SSO with Okta

Introduction

ZIVVER supports Single Sign-On (SSO) via Okta, so that users can log in to ZIVVER with the login data of their workplace. This manual explains how, as an administrator, you set up SSO. SSO operates on the basis of Security Assertion Markup Language (SAML) v2.0. Okta is the Identity Provider (IdP) and ZIVVER is the Service Provider (SP). To activate SSO in ZIVVER, you need the following:

  1. You are a ZIVVER administrator.

  2. You have access to the Management functionality in Okta. Example URL: `https://[organization]-admin.okta.com/admin/dashboard`

SSO setup in Okta

The first step is to get ZIVVER set up as a SAML SP application in Okta.

  1. Log in to Okta.

  2. Go to the Admin dashboard.

  3. Go to Applications.

  4. Click Add Application.

  5. Click Create New App.

  6. Set Platform to Web.

  7. Set Sign on method to SAML 2.0.

  8. Click Create.

  9. Enter ZIVVER as App name.

  10. If necessary, upload a logo, such as the ZIVVER logo.

  11. Click Upload Logo.

  12. Click Next.

  13. Disable Use this for Recipient URL and Destination URL.

  14. Fill in the following information:

    Setting                      Value
    Single sign on URL           https://app.zivver.com/api/sso/saml/consumer/
    Recipient URL                https://app.zivver.com/SAML/Zivver
    Destination URL              https://app.zivver.com/api/sso/saml/consumer/
    Audience URI (SP Entity ID)  https://app.zivver.com/SAML/Zivver
    Default RelayState           N/A, leave blank
    Name ID format               EmailAddress
    Application username         Email

  15. Click Show Advanced Settings.

  16. Fill in the following details:

    Setting                       Value
    Response                      Signed
    Assertion Signature           Signed
    Signature Algorithm           SHA256
    Digest Algorithm              SHA256
    Assertion Encryption          No
    Authentication context class  PasswordProtectedTransport
    Honor Force Authentication    Yes
    SAML Issuer ID                http://www.okta.com/${org.externalKey}

  17. Go to the Attribute Statements (optional) section.

  18. Enter the following information:

    Name                                                 Value
    https://zivver.com/SAML/Attributes/ZivverAccountKey  user.id
    urn:oid:2.5.4.42                                     user.displayName
    urn:oid:2.5.4.20                                     user.mobilePhone
    urn:oid:2.5.4.3                                      user.firstName

  19. Click Next.

  20. Set Are you a customer or partner? to I’m an Okta customer adding an internal app.

  21. If necessary, complete the optional questions.

  22. Click Finish.

  23. Go to the Sign On section of your newly created application.

  24. Copy the Identity Provider metadata URL and paste it into a file.
    Preferably, keep this page open in a separate browser tab or window. You will need the URL to set up SSO in ZIVVER; see the next chapter.

  25. Go to Assignments.

  26. Assign the ZIVVER application to persons/groups.
    Okta is now correctly set up for ZIVVER.

Setting SSO in ZIVVER

The final step is to set up SSO in ZIVVER. You do this in the WebApp of ZIVVER:

  1. Go to the ZIVVER WebApp.

  2. Log in as an administrator.

  3. Click the Organization Settings icon at the bottom left.

  4. Click Single sign-on.

  5. Select Manually paste your organization’s Identity Provider (IdP) SAML metadata XML file contents.

  6. Paste the URL you have copied at SSO setup in Okta into the box under Identity Provider metadata URL.

  7. Check the option Use Single sign-on.

  8. Click SAVE.
    Okta SSO in ZIVVER is now set and ready for use.

Warning
From the moment when you enable SSO, ZIVVER starts trying to log in users via SAML. It is therefore wise to keep SSO in ZIVVER switched off until you have set everything up correctly on the Azure AD side. Users who are already logged in will remain logged in after you enable SSO.

ZIVVER 2FA exemption (optional)

A ZIVVER account is protected, by default, with an additional login method (2FA). 2FA is also required when logging in via SSO. It is possible to disable ZIVVER’s 2FA when users log in via Okta’s SSO.

Unfortunately, Okta cannot indicate in the SAML response whether the user has already used an additional login method. Okta always returns the following authentication context class in the SAML response:

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

This means that the SAML response contains no information from which ZIVVER can derive whether the user has logged in securely with 2FA. Therefore, read the warning below carefully.

Warning
ZIVVER will never ask for 2FA if you exempt this authentication context from 2FA in the SSO settings. This is a security risk when users log in to Okta without 2FA in combination with a 2FA exemption in ZIVVER. That is why it is important to require users to log in to Okta with 2FA when you exempt the above authentication context in ZIVVER.

Follow the steps below to set the 2FA exemption for Okta in ZIVVER:

  1. Log in to the WebApp.

  2. Click Organization Settings in the bottom left of the side panel.

  3. Click Single Sign-On (SSO) in the User administration card.

  4. In the SAML 2.0 authentication contexts with ZIVVER 2FA exemptions field, enter the value urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.

  5. Click SAVE.
    You have now successfully set a 2FA exemption for Okta. When users now log in via SSO, ZIVVER will not ask for 2FA.
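The Okta settings from the tables above and the 2FA exemption warning can be checked against an actual SAML response. The following Python script is an added example, not part of this manual or of ZIVVER's or Okta's software: it parses a constructed sample response (not a real Okta capture), compares it with the manual's Destination, Audience, Name ID format and attribute names, and shows that once the PasswordProtectedTransport context is exempted, ZIVVER 2FA is skipped although the assertion proves nothing about 2FA at Okta. The emailAddress format URN is assumed to be the standard SAML 1.1 URN behind Okta's EmailAddress option, and the script does not verify XML signatures, which a real SP must do.

```python
import xml.etree.ElementTree as ET

# Expected values taken from the manual's tables (ZIVVER SP side, Okta attribute names).
EXPECTED_DESTINATION = "https://app.zivver.com/api/sso/saml/consumer/"
EXPECTED_AUDIENCE = "https://app.zivver.com/SAML/Zivver"
EXPECTED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # assumed URN for "EmailAddress"
EXPECTED_ATTRIBUTES = {"https://zivver.com/SAML/Attributes/ZivverAccountKey",
                       "urn:oid:2.5.4.42", "urn:oid:2.5.4.20", "urn:oid:2.5.4.3"}
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample response (not a real Okta capture); <ds:Signature/> stands in for real signatures.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://app.zivver.com/api/sso/saml/consumer/"><ds:Signature/>
 <saml:Assertion><ds:Signature/>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://app.zivver.com/SAML/Zivver</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
   <saml:Attribute Name="https://zivver.com/SAML/Attributes/ZivverAccountKey"><saml:AttributeValue>00u-example</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def check_response(xml_text, exempt_contexts=frozenset()):
    """Compare a SAML Response with the manual's settings. Does NOT verify signatures."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    f = {"destination_ok": root.get("Destination") == EXPECTED_DESTINATION,
         "response_signed": root.find("ds:Signature", NS) is not None,
         "assertion_signed": assertion.find("ds:Signature", NS) is not None}
    aud = assertion.find(".//saml:Audience", NS)
    f["audience_ok"] = aud is not None and aud.text == EXPECTED_AUDIENCE
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    f["nameid_format_ok"] = nameid is not None and nameid.get("Format") == EXPECTED_NAMEID_FORMAT
    present = {a.get("Name") for a in assertion.findall(".//saml:Attribute", NS)}
    f["missing_attributes"] = sorted(EXPECTED_ATTRIBUTES - present)  # attribute statements not mapped in Okta
    ctx = assertion.find(".//saml:AuthnContextClassRef", NS)
    f["authn_context"] = ctx.text if ctx is not None else None
    # The manual's warning in code: an exempted context skips ZIVVER 2FA, and nothing in the
    # assertion shows whether Okta enforced 2FA itself.
    f["zivver_2fa_skipped"] = f["authn_context"] in exempt_contexts
    return f
```

Run `check_response(SAMPLE_RESPONSE, {PASSWORD_CONTEXT})` to see the exemption take effect; the sample deliberately omits two of the four attribute statements so that `missing_attributes` is non-empty.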

Log in to the WebApp with SSO

  1. Go to the WebApp.

  2. Enter your e-mail address.

  3. What is your role in ZIVVER?

    • User: you are immediately redirected to the login screen of your organization.

    • Administrator: you choose between your ZIVVER password and your workplace login details to log in.

  4. Log in with the workplace login data of your organization. Unless a 2FA exemption is in place, you will be asked for an extra login method; with a 2FA exemption, the last step is skipped.

  5. Use your extra login method. You are logged into the ZIVVER WebApp.

Log in to Outlook with SSO

In the ZIVVER Office Plugin in Outlook you log in with SSO in the following way:

  1. Click the ZIVVER tab.

  2. Click Manage Accounts.

  3. Click the link Add an account.

  4. Select the e-mail address with which you want to log in.

  5. Click Yes, I want to log in now.
    You will be redirected to the login screen of your organization.

  6. Log in with the workplace login details of your organization.
    Unless a 2FA exemption is in place, you will be asked for an extra login method; with a 2FA exemption, you skip the last step.

  7. Use your extra login method.
    You are logged in to Outlook.
