SSO with OneLogin

Introduction

Zivver supports Single Sign-On (SSO) via OneLogin, so that users can log in to Zivver with their workplace credentials. This manual explains how, as an administrator, you set up SSO.
SSO operates on the basis of Security Assertion Markup Language (SAML) v2.0. OneLogin is the Identity Provider (IdP), and Zivver is the Service Provider (SP).
To activate SSO in Zivver, you need the following:

  1. You are a Zivver administrator.
  2. You have access to the OneLogin administrator dashboard.
    Example URL: https://www.onelogin.com/

SSO setup in OneLogin

The first step is to get Zivver set up as a custom application connector in OneLogin.

  1. Log in to OneLogin.
  2. Go to Apps > Add Apps.
  3. Search for SAML Test Connector (Advanced) and select the first result from the search results.
  4. Go to the Info tab.
  5. Enter Zivver as Display Name.
  6. Go to the Configuration tab.
  7. Fill in the following information:

    Setting                        Value
    Audience (EntityID)            https://app.zivver.com/SAML/Zivver
    Recipient                      https://app.zivver.com/SAML/Zivver
    ACS (Consumer) URL Validator   ^https:\/\/app\.zivver\.com\/api\/sso\/saml\/consumer\/$
    ACS (Consumer) URL             https://app.zivver.com/api/sso/saml/consumer/
    Login URL                      https://app.zivver.com/api/sso/saml/consumer/
    SAML not valid before          3 (minutes)
    SAML not valid after           3 (minutes)
    SAML initiator                 OneLogin
    SAML nameID format             Email
    SAML issuer type               Specific
    SAML signature element         Assertion
    SAML encryption method         TRIPLEDES-CBC
    SAML sessionNotOnOrAfter       1440 (minutes)

    The ACS (Consumer) URL Validator is a regular expression. Keep the ^ and $ anchors and the escaped dots and slashes exactly as shown: without them OneLogin would also accept look-alike hosts (for example app.zivver.com.example.net) or a longer path as the address to post the signed assertion to.
    The SAML encryption method only takes effect if assertion encryption is enabled for the connector with a Zivver encryption certificate, which this guide does not configure; the assertion is signed (signature element: Assertion) but not encrypted. 3DES is a legacy cipher, so if you enable encryption later, prefer an AES mode if the connector offers one.
  8. Go to the Parameters tab.

  9. Select the option Configured by admin.

  10. Add the following parameters:

    Parameter                                              Value
    NameID (fka Email)                                     Email
    https://zivver.com/SAML/Attributes/ZivverAccountKey    user.id
  11. Go to SSO tab.

  12. Select Standard Strength Certificate (2048-bit) for X.509 Certificate.

  13. Select SHA-256 for SAML Signature Algorithm.

  14. Copy the Issuer URL. You need this URL in the next section.

  15. Click Save. The app is now created, but none of your users can access it. You can assign them to the app either individually via the menu Users > All Users or as part of roles (Users > Roles) and groups (Users > Groups). OneLogin is now correctly set up for Zivver.

Setting up SSO in Zivver

The final step is to set up SSO in Zivver. You do this in the Zivver WebApp:

  1. Go to the Zivver WebApp.
  2. Log in as an administrator.
  3. Click the Organization Settings icon at the bottom left.
  4. Click on User administration.
  5. Click on Single Sign-on.
  6. Select Automatically.
  7. Paste the Issuer URL you copied during SSO setup in OneLogin into the box under URL.
  8. Click Save.
  9. Click on Enable Single sign-on in the top right of the page.
    OneLogin SSO in Zivver is now set and ready for use.
From the moment you enable SSO, Zivver will try to log users in via SAML. It is therefore wise to keep SSO in Zivver switched off until you have set everything up correctly in OneLogin and assigned the application to the right users, roles or groups. Users who are already logged in will remain logged in after you enable SSO.

Zivver 2FA exemption (optional)

A Zivver account is protected by default with an additional login method (2FA). 2FA is also required when logging in via SSO. It is possible to disable Zivver's 2FA for users who log in via OneLogin's SSO.
Unfortunately, OneLogin cannot indicate in the SAML response whether the user has completed an additional login method. Regardless of whether the user passed MFA at OneLogin, the assertion always carries the following authentication context (AuthnContextClassRef): urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
This means the SAML response contains nothing from which Zivver can derive whether the user logged in securely with 2FA. Therefore, read the warning below carefully.

If you exempt this authentication context from 2FA in the SSO settings, Zivver will never ask for 2FA for SSO logins. This is a security risk if users can log in to OneLogin without 2FA while the exemption is in place in Zivver: the account then has no second factor anywhere. That is why it is important that users are required to log in to OneLogin with 2FA (enforced by OneLogin policy) before you exempt the above authentication context in Zivver.

Follow the steps below to set the 2FA exemption for OneLogin in Zivver:

  1. Log in to the WebApp.
  2. Click the Organization Settings icon at the bottom left of your browser window.
  3. Go to User administration.
  4. Go to Single Sign-on.
  5. Scroll down to the Zivver 2FA exemptions card.
  6. In the Authentication methods to be exempted field, enter exactly this value (no trailing punctuation):
    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  7. Click Save.
    You have now successfully set a 2FA exemption for OneLogin. When users now log in via SSO, Zivver will not ask for 2FA.
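As an added example (not Zivver's or OneLogin's code), the Python below performs the service-provider checks that the OneLogin connector table in this guide implies (Destination, validity window, Audience, Recipient, NameID format, the ZivverAccountKey attribute, and the ACS URL validator on the IdP side) and then makes the 2FA-exemption decision described in this section, where the only input the SP has is the AuthnContextClassRef. The sample response, the issuer URL, the account key, the timestamps and the one-minute SP clock tolerance are constructed for the example; signature verification of the raw XML is assumed to have passed before these checks run.

```python
# Added example, not Zivver's or OneLogin's code: SP-side checks implied by the
# connector table in this guide plus the 2FA-exemption decision. Signature
# verification of the raw XML (for example with xmlsec) is assumed to have passed.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values taken from the OneLogin configuration table in this guide.
ENTITY_ID = "https://app.zivver.com/SAML/Zivver"
RECIPIENT = "https://app.zivver.com/SAML/Zivver"   # the table sets Recipient to the EntityID
ACS_URL = "https://app.zivver.com/api/sso/saml/consumer/"
ACS_VALIDATOR = re.compile(r"^https:\/\/app\.zivver\.com\/api\/sso\/saml\/consumer\/$")
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ACCOUNT_KEY_ATTR = "https://zivver.com/SAML/Attributes/ZivverAccountKey"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Assumed SP clock tolerance; the +/-3 minutes in the table is the window OneLogin
# writes into the assertion, the SP only adds a small margin on top of it.
SP_CLOCK_SKEW = timedelta(minutes=1)


def acs_url_allowed(url: str) -> bool:
    """IdP-side check: OneLogin only posts to an ACS URL matching the validator.
    fullmatch avoids the quirk that '$' also matches before a trailing newline."""
    return ACS_VALIDATOR.fullmatch(url) is not None


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, now: datetime) -> dict:
    """Check Destination, validity window, Audience, Recipient, NameID format and
    the account-key attribute; raise ValueError on the first failure."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    a = root.find("saml:Assertion", NS)   # the signed element (signature element: Assertion)
    if a is None:
        raise ValueError("no Assertion")
    cond = a.find("saml:Conditions", NS)
    not_before, not_on_or_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if not (not_before - SP_CLOCK_SKEW <= now < not_on_or_after + SP_CLOCK_SKEW):
        raise ValueError("assertion outside validity window (stale assertions may be replays)")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if ENTITY_ID not in audiences:
        raise ValueError("Audience does not name this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != RECIPIENT:
        raise ValueError("Recipient mismatch")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID must use the email format")
    attrs = {x.get("Name"): [v.text for v in x.findall("saml:AttributeValue", NS)]
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if not attrs.get(ACCOUNT_KEY_ATTR):
        raise ValueError("ZivverAccountKey attribute missing")
    ctx = a.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return {"email": name_id.text, "account_key": attrs[ACCOUNT_KEY_ATTR][0],
            "authn_context": ctx.text if ctx is not None else None}


def is_rejected(xml_text: str, now: datetime) -> bool:
    try:
        validate_response(xml_text, now)
        return False
    except ValueError:
        return True


def requires_zivver_2fa(authn_context: str, exemptions: set) -> bool:
    """The only input the SP has is AuthnContextClassRef. OneLogin always sends
    PasswordProtectedTransport, so exempting it hands the second factor entirely to
    OneLogin's own MFA policy: the assertion looks identical with or without MFA."""
    return authn_context not in exemptions


# Constructed sample response; issuer URL, account key and timestamps are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-05-01T12:00:00Z" Destination="https://app.zivver.com/api/sso/saml/consumer/">
 <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://app.zivver.com/SAML/Zivver" NotOnOrAfter="2024-05-01T12:03:00Z"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:57:00Z" NotOnOrAfter="2024-05-01T12:03:00Z">
   <saml:AudienceRestriction><saml:Audience>https://app.zivver.com/SAML/Zivver</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z">
   <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
   <saml:Attribute Name="https://zivver.com/SAML/Attributes/ZivverAccountKey">
    <saml:AttributeValue>12345678</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
```

Call validate_response(SAMPLE_RESPONSE, SAMPLE_NOW) and then requires_zivver_2fa(...) once with an empty exemption set and once with {PPT}: the prompt decision flips while the assertion is byte-for-byte the same, which is exactly the gap the warning above describes. Replaying the same response ten minutes later, or swapping the Audience to another SP's EntityID, is rejected by the window and audience checks.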

Log in to the WebApp with SSO

  1. Go to the WebApp.
  2. Enter your email address.
  3. What is your role in Zivver?
    • User: you are immediately redirected to the login screen of your organization.
    • Administrator: you choose between your Zivver password and your workplace login details to log in.
  4. Log in with the workplace login data of your organization.
    Unless a 2FA exemption is in place, you will be asked for your extra login method. With a 2FA exemption, the last step is skipped.
  5. Use your extra login method.
    You are logged into the Zivver WebApp.

Log in to Outlook with SSO

In the Zivver Office Plugin in Outlook you log in with SSO in the following way:

  1. Click the Zivver tab.
  2. Click on Manage Accounts.
  3. Click the link Add an account.
  4. Select the email address with which you want to log in.
  5. Click Yes, I want to log in now.
    You will be redirected to the login screen of your organization.
  6. Log in with the workplace login details of your organization.
    Unless a 2FA exemption is in place, you will be asked for your extra login method. With a 2FA exemption, the last step is skipped.
  7. Use your extra login method.
    You are logged in to Outlook.