Activating SSO

  • Published by Viedoc System 2020-12-10

Introduction

This use case shows how users can authenticate in Viedoc using an external identity provider (IdP) instead of the built-in identity provider, and thus log in using single sign-on (SSO).

The users identify themselves with an email address containing a domain name (referred to below as hostmaster@your.domain.name) that the user owns or that you, as the Organization Administrator, are in control of.




Using Google Workspace as IdP

Pre-requisites

  • The domain name for which you want to configure SSO must have an email address like this: hostmaster@your.domain.name, and you must be able to get hold of a key sent to that address.

  • You must have Organization Administrator access to Viedoc.

  • You must have Administrator access to Google Workspace.

Step-by-step guide

In this guide we use the domain name fubar.se and the European Viedoc training instance.

1

As Organization Administrator, go to Admin and click Organization Settings.

2

Click the tab SSO > Add SSO configuration, enter the Domain name and click Continue.

3

Contact the person in your organization with access to the hostmaster@your.domain.name email inbox, to retrieve the verification key that proves that you own the domain.

4

Enter the verification key in Viedoc and click Verify.

5

Make a note of the Redirect URL and the Entity ID.

6

In a separate tab, log in to Google Workspace Admin Console, go to Apps > SAML apps.

7

Click Add service, then click SETUP MY OWN CUSTOM APP.

8

From the Google IdP Information window:

  • Copy the SSO URL and paste it into the Viedoc field titled Endpoint URL.
  • Download the certificate and open it in a text editor, for example Notepad. Copy and paste it into the Viedoc field Certificate.

Click Save.

9

In Viedoc, copy the redirect URL and go back to the Google Workspace tab and click Next.

10

In the Basic information for your Custom App window:

  • Enter an appropriate Application Name describing the Viedoc instance, for example “Viedoc Training SSO”.
  • Download the Viedoc logo from the following URL https://www.viedoc.com/viedoc-gsuite-sso-256x256.png and upload it in the Google Workspace dialog box.

Click Next.

11

In the Service Provider Details window:

  • Paste the redirect URL into the ACS URL field.
  • Copy the Entity ID from the Viedoc tab into the Entity ID field in the Google Workspace tab.
  • Select Signed Response.
  • Set the Name ID to Basic Information and Primary Email.
  • Set the Name ID format to EMAIL.

Click Next.

12

In the Attribute Mapping window, click Finish.

13

Click OK.

14

Click the down arrow of the User access section of the newly configured SAML App.

Select ON for everyone and click Save.

15

Go back to the Viedoc tab and click Validate.

Note! You might be prompted to enter your email address and password in order to authenticate with your IdP if you are not already logged in. Upon successful authentication you will automatically be redirected to the domain verification page.

16

Verify that the domain is validated and then close the tab.

17

Click Next.

18

The SSO configuration is now completed.

When all users are informed about the new login URL—with the configured domain as their login name (the primary email address is used for authentication in both the IdP and in Viedoc)—click Activate > Yes.


Using Microsoft Azure AD as IdP

Pre-requisites

  • The domain name for which you want to configure SSO must have an email address like this: hostmaster@your.domain.name, and you must be able to get hold of a key sent to that address.

  • You must have Organization Administrator access to Viedoc.

  • You must have Administrator access, or higher, in Microsoft Azure Active Directory (AD).

Step-by-step guide

In this guide we use the domain name pcg-solutions.com and the European Viedoc training instance.

1

As Organization Administrator, go to Admin and click Organization Settings.

2

Click the tab SSO > Add SSO configuration, enter the Domain name and click Continue.

3

Contact the person in your organization with access to the hostmaster@your.domain.name email inbox to retrieve the verification key that proves that you own the domain.

4

Enter the verification key in Viedoc and click Verify.

5

Make a note of the Redirect URL and the Entity ID.

6

In a separate tab, log in to the Microsoft Azure portal and go to Azure Active Directory.

Click Enterprise Applications > New application and select Non-gallery application.

7

Enter an appropriate Name describing the Viedoc instance, for example “Viedoc Training SSO”.

Click Add.

8

Click Single Sign-On > SAML.

9

Click Edit the Basic SAML Configuration.

From the Viedoc tab, copy and paste:

  • The Entity ID into the Identifier (Entity ID) field.
  • The Redirect URL into the Reply URL (Assertion Consumer Service URL) field.

Click Save and close the dialog box.

10

Click to Edit the User Attributes & Claims.

11

Map the Unique User Identifier (Name ID) to the attribute that best matches the email address that users authenticate with in Viedoc, typically [user.userprincipalname] or [user.mail].

12

From the Azure AD window:

  • Download the certificate in base64 format and open it in a text editor, for example Notepad. Copy and paste it into the Viedoc field titled Certificate.
  • Click to copy the login URL and paste it in the Endpoint URL field in the Viedoc tab.

Click Save.

13

Download the Viedoc logo from the following URL https://www.viedoc.com/viedoc-msaad-sso-256x256.png and upload it to the Properties section in the Azure AD tab.

14

Under Users and groups, add all users or security groups that shall be able to log in to Viedoc using SSO.

15

Go back to the Viedoc tab and click Validate.

Note! You might be prompted to enter your email address and password in order to authenticate with your IdP if you are not already logged in. Upon successful authentication you will automatically be redirected to the domain verification page.

16

Verify that the domain is validated and then close the tab.

17

Click Next.

18

The SSO configuration is now completed.

When all users are informed about the new login URL—with the configured domain as their login name (the primary email address is used for authentication in both the IdP and in Viedoc)—click Activate > Yes.

19

Log out and log in using the new login URL. You will now be authenticated and redirected to the newly configured external IdP.
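If Validate fails in either the Google Workspace or the Azure AD guide, the usual cause is a mismatch between what the IdP sends and what was configured. The Python script below is an added example, not part of Viedoc's documentation or product: it checks a base64 SAMLResponse captured from the browser against the Redirect URL, the Entity ID and a Name ID in the configured domain. The function names, the placeholder URLs and the sample responses are constructed for illustration (fubar.se is the guide's example domain), and the script does not verify the response signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Placeholders (assumptions): use the Entity ID and Redirect URL noted in step 5.
ENTITY_ID = "https://sp.example.invalid/entity-id"
REDIRECT_URL = "https://sp.example.invalid/acs"


def check_saml_response(b64_response, domain, entity_id, redirect_url, require_email_format=True):
    """List mismatches between a captured SAMLResponse and the configured values.

    Troubleshooting aid only: it does NOT verify the XML signature.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != redirect_url:
        problems.append("Destination differs from the Redirect URL")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("assertion has no NameID")
    else:
        if require_email_format and name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID format is not emailAddress")
        if not name_id.text.strip().lower().endswith("@" + domain.lower()):
            problems.append("NameID is not an address in " + domain)
    audiences = [a.text.strip() for a in root.findall(
        "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        problems.append("Audience does not contain the Entity ID")
    return problems


def build_sample(name_id, audience, destination, fmt=EMAIL_FORMAT):
    """Construct an unsigned sample response (illustrative, not real IdP output)."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{destination}"><saml:Assertion><saml:Subject>'
           f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>'
           f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
           '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    ok = build_sample("anna@fubar.se", ENTITY_ID, REDIRECT_URL)
    bad = build_sample("anna@fubar.onmicrosoft.example", ENTITY_ID, REDIRECT_URL)
    print(check_saml_response(ok, "fubar.se", ENTITY_ID, REDIRECT_URL))
    print(check_saml_response(bad, "fubar.se", ENTITY_ID, REDIRECT_URL))
```

Pass `require_email_format=False` for the Azure AD setup, where the guide maps the Name ID attribute but does not prescribe a Name ID format.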