.
- Enter this information:
  - Name: https://zivver.com/SAML/Attributes/ZivverAccountKey, Value: user.id
  - Name: urn:oid:2.5.4.42, Value: user.displayName
  - Name: urn:oid:2.5.4.20, Value: user.mobilePhone
  - Name: urn:oid:2.5.4.3, Value: user.firstName
- Click Next.
- Set Are you a customer or partner? to I’m an Okta customer adding an internal app.
- If necessary, complete the optional questions.
- Click Finish.
- Go to the Sign On section of your newly created application.
- In the Sign On Methods section, locate the Identity Provider metadata link right above the Credentials Details section.
- Right-click the Identity Provider metadata link and select Copy Link Address.
  You will need the Link Address in the next section. Having trouble? Visit the Okta documentation.
- Go to Assignments.
- Assign the Zivver application to persons/groups.
Okta is now correctly set up for Zivver.
Setting SSO in Zivver
The final step is to set up SSO in Zivver. You do this in the WebApp of Zivver:
- Log in to the WebApp.
- Click the Organization Settings icon at the bottom left of your browser window.
- Go to User administration.
- Go to Single Sign-on.
- Select Automatically.
- Paste the URL you copied in SSO setup in Okta.
- Click Save.
- At the top of the page, click the Enable Single sign-on button.
Okta SSO in Zivver is now set and ready for use.
Zivver 2FA exemption (optional)
A Zivver account is protected, by default, with an additional login method (2FA). 2FA is also required when logging in via SSO. It is possible to disable Zivver’s 2FA when users log in via Okta’s SSO.
Unfortunately, Okta cannot indicate in the SAML response whether the user has already specified an additional login method. Okta always gives this SAML response:
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
This means that the SAML response does not contain any information from which Zivver can derive whether the user is logged in securely with 2FA. Therefore read the warning below carefully.
Do these steps to set the 2FA exemption for Okta in Zivver:
- Log in to the WebApp.
- Click the Organization Settings icon at the bottom left of your browser window.
- Go to User administration.
- Go to Single Sign-on.
- Scroll down to the Zivver 2FA exemptions card.
- In the Authentication methods to be exempted field, enter this value:
  urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
- Click Save.
You have now successfully set a 2FA exemption for Okta. When users now log in via SSO, Zivver will not ask for 2FA.
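The following is an added example, not Zivver's or Okta's code: a Python check that reads a decoded SAML response, compares it with the values configured under SSO setup in Okta, and reports whether the exemption value above would match. The sample response is constructed, and treating the exemption as an exact match on AuthnContextClassRef is an assumption about how Zivver evaluates it.

```python
import xml.etree.ElementTree as ET  # use defusedxml when parsing XML you did not produce

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ACCOUNT_KEY = "https://zivver.com/SAML/Attributes/ZivverAccountKey"
EXPECTED = {  # values from the settings tables on this page
    "destination": "https://app.zivver.com/api/sso/saml/consumer/",
    "recipient": "https://app.zivver.com/SAML/Zivver",
    "audience": "https://app.zivver.com/SAML/Zivver",
    "authn_context": PPT,
}
# Constructed sample response (not a real capture); signature elements omitted.
SAMPLE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}"
    Destination="https://app.zivver.com/api/sso/saml/consumer/"><a:Assertion>
  <a:Subject><a:NameID>alice@example.com</a:NameID><a:SubjectConfirmation>
    <a:SubjectConfirmationData Recipient="https://app.zivver.com/SAML/Zivver"/>
  </a:SubjectConfirmation></a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>https://app.zivver.com/SAML/Zivver</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AuthnStatement><a:AuthnContext>
    <a:AuthnContextClassRef>{PPT}</a:AuthnContextClassRef>
  </a:AuthnContext></a:AuthnStatement>
  <a:AttributeStatement><a:Attribute Name="{ACCOUNT_KEY}">
    <a:AttributeValue>00u-constructed</a:AttributeValue>
  </a:Attribute></a:AttributeStatement></a:Assertion></p:Response>"""

def extract(xml_text):
    """Return the fields this page configures, read from a decoded SAML response."""
    root = ET.fromstring(xml_text)
    scd = root.find(".//a:SubjectConfirmationData", NS)
    return {
        "destination": root.get("Destination", ""),
        "recipient": scd.get("Recipient", "") if scd is not None else "",
        "audience": root.findtext(".//a:Audience", "", NS).strip(),
        "authn_context": root.findtext(".//a:AuthnContextClassRef", "", NS).strip(),
        "attributes": [a.get("Name") for a in root.iterfind(".//a:Attribute", NS)],
    }

def audit(xml_text, exempted=(PPT,)):
    """Return (mismatches, exempt). exempt models the 2FA exemption as an exact
    match on AuthnContextClassRef, which is an assumption about Zivver's check."""
    got = extract(xml_text)
    problems = [f"{k}: expected {v}, got {got[k]}" for k, v in EXPECTED.items() if got[k] != v]
    if ACCOUNT_KEY not in got["attributes"]:
        problems.append(f"missing attribute {ACCOUNT_KEY}")
    return problems, got["authn_context"] in exempted

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Because Okta sends the same class reference for every login, the second result is the same whether or not the user completed an additional login method in Okta.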
Log in to the WebApp with SSO
- Go to the WebApp.
- Enter your e-mail address.
- What is your role in Zivver?
  - User: you are immediately redirected to the login screen of your organization.
  - Administrator: you choose between your Zivver password and your workplace login details to log in.
- Log in with the workplace login data of your organization.
  Depending on the existence of a 2FA exemption, you will be asked for an extra login method. With a 2FA exemption in place, the last step will be skipped.
- Use your extra login method.
You are logged into the Zivver WebApp.
Log in to Outlook with SSO
In the Zivver Office Plugin in Outlook, you log in with SSO with these steps:
- Click the Zivver tab.
- Click Manage Accounts.
- Click the link Add an account.
- Select the e-mail address with which you want to log in.
- Click Yes, I want to log in now.
  You will be redirected to the login screen of your organization.
- Log in with the workplace login details of your organization.
  Depending on the existence of a 2FA exemption, you will be asked for an extra login method. With a 2FA exemption you skip the last step.
- Use your extra login method.
You are logged in to Outlook.